1995-12-15 - Re: kocher’s timing attack

Header Data

From: Hal <hfinney@shell.portal.com>
To: jmb@FreeBSD.ORG
Message Hash: 24174d727647f83ce3df8b403f0d7780dbc8dc7a7cc98dacebb75fdab05ae6c2
Message ID: <199512151457.GAA27245@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1995-12-15 16:29:40 UTC
Raw Date: Sat, 16 Dec 1995 00:29:40 +0800

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Sat, 16 Dec 1995 00:29:40 +0800
To: jmb@FreeBSD.ORG
Subject: Re: kocher's timing attack
Message-ID: <199512151457.GAA27245@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


From: dreschs@austnsc.tandem.com (Sten Drescher)
> On Firewalls, "Jonathan M. Bresler" <jmb@FreeBSD.ORG> said:
> JMB> After
> JMB> several large key signing parties hundreds of known ciphertexts
> JMB> could have been generated using Alice's key--each one a public key
> JMB> of someone else.  over several years it piles up.  the known
> JMB> ciphertexts can be tested/analyzed to yield Alice's secret key.
> JMB> ouch.  ;/
> 
> 	Are you sure about this?  It would seem that the same principle
> would then apply to signed messages as well, and I find it a bit hard to
> believe that signing messages would make ones key pair vulnerable.

As Kocher's paper implies, the known ciphertext attack is a TIMING
attack.  Simply accumulating known text/signature pairs as you would have
after a "key signing party" does not help.  You must know exactly how
much time each signature took.

Hal





Thread