[19026] in cryptography@c2.net mail archive


Re: timing attack countermeasures (nonrandom but unpredictable delays)

daemon@ATHENA.MIT.EDU (Travis H.)
Wed Nov 30 10:43:45 2005

X-Original-To: cryptography@metzdowd.com
Date: Tue, 22 Nov 2005 04:46:31 -0600
From: "Travis H." <solinym@gmail.com>
To: "leichter_jerrold@emc.com" <leichter_jerrold@emc.com>
Cc: daw@cs.berkeley.edu, cryptography@metzdowd.com
In-Reply-To: <Pine.SOL.4.61.0511171024310.4869@frame>

> Why do you need to separate f from f+d?  The attack is based on a timing
> variation that is a function of k and x, that's all.  Think of it this way:
> Your implementation with the new d(k,x) added in is indistinguishable, in
> externally visible behavior, from a *different* implementation f'(k,x)
> which has the undesired property:  That the time is a function of the
> inputs.

Suppose that the total computation time was equal to a one way
function of the inputs k and x.  How does he go about obtaining k?

It is not enough that it is a function, it must be a function that can
leak k given x and f(k,x) with an efficiency greater than a
brute-force of the input space of k (because, presumably, f and the
output are known to an attacker, so he could simply search for k that
gives the correct value(s)).

In reality, the time it takes to compute the crypto function is just
another output to the attacker, and should have the same properties
that any other output has with respect to the inputs one wishes to
keep secret.  It does not have to be constant.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
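
An added illustration of the idea discussed in this message (not part of the original post): the total response time is padded up to a target that is a keyed one-way function of the input, so the same x always takes the same time but the time is not constant. The names `target_ns`, `leaky_f`, `padded_f`, the separate `delay_key`, the use of HMAC-SHA256 and the 2 ms floor are all assumptions made for the example.

```python
import hashlib
import hmac
import time

FLOOR_NS = 2_000_000   # assumed bound on f's own running time (2 ms)
SPREAD_NS = 1_000_000  # width of the input-dependent part (1 ms)


def target_ns(delay_key: bytes, x: bytes) -> int:
    """Total-time target: a keyed one-way function (HMAC-SHA256) of x."""
    tag = hmac.new(delay_key, x, hashlib.sha256).digest()
    return FLOOR_NS + int.from_bytes(tag[:8], "big") % SPREAD_NS


def leaky_f(k: bytes, x: bytes) -> bytes:
    """Constructed stand-in for f(k, x): loop count depends on k and x."""
    acc = 0
    for i in range(sum(a & b for a, b in zip(k, x))):
        acc ^= i
    return hmac.new(k, x, hashlib.sha256).digest()


def padded_f(k: bytes, delay_key: bytes, x: bytes):
    """Run f, then wait until the target; return (output, elapsed_ns, overran)."""
    start = time.perf_counter_ns()
    out = leaky_f(k, x)
    deadline = start + target_ns(delay_key, x)
    # If f outran the floor, its own timing shows through: report it.
    overran = time.perf_counter_ns() > deadline
    while (left := deadline - time.perf_counter_ns()) > 0:
        time.sleep(left / 1e9)
    return out, time.perf_counter_ns() - start, overran


if __name__ == "__main__":
    k, dk = bytes(range(16)), b"separate-delay-key"  # constructed keys
    for x in (b"\x00" * 16, b"\xff" * 16, b"\x00" * 16):
        out, elapsed, overran = padded_f(k, dk, x)
        print(x[:1].hex(), target_ns(dk, x), elapsed, overran)
```

The `overran` flag marks the case where f itself took longer than the assumed floor, which is when the padding no longer hides f's own timing.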
