7

In a cryptographic implementation I’m playing with, there’s a round function which includes a conditional if statement.

Stripping the superfluous stuff, the C source code looks like this:

#include <stdint.h>

void f(uint32_t *state) {
    int round;
    …
    for(round = 0; round < 12; round++) {
        // functions working on state
        …
        if((round & 3) == 0) {
            // additional functions working on state
            …
        }
        …
    }
    …
}

Trying to check if this might introduce timing attack problems, I looked at cryptocoding.net which states:

If a conditional branching (if, switch, while, for) depends on secret data then the code executed as well as its execution time depend on the secret data as well.

This seems to hint at the fact that, as long as the if function does not depend on the state itself (which is meant to be handled as secret), there should not be a problem because if in this case depends on the round number and not the secret state.

Is my interpretation indeed correct, or does that if represent a potential problem regarding timing attacks? In case my interpretation is wrong and it represents a timing attack problem, would unrolling the loop (manually by rewriting the code) be a valid way to mitigate it?

Mike Edward Moras

1 Answer

9

Unless the number of rounds is secret, this does indeed not represent a secret-dependent branch.

(If the number of rounds is secret, a chap named Auguste would like to have a word with you. Hope you speak French or Dutch as they were spoken a century ago.)

Mike Edward Moras
Squeamish Ossifrage
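An added C example (not code from the question or the answer) that puts the question's shape of branch next to a mask-based rewrite and, going beyond the question's case, a genuinely secret-dependent branch next to its constant-time form; the toy round function, the constant 0x9E3779B9 and the inputs are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define ROUNDS 12  /* public round count, as in the question */

static uint32_t rotl32(uint32_t x, unsigned r) { return (x << r) | (x >> (32 - r)); }

/* Constructed toy round function in the shape of the question: the extra
 * step runs every fourth round. The condition reads only the loop counter,
 * which is public, so this branch is not secret-dependent. */
void f_branch(uint32_t state[4]) {
    for (int round = 0; round < ROUNDS; round++) {
        state[0] += state[1]; state[1] = rotl32(state[1], 7) ^ state[0];
        if ((round & 3) == 0) {
            state[2] ^= state[0]; state[3] += rotl32(state[2], 13);
        }
    }
}

/* The same computation with the condition folded into an all-ones/all-zeros
 * mask, so every round executes the same instructions. Not required for a
 * public counter, but it is the branch-free alternative to unrolling. */
void f_masked(uint32_t state[4]) {
    for (int round = 0; round < ROUNDS; round++) {
        state[0] += state[1]; state[1] = rotl32(state[1], 7) ^ state[0];
        uint32_t m = 0u - (uint32_t)((round & 3) == 0);
        state[2] ^= state[0] & m; state[3] += rotl32(state[2], 13) & m;
    }
}

/* What cryptocoding.net warns about: the condition reads the secret state. */
void mix_leaky(uint32_t state[4]) { if (state[0] & 1u) state[1] ^= 0x9E3779B9u; }

/* Constant-time form: the low bit of the secret becomes a mask. */
void mix_ct(uint32_t state[4]) { state[1] ^= 0x9E3779B9u & (0u - (state[0] & 1u)); }

/* Check that each rewrite computes the same result as its branching form
 * on a constructed input; returns 1 when they agree. */
int rounds_agree(uint32_t seed) {
    uint32_t a[4] = { seed, seed ^ 0x1234u, 0xDEADBEEFu, 0x01020304u }, b[4];
    memcpy(b, a, sizeof a);
    f_branch(a); f_masked(b);
    return memcmp(a, b, sizeof a) == 0;
}
int mix_agrees(uint32_t s0) {
    uint32_t a[4] = { s0, 0, 0, 0 }, b[4] = { s0, 0, 0, 0 };
    mix_leaky(a); mix_ct(b);
    return memcmp(a, b, sizeof a) == 0;
}
```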