[5598] in cryptography@c2.net mail archive
Re: Power analysis of AES candidates
daemon@ATHENA.MIT.EDU (Eugene Leitl)
Wed Sep 15 07:32:21 1999
From: Eugene Leitl <eugene.leitl@lrz.uni-muenchen.de>
Date: Tue, 14 Sep 1999 23:59:12 -0700 (PDT)
To: eli+@cs.cmu.edu
Cc: crypto list <cryptography@c2.net>
In-Reply-To: <199909150022.RAA06139@blacklodge.c2.net>

Eli Brandt writes:
> If so, doubling the cap size halves the cutoff frequency (right?),
> halving the leaked power. Integrating runs gives signal voltage
> linear in n and noise voltage sqrt(n); voltage ratio is sqrt; power
> ratio is linear. So leaked-signal power is
> Theta( (attacker's number of runs) / (capacitor size) ).
> No asymptotic edge either way; attacker wins against bounded cap size.
> </handwave>

I don't quite understand your handwave analysis: if we use
supercapacitors we can power the embedded unit for hours straight. A
typical encryption round completes in milliseconds at best; I don't
see how microsecond spike demands can ever leak out regardless of whether
we measure till the Big Crunch or the day after tomorrow.

Apart from such crude-but-effective countermeasures, we haven't even
begun tackling lunatic fringe stuff like reversible computation.
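
The scaling argument quoted at the top of this message can be checked numerically. The following is an added example, not part of the original post or thread: it models the decoupling capacitor as a single-pole RC low-pass filter and assumes white measurement noise that is added after the filter and is independent across runs. All names and constants are constructed for illustration.

```python
import random

DT = 1.0          # sample period, arbitrary units (assumed)
SAMPLES = 2000    # trace length, long enough for the filtered spike to decay

def rc_filter(trace, rc):
    """Discrete single-pole low-pass standing in for the supply capacitor."""
    alpha = DT / (rc + DT)
    out, y = [], 0.0
    for x in trace:
        y += alpha * (x - y)
        out.append(y)
    return out

def leaked_energy(rc, amplitude=1.0):
    """Energy of one data-dependent current spike as seen after the filter."""
    spike = [0.0] * SAMPLES
    spike[10] = amplitude          # constructed one-sample spike
    return sum(v * v for v in rc_filter(spike, rc))

def averaged_noise_power(n_runs, sigma=1.0, seed=1999):
    """Per-sample noise power remaining after averaging n_runs noisy traces."""
    rng = random.Random(seed)      # fixed seed so the run is repeatable
    acc = [0.0] * SAMPLES
    for _ in range(n_runs):
        for i in range(SAMPLES):
            acc[i] += rng.gauss(0.0, sigma)
    return sum((a / n_runs) ** 2 for a in acc) / SAMPLES

def snr(n_runs, rc):
    """Power ratio of the averaged leak to the averaged noise."""
    return leaked_energy(rc) / averaged_noise_power(n_runs)

if __name__ == "__main__":
    base = snr(1, 50.0)
    # rc is proportional to capacitor size for a fixed series resistance
    for n, rc in [(1, 50.0), (1, 100.0), (4, 100.0), (16, 100.0), (16, 400.0)]:
        print(f"runs={n:3d} rc={rc:6.1f} snr/base={snr(n, rc) / base:6.2f}")
```

Under these assumptions the ratio tracks (number of runs) / (RC constant): doubling the capacitor halves it, and doubling the number of averaged runs restores it.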