Timing Cryptanalysis Attack

[Adam Shostack]

Armadillo Remailer wrote:

| >My gut & scribble-on-the-back-of-a-napkin feeling about this class of
| >attack is that it could be a problem for smartcards (almost certainly)
| 
| Is it a problem to create smartcards that do their calculations in
| fixed time? I'd guess it should be easier than on multi-purpose
| hardware.

	Not if the fixed time is in weeks.

	If you read the Crypto proceedings, you'll find a number of
papers on using an (untrusted) CPU, such as that in a cash machine, to
aid a smartcard.  This is because the CPUs in smartcards are very
slow.

	Maximchuck, at Bell Labs, has a protocol for Anonymous Credit
Cards which uses pre-chosen private keys between correspondants and a
set of remailers to anonymize credit card transactions with respsect
to a merchant. (The bank still knows who's buying how much, and I
think where.)  Anyway, he freely admits that the reason for private
key work is their cards couldn't handle the public key operations.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume