From: ljo@ausys.se (Johansson Lars)
To: cypherpunks@toad.com
Message Hash: c12058d58b3d80b57a7b017d5b2ad3dbd6d79c3f79f674c99f77b3cc64b636d8
Message ID: <95Dec12.160243gmt+0100.53783@void.ausys.se>
Reply To: N/A
UTC Datetime: 1995-12-12 17:26:07 UTC
Raw Date: Wed, 13 Dec 1995 01:26:07 +0800
From: ljo@ausys.se (Johansson Lars)
Date: Wed, 13 Dec 1995 01:26:07 +0800
To: cypherpunks@toad.com
Subject: Blinding against Kocher's timing attacks
Message-ID: <95Dec12.160243gmt+0100.53783@void.ausys.se>
MIME-Version: 1.0
Content-Type: text/plain
Ron Rivest wrote (at sci.crypt):
>The simplest way to defeat Kocher's timing attack is to ensure that the
>cryptographic computations take an amount of time that does not depend on
the
>data being operated on. For example, for RSA it suffices to ensure that
>a modular multiplication always takes the same amount of time, independent
of
>the operands.
>
>A second way to defeat Kocher's attack is to use blinding: you "blind" the
>data beforehand, perform the cryptographic computation, and then unblind
>afterwards. For RSA, this is quite simple to do. (The blinding and
>unblinding operations still need to take a fixed amount of time.) This
doesn't
>give a fixed overall computation time, but the computation time is then a
>random variable that is independent of the operands.
Does anyone know whether David Chaum's patent on
blind digital signatures extends to this application?
Kind regards,
/Lars Johansson
ljo@ausys.se
http://www.ausys.se/defaulte.htm
Return to December 1995
Return to “ljo@ausys.se (Johansson Lars)”
1995-12-12 (Wed, 13 Dec 1995 01:26:07 +0800) - Blinding against Kocher’s timing attacks - ljo@ausys.se (Johansson Lars)