Blinding against Kocher's timing attacks

Hal hfinney at shell.portal.com
Wed Dec 13 08:10:22 PST 1995


From: ljo at ausys.se (Johansson Lars)
> Does anyone know whether David Chaum's patent on
> blind digital signatures extends to this application?

I don't think it would.  Chaum's blinding protocol has one major
difference: the blinding factor is applied by a different person than
the one doing the signing.  The purpose of the blinding is different,
too; in Chaum's case the idea is to end up with a signature which is
unknown to the signer, while with Kocher's "defensive blinding" the
signature (or decryption) is an ordinary RSA one, and the blinding is
just done internally by the signer to randomize the timing.

(I gather BTW that the idea of the blinding is for the server to have
pre-chosen a random r and pre-calculated r^d mod n, and then when he is
given c to decrypt he first does c*r mod n and then decrypts this, then
takes the result and divides by r^d.)

It's conceivable that Kocher's blinding would be a patentable technique
in itself, and not impossible that he has already applied for a patent
before publishing.  Probably he would have said so if that were his
intention, though.

Hal

"Blind defensively - watch out for the other guy..."
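Worked example of the defensive blinding Hal sketches above (added here; it is not code from the original post or from Kocher's paper). It uses a constructed toy RSA key built from two Mersenne primes so it runs offline; the variable names, the helper functions and the key values are all illustrative assumptions. `blinded_decrypt_rd` follows the post's description exactly (multiply the ciphertext by r, exponentiate, divide by a precomputed r^d); `blinded_decrypt_re` is the equivalent form from Kocher's paper (multiply by r^e, exponentiate, divide by r), included so the two can be checked against each other and against an unblinded decryption.

```python
# Added example, not from the original post: RSA "defensive blinding" so that
# the private exponentiation runs on a value the attacker cannot predict.
import secrets
from math import gcd

# Constructed toy key for illustration only (hypothetical values, far too small
# for real use). 2^31-1 and 2^61-1 are Mersenne primes; 65537 is coprime to phi.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)


def pick_blinding_factor(n):
    """Random r in [2, n-1] with gcd(r, n) == 1, so r and r^d are invertible mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def precompute_blinding(n, d):
    """Server-side precomputation: r, r^d mod n, and the inverse of r^d mod n.

    Hal's description has the signer precompute r^d; its inverse is what is
    actually needed to 'divide by r^d' in the final step.
    """
    r = pick_blinding_factor(n)
    r_d = pow(r, d, n)
    return r, r_d, pow(r_d, -1, n)


def blinded_decrypt_rd(c, n, d, r, r_d_inv):
    """Decrypt c as described in the post: (c*r)^d / r^d mod n."""
    blinded = (c * r) % n
    m_blinded = pow(blinded, d, n)      # = c^d * r^d mod n; timing depends on c*r, not c
    return (m_blinded * r_d_inv) % n


def blinded_decrypt_re(c, n, e, d, r):
    """Kocher's form: (c * r^e)^d / r mod n. Only r^e (public exponent) is precomputed."""
    blinded = (c * pow(r, e, n)) % n
    m_blinded = pow(blinded, d, n)      # = c^d * r mod n
    return (m_blinded * pow(r, -1, n)) % n


def plain_decrypt(c, n, d):
    """Unblinded reference: the operation whose timing Kocher's attack observes."""
    return pow(c, d, n)


def demo(m):
    """Encrypt m, decrypt it three ways, return the three results for comparison."""
    c = pow(m, E, N)
    r, _r_d, r_d_inv = precompute_blinding(N, D)
    return (
        plain_decrypt(c, N, D),
        blinded_decrypt_rd(c, N, D, r, r_d_inv),
        blinded_decrypt_re(c, N, E, D, r),
    )


if __name__ == "__main__":
    print(demo(123456789))
```

Both blinded paths return the same plaintext as the unblinded one; the difference is only that the modular exponentiation with d now runs on c*r (or c*r^e), which the attacker cannot correlate with the c they chose. In practice r must not be reused across many operations; Kocher's paper suggests refreshing the pair cheaply by squaring r and its inverse (or r^d) after each use rather than running a fresh private-key exponentiation every time.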
