Re: Announce: Timing cryptanalysis of RSA, DH, DSS
- To: ipsec@ans.net
- Subject: Re: Announce: Timing cryptanalysis of RSA, DH, DSS
- From: Ron Rivest <rivest@news2.acs.oakland.edu>
- Date: 11 Dec 1995 20:17:01 GMT
- Newsgroups: sci.crypt
- Organization: MIT Laboratory for Computer Science
- References: <pckDJEEzH.DJ3@netcom.com> <4agcf3$enr@ixnews2.ix.netcom.com>
The simplest way to defeat Kocher's timing attack is to ensure that the
cryptographic computations take an amount of time that does not depend on the
data being operated on. For example, for RSA it suffices to ensure that
a modular multiplication always takes the same amount of time, independent of
the operands.
A second way to defeat Kocher's attack is to use blinding: you "blind" the
data beforehand, perform the cryptographic computation, and then unblind
afterwards. For RSA, this is quite simple to do. (The blinding and
unblinding operations still need to take a fixed amount of time.) This doesn't
give a fixed overall computation time, but the computation time is then a
random variable that is independent of the operands.
--
==============================================================================
Ronald L. Rivest 617-253-5880 617-253-8682(Fax) rivest@theory.lcs.mit.edu
==============================================================================