-----BEGIN PGP SIGNED MESSAGE-----

[ To: Perry's Crypto List ## Date: 08/30/99 ##
  Subject: Re: Power analysis of AES candidates ]

>From: "William Whyte" <[EMAIL PROTECTED]>
>To: "Cryptography@C2. Net" <[EMAIL PROTECTED]>
>Subject: Power analysis of AES candidates
>Date: Wed, 11 Aug 1999 19:53:39 +0100

[ Discussion of vulnerability to power analysis of the
finalists, claiming Serpent and Twofish to be the most
resistant. ]

These results look a little odd to me.  On conventional
hardware, every cipher I have heard of is vulnerable to DPA.
(Essentially, that means do lots of encryptions under one
unknown key, guess part of the key that would reveal some
internal state, and look for power measurements correlated
to that internal state taken during those encryptions.)  A
few people have worked on clever ways to resist DPA,
especially Cryptography Research (Paul Kocher's company),
which holds patents on some of them.  I think several
smartcard companies had considered less sophisticated
power-consumption attacks and designed defenses to them
before that.  (I know *I* had considered much less
sophisticated attacks, but not DPA, before hearing about
Paul's work.)

There's some question about how hard it will be to design
hardware that will be DPA-resistant for different
algorithms.  My impression (but I am not a circuit designer
or anything, so take it with a grain of salt) is that it's
going to be easier to secure simpler hardware designs than
more complex ones.  This probably means Rijndael and Serpent
are the easiest to secure (XORs, table lookups, and bit
permutations only), while Twofish is somewhere in the middle
(we use 32-bit adds) and MARS and RC6 are somewhat harder to
secure (because they use multiplications and data-dependent
rotations, as well as 32-bit adds.)

It's important to emphasize that all the AES candidates are
susceptible to DPA if they're implemented on normal
hardware.  DES (with nothing but XORs, table-lookups, and
bit permutations) in normal hardware is very easy to attack.

>Cheers,
>William

- --John Kelsey, [EMAIL PROTECTED] / [EMAIL PROTECTED]
NEW PGP print =  5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>

-----END PGP SIGNATURE-----
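
The DPA procedure sketched in the message above (many encryptions under one unknown key, a guess at part of the key, correlation of measured power with the predicted internal state), as an added simulation that is not part of the original post. Assumptions: a constructed 4-bit lookup table, a Hamming-weight leakage model with Gaussian noise, and Boolean masking as the countermeasure, which the post does not name; the second run shows that masking removes the first-order correlation.

```python
import random

# Constructed stand-in for a cipher's table lookup: a 4-bit permutation.
SBOX = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]
HW = [bin(v).count("1") for v in range(16)]  # Hamming weight of each nibble


def simulate_traces(key, n, masked, rng, noise=1.0):
    # Assumed leakage model: power = Hamming weight of the handled value plus
    # Gaussian noise. With masked=True the device handles the S-box output
    # XORed with a fresh random mask instead of the bare value.
    traces = []
    for _ in range(n):
        p = rng.randrange(16)          # known input
        state = SBOX[p ^ key]          # key-dependent internal state
        if masked:
            state ^= rng.randrange(16)
        traces.append((p, HW[state] + rng.gauss(0.0, noise)))
    return traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5


def rank_guesses(traces):
    # Correlate measured power with the state predicted under each key guess.
    power = [s for _, s in traces]
    scores = {}
    for guess in range(16):
        predicted = [HW[SBOX[p ^ guess]] for p, _ in traces]
        scores[guess] = pearson(predicted, power)
    return scores


def evaluate(key=0xB, n=2000, seed=1999):
    # Returns (best guess unmasked, its correlation, best correlation masked).
    rng = random.Random(seed)
    plain = rank_guesses(simulate_traces(key, n, False, rng))
    masked = rank_guesses(simulate_traces(key, n, True, rng))
    return max(plain, key=plain.get), max(plain.values()), max(masked.values())


if __name__ == "__main__":
    print(evaluate())
```

In the unmasked run the correct guess stands out even though the lookup involves only an XOR and a table, matching the point about DES; in the masked run no guess correlates with the measurements at first order.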
