1996-01-04 - Kocher timing attack in RISKS

Header Data

From: stevenw@best.com (Steven Weller)
To: cypherpunks@toad.com
Message Hash: 9903e52be184a53f73df4717609b088ade6a19baa0ac0e3f5e4592c3b2286a75
Message ID: <v0153050dad10efd26ebd@[206.86.1.35]>
Reply To: N/A
UTC Datetime: 1996-01-04 03:20:43 UTC
Raw Date: Thu, 4 Jan 1996 11:20:43 +0800

Raw message

From: stevenw@best.com (Steven Weller)
Date: Thu, 4 Jan 1996 11:20:43 +0800
To: cypherpunks@toad.com
Subject: Kocher timing attack in RISKS
Message-ID: <v0153050dad10efd26ebd@[206.86.1.35]>
MIME-Version: 1.0
Content-Type: text/plain



Reproduced here from RISKS digest:

------------------------------

Date: Tue, 26 Dec 1995 17:23:09 -0100
From: Saso Tomazic <saso.tomazic@fer.uni-lj.si>
Subject: Re: Timing cryptanalysis of RSA, DH, DSS (Kocher, RISKS-17.53)

The timing attack presented by Paul C. Kocher in his extended abstract
of the paper "Cryptanalysis of Diffie-Helman, RSA, DSS, and Other
Systems Using Timing Attacks"
  (ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps)
is really worth consideration, however I would like to stress there is no
need for panic, mainly for two reasons:

1) Security of practical cryptosystems do not rest solely on security of
crypt algorithm. In fact, cryptoanalysis attacks are rare, due to strong
crypto algorithms that are presently known. More often cryptosystems are
broken using other weak points of cryptosystems as insecurity of keys, bad
key management, easy to guess passwords, computer screen radiation,
monitoring the keystrokes of computer in network, ...  The timing attack can
be considered just as one of them, not the most dangerous one. For practical
cryptosystem, it would be extremely difficult to measure exact timing of
encryption process, at least much more difficult as to monitor keystrokes or
to capture entire message from the screen. The intruder, who would be able
to measure the exact timing of encryption in a multitasking environment,
would probably also have access to everything else (i.e., secret message,
secret key, passwords, ...) and thus no need to measure timing.

2.) It is not so difficult to rewrite algorithms to be resistant to timing
attacks, i.e., to have execution time independent of secret key.  For
example, the algorithm to compute R = y^x mod n given in the Kocher paper
can be simply rewritten as:

Let R = 1.
Let A = 1.
Let z = y.
For i=0 upto (bits_in_x-1):
   If (bit i of x) is 1 then
         Let A = (R*z) mod n
   Else
         Let B = (R*z) mod n
Let y = y^2 mod n.
Let R = A.
End.

to be resistant to timing attacks.

------------------------------

-------------------------------------------------------------------------
Steven Weller                      |  "The Internet, of course, is more
                                   |  than just a place to find pictures
                                   |  of people having sex with dogs."
stevenw@best.com                   |       -- Time Magazine, 3 July 1995







Thread