RC5 and timing attacks
Karl,
The way we avoid timing attacks on RC5 is to make sure that
our implementation runs in constant time. The methods are:
1) Using a fixed-time rotate instruction if the CPU has one, or
2) Performing rotation by two shift and mask operations that
together take a fixed amount of time (e.g., rotate right three
positions is implemented as a shift right 3 that takes 3 cycles
and a shift left 29 (= 32 - 3) that takes 29 cycles for a
constant total of 32 cycles).
3) Other tricks are possible on CPUs that perform shifts in
variable time (e.g., shift one and shift eight may both take
one cycle, but shift two takes two cycles).
One of the reasons for buying the BSAFE 3.0 crypto toolkit
is to make sure these are done right on each platform. OK, I
know that was a product plug, but I couldn't resist :-).
--Bob
______________________________ Reply Separator _________________________________
Subject: rc5 perf and rotates
Author: Karl Fox <karl@morningstar.com> at INTERNET
Date: 3/19/96 9:26 PM
stroh@vnet.ibm.com writes:
> Who cares if a rotate is fast in an absolute sense?
I would, if I were using RC5 on a machine without a barrel shifter and
I were concerned about timing attacks.
--
Karl Fox, servant of God, employee of Morning Star Technologies
3518 Riverside Drive, Suite 101, Columbus, Ohio 43221 +1 614 451 1883