From: Bill Stewart <stewarts@ix.netcom.com>
To: cypherpunks@toad.com
Message Hash: c4a5c0685fcc0d9b6f85b49b14ac0ef9007e015357f7ec98a6569b5349c6dbc6
Message ID: <199512110854.AAA14652@ix2.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1995-12-12 03:35:32 UTC
Raw Date: Tue, 12 Dec 1995 11:35:32 +0800
From: Bill Stewart <stewarts@ix.netcom.com>
Date: Tue, 12 Dec 1995 11:35:32 +0800
To: cypherpunks@toad.com
Subject: Re: Time-based cryptanalysis: How to defeat it?
Message-ID: <199512110854.AAA14652@ix2.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain
At 10:56 PM 12/10/95 -0800, anonymous-remailer wrote:
>Assuming Alice is decrypting a secret message sent to her
>by Bob (on her very slow C64 ;), and Mallet is watching
>with a stopwatch in hand, hoping to determine Alice's secret
>key...
The modern equivalent of that very slow C64 is the smartcard/
electronic wallet. Sounds like we'll have to implement them
very carefully....
>It would be good to place inside the decryption routines
>a timer (WELL PLACED!) that waits a random-number of cycles
>(based on key-strokes, mouse position, etc.) to defeat this
>type of cryptanalysis?
The most interesting detail in the paper, to me, was:
PK> Computing optional Ri+1 calculations regardless of whether the exponent
PK> bit is set does not work and can actually make the attack easier;
PK> the computations still diverge but attackers no longer have to identify
PK> the lack of a correlation for adjacent zero exponent bits.
My immediate reaction to the description of the timing attack on
Diffie-Hellman had, of course, been to do precisely that :-)
#--
# Thanks; Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0663 Pager/Voicemail 1-408-787-1281
Return to December 1995
Return to “futplex@pseudonym.com (Futplex)”