Re: Timing Cryptanalysis Attack

At 03:42 PM 12/14/95 +0100, Lars Johansson wrote:
> Does the attack work for existing smartcards?
> At first glance, smart cards would seem to be the most critical target to Kocher's timing attack since they usually operate in on-line environments.

Not just on-line, they also operate in untrusted (hostile?) environments.

> ...the terminal could get a (noisy) measure of the time by repeatedly using this command to see when the result is available.

Might a terminal also be able to monitor power consumption or electromagnetic emissions to obtain a more precise time estimate?

> Most smart cards do nevertheless require that the user first specify a PIN code before the RSA algorithms are operational.

If I used my RSA card every day, (at a toll booth, for instance), and the "bad guys" pilfered an "exact" timing upon each use, how long before they could forge a signature?

> This implies that even if the card gets stolen, it can't be attacked with Kocher's method.

That is useful, but if I know my card is stolen, I can presumably limit my liability by reporting it. If I still have my card, but my secret key is stolen, then damage might be greater.

On another note, timing attacks would not seem to work against most DES implementations, hardware or software. The time to execute each round does not seem to depend on the plaintext or the key. It could be made to, of course, but unless I'm missing something, the "natural" way to code it, or to construct hardware for it, is not time dependent.

Rick F. Hoselton (who doesn't claim to present opinions for others)

"rick" == rick hoselton <hoz@univel.telescan.com> writes:

rick> On another note, timing attacks would not seem to work
rick> against most DES implementations, hardware or software. The
rick> time to execute each round does not seem to depend on the
rick> plaintext or the key. It could be made to, of course, but
rick> unless I'm missing something, the "natural" way to code it,
rick> or to construct hardware for it, is not time dependent.

Someone mentioned measuring power consumption instead of execution time. I think the same statistics should apply in that case. Of course this attack requires knowledge of the chip design, but that should be possible to gain. It's certainly easier than reading information from a protected EEPROM.

Andreas
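The contrast Rick draws (RSA exponentiation is key-dependent in its work, a DES round is not) and Andreas's point that power traces carry the same statistics both come down to whether the operation count depends on the secret. The added example below is not from either poster: it counts modular multiplications as a stand-in for time or power in a naive square-and-multiply versus a Montgomery ladder, using constructed sample exponents and modulus.

```python
# Added illustration (not from the thread): why square-and-multiply leaks
# the exponent's shape through time or power, and a fixed-work alternative.
# Multiplication counts stand in for the measurable quantity.

def naive_modexp(base, exp, mod):
    """Left-to-right square-and-multiply: multiplies only on 1 bits,
    so total work reveals the exponent's Hamming weight."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        mults += 1
        if bit == "1":
            result = (result * base) % mod
            mults += 1
    return result, mults


def ladder_modexp(base, exp, mod):
    """Montgomery ladder: exactly one squaring and one multiply per bit,
    whatever the bit's value (invariant: r1 == r0 * base mod mod).
    Note the bit still selects which register is squared; real hardened
    code replaces this branch with a branchless conditional swap."""
    r0, r1, mults = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        mults += 2
    return r0, mults


def count_spread(modexp, exponents, base=7, mod=1000003):
    """(min, max) multiplication count over exponents of equal bit length.
    A spread greater than zero means the measurement depends on the key."""
    counts = [modexp(base, e, mod)[1] for e in exponents]
    return min(counts), max(counts)


if __name__ == "__main__":
    # Constructed 4-bit exponents with Hamming weights 1, 3 and 4.
    sample = [0b1000, 0b1011, 0b1111]
    print("naive :", count_spread(naive_modexp, sample))   # (5, 8)
    print("ladder:", count_spread(ladder_modexp, sample))  # (8, 8)
```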