timing attack countermeasures (nonrandom but unpredictable delays)
leichter_jerrold at emc.com
Tue Nov 22 07:05:04 EST 2005
| > Why do you need to separate f from f+d? The attack is based on a timing
| > variation that is a function of k and x, that's all. Think of it this way:
| > Your implementation with the new d(k,x) added in is indistinguishable, in
| > externally visible behavior, from a *different* implementation f'(k,x)
| > which has the undesired property: That the time is a function of the
| > inputs.
|
| Suppose that the total computation time was equal to a one way
| function of the inputs k and x. How does he go about obtaining k?
Why would it matter? None of the attacks depend on inverting f in any
analytical sense. They depend on making observations. The assumption is not
that f is invertible, it's that it's continuous in some rough sense.
| It is not enough that it is a function, it must be a function that can
| leak k given x and f(k,x) with an efficiency greater than a
| brute-force of the input space of k (because, presumably, f and the
| output are known to an attacker, so he could simply search for k that
| gives the correct value(s)).
Well, yes ... but the point is to characterize such functions in some useful
way other than "they don't leak". I suppose if d(k,x) were to be computed
as D(SHA1(k | x)) for some function D, timing information would be lost
(assuming that your computation of SHA1 didn't leak!); but that's a very
expensive way to do things: SHA1 isn't all that much cheaper to compute than
an actual encryption.
| In reality, the time it takes to compute the crypto function is just
| another output to the attacker, and should have the same properties
| that any other output has with respect to the inputs one wishes to
| keep secret. It does not have to be constant.
Agreed. The problem is to (a) characterize those properties; (b) attain them
at acceptable cost.
-- Jerry
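The argument in the message above (that the attacks need only "rough continuity" of the timing in the inputs, not invertibility, and that a delay d(k,x) = D(SHA1(k | x)) would destroy that continuity) can be seen in a small simulation. The following is an added example, not code from the original thread or from any of the participants. It replaces wall-clock measurement with a cost model (one unit per byte examined, plus one unit for the full-match return path) so the run is deterministic; the 8-byte key SECRET, the delay range MAX_DELAY and the choice of D (the first two bytes of the digest reduced mod MAX_DELAY) are constructed for the example, and the SHA-1 used to derive the delay is assumed, as in the message, not to leak itself.

```python
"""Cost-model simulation of a timing attack on an early-exit compare,
with and without a data-dependent but unpredictable delay d(k, x).

Added example, not from the original thread. 'Time' is a unit count from
a cost model, not a measurement, so every run is deterministic.
"""
import hashlib

SECRET = bytes.fromhex("5ea7c0dec0ffee42")   # constructed 8-byte key k (assumption)
MAX_DELAY = 64                               # range of the added delay d(k, x) (assumption)


def leaky_compare(k: bytes, x: bytes) -> int:
    """f(k, x): early-exit byte compare. Cost = bytes examined before the
    first mismatch, so it grows with the length of the correct prefix."""
    cost = 0
    for a, b in zip(k, x):
        cost += 1
        if a != b:
            return cost
    return cost + 1          # full match takes the (slightly longer) success path


def constant_time_compare(k: bytes, x: bytes) -> int:
    """Examines every byte regardless of content: cost depends only on length.
    The boolean result (diff == 0) is not part of the timing model."""
    diff = 0
    for a, b in zip(k, x):
        diff |= a ^ b
    return len(k)


def unpredictable_delay(k: bytes, x: bytes) -> int:
    """d(k, x) = D(SHA1(k | x)): deterministic in (k, x), but with no rough
    continuity in x, so neighbouring guesses get unrelated delays.
    Assumes the SHA-1 computation itself does not leak."""
    h = hashlib.sha1(k + x).digest()
    return int.from_bytes(h[:2], "big") % MAX_DELAY


def padded_compare(k: bytes, x: bytes) -> int:
    """f(k, x) + d(k, x): the externally visible cost of the countermeasure.
    Still a function of the inputs, just not a smooth one."""
    return leaky_compare(k, x) + unpredictable_delay(k, x)


def recover_key(cost_fn, k: bytes) -> bytes:
    """Attacker with a timing oracle but no view of k: extend the guess one
    byte at a time, keeping the byte that maximises the observed cost.
    Succeeds only if cost is a (roughly) monotone function of prefix match."""
    n = len(k)
    known = b""
    for pos in range(n):
        tail = bytes(n - pos - 1)
        best = max(range(256),
                   key=lambda b: cost_fn(k, known + bytes([b]) + tail))
        known += bytes([best])
    return known


def attack_outcomes() -> dict:
    """Run the same attacker against the three cost models."""
    return {name: recover_key(fn, SECRET) == SECRET
            for name, fn in (("leaky", leaky_compare),
                             ("leaky_plus_hashed_delay", padded_compare),
                             ("constant_time", constant_time_compare))}


def cost_is_input_dependent(cost_fn, k: bytes) -> bool:
    """The thread's framing: is running time 'another output' that varies
    with the inputs at all? True for both leaky variants, even the padded one."""
    costs = {cost_fn(k, bytes([i]) + bytes(len(k) - 1)) for i in range(256)}
    return len(costs) > 1


if __name__ == "__main__":
    for name, ok in attack_outcomes().items():
        print(f"{name:26s} key recovered: {ok}")
    print("padded cost varies with x:",
          cost_is_input_dependent(padded_compare, SECRET))
    print("constant-time cost varies with x:",
          cost_is_input_dependent(constant_time_compare, SECRET))
```

The byte-at-a-time search recovers the key from the plain early-exit compare, fails against the constant-time compare (every cost is identical), and also fails against the hashed-delay version even though that version's cost still varies with x. That last case is the point of the exchange: the padded implementation is indistinguishable from some other input-dependent f'(k,x), yet it does not leak to this attacker, because the delay removes the continuity the search depends on. Note also that, unlike random jitter, a deterministic d(k,x) cannot be averaged away by repeating the query, which is what "nonrandom but unpredictable" in the subject line is getting at.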
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com