This repository has been archived by the owner on Dec 13, 2022. It is now read-only.
Parameterize AES proof over s-box #734
Labels
P3
Very low priority item
Comments
|
We're prioritizing HMAC development instead, so I'm downgrading the priority of this change. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The AES s-box can be implemented in a wide variety of ways, with different timing properties and side-channel resistances. However, all of these implementations can easily be tested exhaustively, because the s-box has only 256 cases. Therefore, it seems to me that it's low-hanging fruit to write our AES proofs in such a way that any s-box implementation can be plugged in. We can still provide an end-to-end proof that plugs in the LUT or Canright s-box, but that proof would be just a specialization of one that can take any s-box.
Some of the s-box implementations take multiple cycles, so this would involve changing the
cipherimplementation to accept subroutines -- at leastsub_bytes-- asCircuits instead of purely combinational components. Likewise,sub_byteswould need to allow a multi-cycle s-box.The text was updated successfully, but these errors were encountered: