On Fri, Jun 24, 2005 at 03:36:19AM -0000, Beryllium Sphere LLC wrote:

> (b) Is there a better way to scramble the timing of an AES operation
> without going to the last resort of padding everything to worst-case timing?
Perhaps something along the lines of:

"Provably Secure Masking of AES": http://eprint.iacr.org/2004/101.pdf

Just found the paper, can't speak to its quality or applicability, but it appears to tackle this sort of problem, and if it fails to cover cache timing, that too is interesting...

There was recently some discussion of the family of ciphers dual to AES, and the fact that some of the equivalent ciphers yield efficient hardware implementations. It is interesting to ask whether the existence of dual ciphers can be used in approaches to thwart cache timing attacks...

This thought is not new; http://eprint.iacr.org/2002/157.ps at the bottom of page 12 says:

    The existence of dual ciphers can also be used to protect implementation[s]
    against fault-analysis and power-analysis, by selecting a different dual
    cipher at random each time an encryption or decryption is desired.

-- 
Victor Duchovni
IT Security, Morgan Stanley
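Added example, not part of the thread or of either cited paper: the question quoted above asks how to keep an AES operation's timing from depending on the data without padding to worst-case time. The cache-timing leak in a table-driven AES comes from the address of each S-box read depending on a secret byte. The block below builds the AES S-box from its definition (GF(2^8) inverse followed by the affine map, so no 256-entry literal has to be trusted), then shows the naive lookup beside a lookup that touches every table entry and selects the wanted one with an arithmetic mask, so the sequence of memory accesses is the same for every input. Names such as `sbox_lookup_naive`, `sbox_lookup_ct` and `sbox_selftest` are this example's own choices, and the full-table scan is one standard mitigation among several (bitslicing is another); it is not the masking scheme of the 2004 paper.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11b).
 * Written branch-free so that it, too, runs in data-independent time. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        p ^= (uint8_t)(-(b & 1)) & a;          /* add a when low bit of b is set */
        uint8_t hi = (uint8_t)(a >> 7);
        a = (uint8_t)(a << 1);
        a ^= (uint8_t)(-hi) & 0x1b;            /* reduce if x^8 term overflowed */
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse as a^254 (a^255 == 1 for a != 0; 0 maps to 0). */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1, base = a;
    for (unsigned e = 254; e; e >>= 1) {
        if (e & 1) r = gf_mul(r, base);
        base = gf_mul(base, base);
    }
    return r;
}

static uint8_t rotl8(uint8_t b, unsigned n) {
    return (uint8_t)((b << n) | (b >> (8 - n)));
}

/* The AES affine transform: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63. */
static uint8_t affine(uint8_t b) {
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63;
}

static uint8_t sbox[256];
static int sbox_ready = 0;

static void ensure_sbox(void) {
    if (sbox_ready) return;
    for (unsigned i = 0; i < 256; i++) sbox[i] = affine(gf_inv((uint8_t)i));
    sbox_ready = 1;
}

/* Naive lookup: the address read is sbox + x, so which cache line is
 * fetched (and whether it hits or misses) depends on the secret byte. */
uint8_t sbox_lookup_naive(uint8_t x) {
    ensure_sbox();
    return sbox[x];
}

/* Cache-timing-resistant lookup: read all 256 entries in a fixed order and
 * OR in only the one whose index equals x, selected by an all-ones/all-zeros
 * mask computed without a branch. The memory access pattern no longer
 * depends on x. */
uint8_t sbox_lookup_ct(uint8_t x) {
    ensure_sbox();
    uint8_t result = 0;
    for (unsigned i = 0; i < 256; i++) {
        unsigned diff = (unsigned)(i ^ x);                  /* 0 iff i == x */
        uint8_t mask = (uint8_t)((diff - 1u) >> 8);         /* 0xff iff diff == 0 */
        result |= sbox[i] & mask;
    }
    return result;
}

/* Returns 1 when the constant-time lookup agrees with the table for every
 * input and the table matches the FIPS-197 reference values S(0x00)=0x63,
 * S(0x01)=0x7c, S(0x53)=0xed; 0 otherwise. */
int sbox_selftest(void) {
    for (unsigned i = 0; i < 256; i++)
        if (sbox_lookup_ct((uint8_t)i) != sbox_lookup_naive((uint8_t)i)) return 0;
    return sbox_lookup_ct(0x00) == 0x63 &&
           sbox_lookup_ct(0x01) == 0x7c &&
           sbox_lookup_ct(0x53) == 0xed;
}

int main(void) {
    printf("S-box self-test: %s\n", sbox_selftest() ? "ok" : "FAILED");
    return sbox_selftest() ? 0 : 1;
}
```

The scan costs 256 reads per byte instead of one, which is the price of removing the secret-dependent address; a real implementation would amortize this by scanning cache-line-sized blocks or by bitslicing the S-box. Two caveats a reviewer would raise: an optimizing compiler may turn the mask select back into a branch, so production code should inspect the generated assembly or use compiler barriers, and access-pattern independence only covers the cache channel, not the power or fault channels the quoted 2002 paper refers to.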