1995-12-12 - Re: Timing Cryptanalysis Attack

Header Data

From: Adam Shostack <adam@lighthouse.homeport.org>
To: jim@acm.org
Message Hash: e9178517df96af0ff85c8065ce7dd8d8670aad81bd7287300609dbb8b6581906
Message ID: <199512121525.KAA09078@homeport.org>
Reply To: <199512111920.LAA24338@mycroft.rand.org>
UTC Datetime: 1995-12-12 17:21:21 UTC
Raw Date: Wed, 13 Dec 1995 01:21:21 +0800

Raw message

From: Adam Shostack <adam@lighthouse.homeport.org>
Date: Wed, 13 Dec 1995 01:21:21 +0800
To: jim@acm.org
Subject: Re: Timing Cryptanalysis Attack
In-Reply-To: <199512111920.LAA24338@mycroft.rand.org>
Message-ID: <199512121525.KAA09078@homeport.org>
MIME-Version: 1.0
Content-Type: text


Jim Gillogly wrote:

| > Nathaniel Borenstein <nsb@nsb.fv.com> writes:
| > Hey, don't go for constant time, that's too hard to get perfect.  Add a
| > *random* delay.  This particular crypto-flaw is pretty easy to fix. 
| > (See, I'm not *always* arguing the downside of cryptography!)
| 
| Random delay may be harder to get perfect than constant time.  Note that
| the actual time for the transaction is the minimum of all the transaction
| times you measure, since you can't add a negative delay to them.  It's
| presumably even easier if the random distribution is known.  Adding a
| random delay means more transactions are required to find each new bit,
| but information is still leaking.

	Does the delay have to be random, or does the total time for a
transacation need to be unrelated to the bits in the secret key?
Assume that the time added is pseudo-random (and confidential).
Further, for any non-overlapping group of N transactions, the
distribution of the times fits some predetermined curve, say a bell
curve.

	We've added a non random number, but since those numbers end
up being a curve, it would be difficult to determine which transaction
got which time added to it.  This resembles the 'make them all a
constant time', but allows us to send out some in a shorter time than
the maximum (although most transactions should probably take longer
than the average.)

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

Thread

• Return to December 1995

• Return to “Adam Shostack <adam@lighthouse.homeport.org>”
• Return to “anon-remailer@utopia.hacktic.nl (Anonymous)”
• Return to “Black Unicorn <unicorn@schloss.li>”
• Return to “Eric Young <eay@mincom.oz.au>”
• Return to “fc@all.net (Dr. Frederick B. Cohen)”
• Return to “Jeff Weinstein <jsw@netscape.com>”
• Return to “Jim Gillogly <jim@acm.org>”
• Return to ““Josh M. Osborne” <stripes@va.pubnix.com>”
• Return to “Matt Blaze <mab@crypto.com>”
• Return to “Nathaniel Borenstein <nsb@nsb.fv.com>”
• Return to ““Perry E. Metzger” <perry@piermont.com>”
• Return to “Peter Monta <pmonta@qualcomm.com>”
• Return to “Simon Spero <ses@tipper.oit.unc.edu>”

• Return to “Tom Weinstein <tomw@netscape.com>”

• 1995-12-11 (Mon, 11 Dec 1995 17:12:49 +0800) - Timing Cryptanalysis Attack - anon-remailer@utopia.hacktic.nl (Anonymous)
  • 1995-12-11 (Mon, 11 Dec 1995 17:55:55 +0800) - Re: Timing Cryptanalysis Attack - Eric Young <eay@mincom.oz.au>
    • 1995-12-11 (Tue, 12 Dec 1995 06:50:02 +0800) - Re: Timing Cryptanalysis Attack - “Perry E. Metzger” <perry@piermont.com>
  • 1995-12-11 (Mon, 11 Dec 1995 18:27:46 +0800) - Re: Timing Cryptanalysis Attack - Tom Weinstein <tomw@netscape.com>
    • 1995-12-11 (Tue, 12 Dec 1995 05:04:23 +0800) - Re: Timing Cryptanalysis Attack - Eric Young <eay@mincom.oz.au>
    • 1995-12-11 (Tue, 12 Dec 1995 05:31:37 +0800) - Re: Timing Cryptanalysis Attack - “Perry E. Metzger” <perry@piermont.com>
      • 1995-12-11 (Tue, 12 Dec 1995 07:02:56 +0800) - Re: Timing Cryptanalysis Attack - Matt Blaze <mab@crypto.com>
        • 1995-12-12 (Tue, 12 Dec 1995 13:05:05 +0800) - Re: Timing Cryptanalysis Attack - Peter Monta <pmonta@qualcomm.com>
          • 1995-12-13 (Wed, 13 Dec 1995 22:33:48 +0800) - Re: Timing Cryptanalysis Attack - “Josh M. Osborne” <stripes@va.pubnix.com>
        • 1995-12-12 (Wed, 13 Dec 1995 05:53:55 +0800) - Re: Timing Cryptanalysis Attack - “Perry E. Metzger” <perry@piermont.com>
      • 1995-12-12 (Tue, 12 Dec 1995 14:01:08 +0800) - Re: Timing Cryptanalysis Attack - Tom Weinstein <tomw@netscape.com>
        • 1995-12-12 (Tue, 12 Dec 1995 14:55:20 +0800) - Re: Timing Cryptanalysis Attack - “Perry E. Metzger” <perry@piermont.com>
          • 1995-12-12 (Tue, 12 Dec 1995 11:25:32 +0800) - Re: Timing Cryptanalysis Attack - Tom Weinstein <tomw@netscape.com>
    • 1995-12-12 (Tue, 12 Dec 1995 14:37:57 +0800) - Re: Timing Cryptanalysis Attack - Peter Monta <pmonta@qualcomm.com>
  • 1995-12-11 (Tue, 12 Dec 1995 05:10:34 +0800) - Re: Timing Cryptanalysis Attack - Nathaniel Borenstein <nsb@nsb.fv.com>
    • 1995-12-12 (Wed, 13 Dec 1995 05:54:04 +0800) - Re: Timing Cryptanalysis Attack - Jim Gillogly <jim@acm.org>
      • 1995-12-12 (Wed, 13 Dec 1995 01:21:21 +0800) - Re: Timing Cryptanalysis Attack - Adam Shostack <adam@lighthouse.homeport.org>
        • 1995-12-12 (Wed, 13 Dec 1995 02:06:25 +0800) - Re: Timing Cryptanalysis Attack - fc@all.net (Dr. Frederick B. Cohen)
        • 1995-12-12 (Wed, 13 Dec 1995 04:31:34 +0800) - Re: Timing Cryptanalysis Attack - Adam Shostack <adam@lighthouse.homeport.org>
        • 1995-12-13 (Wed, 13 Dec 1995 17:31:54 +0800) - Re: Timing Cryptanalysis Attack - Tom Weinstein <tomw@netscape.com>
  • 1995-12-11 (Tue, 12 Dec 1995 05:53:30 +0800) - Re: Timing Cryptanalysis Attack - Jeff Weinstein <jsw@netscape.com>
    • 1995-12-12 (Tue, 12 Dec 1995 14:39:12 +0800) - Re: Timing Cryptanalysis Attack - Adam Shostack <adam@lighthouse.homeport.org>
      • 1995-12-12 (Tue, 12 Dec 1995 11:39:15 +0800) - Re: Timing Cryptanalysis Attack - Jeff Weinstein <jsw@netscape.com>
      • 1995-12-12 (Tue, 12 Dec 95 01:45:37 PST) - Re: Timing Cryptanalysis Attack - Black Unicorn <unicorn@schloss.li>
    • 1995-12-12 (Wed, 13 Dec 1995 00:56:02 +0800) - Re: Timing Cryptanalysis Attack - Simon Spero <ses@tipper.oit.unc.edu>
  • 1995-12-11 (Tue, 12 Dec 1995 06:50:11 +0800) - Re: Timing Cryptanalysis Attack - “Perry E. Metzger” <perry@piermont.com>