Cryptographic libraries mostly use pre-computed lookup tables to implement block ciphers. These lookup tables require a large amount of memory, and the series of cache misses/hits makes them vulnerable to cache timing attacks. Are there any other disadvantages of lookup-table-based implementations?
2 Answers
4
The disadvantages are simply the side-channel attacks that you mention. I can think of no other disadvantages from either a cryptographic or hardware angle. I have a description of cache and attacks from a hardware perspective.
The advantages are pretty clear:
- simplicity in implementation so that the mathematics is correct;
- it's faster than a bit-slice implementation, and
- it's smaller than doing the inverse mathematics for the irreducible polynomial.
Also, in non-x86 environments, these attacks can be mitigated through a cache lock, where you do not flush the cache so you cannot miss.
Maarten Bodewes
b degnan
0
I can think of two disadvantages:
One issue with look-up tables (such as the T-implementation of AES) arises when you target a low-memory environment.
Software masking of look-up tables to protect against side channels requires the addition of extra memory (An Efficient Masking Scheme for AES Software Implementations).
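The trade-off both answers describe can be seen in code. The following is an added example, not code from either answer: it computes the AES S-box from the field inverse modulo the irreducible polynomial (no table, no secret-indexed memory access) and, for comparison, reads a 256-byte table by touching every entry so the cache lines accessed do not depend on the secret index. All function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
   Masks replace branches, so control flow is independent of a and b. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        r ^= (uint8_t)(-(b & 1) & a);                 /* add a if low bit of b is set */
        a = (uint8_t)((a << 1) ^ (-(a >> 7) & 0x1b)); /* multiply by x, then reduce */
        b >>= 1;
    }
    return r;
}

/* Inverse as a^254; the branch depends only on the public exponent. 0 maps to 0. */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1;
    for (int i = 7; i >= 0; i--) {
        r = gf_mul(r, r);
        if ((254 >> i) & 1) r = gf_mul(r, a);
    }
    return r;
}

static uint8_t rotl8(uint8_t x, int n) { return (uint8_t)((x << n) | (x >> (8 - n))); }

/* Table-free S-box: field inverse followed by the AES affine transform. */
uint8_t sbox_compute(uint8_t x) {
    uint8_t v = gf_inv(x);
    return (uint8_t)(v ^ rotl8(v, 1) ^ rotl8(v, 2) ^ rotl8(v, 3) ^ rotl8(v, 4) ^ 0x63);
}

/* Table lookup that reads all 256 entries and selects one with a mask. */
uint8_t ct_lookup(const uint8_t table[256], uint8_t idx) {
    uint8_t out = 0;
    for (unsigned i = 0; i < 256; i++) {
        unsigned diff = i ^ idx;                      /* 0 only when i == idx */
        out |= table[i] & (uint8_t)((diff - 1) >> 8); /* mask 0xff on match, else 0 */
    }
    return out;
}

/* Build the table, then count disagreements between the three access methods. */
int count_mismatches(void) {
    uint8_t t[256];
    int bad = 0;
    for (unsigned i = 0; i < 256; i++) t[i] = sbox_compute((uint8_t)i);
    for (unsigned i = 0; i < 256; i++)
        bad += (t[i] != ct_lookup(t, (uint8_t)i)) || (t[i] != sbox_compute((uint8_t)i));
    return bad;
}

int main(void) {
    printf("S(0x53)=0x%02x mismatches=%d\n", sbox_compute(0x53), count_mismatches());
    return 0;
}
```

Both alternatives cost far more operations per byte than a direct `table[idx]` read, which is the speed advantage the first answer attributes to tables. The constant-time property holds at source level only, so the compiled output should be inspected for reintroduced branches.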