[45258] in Cypherpunks


Re: Timing Cryptanalysis Attack

daemon@ATHENA.MIT.EDU (Dr. Frederick B. Cohen)
Tue Dec 12 12:56:34 1995

From: fc@all.net (Dr. Frederick B. Cohen)
To: adam@homeport.org (Adam Shostack)
Date: Tue, 12 Dec 1995 12:26:47 -0500 (EST)
Cc: cypherpunks@toad.com
In-Reply-To: <199512121525.KAA09078@homeport.org> from "Adam Shostack" at Dec 12, 95 10:25:19 am

> Jim Gillogly wrote:
> 
> | > Nathaniel Borenstein <nsb@nsb.fv.com> writes:
> | > Hey, don't go for constant time, that's too hard to get perfect.  Add a
> | > *random* delay.  This particular crypto-flaw is pretty easy to fix. 
> | > (See, I'm not *always* arguing the downside of cryptography!)
> 
> 	Does the delay have to be random, or does the total time for a
> transaction need to be unrelated to the bits in the secret key?
> Assume that the time added is pseudo-random (and confidential).
> Further, for any non-overlapping group of N transactions, the
> distribution of the times fits some predetermined curve, say a bell
> curve.

Random time won't save you - it just increases the noise, thus reducing
the effective bandwidth of the covert channel.  To get the time, I only
need to do enough repetitions of the same computation to eliminate the
effect of the randomness and I have the same resulting information about
the key.

The only way to completely remove covert channels is by making the
measurable time completely independent of the actual time.

One way with the RSA might be to do the encryption with the key and the
inverse of the key (hence all 0s become 1s and 1s become 0s).

-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
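
Added example, not part of the original message: a small simulation of the averaging argument in the reply above, comparing a random delay with a response held to a fixed deadline. The timing model, its constants and the function names are assumptions made for illustration, and the fixed deadline is only one reading of "measurable time independent of the actual time".

```python
import random
import statistics

# Constructed timing model (assumption): the operation costs BASE units,
# plus EXTRA units when a secret-dependent step runs.
BASE, EXTRA = 100.0, 1.0

def observed_time(secret_bit, rng, max_delay=0.0, pad_to=None):
    """One simulated response time as seen from outside."""
    t = BASE + (EXTRA if secret_bit else 0.0)
    t += rng.uniform(0.0, max_delay)   # random-delay countermeasure
    if pad_to is not None:
        t = max(t, pad_to)             # reply is held until a fixed deadline
    return t

def mean_gap(n, rng, **kw):
    """Mean time for bit=1 minus mean time for bit=0, n samples each."""
    ones = statistics.fmean(observed_time(1, rng, **kw) for _ in range(n))
    zeros = statistics.fmean(observed_time(0, rng, **kw) for _ in range(n))
    return ones - zeros

def demo(seed=1995):
    rng = random.Random(seed)
    return {
        # Delay up to 50x the signal: a handful of samples is dominated by noise...
        "random_delay_n10": mean_gap(10, rng, max_delay=50.0),
        # ...but the noise averages out, leaving the secret-dependent gap.
        "random_delay_n200000": mean_gap(200_000, rng, max_delay=50.0),
        # Deadline above the worst case: the observable time carries nothing.
        "fixed_deadline": mean_gap(1_000, rng, max_delay=50.0, pad_to=200.0),
    }

if __name__ == "__main__":
    for name, gap in demo().items():
        print(f"{name:22s} gap = {gap:+.3f}")
```

The error of the averaged gap shrinks roughly as 1/sqrt(n), so a larger random delay raises the number of measurements needed but does not close the channel.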
