D. J. Bernstein
Hash functions and ciphers
Notes on the ECRYPT Stream Cipher Project (eSTREAM)


Software handling secret data, and cryptographic software in particular, must be careful to avoid leaking secrets through side channels. Plugging a side-channel leak can drastically increase the cost of building and using the software. Similar comments apply to hardware.

The AES designers believed, incorrectly, that table lookup was ``not vulnerable to timing attacks.'' See Section 7 of my paper Cache-timing attacks on AES for further discussion of this design error. It is, in fact, extremely difficult to write constant-time high-speed AES software for modern CPUs. I see this as one of the big reasons that a new cipher-design process can do better than the AES design process.
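To make the distinction concrete, here is an added example (not code from this page or from any AES implementation) contrasting the leaky pattern with one way of removing it. The table is a constructed 256-entry byte permutation, not the AES S-box; the function names and the mask construction are this example's own. The variable-time version reads one address chosen by the secret index, so which cache line it touches depends on the secret. The constant-time version reads every entry in a fixed order and keeps the wanted one with a branch-free mask, so the memory access pattern is independent of the index.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 256

/* Constructed sample table (NOT the AES S-box): an arbitrary byte permutation
   so the two lookups can be checked against each other. */
static uint8_t sample_table[TABLE_SIZE];

void init_sample_table(void) {
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        /* 167 is odd, so i -> 167*i + 31 (mod 256) is a permutation */
        sample_table[i] = (uint8_t)((i * 167u + 31u) & 0xffu);
}

/* Leaky pattern: the address read depends on the secret index, so the cache
   line touched, and with it the timing, depends on the secret. */
uint8_t lookup_variable_time(const uint8_t *table, uint8_t secret_index) {
    return table[secret_index];
}

/* Constant-time alternative: read all TABLE_SIZE entries in the same order on
   every call and select the wanted one with a mask computed without branches. */
uint8_t lookup_constant_time(const uint8_t *table, uint8_t secret_index) {
    uint8_t result = 0;
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        uint32_t diff = (uint32_t)(i ^ secret_index);      /* 0 only when i == secret_index */
        /* (diff - 1) wraps to 0xffffffff when diff == 0, otherwise stays below 255,
           so shifting by 24 yields 0xff for the wanted entry and 0x00 for all others.
           Unsigned 32-bit arithmetic avoids signed-overflow and shift pitfalls. */
        uint8_t mask = (uint8_t)((diff - 1u) >> 24);
        result |= table[i] & mask;
    }
    return result;
}

/* Returns 1 if both lookups agree on every possible index, else 0. */
int lookups_agree(void) {
    init_sample_table();
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        if (lookup_variable_time(sample_table, (uint8_t)i) !=
            lookup_constant_time(sample_table, (uint8_t)i))
            return 0;
    }
    return 1;
}

int main(void) {
    printf("lookups agree on all 256 indices: %s\n", lookups_agree() ? "yes" : "no");
    return 0;
}
```

The cost is visible immediately: the constant-time version performs 256 loads and 256 mask operations where the original performed one, which is the kind of slowdown the text refers to when it says plugging a leak can drastically increase the cost of the software. Real constant-time AES implementations reduce that overhead with bitsliced or vector-permute designs rather than a linear scan, and in every case the property has to be confirmed in the compiled output, since an optimizing compiler may replace the mask with a branch or the scan with a single indexed load.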

So far eSTREAM has seen very little study of side-channel leaks, even the simplest timing leaks. How expensive is protected stream-cipher software? Here are my initial impressions of the timing leaks from various stream ciphers:

Fischer, Gammel, Kniffler, and Velten (SASC 2007) reported successful differential power analysis of Trivium and Grain.