0

I'm trying to implement AES/DES/.. encryption/decryption in software without using any input dependent operations (specifically only using constant time not, and, or, xor operations and input independent array indexing/loops). Is there any way to implement input independent logical shift (someconst << key[3] & 5 etc.)?

Array indexing with input dependent variable, using hardware shifts with input dependent n, input dependent conditional jumps must be avoided and I don't care about code size/speed.

user20346036
  • 3
  • 2

1 Answers1

1

Depending on your requirements and which operations you can assume to be constant time, this code needs some additional modifications.
However, it might point you in the right direction (as the SELECT primitive is quite powerful for side-channel free code):

#define MAX_SHIFT 32 // maximum amount to be shifted

// this may not be constant time.
// However, you can find different (more ugly) ways to achieve the same thing.
// 1 -> 0
// 0 -> 0xff...
#define MASK(cond) (cond - 1) 

// again, make sure everything here is constant time according to your threat model
// (0, x, y) -> y
// (i, x, y) -> x (i != 0)
#define SELECT(cond, A, B) ((MASK(!(cond)) & A) | (MASK(!!(cond)) & B))

int shift(int value, int shift){
    int result = value;
    for(int i = 0; i <= MAX_SHIFT; i++){
        result = SELECT(i ^ shift, result, value);
        // this may not be constant time. If it is not, implement it yourself ;)
        value <<= 1; 
    }
    return result;
}

Note, however, that you have to make sure the compiler does not optimize this.
Also, CPUs may also employ operand-dependent performance optimizations, that may lead to timing differences.
In addition to this, transient execution attacks like Spectre may also be a possible threat.

In conclusion: It is almost impossible to write side-channel free code.

Lorenz Hetterich
  • 296
  • 5