Timing attacks, Twofish housekeeping

mskala at ansuz.sooke.bc.ca mskala at ansuz.sooke.bc.ca
Mon Sep 23 05:14:01 CEST 2002

I've had some email suggesting improvements to the Twofish code; when I
have some spare time I'd like to take another look through the code and
implement some of them.

One issue I was unsure about concerned timing - it was pointed out to me
that the existing code could be vulnerable to timing attacks, in that the
CALC_S macro's execution time depends on a key byte.  Is this an issue we
should be looking at?  My suspicion is that the public-key stuff in GnuPG
is a whole lot *more* susceptible to timing attacks, and that hardening it
against them would be a major headache and unnecessary in the usual threat
model.  I can imagine some situations (conventional encryption, in a
server situation) where a timing attack against Twofish could be a
problem even if we didn't care about timing attacks on the public-key
ciphers.  That seems far-fetched, though.

So I wanted to ask the list: are timing attacks an issue for us at
all?  How much effort is it worth to eliminate them?

Matthew Skala
mskala at ansuz.sooke.bc.ca                    Embrace and defend.
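An added illustration of the concern raised in the post (example code written for this page, not GnuPG's twofish.c or its CALC_S macro): a GF(2^8) multiply of the kind a Twofish key schedule performs, first written with data-dependent branches and then branch-free, with an exhaustive check that both give identical results. The reduction polynomial 0x14D is the Twofish RS field polynomial from the cipher specification; the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* GF(2^8) reduction polynomial used by Twofish's RS code:
   x^8 + x^6 + x^3 + x^2 + 1.  Taken from the Twofish specification,
   not from the mailing-list post. */
#define RS_POLY 0x14D

/* Variable-time multiply: the loop length and both branches depend on
   the operand bits, so running time leaks information about a key byte. */
uint8_t gf_mul_vartime(uint8_t a, uint8_t b, uint16_t poly)
{
    uint8_t r = 0;
    while (b) {
        if (b & 1)
            r ^= a;
        b >>= 1;
        if (a & 0x80)
            a = (uint8_t)((a << 1) ^ poly);
        else
            a <<= 1;
    }
    return r;
}

/* Constant-time multiply: always eight iterations, and every
   data-dependent branch is replaced by an all-ones/all-zeros mask. */
uint8_t gf_mul_ct(uint8_t a, uint8_t b, uint16_t poly)
{
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t bit_mask = (uint8_t)(0 - (b & 1));     /* 0x00 or 0xFF */
        r ^= a & bit_mask;
        b >>= 1;
        uint8_t carry_mask = (uint8_t)(0 - (a >> 7));  /* 0x00 or 0xFF */
        a = (uint8_t)((a << 1) ^ ((uint8_t)poly & carry_mask));
    }
    return r;
}

/* Exhaustively confirm the hardened routine computes the same field
   product as the branchy one for every pair of operands. */
int implementations_agree(uint16_t poly)
{
    for (int a = 0; a < 256; a++)
        for (int b = 0; b < 256; b++)
            if (gf_mul_vartime((uint8_t)a, (uint8_t)b, poly) !=
                gf_mul_ct((uint8_t)a, (uint8_t)b, poly))
                return 0;
    return 1;
}

int main(void)
{
    printf("0x02 * 0x80 = 0x%02X\n", gf_mul_ct(0x02, 0x80, RS_POLY));
    printf("agree: %d\n", implementations_agree(RS_POLY));
    return 0;
}
```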
