From: Matt Blaze <mab@research.att.com>
Date: Fri, 15 Dec 1995 02:26:49 +0800
To: "W. Kinney" <kinney@bogart.colorado.edu>
Subject: Re: CryptoLib 1.0 now available
In-Reply-To: <199512140448.VAA18190@bogart.Colorado.EDU>
Message-ID: <199512140526.AAA27695@nsa.tempo.att.com>
MIME-Version: 1.0
Content-Type: text/plain



>
>> CryptoLib includes the following:
>[...]
>> 		quantization (Defense against Kocher's timing attack)
>> 		quantized RSA, DSA and El Gamal private key operations.
>
>
>Maybe this is an incorrect conclusion, but here seems to be a _second_ group
>who knew about Kocher's timing attack before Kocher did. What on earth
>would ECash or ATT have to gain by keeping such knowledge a secret? 
>
>                                   -- Will
>
>

Although it's very tempting to come up with an elaborate confession to
being part of the big conspiracy of the powers-that-be to suppress our
most brilliant cryptologic discoveries, I must admit that in fact you have
reached an incorrect conclusion.  I added the quantization stuff to
CryptoLib over the weekend right after I read Kocher's paper.  I posted the
routines to cypherpunks and sci.crypt yesterday.  You must have missed it.

Also, it should be pointed out that the idea that timing information
can leak information (like bit density) about keys has been well-known
for a long time.  I understand that NSA cryptosystems have long required
fixed response time for some (but not all...) cryptographic primitives in
comsec equipment.  But understanding that timing information might be
a threat in principle is not the same as understanding how to exploit it
in practice.

Kocher's observations are very, very surprising.

-matt