
Further to Roger's comments that modular multiplies in software probably do not allow the timing attacks. On the internet the randomness introduced by the network probably hides the timing of the cryptography. I say probably because I am at a conference and have not got the maths texts to hand. I would guess however that Shannon's paper on communications bandwidth and some empirical results on the timing characteristics of the network would allow one to demonstrate that the attack is infeasible.

On the other hand the attack is quite likely to work against some smart cards. In particular there are many which do not have specialized modular multiplication facilities. These use software to implement bignum arithmetic. Since smartcards also tend to be slow processors the arithmetic may well have been speeded up with the type of optimisation in an RSAREF type manner. A conclusion which might be reached is that smartcards should in future contain a timer which is started at the beginning of every cryptographic operation and a delay loop introduced to ensure that the time taken is always the same. The alternative of attempting to ensure that equal processing is spent on each cycle threatens an infinite regress into second and third order effects, e.g. frequency of page faults. Covert channel analysis is bad enough as it is.

Perhaps we should concentrate on the question of how the timing attack might be used in a workstation environment. Here covert channels are very relevant - with the proviso that we do not have a process concealment problem but a security partitioning problem. Consider the problem of a cryptographic file store where the users do not have access to a private key used to make files accessible. I suggest that we attempt to break out these attacks into categories, label the categories and produce a companion guide to the attack paper describing its system level implications.

I believe that such a task is best done in a collaborative medium such as this list. We need as many people as possible to consider the possible attack modes. Nobody is likely to think of them all.

Phill
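The countermeasure proposed above (a timer started at the beginning of the operation plus a delay loop that pads every call to the same duration), as an added Python illustration that is not part of the original message. The square-and-multiply routine stands in for a software bignum exponentiation; `budget_ns` is an assumed per-call time budget that the caller must set above the worst-case running time.

```python
import time


def modexp_square_multiply(base, exp, mod):
    """Textbook left-to-right square-and-multiply.

    Returns (result, multiply_count). The multiply count is the
    data-dependent work a timing attack observes: a multiply is
    performed only for exponent bits that are set, so running time
    tracks the Hamming weight of the (secret) exponent.
    """
    result = 1
    multiplies = 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod       # square on every bit
        if bit == "1":
            result = (result * base) % mod     # multiply only on 1 bits
            multiplies += 1
    return result, multiplies


def modexp_padded(base, exp, mod, budget_ns):
    """Same computation, but spin until a fixed budget has elapsed.

    budget_ns is an assumed value chosen by the caller; it must exceed
    the slowest possible call, otherwise long calls still leak.
    Returns (result, elapsed_ns) so the padding can be checked.
    """
    start = time.perf_counter_ns()             # timer started at entry
    result, _ = modexp_square_multiply(base, exp, mod)
    while time.perf_counter_ns() - start < budget_ns:
        pass                                   # delay loop to the deadline
    return result, time.perf_counter_ns() - start


if __name__ == "__main__":
    # Constructed demo: two exponents of equal length but very different
    # Hamming weight, so the unpadded multiply counts differ visibly.
    mod, base = 2**61 - 1, 3
    for exp in (0b1000000000000000, 0b1111111111111111):
        _, mults = modexp_square_multiply(base, exp, mod)
        _, elapsed = modexp_padded(base, exp, mod, budget_ns=2_000_000)
        print(f"exp={exp:#x} multiplies={mults} padded_elapsed_ns={elapsed}")
```

The padded variant equalises wall-clock time only; cache, page-fault and power behaviour remain data-dependent, which is the regress into second-order effects the message warns about.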