
RC5 and timing attacks



Karl,
        The way we avoid timing attacks on RC5 is to make sure that
our implementation runs in constant time.  The methods are:

1) Using a fixed-time rotate instruction if the CPU has one, or
2) Performing rotation by two shift and mask operations that
   together take a fixed amount of time (e.g., rotate right three
   positions is implemented as a shift right 3 that takes 3 cycles
   and a shift left 29 (= 32 - 3) that takes 29 cycles for a
   constant total of 32 cycles).
3) Other tricks are possible on CPUs that perform shifts in
   variable time (e.g., shift one and shift eight may both take
   one cycle, but shift two takes two cycles).

        One of the reasons for buying the BSAFE 3.0 crypto toolkit
is to make sure these are done right on each platform.  OK, I
know that was a product plug, but I couldn't resist :-).
                --Bob
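
[Added example, not part of Bob's message and not BSAFE code: a small RC5-32/12/16 implementation in C whose rotate follows method 2 above, two fixed-cost shifts and an OR, with the bit-at-a-time rotate shown alongside as the data-dependent pitfall. The parameters (32-bit words, 12 rounds, 16-byte key), the constants P32/Q32 and the all-zero known-answer vector are the ones from Rivest's RC5 paper; the function names are this example's own.]

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* RC5-32/12/16: 32-bit words, 12 rounds, 16-byte key. The rotation amount
 * in every round is half of the data block, so the rotate primitive must
 * not reveal that amount through its running time. */
#define RC5_W   32
#define RC5_R   12
#define RC5_B   16
#define RC5_T   (2 * (RC5_R + 1))      /* 26 round subkeys */
#define RC5_C   (RC5_B / 4)            /* 4 key words */
#define RC5_P32 0xB7E15163u
#define RC5_Q32 0x9E3779B9u

/* Method 2 from the message: rotate = shift left n | shift right (32-n).
 * The "& 31" masks keep a zero rotation well defined (no shift by 32). On a
 * barrel-shifter CPU both shifts cost the same for every n; most compilers
 * recognise the idiom and emit a single rotate instruction. */
static inline uint32_t rotl32(uint32_t x, uint32_t n) {
    n &= RC5_W - 1;
    return (x << n) | (x >> ((RC5_W - n) & (RC5_W - 1)));
}
static inline uint32_t rotr32(uint32_t x, uint32_t n) {
    n &= RC5_W - 1;
    return (x >> n) | (x << ((RC5_W - n) & (RC5_W - 1)));
}

/* The pitfall for contrast: rotating one bit per iteration does n iterations,
 * so its running time is a function of the data. The iteration count is
 * reported so the dependence can be checked without a cycle counter. */
static uint32_t rotl32_bitwise(uint32_t x, uint32_t n, unsigned *steps) {
    unsigned count = 0;
    n &= RC5_W - 1;
    while (n--) { x = (x << 1) | (x >> (RC5_W - 1)); count++; }
    if (steps) *steps = count;
    return x;
}
static unsigned bitwise_rotate_steps(uint32_t n) {
    unsigned s;
    rotl32_bitwise(0, n, &s);
    return s;
}

typedef struct { uint32_t S[RC5_T]; } rc5_key;

/* Key expansion per the RC5 paper; its mixing loop also rotates by
 * key-dependent amounts, so it uses the same constant-time rotate. */
static void rc5_setup(rc5_key *k, const uint8_t key[RC5_B]) {
    uint32_t L[RC5_C] = {0};
    uint32_t A = 0, B = 0;
    int i, j, n;
    for (i = RC5_B - 1; i >= 0; i--)            /* little-endian key load */
        L[i / 4] = (L[i / 4] << 8) + key[i];
    k->S[0] = RC5_P32;
    for (i = 1; i < RC5_T; i++)
        k->S[i] = k->S[i - 1] + RC5_Q32;
    i = j = 0;
    for (n = 0; n < 3 * RC5_T; n++) {           /* 3*max(t, c), t=26 > c=4 */
        A = k->S[i] = rotl32(k->S[i] + A + B, 3);
        B = L[j] = rotl32(L[j] + A + B, A + B);
        i = (i + 1) % RC5_T;
        j = (j + 1) % RC5_C;
    }
}

static void rc5_encrypt(const rc5_key *k, uint32_t *a, uint32_t *b) {
    uint32_t A = *a + k->S[0], B = *b + k->S[1];
    for (int i = 1; i <= RC5_R; i++) {
        A = rotl32(A ^ B, B) + k->S[2 * i];      /* rotation amount = B */
        B = rotl32(B ^ A, A) + k->S[2 * i + 1];  /* rotation amount = A */
    }
    *a = A; *b = B;
}

static void rc5_decrypt(const rc5_key *k, uint32_t *a, uint32_t *b) {
    uint32_t A = *a, B = *b;
    for (int i = RC5_R; i >= 1; i--) {
        B = rotr32(B - k->S[2 * i + 1], A) ^ A;
        A = rotr32(A - k->S[2 * i], B) ^ B;
    }
    *b = B - k->S[1]; *a = A - k->S[0];
}

/* Known-answer check from the RC5 paper: all-zero key and all-zero block
 * encrypt to EEDBA521 6D8F4B15; then decrypt back to zero. */
static bool rc5_self_test(void) {
    uint8_t key[RC5_B] = {0};
    rc5_key k;
    uint32_t A = 0, B = 0;
    rc5_setup(&k, key);
    rc5_encrypt(&k, &A, &B);
    if (A != 0xEEDBA521u || B != 0x6D8F4B15u) return false;
    rc5_decrypt(&k, &A, &B);
    return A == 0 && B == 0;
}

int main(void) {
    printf("known-answer test: %s\n", rc5_self_test() ? "ok" : "FAILED");
    printf("bit-at-a-time rotate: by 3 = %u steps, by 29 = %u steps\n",
           bitwise_rotate_steps(3), bitwise_rotate_steps(29));
    return 0;
}
```

The shift-pair rotate is only constant-time where the shifts themselves are, which is exactly the caveat in item 3 above: on a CPU whose shift cost grows with the amount, the two shifts still add up to a data-dependent total, and the check that matters is a cycle-count measurement of the compiled rotate over all 32 amounts on the target, not inspection of the C source.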


______________________________ Reply Separator _________________________________
Subject: rc5 perf and rotates
Author:  Karl Fox <karl@morningstar.com> at INTERNET
Date:    3/19/96 9:26 PM

stroh@vnet.ibm.com writes:
> Who cares if a rotate is fast in an absolute sense?

I would, if I were using RC5 on a machine without a barrel shifter and 
I were concerned about timing attacks.
-- 
Karl Fox, servant of God, employee of Morning Star Technologies
3518 Riverside Drive, Suite 101, Columbus, Ohio 43221    +1 614 451 1883