pinterkr at gmail.com
Sat May 9 05:29:39 EDT 2015
coderman (at Saturday, May 9, 2015, 3:56:06 AM):
>> The reality is: bcrypt, scrypt, and most PHC finalists use password
>> dependent memory lookups, and thus are not cache-timing safe...
>> In typical scenarios, this does not matter. In some, it does.
> has there been consideration of a processor instruction for hardware
> implementation resistant to timing attacks?
Many (most?) PHC candidates create a huge block of pseudorandom data
derived from the password, and then use pseudorandom indexing to
access the data, also based on the password. (scrypt does the same.)
This second phase is what we are talking about here. It is essential
to the algorithm, and cannot be written in a side-channel-safe way.
Some algorithms contain other side-channel-vulnerable features as
well, like S-boxes or division. Those can be protected, at the cost of
time and complexity.
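The two-phase structure described in the message above, modelled in code. This is an added toy example, not code from the poster, from scrypt, or from any PHC candidate: phase 1 fills a list of SHA-256 blocks chained from the password, and phase 2 walks that list. The scrypt-like variant picks each index from the running state (which depends on the password), so the sequence of memory addresses it touches is a function of the password and can be observed through cache timing. For comparison, a second variant picks indices from the salt and a counter only; its address trace is the same for every password, but it is a different algorithm rather than a side-channel-safe implementation of the first. The block sizes, salt and passwords are constructed for the demonstration, and the parameters are far too small to be a real password hash.

```python
"""Toy model of a two-phase, scrypt-style password hash and its address trace.

Added example (not from the original message or any real KDF).  Sizes are
tiny and this is NOT a secure password hash; it only exposes which memory
indices phase 2 reads so the two indexing strategies can be compared.
"""
import hashlib


def _h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


def fill_memory(password: bytes, salt: bytes, n: int) -> list[bytes]:
    """Phase 1: n pseudorandom 32-byte blocks, each chained from the previous one.

    Every block depends on the password, so the content of the big array is
    password-derived, as the message describes.
    """
    v = [_h(password, salt)]
    for _ in range(1, n):
        v.append(_h(v[-1]))
    return v


def mix_password_dependent(password: bytes, salt: bytes, n: int, rounds: int):
    """Phase 2, scrypt-like: the next index is taken from the running state.

    The state depends on the password, so the address trace does too.
    Returns (digest, list_of_indices_read).
    """
    v = fill_memory(password, salt, n)
    x = _h(v[-1])
    trace = []
    for _ in range(rounds):
        j = int.from_bytes(x[:8], "little") % n  # data-dependent address
        trace.append(j)
        x = _h(x, v[j])
    return x, trace


def mix_password_independent(password: bytes, salt: bytes, n: int, rounds: int):
    """Phase 2 variant: the index is derived from salt and counter only.

    The content read still depends on the password (phase 1 does), but the
    sequence of addresses does not, so cache timing reveals nothing about it.
    This changes the algorithm; it is not the same function made constant-time.
    """
    v = fill_memory(password, salt, n)
    x = _h(v[-1])
    trace = []
    for i in range(rounds):
        j = int.from_bytes(_h(salt, i.to_bytes(4, "little"))[:8], "little") % n
        trace.append(j)
        x = _h(x, v[j])
    return x, trace


# Constructed inputs for the demonstration (not from the original message).
SALT = b"constructed-salt"
PW_A = b"correct horse"
PW_B = b"battery staple"


def traces_leak_password(mix, n: int = 64, rounds: int = 32) -> bool:
    """True if two different passwords yield different memory-access traces."""
    _, t1 = mix(PW_A, SALT, n, rounds)
    _, t2 = mix(PW_B, SALT, n, rounds)
    return t1 != t2


def digests_differ(mix, n: int = 64, rounds: int = 32) -> bool:
    """Sanity check: both variants still produce password-dependent output."""
    d1, _ = mix(PW_A, SALT, n, rounds)
    d2, _ = mix(PW_B, SALT, n, rounds)
    return d1 != d2


if __name__ == "__main__":
    print("scrypt-like trace depends on password:",
          traces_leak_password(mix_password_dependent))
    print("salt/counter trace depends on password:",
          traces_leak_password(mix_password_independent))
```

Running it shows the scrypt-like walk producing a different index sequence for the two passwords while the salt/counter walk produces the same one for both; that address sequence is exactly what a co-resident attacker observes through cache timing, and it is inherent to how the scrypt-like phase 2 chooses its addresses rather than something a careful implementation can hide.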