coderman (at Saturday, May 9, 2015, 12:49:22 PM):
>> ... use pseudorandom indexing to access the data, also based on the
>> password ... it is essential to the algorithm, and cannot be
>> written in a side channel safe way.
> even paired with a separate pseudo-random sequence?
> both executed in tandem, one just noise. (unused)
> maybe it takes more than one stochastic cover...

If I understand correctly, you want to do a dummy memory access that does not do anything, one per actual memory access. This is something, but not perfect. It is very similar to adding random latency, or a random number of bytes, to thwart timing or leaking length. Statistics can be used to undo the random effect. In the case of high-cost KDFs, you don't even need repeated measurements, because one single hashing is so long and involves so many operations that you can probably do the analysis on the results of a single run.

You can of course increase the number of dummy reads, but it comes with a severe degradation of performance, which was pretty much the sole reason for using a secret-based memory access pattern in the first place.

There is another option: using a random permutation on the memory addresses. A permutation destroys all information except equality (accessing the same address twice). However, you need to apply the same permutation to the initial writing phase, which leaks information about the permutation itself. Again, it provides some protection, but not all, and comes with some extra cost.

Ideally, we don't want implementors to face such decisions. Every time someone faces a security vs. cost decision, there is a chance that he will choose less security, especially if it is not marketable. It is a good policy to design and choose crypto primitives that are safe in their naive implementation: you don't have to work, or work too much, to make them safe. I would go so far as to say that even ARX design is something to avoid if possible, because side-channel-safe addition can be a problem on some platforms.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
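The following is an added toy simulation of the two countermeasures discussed in the message above (one dummy read per real read, and a random permutation of the address space); it is example code written for this page, not code from the thread or from any real KDF. It assumes a 1024-cell memory, 64 password-dependent reads derived from a SHA-256 chain, an observer who sees the full sequence of addresses touched, and 16 runs of the same password; all of those are constructed for the demo.

```python
import hashlib
import random
from collections import Counter

# Toy parameters (assumptions for the demo, not from any real KDF).
MEMORY_SIZE = 1024   # number of addressable cells
N_ACCESSES = 64      # password-dependent reads per KDF run


def secret_access_pattern(password: bytes, n: int = N_ACCESSES, size: int = MEMORY_SIZE) -> list:
    """Deterministic, password-dependent index sequence.

    Stand-in for the data-dependent reads of a memory-hard KDF: the same
    password always yields the same addresses, which is exactly what the
    attacker exploits below.
    """
    indexes = []
    state = password
    for _ in range(n):
        state = hashlib.sha256(state).digest()
        indexes.append(int.from_bytes(state[:4], "big") % size)
    return indexes


def trace_with_dummies(pattern: list, rng: random.Random, size: int = MEMORY_SIZE) -> list:
    """What a cache/timing observer sees: every real read is paired with one
    uniformly random dummy read, and the two are emitted in random order."""
    trace = []
    for addr in pattern:
        pair = [addr, rng.randrange(size)]
        rng.shuffle(pair)
        trace.extend(pair)
    return trace


def recover_pattern(traces: list) -> set:
    """Attacker side: the real addresses recur in every run of the same
    password, while a fresh dummy address recurs only by chance.  Keeping
    the addresses present in all runs strips the noise."""
    counts = Counter()
    for trace in traces:
        counts.update(set(trace))
    return {addr for addr, c in counts.items() if c == len(traces)}


def equality_structure(seq: list) -> tuple:
    """For each position, the first position that hit the same address.
    This is the one thing a permutation of the address space cannot hide."""
    first_seen = {}
    return tuple(first_seen.setdefault(addr, i) for i, addr in enumerate(seq))


def permuted_trace(pattern: list, perm: list) -> list:
    """Same reads, observed through a secret random permutation of the cells."""
    return [perm[addr] for addr in pattern]


def demo(password: bytes = b"correct horse battery staple", runs: int = 16, seed: int = 1) -> dict:
    rng = random.Random(seed)
    real = secret_access_pattern(password)

    # 1. Dummy accesses: collect a few noisy traces and average the noise out.
    traces = [trace_with_dummies(real, rng) for _ in range(runs)]
    recovered = recover_pattern(traces)

    # 2. Address permutation: the addresses change, the equality structure does not.
    perm = list(range(MEMORY_SIZE))
    rng.shuffle(perm)
    hidden = permuted_trace(real, perm)

    return {
        "real_addresses": set(real),
        "recovered_addresses": recovered,
        "recovery_exact": recovered == set(real),
        "repeated_reads": len(real) - len(set(real)),
        "equality_leaks": equality_structure(hidden) == equality_structure(real),
    }


if __name__ == "__main__":
    result = demo()
    print("dummy reads defeated by 16 runs:", result["recovery_exact"])
    print("permutation preserves equality structure:", result["equality_leaks"])
```

The first part only models the repeated-measurement attack; the single-run analysis the message mentions for expensive KDFs relies on structure within one long run that this toy does not reproduce. The second part shows the residual leak of the permutation approach directly: positions that read the same cell remain identifiable after permuting, and the message's further point, that the initial sequential write phase exposes the permutation itself, would follow from observing the write trace in the same way.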
