
Re: Blinding against Kocher's timing attacks



From: [email protected] (Johansson Lars)
> Does anyone know whether David Chaum's patent on
> blind digital signatures extends to this application?

I don't think it would.  Chaum's blinding protocol has one major
difference: the blinding factor is applied by a different person than
the one doing the signing.  The purpose of the blinding is different,
too; in Chaum's case the idea is to end up with a signature which is
unknown to the signer, while with Kocher's "defensive blinding" the
signature (or decryption) is an ordinary RSA one, and the blinding is
just done internally by the signer to randomize the timing.

(I gather BTW that the idea of the blinding is for the server to have
pre-chosen a random r and pre-calculated r^d mod n, and then when he is
given c to decrypt he first does c*r mod n and then decrypts this, then
takes the result and divides by r^d.)

It's conceivable that Kocher's blinding would be a patentable technique
in itself, and not impossible that he has already applied for a patent
before publishing.  Probably he would have said so if that were his
intention, though.

Hal

"Blind defensively - watch out for the other guy..."
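The blinding procedure Hal paraphrases (pre-chosen r, pre-computed r^d mod n, multiply c by r, decrypt, divide by r^d) is easy to check in code. The following is an added illustration written for this archive page, not code from the message or from Kocher's paper; the RSA key is a constructed toy key with small primes so the numbers stay readable, and the function names and the choice of Python's `secrets` module for picking r are assumptions of the example. It confirms the point made above: the blinded result is the ordinary RSA decryption, and the blinding is purely an internal randomization by the signer.

```python
# Added example: RSA "defensive blinding" as described in the message above.
# The key below is a constructed toy key (small primes, for illustration only);
# a real deployment uses a proper key size.
from math import gcd
import secrets

# Constructed toy RSA parameters (assumption: p and q chosen only for readability).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent


def encrypt(m, e=E, n=N):
    """Textbook RSA public operation: m^e mod n."""
    return pow(m, e, n)


def decrypt_plain(c, d=D, n=N):
    """Ordinary (unblinded) RSA private operation: c^d mod n.
    The running time of this call depends on c, which is what a timing
    attacker measures."""
    return pow(c, d, n)


def make_blinding_pair(d=D, n=N):
    """Pre-choose a random r coprime to n and pre-compute r^d mod n,
    as the message describes. This is done once, off the timing-critical
    path, so the attacker never sees the cost of computing r^d."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:          # r must be invertible mod n
            return r, pow(r, d, n)


def decrypt_blinded(c, r, r_d, d=D, n=N):
    """Blinded private operation following the message's description:
    multiply the ciphertext by r, decrypt, then divide by r^d.
    Since (c*r)^d = c^d * r^d (mod n), dividing by r^d recovers c^d.
    The value actually exponentiated, c*r mod n, is random from the
    attacker's point of view, so its timing carries no information about c."""
    blinded = (c * r) % n
    t = pow(blinded, d, n)          # = c^d * r^d mod n
    inv_r_d = pow(r_d, -1, n)       # "divide by r^d" = multiply by its inverse mod n
    return (t * inv_r_d) % n


if __name__ == "__main__":
    m = 123456789                   # constructed sample message, must be < N
    c = encrypt(m)
    r, r_d = make_blinding_pair()
    assert decrypt_blinded(c, r, r_d) == decrypt_plain(c) == m
    print("blinded and plain decryption agree:", decrypt_blinded(c, r, r_d))
```

Two details worth noticing when reading this: r has to be coprime to n (otherwise r^d has no inverse and the final division fails), and the "division" is a modular inverse, which is itself a fixed-cost operation on a value independent of c. Any two blinding pairs give the same answer, which is exactly why this differs from Chaum's scheme: nothing about the output is hidden from the party doing the signing.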