Time-based cryptanalysis: How to defeat it?

Bill Stewart stewarts at ix.netcom.com
Mon Dec 11 19:35:32 PST 1995


At 10:56 PM 12/10/95 -0800, anonymous-remailer wrote:
>Assuming Alice is decrypting a secret message sent to her
>by Bob (on her very slow C64 ;), and Mallet is watching
>with a stopwatch in hand, hoping to determine Alice's secret
>key...

The modern equivalent of that very slow C64 is the smartcard/
electronic wallet.  Sounds like we'll have to implement them
very carefully....

>It would be good to place inside the decryption routines
>a timer (WELL PLACED!) that waits a random number of cycles
>(based on key-strokes, mouse position, etc.) to defeat this
>type of cryptanalysis?

The most interesting detail in the paper, to me, was:

PK> Computing optional Ri+1 calculations regardless of whether the exponent 
PK> bit is set does not work and can actually make the attack easier;
PK> the computations still diverge but attackers no longer have to identify
PK> the lack of a correlation for adjacent zero exponent bits. 

My immediate reaction to the description of the timing attack on 
Diffie-Hellman had, of course, been to do precisely that :-)
#--
#				Thanks;  Bill
# Bill Stewart, Freelance Information Architect, stewarts at ix.netcom.com
# Phone +1-510-247-0663 Pager/Voicemail 1-408-787-1281
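The following is an added example, not code from Bill Stewart's post or from the Kocher paper he quotes. It contrasts three modular-exponentiation loops by which of their operations depend on the secret exponent bits: the plain square-and-multiply, the "compute R_{i+1} anyway" variant the quoted paragraph warns against, and a Montgomery ladder that has no secret-dependent branch and discards no result. Function names, the operation trace returned alongside each result, and the sample values in the usage call are all constructed for illustration.

```python
# Added example (not from the original post): three modular-exponentiation
# loops, contrasted by which of their operations depend on exponent bits.
# The exponent plays the role of Alice's secret key; each function returns
# the result plus a trace of the operations it performed, in order.


def naive_square_multiply(base, exp, mod):
    """Left-to-right square-and-multiply with a key-dependent branch.
    The multiply appears in the trace only on 1-bits, so the number of
    multiplies equals the Hamming weight of exp."""
    r, trace = 1, []
    for bit in bin(exp)[2:]:
        r = (r * r) % mod
        trace.append("sq")
        if bit == "1":                      # branch on a secret bit
            r = (r * base) % mod
            trace.append("mul")
    return r, trace


def always_multiply(base, exp, mod):
    """The countermeasure the quoted paper rejects: compute R_{i+1} on every
    bit and keep it only when the bit is set. The operation sequence is now
    uniform, but the selection still follows the key, so every later
    squaring runs on key-dependent values: the computations still diverge."""
    r, trace = 1, []
    for bit in bin(exp)[2:]:
        r = (r * r) % mod
        t = (r * base) % mod                # computed whether or not bit is set
        trace += ["sq", "mul"]
        r = t if bit == "1" else r          # key-dependent selection remains
    return r, trace


def _cswap(swap, a, b):
    """Branchless conditional swap for non-negative Python ints: the mask is
    all ones when swap == 1 (Python's -1 has infinite sign extension) and
    zero when swap == 0, so no code path depends on the bit value."""
    mask = -swap
    diff = (a ^ b) & mask
    return a ^ diff, b ^ diff


def montgomery_ladder(base, exp, mod):
    """Montgomery ladder: exactly one multiply and one squaring per bit,
    no branch and no discarded result (invariant: r1 == r0 * base).
    This removes the branch-level leak; it does not by itself remove
    operand-dependent timing inside the modular multiply, which is why
    Kocher's paper also recommends blinding the operands."""
    r0, r1, trace = 1, base % mod, []
    for bit in bin(exp)[2:]:
        b = int(bit)
        r0, r1 = _cswap(b, r0, r1)          # pick which register gets squared
        r1 = (r0 * r1) % mod
        r0 = (r0 * r0) % mod
        trace += ["mul", "sq"]
        r0, r1 = _cswap(b, r0, r1)          # swap back; same work either way
    return r0, trace


def multiply_count(trace):
    """Number of multiplications in a trace; compare across exponents to see
    which variant's operation count tracks the key's Hamming weight."""
    return trace.count("mul")


if __name__ == "__main__":
    # Constructed sample values: a small modulus so the loops are easy to follow.
    base, mod = 7, 1_000_003
    for exp in (0b1011010, 0b1111111, 0b1000000):
        for fn in (naive_square_multiply, always_multiply, montgomery_ladder):
            r, trace = fn(base, exp, mod)
            assert r == pow(base, exp, mod)
            print(f"{fn.__name__:24s} exp={exp:07b} mults={multiply_count(trace)}")
```

Run as a script, the naive loop's multiply count changes with the number of 1-bits while the other two stay fixed at the bit length; the `always_multiply` trace looks identical to the ladder's, which is exactly why it is misleading as a defence: the leak moved from the operation sequence into the values flowing through it.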