1995-12-14 - Kocher’s RSA attack

Header Data

From: rschlafly@attmail.com (Roger Schlafly)
To: cypherpunks@toad.com
Message Hash: 48b5ec56b47ce3272c20291233f62b2b54d799662c5c501e254f9753188e3e05
Message ID: <rschlafly3480927310>
Reply To: N/A
UTC Datetime: 1995-12-14 15:41:17 UTC
Raw Date: Thu, 14 Dec 1995 23:41:17 +0800

Raw message

From: rschlafly@attmail.com (Roger  Schlafly)
Date: Thu, 14 Dec 1995 23:41:17 +0800
To: cypherpunks@toad.com
Subject: Kocher's RSA attack
Message-ID: <rschlafly3480927310>
MIME-Version: 1.0
Content-Type: text/plain

I read Kocher's paper, but I question its applicability.  One of his
premises is that the time of a modular multiplication varies with
the data.  I've checked my code for modular multiplication, and
the clock cycles to execute don't depend on the data at all.  The
same instructions get executed, and assuming the processor has a
hardware multiply, they take the same time.

When I timed the modular multiplication, I was able to detect some
slight variation, but I attribute this to cache misses, as the variance
with the same data was the same as the variance with different data.

Apparently RSAREF has modular multiplies which vary significantly
with the data, but I maintain this is not necessary.

A good test case for his analysis might be to pull a secret key
from a smart card.  If, say, the Capstone chip modular multiplication
has some timing anomalies, this might be a good way to defeat the
Fortezza card.

Roger Schlafly
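Added illustration, not part of the original message or of Kocher's paper: the data dependence the attack relies on is usually in the exponentiation, not the single multiply. The model below counts modular multiplications (deterministic, unlike clock cycles) for a textbook square-and-multiply versus a fixed-work Montgomery ladder, and turns the "same data vs. different data" comparison in the message into a check on those counts. All function names are the editor's own.

```python
# Operation-count model of exponent-dependent work in RSA modexp.
# Constructed example; counts multiplications instead of timing them.

class OpCounter:
    """Counts modular multiplications performed by an exponentiation."""
    def __init__(self):
        self.mults = 0

    def modmul(self, a, b, n):
        self.mults += 1
        return (a * b) % n

def modexp_square_and_multiply(base, exp, n, ctr):
    """Left-to-right binary exponentiation: the extra multiply happens only
    for exponent bits that are 1, so total work depends on the secret."""
    result = 1
    for bit in bin(exp)[2:]:
        result = ctr.modmul(result, result, n)
        if bit == "1":
            result = ctr.modmul(result, base, n)
    return result

def cswap(swap_bit, x, y):
    """Branch-free conditional swap: mask is all-ones when swap_bit is 1."""
    mask = -swap_bit
    t = (x ^ y) & mask
    return x ^ t, y ^ t

def modexp_ladder(base, exp, n, ctr, bits=None):
    """Montgomery ladder: one multiply and one squaring per bit whatever
    the bit's value, with no data-dependent branch on the exponent."""
    bits = n.bit_length() if bits is None else bits
    r0, r1 = 1, base % n
    for i in range(bits - 1, -1, -1):
        b = (exp >> i) & 1
        r0, r1 = cswap(b, r0, r1)
        r1 = ctr.modmul(r0, r1, n)
        r0 = ctr.modmul(r0, r0, n)
        r0, r1 = cswap(b, r0, r1)
    return r0

def count_mults(fn, base, exp, n):
    """Runs fn and returns (result, number of modular multiplications)."""
    ctr = OpCounter()
    return fn(base, exp, n, ctr), ctr.mults

def work_varies_with_exponent(fn, base, n, exponents):
    """The message's check in operation-count form: does the work differ
    across exponents for a fixed base and modulus? True means it leaks."""
    return len({count_mults(fn, base, e, n)[1] for e in exponents}) > 1
```

For the constructed inputs base 4, modulus 497, the square-and-multiply variant does 7 multiplications for exponent 13 and 5 for exponent 8, while the ladder does 18 for both; a real implementation must also make the multiply itself (e.g. the Montgomery reduction step) fixed-time, which this count does not model.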
