AES timing variability graphs
D. J. Bernstein
Authenticators and signatures
A state-of-the-art message-authentication code
AES timing variability graphs
Introduction
Understanding the graphs
AMD Athlon
Intel Pentium M
IBM PowerPC RS64 IV
Sun UltraSPARC III
Introduction
See the separate page of
pictures
for an introduction.
Understanding the graphs
Each graph reports cycle counts for 256 AES keys and 256 AES inputs.
Each key was applied repeatedly to each input,
31000 times on average (or 310000 times when a second graph is shown),
in a random order.
The times for each (key,input) pair were averaged,
producing 65536 numbers,
which were then sorted and graphed.
In other words,
the graph shows the distribution of average cycle counts.
Averages are interesting from a timing-attack perspective
because they can easily be computed from noisy samples.
For example, a 10-cycle difference in averages
can be seen through 10000 cycles of noise
after roughly 1 million samples.
``Good'' graphs are close to a normal distribution,
with a small variance that depends on the CPU's time variance.
``Bad'' graphs have much larger variance,
and often several changes in convexity.
Here's how to generate your own graphs:
./v2 \
| sort -n \
| graph -a -x 0 65535 -N X -h 0.9 -u 0.05 -w 0.8 -r 0.17 -Tpng \
> v2.png
AMD Athlon
OpenSSL:
Gladman:
My aes_athlon:
Intel Pentium M
OpenSSL:
Gladman:
Gladman, using 1K tables:
My aes_ppro:
IBM PowerPC RS64 IV
OpenSSL:
My aes_aix:
Sun UltraSPARC III
OpenSSL:
My aes_sparc:
