
Re: Announce: Timing cryptanalysis of RSA, DH, DSS



The simplest way to defeat Kocher's timing attack is to ensure that the
cryptographic computations take an amount of time that does not depend on the
data being operated on.  For example, for RSA it suffices to ensure that
a modular multiplication always takes the same amount of time, independent of
the operands.

A second way to defeat Kocher's attack is to use blinding: you "blind" the
data beforehand, perform the cryptographic computation, and then unblind
afterwards.  For RSA, this is quite simple to do.  (The blinding and 
unblinding operations still need to take a fixed amount of time.) This doesn't
give a fixed overall computation time, but the computation time is then a
random variable that is independent of the operands.
-- 
==============================================================================
Ronald L. Rivest  617-253-5880  617-253-8682(Fax) rivest@theory.lcs.mit.edu
==============================================================================