Optimisation Considered Harmful

Victor Duchovni Victor.Duchovni at MorganStanley.com
Fri Jun 24 08:54:35 EDT 2005


On Fri, Jun 24, 2005 at 10:00:55AM +0100, Ben Laurie wrote:

> >	- Find reasonably efficient masking strategies, that assume
> >	that side-channel attacks are here to stay, and randomly choose
> >	one of many isomorphic ways to perform the computation. The
> >	masking would have to eliminate key/data correlation from all
> >	"observables" other than the final output.
> 
> If it does that, why do you want to choose one of many? Surely a single 
> one will do?
> 

The idea is that each choice leaks side-channel information about its
algorithm, but the attacker does not know which one was chosen. And,
repeated observations do not on average (over all algorithms) show
correlation between the key or data and side-channel information (other
than the final output). Is this possible? There is a paper that claims
no correlation with any single intermediate result, is that strong
enough?

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

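As an added illustration (this is not code from the original post, nor from the paper it alludes to), the simulation below treats one concrete instance of the "randomly choose one of many isomorphic ways" idea: first-order Boolean masking of an XOR, where a fresh random mask selects which of 256 equivalent share representations of the intermediate is used. It shows that the leakage of any single masked intermediate carries no correlation with the key, while combining the leakages of two intermediates (a second-order attack) restores it, which is the distinction the closing question turns on. The leakage model (Hamming weight plus Gaussian noise), the key, the noise level, the trace count and the function names are all assumptions of this example.

```python
"""Toy first-/second-order side-channel simulation for a masked XOR.

Added example, not from the original mailing-list post. Boolean masking
is used here as one instance of "randomly pick an isomorphic computation":
a fresh mask m selects which of 256 equivalent share pairs (v ^ m, m)
represents the intermediate v = key ^ p. The Hamming-weight-plus-noise
leakage model, noise level and trace counts are assumptions.
"""
import math
import random

HW = [bin(i).count("1") for i in range(256)]   # Hamming-weight table
NBITS = 8


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def leak(value, rng, noise_sd):
    """Observable for one intermediate: Hamming weight plus Gaussian noise."""
    return HW[value] + rng.gauss(0.0, noise_sd)


def collect(key, n, masked, noise_sd=0.5, seed=1):
    """Simulate n runs of v = key ^ p with random p. Returns (plaintexts, traces).

    Unmasked: one observable per run, the leakage of v itself.
    Masked:   a fresh mask m picks a random isomorphic representation;
              the observables are the leakages of m and of v ^ m, and
              v itself never exists in the clear.
    """
    rng = random.Random(seed)
    pts, traces = [], []
    for _ in range(n):
        p = rng.randrange(256)
        v = key ^ p
        if masked:
            m = rng.randrange(256)
            obs = (leak(m, rng, noise_sd), leak(v ^ m, rng, noise_sd))
        else:
            obs = (leak(v, rng, noise_sd),)
        pts.append(p)
        traces.append(obs)
    return pts, traces


def first_order_attack(pts, traces, idx=-1):
    """CPA on one observable: correlate HW(guess ^ p) with trace[idx].

    Returns (correlation, guess) pairs sorted best first.
    """
    obs = [t[idx] for t in traces]
    scores = []
    for g in range(256):
        pred = [HW[g ^ p] for p in pts]
        scores.append((pearson(pred, obs), g))
    return sorted(scores, reverse=True)


def second_order_attack(pts, traces):
    """Combine the two share leakages, then correlate.

    Centring both observables on NBITS/2, the product of the centred
    mask leakage and the centred masked-value leakage has expectation
    NBITS/4 - HW(v)/2 for a uniform mask, so that is the model used.
    """
    comb = [(a - NBITS / 2) * (b - NBITS / 2) for a, b in traces]
    scores = []
    for g in range(256):
        pred = [NBITS / 4 - HW[g ^ p] / 2 for p in pts]
        scores.append((pearson(pred, comb), g))
    return sorted(scores, reverse=True)


def demo(key=0x5A, n=10000):
    """Run the three experiments and report what each attack recovers."""
    pts, tr = collect(key, n, masked=False)
    r_unmasked = first_order_attack(pts, tr)
    pts, tr = collect(key, n, masked=True)
    r_masked_1st = first_order_attack(pts, tr, idx=1)   # masked value only
    r_masked_2nd = second_order_attack(pts, tr)
    corr_true = next(c for c, g in r_masked_1st if g == key)
    return {
        "unmasked_first_order_best_guess": r_unmasked[0][1],
        "masked_first_order_best_guess": r_masked_1st[0][1],
        "masked_first_order_corr_for_true_key": corr_true,
        "masked_second_order_best_guess": r_masked_2nd[0][1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With these parameters the unmasked first-order attack and the masked second-order attack both rank the true key first, while the first-order correlation for the true key on the masked trace is indistinguishable from zero. Raising the noise level or adding a third share pushes the required trace count up sharply, which is what masking buys in practice.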
---------------------------------------------------------------------
The Cryptography Mailing List