Figure caption: An example of a timing attack being performed on the web cache. The graph on the left denotes a case where the timing attack is successfully able to detect a cached image, whereas the one on the right is unable to do the same.

In cryptography, a timing attack is a side-channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time to execute, and the time can differ based on the input; with precise measurements of the time for each operation, an attacker can work backwards to the input. Finding secrets through timing information may be significantly easier than using cryptanalysis of known plaintext, ciphertext pairs. Sometimes timing information is combined with cryptanalysis to increase the rate of information leakage.

Information can leak from a system through measurement of the time it takes to respond to certain queries. How much this information can help an attacker depends on many variables: cryptographic system design, the CPU running the system, the algorithms used, assorted implementation details, timing attack countermeasures, the accuracy of the timing measurements, etc. Timing attacks can be applied to any algorithm that has data-dependent timing variation. Removing timing dependencies is difficult in some algorithms that use low-level operations that frequently exhibit varied execution time.

Timing attacks are often overlooked in the design phase because they are so dependent on the implementation and can be introduced unintentionally with compiler optimizations. Avoidance of timing attacks involves design of constant-time functions and careful testing of the final executable code.

Avoidance

Many cryptographic algorithms can be implemented (or masked by a proxy) in a way that reduces or eliminates data-dependent timing information, a constant-time algorithm. Consider an implementation in which every call to a subroutine always returns in exactly x seconds, where x is the maximum time it ever takes to execute that routine on every possible authorized input. In such an implementation, the timing of the algorithm is less likely to leak information about the data supplied to that invocation. The downside of this approach is that the time used for all executions becomes that of the worst-case performance of the function.

The data-dependency of timing may stem from one of the following:

- Non-local memory access, as the CPU may cache the data. Software run on a CPU with a data cache will exhibit data-dependent timing variations as a result of memory lookups into the cache.
- Conditional jumps. Modern CPUs try to speculatively execute past jumps by guessing. Guessing wrong (not uncommon with essentially random secret data) entails a measurable large delay as the CPU tries to backtrack. This requires writing branch-free code.
- Some "complicated" mathematical operations, depending on the actual CPU hardware:
  - Integer division is almost always non-constant time. The CPU uses a microcode loop that uses a different code path when either the divisor or the dividend is small.
  - CPUs without a barrel shifter run shifts and rotations in a loop, one position at a time. As a result, the amount to shift must not be secret.
  - Older CPUs run multiplications in a way similar to division.

Examples

The execution time for the square-and-multiply algorithm used in modular exponentiation depends linearly on the number of '1' bits in the key. While the number of '1' bits alone is not nearly enough information to make finding the key easy, repeated executions with the same key and different inputs can be used to perform statistical correlation analysis of timing information to recover the key completely, even by a passive attacker. Observed timing measurements often include noise (from such sources as network latency, or disk drive access differences from access to access, and the error correction techniques used to recover from transmission errors). Nevertheless, timing attacks are practical against a number of encryption algorithms, including RSA, ElGamal, and the Digital Signature Algorithm.
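As an added illustration of the square-and-multiply dependency described above (this code is not from the article): left-to-right square-and-multiply with a multiplication counter, beside a Montgomery ladder with a masked conditional swap, whose operation count depends only on the exponent's bit length. It assumes a modulus below 2^32 so that 64-bit products do not overflow; note that the % reduction is itself the non-constant-time integer division the Avoidance section warns about, so the ladder fixes only the number of multiplications, not every timing source.

```c
#include <stdint.h>

/* Result of one modular exponentiation together with the number of modular
 * multiplications (squarings included) performed to compute it. */
typedef struct {
    uint64_t result;
    unsigned ops;
} modexp_trace;

static unsigned bit_length(uint64_t x) {
    unsigned n = 0;
    while (x) { n++; x >>= 1; }
    return n;
}

/* Left-to-right square-and-multiply. Squarings: bit_length(exp) - 1.
 * Extra multiplications: one per '1' bit after the leading bit, so the
 * total work grows linearly with the number of '1' bits in the exponent. */
modexp_trace square_and_multiply(uint64_t base, uint64_t exp, uint64_t m) {
    modexp_trace t = { 1 % m, 0 };
    uint64_t b = base % m;
    unsigned n = bit_length(exp);
    if (n == 0) return t;               /* base^0 == 1 */
    t.result = b;
    for (int i = (int)n - 2; i >= 0; i--) {
        t.result = (t.result * t.result) % m;
        t.ops++;
        if ((exp >> i) & 1) {           /* secret-dependent branch */
            t.result = (t.result * b) % m;
            t.ops++;
        }
    }
    return t;
}

/* Montgomery ladder: exactly one squaring and one multiplication per bit,
 * whichever value the bit has, so ops depends only on bit_length(exp).
 * The bit chooses which register plays which role through a masked swap
 * instead of an if/else, so the loop body has no branch on the exponent. */
modexp_trace montgomery_ladder(uint64_t base, uint64_t exp, uint64_t m) {
    modexp_trace t = { 0, 0 };
    uint64_t r0 = 1 % m, r1 = base % m, mask, x;
    for (int i = (int)bit_length(exp) - 1; i >= 0; i--) {
        mask = (uint64_t)0 - ((exp >> i) & 1);   /* all ones when bit set */
        x = (r0 ^ r1) & mask; r0 ^= x; r1 ^= x;  /* conditional swap */
        r1 = (r0 * r1) % m;
        r0 = (r0 * r0) % m;
        x = (r0 ^ r1) & mask; r0 ^= x; r1 ^= x;  /* swap back */
        t.ops += 2;
    }
    t.result = r0;
    return t;
}
```

For a 4-bit exponent, exponents 8 (0b1000), 13 (0b1101) and 15 (0b1111) cost the square-and-multiply routine 3, 5 and 6 multiplications respectively, while the ladder always performs 8.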
In 2003, Boneh and Brumley demonstrated a practical network-based timing attack on SSL-enabled web servers, based on a different vulnerability having to do with the use of RSA with Chinese remainder theorem optimizations. The actual network distance was small in their experiments, but the attack successfully recovered a server private key in a matter of hours. This demonstration led to the widespread deployment and use of blinding techniques in SSL implementations. In this context, blinding is intended to remove correlations between key and encryption time.

Some versions of Unix use a relatively expensive implementation of the crypt library function for hashing an 8-character password into an 11-character string. On older hardware, this computation took a deliberately and measurably long time: as much as two or three seconds in some cases. The login program in early versions of Unix executed the crypt function only when the login name was recognized by the system. This leaked information through timing about the validity of the login name, even when the password was incorrect. An attacker could exploit such leaks by first applying brute force to produce a list of login names known to be valid, then attempt to gain access by combining only these names with a large set of passwords known to be frequently used. Without any information on the validity of login names, the time needed to execute such an approach would increase by orders of magnitude, effectively rendering it useless. Later versions of Unix have fixed this leak by always executing the crypt function, regardless of login name validity.

Two otherwise securely isolated processes running on a single system with either cache memory or virtual memory can communicate by deliberately causing page faults and/or cache misses in one process, then monitoring the resulting changes in access times from the other. Likewise, if an application is trusted, but its paging/caching is affected by branching logic, it may be possible for a second application to determine the values of the data compared to the branch condition by monitoring access time changes; in extreme examples, this can allow recovery of cryptographic key bits.

The 2017 Meltdown and Spectre attacks, which forced CPU manufacturers (including Intel, AMD, ARM, and IBM) to redesign their CPUs, both rely on timing attacks. As of early 2018, almost every computer system in the world is affected by Spectre.

Timing attacks are difficult to prevent and can often be used to extend other attacks. For example, in 2018, an old attack on RSA was rediscovered in a timing side-channel variant, two decades after the original bug.

Algorithm

The following C code demonstrates a typical insecure string comparison which stops testing as soon as a character doesn't match. For example, when comparing "ABCDE" with "ABxDE" it will return after 3 loop iterations:

    #include <stdbool.h>
    #include <stddef.h>

    bool insecureStringCompare(const void *a, const void *b, size_t length) {
        const char *ca = a, *cb = b;
        for (size_t i = 0; i < length; i++)
            if (ca[i] != cb[i])
                return false;   /* early exit: running time reveals where the first mismatch is */
        return true;
    }

By comparison, the following version runs in constant time by testing all characters and using a bitwise operation to accumulate the result:

    bool constantTimeStringCompare(const void *a, const void *b, size_t length) {
        const char *ca = a, *cb = b;
        bool result = true;
        for (size_t i = 0; i < length; i++)
            result &= ca[i] == cb[i];   /* every byte is visited regardless of earlier mismatches */
        return result;
    }

In the world of C library functions, the first function is analogous to memcmp(), while the latter is analogous to NetBSD's consttime_memequal() or OpenBSD's timingsafe_bcmp() and timingsafe_memcmp(). On other systems, the comparison function from cryptographic libraries like OpenSSL and libsodium can be used.
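The library idiom the text names (NetBSD's consttime_memequal(), OpenBSD's timingsafe_bcmp()), written out as an added example that is not the article's own code: the XOR of each byte pair is OR-ed into an accumulator instead of using a boolean &=, so neither the loop nor the final answer involves a data-dependent branch. An instrumented early-exit comparison counts loop iterations to make the "3 loop iterations" leak measurable, and verify_tag is a hypothetical wrapper showing the usual use, checking a MAC tag whose length is public.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constant-time equality in the style of consttime_memequal()/timingsafe_bcmp():
 * visits every byte, has no data-dependent exit, and derives the 0/1 answer
 * arithmetically rather than with a conditional on the accumulated difference. */
bool ct_memequal(const void *a, const void *b, size_t len) {
    const unsigned char *ca = a, *cb = b;
    unsigned int diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned int)(ca[i] ^ cb[i]);
    /* diff is in 0..255; (diff - 1) >> 8 is nonzero only when diff == 0 */
    return (bool)(1 & ((diff - 1) >> 8));
}

/* Instrumented early-exit comparison: returns the number of loop iterations
 * the insecure version executes, i.e. the quantity its running time exposes
 * (the index of the first mismatching byte plus one). Here only to make the
 * leak visible in a test; not a comparison to use. */
size_t early_exit_iterations(const void *a, const void *b, size_t len) {
    const unsigned char *ca = a, *cb = b;
    size_t i;
    for (i = 0; i < len; i++)
        if (ca[i] != cb[i])
            return i + 1;
    return len;
}

/* Typical use (hypothetical helper): comparing a received MAC tag with the
 * expected one. Tag lengths are public, so rejecting a wrong length first
 * leaks nothing new; the tag bytes themselves are compared in constant time. */
bool verify_tag(const unsigned char *expected, size_t expected_len,
                const unsigned char *received, size_t received_len) {
    if (expected_len != received_len)
        return false;
    return ct_memequal(expected, received, expected_len);
}
```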
Notes

Timing attacks are easier to mount if the adversary knows the internals of the hardware implementation, and even more so, the cryptographic system in use. Since cryptographic security should never depend on the obscurity of either (see security through obscurity, specifically both Shannon's Maxim and Kerckhoffs's principle), resistance to timing attacks should not either. If nothing else, an exemplar can be purchased and reverse engineered. Timing attacks and other side-channel attacks may also be useful in identifying, or possibly reverse-engineering, a cryptographic algorithm used by some device.

References

- "Constant-Time Crypto". BearSSL. Retrieved 10 January 2017.
- "A beginner's guide to constant-time cryptography". Retrieved 9 May 2021.
- David Brumley and Dan Boneh. Remote timing attacks are practical. USENIX Security Symposium, August 2003.
- See Percival, Colin, Cache Missing for Fun and Profit, 2005.
- Bernstein, Daniel J., Cache-timing attacks on AES, 2005.
- Horn, Jann (3 January 2018). "Reading privileged memory with a side-channel". googleprojectzero.blogspot.com.
- "Spectre systems FAQ". Meltdown and Spectre.
- "Security flaws put virtually all phones, computers at risk". Reuters. 4 January 2018.
- "Potential Impact on Processors in the POWER Family". IBM PSIRT Blog. 14 May 2019.
- Kario, Hubert. "The Marvin Attack". people.redhat.com. Retrieved 19 December 2023.
- "Consttime_memequal".

Further reading

- Paul C. Kocher. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO 1996: 104–113.
- Lipton, Richard; Naughton, Jeffrey F. (March 1993). "Clocked adversaries for hashing". Algorithmica. 9 (3): 239–252. doi:10.1007/BF01190898. S2CID 19163221.
- Reparaz, Oscar; Balasch, Josep; Verbauwhede, Ingrid (March 2017). "Dude, is my code constant time?" (PDF). Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017. pp. 1697–1702. doi:10.23919/DATE.2017.7927267. ISBN 978-3-9815370-8-6. S2CID 35428223. Describes dudect, a simple program that times a piece of code on different data.

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.