[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Time-based cryptanalysis: How to defeat it?



At 10:56 PM 12/10/95 -0800, anonymous-remailer wrote:
>Assuming Alice is decrypting a secret message sent to her
>by Bob (on her very slow C64 ;), and Mallet is watching
>with a stopwatch in hand, hoping to determine Alice's secret
>key...

The modern equivalent of that very slow C64 is the smartcard/
electronic wallet.  Sounds like we'll have to implement them
very carefully....

>It would be good to place inside the decryption routines
>a timer (WELL PLACED!) that waits a random-number of cycles
>(based on key-strokes, mouse position, etc.) to defeat this
>type of cryptanalysis?

The most interesting detail in the paper, to me, was:

PK> Computing optional Ri+1 calculations regardless of whether the exponent 
PK> bit is set does not work and can actually make the attack easier;
PK> the computations still diverge but attackers no longer have to identify
PK> the lack of a correlation for adjacent zero exponent bits. 

My immediate reaction to the description of the timing attack on 
Diffie-Hellman had, of course, been to do precisely that :-)
#--
#				Thanks;  Bill
# Bill Stewart, Freelance Information Architect, [email protected]
# Phone +1-510-247-0663 Pager/Voicemail 1-408-787-1281