[Libre-soc-dev] power side-channel attack on intel processors
Jacob Lifshay
programmerjake at gmail.com
Tue Nov 10 23:25:48 GMT 2020
On Tue, Nov 10, 2020, 13:54 Luke Kenneth Casson Leighton <lkcl at lkcl.net>
wrote:
> i was at the IIT Madras Conference where someone gave a talk about
> power analysis attacks against Rijndael. get this: measuring the
> power consumption of the FPU leaked key information 100% successfully.
>
> Rijndael does not use or require FP.
>
> the leakage path? the instruction decoder in the Shakti core being
> investigated happened to link to an FP reg through some OR gated paths
> that, later on, were ANDed out.
>
> this was sufficient information to tell what *integer* instructions
> were doing and thus obtain the private key.
>
> executing security algorithms in software is generally hopelessly
> compromised if you have access to a power statistical inference
> channel. the usual one people expect is timing, but not power.
>
Yeah, I still think we should implement the AES and SHA instructions, since
we can provide non-data-dependent timing. just plain software can't really
do that without being super slow since the S-boxes are data-dependent table
lookups which have issues with cache timing.
We *don't need* special constant-power accelerator hardware, we just need
constant timing, which is much easier to do.
Jacob
More information about the Libre-soc-dev
mailing list