Victor Duchovni wrote:
> (b) Is there a better way to scramble the timing of an AES operation without going to the last resort of padding everything to worst-case timing?
>
> Perhaps something along the lines of: "Provably Secure Masking of AES": http://eprint.iacr.org/2004/101.pdf Just found the paper, can't speak to its quality or applicability, but it appears to tackle this sort of problem, and if it fails to cover cache timing, that too is interesting...
The article was published last year at SAC and is a decent description of how to mask the AES SubBytes operation. It is tailored to prevent power analysis and EM attacks. I have written a paper about an equivalent but slightly optimized masking scheme myself. From my point of view, if only the table lookup causes the timing leakage in some AES implementations, the most practical masking approach to get rid of this problem is to just mask this table lookup. This is the difference from masking to prevent power analysis or EM attacks -- there, really every step needs to be masked.
> There was recently some discussion of the family of ciphers dual to AES, and the fact that some of the equivalent ciphers yield efficient hardware implementations. It is interesting to ask whether the existence of dual ciphers can be used in approaches to thwart cache timing attacks... This thought is not new, http://eprint.iacr.org/2002/157.ps at the bottom of page 12 says:
These things are theoretically interesting but practically of limited value. Efficient AES hardware implementations, in case efficient means small, make use of composite field arithmetic. The difference between the different ways to define the composite fields then leads to a negligible difference in practice.

Elisabeth

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
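The "just mask the table lookup" idea from the reply above, as an added example that is not code from the thread, from the eprint paper, or from Elisabeth's own scheme. It builds the AES S-box from GF(2^8) arithmetic and then shows boolean masking of SubBytes: for fresh random masks m_in and m_out a table S' is built with S'[x ^ m_in] = S[x] ^ m_out, so the index that reaches memory is x ^ m_in rather than the secret-dependent x, and the value read back is S[x] ^ m_out. The function names (masked_sbox, masked_subbytes, demo) and the 16-byte sample state are assumptions made for the example.

```python
"""Boolean masking of the AES SubBytes table lookup (added example).

Idea: instead of reading S[x] for a secret-dependent x, read a randomised
table S'[x ^ m_in] = S[x] ^ m_out. The address touched depends on x ^ m_in,
which is uniformly distributed for a fresh random m_in.
"""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES defines inv(0) = 0."""
    if a == 0:
        return 0
    # a^254 = a^-1 because the multiplicative group has order 255.
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def aes_sbox() -> list[int]:
    """SubBytes table: AES affine transform applied to the field inverse."""
    table = []
    for x in range(256):
        y = gf_inv(x)
        s = y
        for i in range(1, 5):
            s ^= ((y << i) | (y >> (8 - i))) & 0xFF  # rotate-left by i bits
        table.append(s ^ 0x63)
    return table


SBOX = aes_sbox()


def masked_sbox(m_in: int, m_out: int) -> list[int]:
    """Build S' with S'[x ^ m_in] = S[x] ^ m_out.

    The loop walks all 256 entries in fixed order, so building the table
    depends only on the masks, never on the secret state bytes.
    """
    t = [0] * 256
    for x in range(256):
        t[x ^ m_in] = SBOX[x] ^ m_out
    return t


def masked_subbytes(masked_state: list[int], m_in: int, m_out: int) -> list[int]:
    """SubBytes on a state whose bytes are masked with m_in.

    Every index touched is x ^ m_in; the returned bytes are S[x] ^ m_out.
    The caller keeps (m_in, m_out) and never unmasks in the same step.
    """
    t = masked_sbox(m_in, m_out)
    return [t[b] for b in masked_state]


def demo(state: list[int]) -> bool:
    """Round-trip check: mask, look up through S', unmask, compare with S."""
    m_in = secrets.randbelow(256)
    m_out = secrets.randbelow(256)
    masked = [b ^ m_in for b in state]
    out = masked_subbytes(masked, m_in, m_out)
    unmasked = [b ^ m_out for b in out]
    return unmasked == [SBOX[b] for b in state]


if __name__ == "__main__":
    # Constructed 16-byte sample state (one AES block), not a real key or plaintext.
    print("masked SubBytes matches plain S-box:", demo(list(range(16))))
```

The example shows only the algebra of the masking; Python itself gives no timing guarantees. Two practical caveats a practitioner would check before relying on this in C: the masks must be fresh per encryption (a fixed m_in merely permutes the leak), and rebuilding S' costs 256 writes and pulls the whole table into cache, which is part of why the reply above confines the masking to the lookup rather than every round operation.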
