From: anonymous-remailer@shell.portal.com
Date: Sun, 10 Dec 95 22:40:19 PST
To: cypherpunks@toad.com
Subject: *fnord* Addition info *fnord*
Message-ID: <199512110638.WAA02958@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain



From: pck@netcom.com (Paul C. Kocher)
Subject: Announce: Timing cryptanalysis of RSA, DH, DSS
Message-ID: <pckDJEEzH.DJ3@netcom.com>
Organization: NETCOM On-line Communication Services (408 261-4700 guest)
Date: Mon, 11 Dec 1995 01:33:17 GMT
Lines: 67
Sender: pck@netcom20.netcom.com

I've just released details of an attack many of you will find 
interesting since quite a few existing cryptography products and 
systems are potentially at risk.  The general idea of the attack is
that secret keys can be found by measuring the amount of time used to
to process messages.  The paper describes attacks against RSA, fixed-
exponent Diffie-Hellman, and DSS, and the techniques can work with 
many other systems as well. 

My research on the subject is still in progress and the current paper 
does not include many of my findings.  I will eventually publish a full 
paper, but am releasing a preliminary draft now to alert the community 
as quickly as possible.  A copy of the abstract is attached at the end 
of this message and the full text can be downloaded in PostScript 
format from:

  ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps
  ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps.gz

I've also made an HTML version which is accessible at:

  http://www.cryptography.com

(The HTML uses subscripts and superscripts which aren't supported 
in older web browsers.  The PostScript version is the "official" 
one and looks nicer.)

The results have already been seen by Matt Blaze, Martin Hellman, Ron 
Rivest, Bruce Schneier, and many others.  While the full significance
of the attack is not yet known, I think everyone who has seen it 
considers it important (including Netscape who awarded me a $1000 
bugs bounty prize). 


    ABSTRACT.  Cryptosystems often take slightly different 
    amounts of time to process different messages. With network-
    based cryptosystems, cryptographic tokens, and many other 
    applications, attackers can measure the amount of time used 
    to complete cryptographic operations.  This abstract shows 
    that timing channels can, and often do, leak key material.  
    The attacks are particularly alarming because they often 
    require only known ciphertext, work even if timing 
    measurements are somewhat inaccurate, are computationally 
    easy, and are difficult to detect.  This preliminary draft 
    outlines attacks that can find secret exponents in Diffie-
    Hellman key exchange, factor RSA keys, and find DSS secret 
    parameters.  Other symmetric and asymmetric cryptographic 
    functions are also at risk. A complete description of the 
    attack will be presented in a full paper, to be released 
    later. I conclude by noting that closing timing channels 
    is often more difficult than might be expected. 


Cheers,
Paul Kocher

*********************************************************************
VERY IMPORTANT: If you send me e-mail, please understand that I
probably won't have time to respond to all who write.  Please keep
messages SHORT and send them to pck@cryptography.com (**not** my
netcom address -- misdirected messages will be ignored).  PGP when
used for e-mail is not vulnerable to the attack.  Please state in
your note whether you would like a reply.
******************************************************************** 

__________________________________________________________________________
Paul C. Kocher           Independent cryptography/data security consultant
E-mail: pck@cryptography.com (please see above before replying)

========
Xref: news2.new-york.net sci.crypt:5320
Path: news2.new-york.net!spcuna!uunet!in1.uu.net!newsfeed.internetmci.com!howland.reston.ans.net!ix.netcom.com!netnews
From: jmrubin@ix.netcom.com (Joel M. Rubin)
Newsgroups: sci.crypt
Subject: Re: Announce: Timing cryptanalysis of RSA, DH, DSS
Date: 11 Dec 1995 04:35:47 GMT
Organization: Union of anti-organizationalists
Lines: 11
Message-ID: <4agcf3$enr@ixnews2.ix.netcom.com>
References: <pckDJEEzH.DJ3@netcom.com>
NNTP-Posting-Host: ix-sf17-18.ix.netcom.com
X-NETCOM-Date: Sun Dec 10  8:35:47 PM PST 1995
X-Newsreader: WinVN 0.99.7

I just saw a small article with your name on page 1 of the N.Y. Times 
Fax 8-page Internet Edition. (Monday, December 11, 1995)

They change the edition at about 10:30-11 P.M. Eastern Standard Time 
(0330-0400 the next GMT day) so if you read this before then, you might 
want to download http://nytimesfax.com/times.pdf.

It is in Adobe Acrobat format.

Of course, there is probably a larger article in the paper edition.


========
From: jmrubin@ix.netcom.com (Joel M. Rubin)
Newsgroups: sci.crypt
Subject: Re: Announce: Timing cryptanalysis of RSA, DH, DSS
Date: 11 Dec 1995 04:38:58 GMT
Organization: Union of anti-organizationalists
Lines: 7
Message-ID: <4agcl2$enr@ixnews2.ix.netcom.com>
References: <pckDJEEzH.DJ3@netcom.com>
NNTP-Posting-Host: ix-sf17-18.ix.netcom.com
X-NETCOM-Date: Sun Dec 10  8:38:58 PM PST 1995
X-Newsreader: WinVN 0.99.7

In case you don't already know, there is an article about your work in 
Monday's N.Y. Times. I just read a very small version of it in 
http://nytimesfax.com/times.pdf. (Adobe Acrobat-format 8-page edition)

The N.Y. Times Fax on the web changes edition about 10:30 or 11 P.M. New 
York time so if you want it, get it before then.