1995-12-12 - Re: Timing Cryptanalysis Attack

Header Data

From: Peter Monta <pmonta@qualcomm.com>
To: cypherpunks@toad.com
Message Hash: 32457fef380fd5da252471fb3f77e956b59b7ebb4e71c0f8665231528b5c27b8
Message ID: <199512112049.MAA26431@mage.qualcomm.com>
Reply To: <30CC02F5.4487@netscape.com>
UTC Datetime: 1995-12-12 06:37:57 UTC
Raw Date: Tue, 12 Dec 1995 14:37:57 +0800

Raw message

From: Peter Monta <pmonta@qualcomm.com>
Date: Tue, 12 Dec 1995 14:37:57 +0800
To: cypherpunks@toad.com
Subject: Re: Timing Cryptanalysis Attack
In-Reply-To: <30CC02F5.4487@netscape.com>
Message-ID: <199512112049.MAA26431@mage.qualcomm.com>
MIME-Version: 1.0
Content-Type: text/plain


> > I for one will probably add a flag for conditional compilation of my
> > bignumber library so that it will take constant time.  This may be a
> > 10% slow down (using small windows exponentiation) which is trivial
> > compared to the 30% speedup I will probably get when I implement a
> > faster mod function :-).
> 
> Careful.  Even if you can make the number of executed instructions the
> same, you still have to worry about timing differences due to branches
> and the way the hardware multiplier handles different operands.

No, he's saying to equalize wall-clock time---just pad out beyond the
largest possible execution time with a timer.  Surely with a sufficient
pad the timing-channel leak can be made negligible (though the author
seems to claim otherwise---I should read the explanation!).

Peter Monta
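The "pad out to a fixed wall-clock deadline" idea discussed above, as an added example that is not part of Peter Monta's message or the thread. The toy square-and-multiply below does one extra multiply per set exponent bit, so its running time leaks the Hamming weight of the secret exponent; the padded wrapper runs it and then spins until a fixed deadline, and also reports when the work overran the budget, which is the case where the pad is too small and the tail still leaks. The function names, the toy parameters and the 2x safety margin are assumptions made for the illustration; a real bignum library would also have to account for operand-dependent multiplier and cache timing, which this toy does not model.

```python
"""Padding a variable-time exponentiation to a fixed wall-clock deadline.

Added example, not code from the original message.  Names, parameters and
the 2x margin in worst_case_budget are assumptions for illustration only.
"""
import time


def modexp_leaky(base: int, exp: int, mod: int):
    """Left-to-right square-and-multiply.

    Returns (result, multiplies).  The extra multiply happens only for the
    set bits of exp, so the multiply count, and with it the running time,
    equals the Hamming weight of the secret exponent.  This is the
    data-dependent branch the thread is worried about.
    """
    result = 1
    multiplies = 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        if bit == "1":                  # secret-dependent branch
            result = (result * base) % mod
            multiplies += 1
    return result, multiplies


def modexp_padded(base: int, exp: int, mod: int, budget_s: float):
    """Run modexp_leaky, then spin until a fixed wall-clock deadline.

    Returns (result, elapsed_s, overran).  When the work fits inside the
    budget, elapsed_s is >= budget_s for every exponent, so an observer of
    total time learns nothing about exp from the multiply count.  When the
    work does not fit (overran is True) the pad is too small and the tail
    beyond the deadline still leaks.
    """
    start = time.perf_counter()
    result, _ = modexp_leaky(base, exp, mod)
    work_s = time.perf_counter() - start
    deadline = start + budget_s
    while time.perf_counter() < deadline:
        pass        # spin rather than sleep: avoids coarse scheduler wakeups
    return result, time.perf_counter() - start, work_s > budget_s


def worst_case_budget(base: int, mod: int, bits: int,
                      margin: float = 2.0, trials: int = 20) -> float:
    """Size the pad from the slowest input.

    An all-ones exponent of `bits` bits takes the most multiplies in this
    loop (assumption: that is the worst case for this toy; real hardware
    adds operand-dependent effects).  Returns margin * max observed time.
    """
    exp = (1 << bits) - 1
    worst = 0.0
    for _ in range(trials):
        t0 = time.perf_counter()
        modexp_leaky(base, exp, mod)
        worst = max(worst, time.perf_counter() - t0)
    return margin * worst


if __name__ == "__main__":
    base, mod = 4, 497            # toy parameters, not a real key
    budget = worst_case_budget(base, mod, 16)
    # Hamming weights 1 and 16: very different multiply counts, same padded time.
    for exp in (1 << 15, (1 << 16) - 1):
        r, count = modexp_leaky(base, exp, mod)
        _, elapsed, overran = modexp_padded(base, exp, mod, budget)
        print(f"exp={exp:#06x} multiplies={count:2d} "
              f"padded_elapsed={elapsed*1e6:8.1f}us overran={overran}")
```

Note what the pad does and does not buy: the multiply count is hidden only while every execution finishes inside the budget, so the budget has to be derived from the worst-case input with margin, and the cost is that every operation now takes worst-case time. Spinning (rather than sleeping) keeps the deadline tight, but it burns CPU and the power draw is itself observable; a microarchitectural leak such as cache timing is not covered by a wall-clock pad at all.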
