Blinding against Kocher's timing attacks
Ron Rivest wrote (at sci.crypt):
The simplest way to defeat Kocher's timing attack is to ensure that the cryptographic computations take an amount of time that does not depend on the data being operated on. For example, for RSA it suffices to ensure that a modular multiplication always takes the same amount of time, independent of the operands.
A second way to defeat Kocher's attack is to use blinding: you "blind" the data beforehand, perform the cryptographic computation, and then unblind afterwards. For RSA, this is quite simple to do. (The blinding and unblinding operations still need to take a fixed amount of time.) This doesn't give a fixed overall computation time, but the computation time is then a random variable that is independent of the operands.
Does anyone know whether David Chaum's patent on blind digital signatures extends to this application?

Kind regards,
/Lars Johansson
ljo@ausys.se
http://www.ausys.se/defaulte.htm
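As an added illustration of the RSA blinding step Rivest describes (this is not part of the original message, and the tiny primes, exponent and message values are constructed for the example), the following Python shows blind, private-key operation, unblind, and checks that the result equals the ordinary m^d mod n. Python's pow() is not constant time, so the code demonstrates the algebra that decorrelates timing from the operand, not the fixed-time blinding/unblinding Rivest also requires.

```python
import secrets
from math import gcd

# Constructed toy RSA key for illustration only: primes far too small for real use.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent (modular inverse, Python 3.8+)


def rsa_private_plain(m: int, d: int = D, n: int = N) -> int:
    """Unblinded private-key operation: the running time of pow() depends on m,
    which is exactly what Kocher's attack measures."""
    return pow(m, d, n)


def rsa_private_blinded(m: int, d: int = D, e: int = E, n: int = N) -> int:
    """Blinded private-key operation (the second countermeasure Rivest describes).

    1. pick a fresh random r coprime to n (a new r for every operation),
    2. blind:   m' = m * r^e mod n,
    3. operate: s' = m'^d = m^d * r^(e*d) = m^d * r  (mod n),
    4. unblind: s  = s' * r^-1 mod n.
    The operand fed to the secret exponentiation is m', which an observer
    cannot predict, so the per-operation timing is a random variable that
    does not depend on m.
    """
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:          # r must be invertible mod n
            break
    r_inv = pow(r, -1, n)
    blinded = (m * pow(r, e, n)) % n
    blinded_sig = pow(blinded, d, n)
    return (blinded_sig * r_inv) % n


def blinding_is_transparent(messages=(0, 1, 42, 123456789, N - 1)) -> bool:
    """True if blinding never changes the result and every result verifies
    with the public key (s^e mod n == m)."""
    for m in messages:
        s = rsa_private_blinded(m)
        if s != rsa_private_plain(m) or pow(s, E, N) != m:
            return False
    return True


if __name__ == "__main__":
    print("blinding transparent:", blinding_is_transparent())
```

Because r is chosen afresh on each call, two calls with the same m feed different operands to the secret exponentiation while returning the same signature; that is the property the timing attack relies on being absent.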