
The DFC cipher uses affine transformations mod $2^{64}+13$. Soon after DFC's publication, Ian Harvey raised the concern that reduction modulo a 65-bit number was beyond the native capabilities of most platforms, and that careful implementation would be required to protect against side-channel attacks, especially timing attacks.

Consider a cipher which is using affine transformations mod $2^{128}$. Is it still (it was 20 years ago) a problem to implement it securely? Will affine transformations mod $2^{64}$ make a big difference?

Nick Decroos
Tom
  • On which platform? It is always the case that careful implementation would be required to protect against side-channel attacks, especially timing attacks. – kelalaka May 23 '21 at 14:52
  • I didn't think of which platform it could be. I thought about a universal cipher, like AES. By the way, DFC was submitted to the AES competition. If it had won, would that be a problem today? – Tom May 23 '21 at 23:38
  • Which kind of side-channel attacks are you talking about? Just timing, or are you worried about differential power attacks (DPA), too? Protecting against the latter will be quite difficult, as already switching between boolean masks and arithmetic masks (modulo power of 2) is not easy. For timing attacks you'll have to hope that multiplication with 13 (to which reduction modulo $2^{64}+13$ is easily reduced) is constant time. (Dealing with the carries in constant time might also not be easy in C when adding values mod $2^{64}+13$.) – j.p. May 24 '21 at 08:14
  • I think about every possible kind of side-channel attack. And mostly I thought about modulo $2^{128}$. I have the choice to use modulo $2^{64}$ twice or modulo $2^{128}$ once. Implementing an affine transformation has to be done carefully, but does it make a big difference in terms of security to use mod $2^{64}$ or mod $2^{128}$? In both cases we have affine transformations and I do not fully understand what the threat may be when we use a larger modulo. – Tom May 24 '21 at 09:56
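To make j.p.'s point concrete, here is an added example (not from the question or any of the posters) of a branch-free reduction modulo $2^{64}+13$ in C, shown next to the variable-time `%` reference it replaces. It assumes a GCC/Clang compiler that provides `unsigned __int128`; the function names `reduce_ref`, `reduce_ct` and `affine_mod_p` are my own.

```c
#include <stdint.h>

/* Assumption: GCC/Clang with unsigned __int128. The 64x64->128 multiply is
 * left to the CPU; whether that instruction runs in constant time is a
 * property of the platform, not of this code. */
typedef unsigned __int128 u128;

/* The DFC modulus p = 2^64 + 13. Since 2^64 ≡ -13 (mod p), a 128-bit value
 * hi*2^64 + lo is congruent to lo - 13*hi, which is what makes reduction
 * cheap: one small multiply plus carry handling, no division. */
#define P ((((u128)1) << 64) + 13)

/* All-ones mask if the top bit of x is set (x "negative" in two's complement), else 0. */
static u128 mask_neg(u128 x) { return (u128)0 - (x >> 127); }

/* Variable-time reference: the generic 128-bit remainder. On most compilers
 * this becomes a library call whose running time depends on the operands,
 * which is exactly the timing leak discussed above. Use only for testing. */
u128 reduce_ref(uint64_t hi, uint64_t lo) { return ((((u128)hi) << 64) | lo) % P; }

/* Constant-time reduction of hi*2^64 + lo into [0, p). No secret-dependent
 * branches or memory accesses; the carries are resolved with masks. */
u128 reduce_ct(uint64_t hi, uint64_t lo)
{
    u128 t = (u128)hi * 13;                  /* 13*hi = t1*2^64 + t0, with t1 <= 12 */
    uint64_t t0 = (uint64_t)t, t1 = (uint64_t)(t >> 64);
    /* x ≡ lo - t0 - t1*2^64 ≡ lo - t0 + 13*t1 (mod p); |s| < 2^65, so the
     * sign is carried by the top bit of the 128-bit word. */
    u128 s = (u128)lo + 13 * (u128)t1 - (u128)t0;
    s += P & mask_neg(s);                   /* s < 0  -> s + p; now 0 <= s < p + 156 */
    u128 d = s - P;                         /* s >= p -> use s - p, otherwise keep s */
    u128 keep = mask_neg(d);
    return (s & keep) | (d & ~keep);
}

/* DFC-style affine map (a*x + b) mod p; DFC's round function then keeps only
 * the low 64 bits of this value. For 64-bit a, b, x, a*x + b < 2^128, so the
 * intermediate product cannot overflow. */
u128 affine_mod_p(uint64_t a, uint64_t b, uint64_t x)
{
    u128 ax_b = (u128)a * x + b;
    return reduce_ct((uint64_t)(ax_b >> 64), (uint64_t)ax_b);
}
```

Note that `reduce_ct` still relies on the compiler not turning the mask arithmetic back into a branch, which is worth checking in the generated assembly.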

1 Answer

I do not know of this cipher; however, if you explicitly calculate everything, i.e., do not use arrays or lookup tables, you are not susceptible to timing attacks. Basically, you treat the mathematics like you are on hardware, using only base logic, and it's quite slow, but it's safe because it takes equal time to calculate every value.

Having said that, you basically could not easily calculate something that large in this manner. $2^{64}$ is a huge number, and 64-bits quickly explodes into something large in the world of logic gates.

b degnan
  • You seem to assume that all CPUs have constant time multiplication. (See for example the second last page of https://crypto.iacr.org/2018/affevents/wac/medias/Hovav_Shacham.pdf) – j.p. May 25 '21 at 06:34
  • @j.p. I will clear up that I meant base logic; this excludes MUL functions. – b degnan May 25 '21 at 12:38