Cryptographic libraries mostly use pre-computed lookup tables to implement block ciphers. These lookup tables require a large amount of memory, and a series of cache misses/hits makes them vulnerable to cache timing attacks. Are there any other disadvantages of lookup-table-based implementations?
- Why do we need more disadvantages than that? If the table lookups are still used, shouldn't you be looking for advantages instead? Are large memory requirements really such a big deal for a software implementation? It needs to be a rather large table before it doesn't fit in my 1st level cache anymore to start with. I see a lot of presumptions here, and a rather strange introduction for the question itself. – Maarten Bodewes Jul 17 '19 at 13:10
- You can countermeasure the cache attack very easily. Just access all the keys regardless of usage. – kelalaka Jul 17 '19 at 20:42
- @kelalaka, any rough estimate about the overhead of the suggested method? – crypt Jul 18 '19 at 13:08
- AFAIK, OpenSSL uses this method. Maybe you can find some numbers over there. – kelalaka Jul 18 '19 at 13:38
- @khan you could do a bit-sliced implementation, but what a pain. Alternatively, if you are superuser, you could either lock the cache or disable it for an address range in the MMU. http://www.moserware.com/2008/09/how-do-locks-lock.html – b degnan Jul 18 '19 at 16:27
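The countermeasure kelalaka describes in the comments above (read every table entry regardless of which one is needed), sketched in C as an added example that is not part of the original thread and is not OpenSSL's code. The 256-byte table is a constructed stand-in rather than the AES S-box, and all function names are hypothetical.

```c
#include <stdint.h>

#define TABLE_SIZE 256

/* Constructed stand-in table (an affine byte permutation), NOT the AES S-box. */
static void build_table(uint8_t t[TABLE_SIZE]) {
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        t[i] = (uint8_t)(i * 7u + 99u);
}

/* Conventional lookup: the address that is read depends on the secret index,
 * so which cache line gets loaded depends on the secret as well. */
static uint8_t lookup_direct(const uint8_t t[TABLE_SIZE], uint8_t secret_idx) {
    return t[secret_idx];
}

/* 0xFF when a == b, 0x00 otherwise, computed without a branch. */
static uint8_t ct_eq_mask(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;            /* zero only when a and b are equal */
    x = (x | (0u - x)) >> 31;      /* 1 when different, 0 when equal */
    return (uint8_t)(x - 1u);
}

/* Full-scan lookup: every entry is read in the same order for every index,
 * and the wanted byte is selected with a mask instead of an address. */
static uint8_t lookup_scan(const uint8_t t[TABLE_SIZE], uint8_t secret_idx) {
    uint8_t out = 0;
    for (uint32_t i = 0; i < TABLE_SIZE; i++)
        out |= (uint8_t)(t[i] & ct_eq_mask(i, secret_idx));
    return out;
}

/* Number of indices where the two lookups disagree (expected: 0). */
static unsigned count_mismatches(void) {
    uint8_t t[TABLE_SIZE];
    unsigned bad = 0;
    build_table(t);
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        bad += lookup_direct(t, (uint8_t)i) != lookup_scan(t, (uint8_t)i);
    return bad;
}

int main(void) {
    return count_mismatches() == 0 ? 0 : 1;
}
```

Each lookup now costs 256 reads and mask operations instead of one, which is the overhead asked about in the comments; inspecting the compiled output confirms whether the compiler kept the loop free of secret-dependent branches.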
2 Answers
The disadvantages are simply the side-channel attacks that you mention. I can think of no other disadvantages from either a cryptographic or hardware angle. I have a description of cache and attacks from a hardware perspective.
The advantages are pretty clear:
- simplicity in implementation so that the mathematics is correct;
- it's faster than a bit-slice implementation, and
- it's smaller than doing the inverse mathematics for the irreducible polynomial.
Also, in non-x86 environments, these attacks are mitigated through a cache lock where you do not flush the cache so you cannot miss.

Maarten Bodewes

b degnan
- One possible disadvantage is a higher cache pressure for large lookup tables. – forest Jul 18 '19 at 00:58
- @forest good point. I'm not sure of the largest lookup table used in a cryptographic algorithm. – b degnan Jul 18 '19 at 16:25
- Many optimized implementations use a lot of lookup tables. AES has quite a few (far more than just a single 8-bit S-box). It can certainly put pressure on the L1d cache. – forest Jul 20 '19 at 06:23
I can think of two disadvantages:
One issue with look-up tables (such as the T-implementation of AES) is when you target a low-memory environment.
Software masking of look-up tables to protect against side channels requires the addition of extra memory (An Efficient Masking Scheme for AES Software Implementations).