Re: timing attacks.

Mike Rosing (eresrch@msn.fullfeed.com)
Wed, 24 Jun 1998 08:44:03 -0500 (CDT)

• Next message: Bruce Schneier: "Re: TEA (was Re: filesystem encryption)"
• Previous message: Adam Shostack: "Re: cryptanalysis for beginners.."
• In reply to: Bruce Schneier: "Re: cryptanalysis for beginners.."
• Next in thread: burt rosenberg: "Re: timing attacks."
• Reply: burt rosenberg: "Re: timing attacks."

On Tue, 23 Jun 1998, burt rosenberg wrote:

>
> Kocher's "Timing Attacks on Implementations ..." suggests
> as a possible remedy using blinding factors.
>
> Could also the following be used, which might be simpler:
>
> given y, compute y^x (n) by selecting a random splitting
> of x as x_1 + x_2 = x (or x + k phi(n) if x is uncomfortably
> small) and use the property:
>
> y^x = y^(x_1+x_2) = y^(x_1) y^(x_2) (n)
>
> Assuming the split can be done without leaving a signature
> of x in the timing, wouldn't this leave the attacker with
> collecting statistics about timings of y^{a random x}?

A simpler solution is to fill the time so a bit set or clear in x doesn't
change the overall timing. When doing the exponentiation you double, then
if the bit is set do a multiply. If the bit is clear, do a dummy multiply
instead of nothing. That eliminates the timing (and power :-) attack.
It's also a lot simpler to code and less confusing for the next guy who
has to fix the code to follow along.

Patience, persistence, truth,
Dr. mike

• Next message: Bruce Schneier: "Re: TEA (was Re: filesystem encryption)"
• Previous message: Adam Shostack: "Re: cryptanalysis for beginners.."
• In reply to: Bruce Schneier: "Re: cryptanalysis for beginners.."
• Next in thread: burt rosenberg: "Re: timing attacks."
• Reply: burt rosenberg: "Re: timing attacks."