

AES timing variability at a glance (2005) - ColinWright
http://cr.yp.to/mac/variability1.html

======
omra
I highly recommend reading the explanation on how this is significant; it goes
into more depth about timing attacks:

[http://cr.yp.to/antiforgery/cachetiming-20050414.pdf](http://cr.yp.to/antiforgery/cachetiming-20050414.pdf)

~~~
pbsd
And a more recent revisiting of this subject,
[http://cseweb.ucsd.edu/~hovav/dist/aes_cache.pdf](http://cseweb.ucsd.edu/~hovav/dist/aes_cache.pdf)

------
vilhelm_s
So it seems that modern Intel x86 processors have hardware support for AES
([http://en.wikipedia.org/wiki/AES_instruction_set](http://en.wikipedia.org/wiki/AES_instruction_set)).
Does that solve the problem?

~~~
pbsd
Pretty much, yes. The instructions are constant-time.

------
bradleyjg
I like the presentation with the colored graphs; it is definitely a good way
of demonstrating the problem.

However, for his own implementation, it's hard to see how significant the
residual timing attacks are. In fact, just looking at the graph, and without
the acknowledgment in the introduction, I'd be hard pressed to say that those
pictures had any irregularity at all.

~~~
rheide
Wouldn't that just mean that you need a lot more tries to do a successful
timing attack? Not sure if the regularity of his algorithm is enough to make
it entirely impractical. I'm not even sure if it's not entirely impractical
already using one of the less regular algorithms.

------
caf
It would be interesting to see how things have progressed (or haven't) in the
intervening years.

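The leak the thread is discussing, and the constant-time fix pbsd alludes to, as an added example in C. This is not code from the thread, from cr.yp.to or from the linked papers; the names (`sbox_table`, `sbox_ct`, `evict_and_time`) and the evict-and-time harness are this example's own. It builds the AES S-box from the field arithmetic, then compares the textbook table lookup, whose load address depends on the secret-derived byte, with a lookup that touches every entry and selects by mask, so its memory access pattern is independent of the input. The harness flushes the cache line holding the first 64 entries before each timed lookup and reports the median cycle count per input byte, the same statistic Bernstein uses to suppress interrupt noise.

```c
/* Added example, not code from cr.yp.to or the linked papers: a data-dependent
 * S-box lookup, a constant-time replacement, and an evict-and-time harness.
 * The clflush/rdtsc parts are x86-only and guarded; elsewhere no line is
 * evicted and clock_gettime is used, so the timing columns will be flat. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

static uint8_t SBOX[256];

/* Multiply in GF(2^8) modulo x^8+x^4+x^3+x+1, the AES field polynomial. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) p ^= a;
        uint8_t carry = a & 0x80;
        a <<= 1;
        if (carry) a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

/* Fill SBOX: multiplicative inverse (x^254, with 0 -> 0), then the affine map. */
static void build_sbox(void)
{
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0, base = (uint8_t)x, r = 1;
        for (int e = 254; e; e >>= 1) {
            if (e & 1) r = gf_mul(r, base);
            base = gf_mul(base, base);
        }
        if (x) inv = r;
        uint8_t s = inv;
        for (int k = 1; k <= 4; k++)
            s ^= (uint8_t)((inv << k) | (inv >> (8 - k)));
        SBOX[x] = s ^ 0x63;
    }
}

/* Textbook lookup: the load address depends on x, so which cache line is
 * touched (and how long the load takes) leaks x to a cache-timing attacker. */
static uint8_t sbox_table(uint8_t x) { return SBOX[x]; }

/* Constant-time lookup: reads every entry and selects with a mask, so the
 * access pattern is identical for every x. Slower, but nothing to observe. */
static uint8_t sbox_ct(uint8_t x)
{
    uint8_t r = 0;
    for (unsigned i = 0; i < 256; i++) {
        uint8_t m = (uint8_t)(((i ^ x) - 1u) >> 8); /* 0xff iff i == x */
        r |= SBOX[i] & m;
    }
    return r;
}

/* 1 iff the two lookups agree on every input byte. */
static int sbox_ct_matches_table(void)
{
    build_sbox();
    for (int x = 0; x < 256; x++)
        if (sbox_ct((uint8_t)x) != sbox_table((uint8_t)x)) return 0;
    return 1;
}

static uint64_t now(void)
{
#if defined(__x86_64__) || defined(__i386__)
    _mm_mfence();
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* Evict the cache line holding SBOX[0..63]; no-op off x86. */
static void flush_line0(void)
{
#if defined(__x86_64__) || defined(__i386__)
    _mm_clflush(&SBOX[0]);
#endif
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median time of one lookup of byte x through f, after evicting line 0. */
static uint64_t evict_and_time(uint8_t (*f)(uint8_t), uint8_t x, int reps)
{
    uint64_t *t = malloc(sizeof *t * reps);
    volatile uint8_t sink = 0;
    for (int i = 0; i < reps; i++) {
        flush_line0();
        uint64_t t0 = now();
        sink ^= f(x);
        t[i] = now() - t0;
    }
    qsort(t, reps, sizeof *t, cmp_u64);
    uint64_t med = t[reps / 2];
    free(t);
    return med;
}

int main(void)
{
    printf("ct lookup matches table on all inputs: %d\n", sbox_ct_matches_table());
    printf("x     table  ct   (median cycles, line 0 flushed before each lookup)\n");
    for (int x = 0; x < 256; x += 32)
        printf("0x%02x  %5llu  %5llu\n", x,
               (unsigned long long)evict_and_time(sbox_table, (uint8_t)x, 2000),
               (unsigned long long)evict_and_time(sbox_ct, (uint8_t)x, 2000));
    return 0;
}
```

On an x86 machine the `table` column is higher for x in 0x00..0x3f, the inputs that hit the flushed line, and lower for the rest, which is exactly the per-byte structure Bernstein's plots show; the `ct` column is uniformly high, because every lookup touches the flushed line regardless of x. Absolute numbers depend on the machine and are not stable across runs, which is why the harness reports medians rather than single samples. A table-driven AES has the same problem at every T-table access, and a constant-time AES has to apply this treatment (or bitslicing, or AES-NI as discussed above) to all of them, not just the S-box.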
