Re: timing attacks.


burt rosenberg (burt@passaic.cs.miami.edu)
Wed, 24 Jun 1998 20:45:35 -0400 (EDT)


>
>
> On Wed, 24 Jun 1998, burt rosenberg wrote:
>
> >
> > this solution, to fill time, is most likely faster, and possibly
> > simpler, but it doesn't fully cover the calculation's tracks.
>
> How do you mean it doesn't cover the calculation's tracks? Every
> y^x will take the exact same time no matter what x is. This is slower,
> not faster, but it's a defense.
>

say we do:

        t1 = multiply( s, s ) ; // the square
        t2 = multiply( t1, y ) ; // the multiply, just in case
        if ( bit(i,x) ) s = t2 ;
        else s = t1 ;

to keep the times for one stage the same, but s is now
either y*s*s or s*s, and it is possible that in the next
stage (y*s*s)^2 gives a different timing than (s*s)^2.

actually, this is covered in a parenthetical remark in the
orig. paper. even w/ this care, it cannot be said that
timing{y^x} is not a function of x, hence can possibly
be leaking info. about x.

-burt
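
The effect described in this message, shown as an added example that is not part of the original post: every stage performs one square and one multiply, yet the operands of later stages depend on x, so any operand-dependent step inside the multiply still varies with x. The modulus `N`, the `trace` struct, `modexp_always`, and the cost model (a reduction that runs only when the product is at least `N`) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define N 101u                      /* toy modulus, constructed for this example */

struct trace { uint32_t result; unsigned mul_calls, slow_paths; };

/* Toy multiply mod N. The reduction runs only when the product is >= N,
   standing in for any operand-dependent step inside a real bignum multiply. */
static uint32_t multiply(uint32_t a, uint32_t b, struct trace *t) {
    uint32_t p = a * b;             /* a, b < N, so no overflow */
    t->mul_calls++;
    if (p >= N) { p %= N; t->slow_paths++; }
    return p;
}

/* y^x mod N, scanning `bits` bits of x from the top; both products are
   computed at every stage and one is selected without branching on x. */
static struct trace modexp_always(uint32_t y, uint32_t x, int bits) {
    struct trace t = {0, 0, 0};
    uint32_t s = 1;
    for (int i = bits - 1; i >= 0; i--) {
        uint32_t t1 = multiply(s, s, &t);       /* the square */
        uint32_t t2 = multiply(t1, y, &t);      /* the multiply, always done */
        uint32_t mask = 0u - ((x >> i) & 1u);   /* all ones if bit i of x is set */
        s = (t2 & mask) | (t1 & ~mask);
    }
    t.result = s;
    return t;
}

int main(void) {
    const uint32_t xs[] = {1, 8, 15};           /* constructed sample exponents */
    for (int k = 0; k < 3; k++) {
        struct trace t = modexp_always(3, xs[k], 4);
        printf("x=%2u  3^x mod %u=%2u  multiplies=%u  slow paths=%u\n",
               xs[k], N, t.result, t.mul_calls, t.slow_paths);
    }
    return 0;
}
```

All three exponents cost exactly 8 calls to `multiply`, but the number of calls that take the reduction path differs per exponent, which is the residual dependence on x.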



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:02 ADT