Timing attack against AES

Per Tunedal Casual pt at radvis.nu
Sun May 22 07:26:54 CEST 2005


Bruce Schneier presented in his blog a few days ago a new attack against 
AES made by Daniel J. Bernstein.

Schneier's blog "AES Timing Attack":

Bernstein's paper: "Cache timing attacks on AES":

In short Bernstein has shown that:
a) AES is very susceptible to timing attacks, contrary to what was stated 
in the AES evaluation process. In the AES evaluation process the evaluators 
made an erroneous statement: "Table lookup: not vulnerable to timing 
attacks". This led to the conclusion that Rijndael (now AES) had an 
advantage over its competitors in this area.

b) A simple attack is performed successfully against the OpenSSL 
implementation of AES. The success is blamed on the design of AES.

c) The problem is that certain operations are not made in constant time; 
rather they are dependent on the input etc. This opens the way to timing attacks.

d) The attack was performed against a server with a Pentium III CPU and a 
known plaintext. He outlines attacks against other processors and other 
implementations of AES.

e) The attack can be improved in several ways and be made on other "leaks" 
if this one is mended: it is extremely difficult to write "constant-time 
high-speed AES software for general-purpose computers". Constant-time = 
independent of the key and input.

f) The problem is the heavy dependence on S-boxes.

g) It is easy to write slow constant-time software that is immune to this 
kind of attack. He makes a demonstration. AES would be extremely slow.

My questions:
1) Has anyone looked at the AES implementation in GnuPG in this aspect?

2) Are any other ciphers safer against this kind of attack? What about the 
ciphers in OpenPGP applications? Other AES candidates?

3) Would it be easier to write a fast implementation of some other cipher 
that is immune to this kind of timing attack?

4) What are the plans for GnuPG?

Per Tunedal
Keyid: 0xAE053BE0
Fingerprint: D70D 9057 A985 4944 2191 995A 2D74 F09D AE05 3BE0  
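Points c), f) and g) of the post describe the core of the issue: a table-driven S-box lookup reads an address that depends on a secret byte, and a constant-time variant must touch memory in a way that does not. The following C program is an added illustration written for this page; it is not code from the post, from GnuPG, OpenSSL, or Bernstein's paper. It builds the AES S-box from its definition (GF(2^8) inverse plus the affine transform, so no hand-copied table is needed), then contrasts the fast data-dependent lookup with the slow "read every entry and select with a mask" lookup that point g) alludes to. The function names are the example's own.

```c
/* Added example (not from the original post, GnuPG, or OpenSSL): the
 * data-dependent S-box lookup that cache-timing attacks exploit, beside
 * a slow constant-time lookup whose memory accesses do not depend on x. */
#include <stdint.h>
#include <stdio.h>

/* Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t carry = a & 0x80;
        a = (uint8_t)(a << 1);
        if (carry) a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse as a^254; by convention the inverse of 0 is 0. */
static uint8_t gf_inv(uint8_t a) {
    uint8_t result = 1, base = a;
    for (int e = 254; e; e >>= 1) {
        if (e & 1) result = gf_mul(result, base);
        base = gf_mul(base, base);
    }
    return result;
}

/* AES S-box from its definition: field inverse, then the affine transform
 * s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63. */
uint8_t aes_sbox_compute(uint8_t x) {
    uint8_t b = gf_inv(x);
    uint8_t s = b;
    for (int i = 1; i <= 4; i++) {
        b = (uint8_t)((b << 1) | (b >> 7)); /* rotate left by one bit */
        s ^= b;
    }
    return (uint8_t)(s ^ 0x63);
}

static uint8_t SBOX[256];
static int sbox_ready = 0;

/* Fill the table once; the inputs here are public, so timing is irrelevant. */
static void sbox_init(void) {
    if (sbox_ready) return;
    for (int i = 0; i < 256; i++) SBOX[i] = aes_sbox_compute((uint8_t)i);
    sbox_ready = 1;
}

/* Fast lookup as in table-driven implementations: the address read depends
 * on the secret byte x, so the cache line touched leaks information about x. */
uint8_t sbox_table_lookup(uint8_t x) {
    sbox_init();
    return SBOX[x];
}

/* Slow constant-time lookup: every entry is read, and the wanted one is
 * selected with an arithmetic mask instead of a branch or an index. */
uint8_t sbox_ct_lookup(uint8_t x) {
    sbox_init();
    uint8_t out = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t d = i ^ x;                               /* zero only when i == x */
        uint8_t mask = (uint8_t)(((d - 1u) >> 8) & 0xffu); /* 0xff iff d == 0 */
        out |= (uint8_t)(SBOX[i] & mask);
    }
    return out;
}

/* SubBytes over a 16-byte state using only the constant-time lookup. */
void sub_bytes_ct(uint8_t state[16]) {
    for (int i = 0; i < 16; i++) state[i] = sbox_ct_lookup(state[i]);
}

/* Returns 1 when both lookups agree on all 256 inputs, else 0. */
int sbox_lookups_agree(void) {
    for (int i = 0; i < 256; i++)
        if (sbox_table_lookup((uint8_t)i) != sbox_ct_lookup((uint8_t)i)) return 0;
    return 1;
}

int main(void) {
    printf("S(0x53): table=%02x ct=%02x\n", sbox_table_lookup(0x53), sbox_ct_lookup(0x53));
    printf("all 256 entries agree: %d\n", sbox_lookups_agree());
    return 0;
}
```

The constant-time variant does 256 reads per byte instead of one, which is the price point g) refers to; it also relies on the compiler keeping the mask arithmetic branch-free, which is an assumption to check in the generated code rather than something C guarantees. Bernstein's point e) is that removing the S-box index dependency in this way only closes the one leak studied, not every timing channel in a full implementation.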
