[45220] in Cypherpunks
Re: Timing Cryptanalysis Attack
daemon@ATHENA.MIT.EDU (Peter Monta)
Tue Dec 12 00:33:19 1995
To: cypherpunks@toad.com
In-Reply-To: Your message of "Mon, 11 Dec 1995 02:07:49 PST." <30CC02F5.4487@netscape.com>
Date: Mon, 11 Dec 1995 12:49:43 -0800
From: Peter Monta <pmonta@qualcomm.com>
> > I for one will probably add a flag for conditional compilation of my
> > bignumber library so that it will take constant time. This may be a
> > %10 slow down (using small windows exponentiation) which is trivial
> > compared to the %30 speedup I will probably get when I implement a
> > faster mod function :-).
>
> Careful. Even if you can make the number of executed instructions the
> same, you still have to worry about timing differences due to branches
> and the way the hardware multiplier handles different operands.
No, he's saying to equalize wall-clock time---just pad out beyond the
largest possible execution time with a timer. Surely with a sufficient
pad the timing-channel leak can be made negligible (though the author
seems to claim otherwise---I should read the explanation!).
Peter Monta
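The two positions in this exchange (equalize instruction counts vs. pad wall-clock time out to a fixed bound) can be made concrete with a small model. The following is an added example, not code from the thread or from any of its participants. It counts modular multiplications in square-and-multiply as a deterministic stand-in for time, so the leak and the padding countermeasure can be checked offline; the function names, the hypothetical `bound` parameter and the sample exponents are this example's own.

```python
"""Simulated timing channel in square-and-multiply and the
'pad to a fixed bound' countermeasure.

Added example (not from the original thread). Cost is measured as the
number of modular multiplications rather than wall-clock time, which
makes the behaviour deterministic; real hardware adds operand-dependent
multiplier and branch timing on top of this count."""


def modexp_cost(base, exponent, modulus):
    """Left-to-right square-and-multiply.

    Returns (result, cost). Every exponent bit costs one squaring; every
    1 bit costs one extra multiply. The cost therefore depends on the
    Hamming weight of the secret exponent, which is the data-dependent
    timing a timing attack measures."""
    result = 1
    cost = 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        cost += 1
        if bit == "1":
            result = (result * base) % modulus
            cost += 1
    return result, cost


def worst_case_cost(bits):
    """Largest possible cost for an exponent of `bits` bits: the all-ones
    exponent needs a square and a multiply for every bit."""
    return 2 * bits


def padded_modexp_cost(base, exponent, modulus, bound):
    """Same computation, but the observable cost is padded up to `bound`,
    the way a timer would pad wall-clock time to a fixed value.

    Padding only hides the variation if `bound` really is an upper bound
    on the true cost, so an underestimated bound is reported as an error
    instead of silently leaking."""
    result, cost = modexp_cost(base, exponent, modulus)
    if cost > bound:
        raise ValueError(f"cost {cost} exceeds padding bound {bound}")
    return result, bound


def distinct_costs(exponents, modulus, bound=None):
    """Number of distinct observable costs across a set of exponents.
    A value of 1 means the observer learns nothing from cost alone."""
    seen = set()
    for e in exponents:
        if bound is None:
            _, c = modexp_cost(3, e, modulus)
        else:
            _, c = padded_modexp_cost(3, e, modulus, bound)
        seen.add(c)
    return len(seen)


if __name__ == "__main__":
    # Constructed sample: four 4-bit exponents of differing Hamming weight.
    sample = [0b1000, 0b1010, 0b1011, 0b1111]
    print("unpadded distinct costs:", distinct_costs(sample, 1000))  # leaks
    print("padded distinct costs:  ",
          distinct_costs(sample, 1000, worst_case_cost(4)))          # 1
```

With no padding, the four sample exponents produce four different costs, so an observer who can time the operation can distinguish them. Padded out to `worst_case_cost(4)`, every call reports the same cost. The caveat raised in the quoted reply survives in this model: the bound must genuinely cover the slowest case, and in real hardware that case also includes operand-dependent multiplier and branch timing that an instruction count does not capture.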