[Libre-soc-dev] power side-channel attack on intel processors

Jacob Lifshay programmerjake at gmail.com
Tue Nov 10 23:25:48 GMT 2020

On Tue, Nov 10, 2020, 13:54 Luke Kenneth Casson Leighton <lkcl at lkcl.net>

> i was at the IIT Madras Conference where someone gave a talk about
> power analysis attacks against Rijndael.  get this: measuring the
> power consumption of the FPU leaked key information 100% successfully.
> Rijndael does not use or require FP.
> the leakage path? the instruction decoder in the Shakti core being
> investigated happened to link to an FP reg through some OR gated paths
> that, later on, were ANDed out.
> this was sufficient information to tell what *integer* instructions
> were doing and thus obtain the private key.
> executing security algorithms in software is generally hopelessly
> compromised if you have access to a power statistical inference
> channel.  the usual one people expect is timing, but not power.

Yeah, I still think we should implement the AES and SHA instructions, since
we can provide non-data-dependent timing. just plain software can't really
do that without being super slow since the S-boxes are data-dependent table
lookups which have issues with cache timing.

We *don't need* special constant-power accelerator hardware, we just need
constant timing, which is much easier to do.


More information about the Libre-soc-dev mailing list