What are the reasons ChaCha20 is immune to timing attacks? Also, why is AES not immune to timing attacks?
Viewed 701 times
1 Answer
9
The obvious way of implementing ChaCha20 involves nothing but additions, fixed rotations, and XORs. All of these are constant time, so the obvious way of implementing ChaCha20 is secure against timing attacks. The main way that ChaCha20 is made faster -- SIMD -- does not change this.
On the other hand, the obvious way of implementing AES uses table lookups for the S-boxes. These are not constant time because of caching. Avoiding this requires either:
- Naive approaches with massive performance penalties.
- A technique called bitslicing. This uses the unlimited parallelism available in CTR mode to emulate a hardware AES implementation, but operating on many bits in parallel. This only works in CTR mode (because other modes don't have the requisite parallelism) and is not easy to implement.
Demi
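Added illustration (not part of the answer above): a ChaCha20 block function in C, laid out as in RFC 8439, to show that the whole computation is 32-bit additions, fixed-distance rotations and XORs, with no secret-dependent branch and no secret-indexed memory access of the kind an AES S-box table lookup performs. The test vectors referenced in the comments are from RFC 8439.

```c
#include <stdint.h>
#include <string.h>

/* Fixed-distance rotate: compiles to a single rotate instruction.
 * Add, XOR and rotate all take the same time whatever the operand
 * values, and nothing below indexes memory with secret data. */
#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))

/* ChaCha quarter round on four words of the 16-word state
 * (RFC 8439 section 2.1; test vector in section 2.1.1). */
static void quarter_round(uint32_t s[16], int a, int b, int c, int d) {
    s[a] += s[b]; s[d] ^= s[a]; s[d] = ROTL32(s[d], 16);
    s[c] += s[d]; s[b] ^= s[c]; s[b] = ROTL32(s[b], 12);
    s[a] += s[b]; s[d] ^= s[a]; s[d] = ROTL32(s[d], 8);
    s[c] += s[d]; s[b] ^= s[c]; s[b] = ROTL32(s[b], 7);
}

static uint32_t load32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* One ChaCha20 keystream block: constants, 256-bit key, 32-bit block
 * counter, 96-bit nonce; 20 rounds, then the feed-forward addition.
 * Output words are little-endian keystream (RFC 8439 section 2.3). */
void chacha20_block(const uint8_t key[32], uint32_t counter,
                    const uint8_t nonce[12], uint32_t out[16]) {
    uint32_t s[16] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
    for (int i = 0; i < 8; i++) s[4 + i] = load32_le(key + 4 * i);
    s[12] = counter;
    for (int i = 0; i < 3; i++) s[13 + i] = load32_le(nonce + 4 * i);
    memcpy(out, s, sizeof s);
    for (int r = 0; r < 10; r++) {          /* 10 double rounds = 20 rounds */
        quarter_round(out, 0, 4,  8, 12);   /* column rounds */
        quarter_round(out, 1, 5,  9, 13);
        quarter_round(out, 2, 6, 10, 14);
        quarter_round(out, 3, 7, 11, 15);
        quarter_round(out, 0, 5, 10, 15);   /* diagonal rounds */
        quarter_round(out, 1, 6, 11, 12);
        quarter_round(out, 2, 7,  8, 13);
        quarter_round(out, 3, 4,  9, 14);
    }
    for (int i = 0; i < 16; i++) out[i] += s[i];
}
```

The trip through the loop touches every state word in the same order regardless of key, counter or nonce, which is exactly the property the table-driven AES S-box lacks.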