Timing attack against AES

Per Tunedal Casual pt at radvis.nu
Sun May 22 07:26:54 CEST 2005 

Hi,

Bruce Schneier presented in his blog a few days ago a new attack against 
AES made by Daniel J. Bernstein.

Schneier's blog "AES Timing Attack":
http://www.schneier.com/blog/

Bernstein's paper: "Cache timing attacks on AES":
http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

In short Bernstein has shown that:
a) AES is very susceptible to timing attacks, contrary to what was stated 
in the AES evaluation process. In the AES evaluation process the evaluators 
made an erroneously statement: "Table lookup: not vulnerable to timing 
attacks". This lead to the conclusion that Rindael (now AES) had an 
advantage to it's competitors in this area.

b) A simple attack is performed successfully against the OpenSSL 
implementation of AES. The success is blamed on the design of AES.

c) The problem is that certain operations are not made at a constant time, 
rather they are dependent on the input etc. This opens to timing attacks.

d) The attack was performed against a server with a Pentium III CPU and a 
known plaintext. He outlines attacks agains other processors and other 
implementations of AES.

e) The attack can be improved in several ways and be made on other "leaks" 
if this one is mended: "it is extremely difficult to write "Constant-time 
high-speed AES software for general purpose computers". Constant-time = 
independent of the key and input.

f) The problem is the heavy dependence on S-boxes.

g) It is easy to write slow constant-time software that is immune to this 
kind of attacks. He makes a demonstration. AES would be extremely slow.

My questions:
1) Has anyone looked at the AES implementation in GnuPG in this aspect?

2) Are any other ciphers safer to this kind of attack? What about the 
ciphers in OpenPGP applications? Other AES candidates?

3) Would it be easier to write a fast implementation of some other cipher 
that is immune to this kind of timing attacks?

4) What are the plans for GnuPG?

Per Tunedal
Keyid: 0xAE053BE0
Fingerprint: D70D 9057 A985 4944 2191 995A 2D74 F09D AE05 3BE0

More information about the Gnupg-users mailing list