Ben Laurie ben at
Tue Jan 3 17:10:50 EST 2006

Jack Lloyd wrote:
> Some relevant and recent data: in some tests I ran this weekend (GMP 4.1.2,
> OpenSSL 0.9.8a, Athlon/gcc/Linux) RSA operations using GMP were somewhat faster
> than ones using OpenSSL even when blinding was used with both (typical
> performance boost was 15-20%).
> I'm assume "both of which are needed" should have been "at least one of which
> is needed"? AFAIK blinding alone can protect against all (publicly known)
> timing attacks; am I wrong about this?

Yes, you are - there's the cache attack, which requires the attacker to
have an account on the same machine. I guess I shouldn't have called it
constant time, since its really constant memory access that defends
against this.

Incidentally, I think the main component of the difference on Athlon,
like many other platforms, is simply a question of which library has
hand-optimised assembler for the platform. That is, it tells us little
about architectural differences and plenty about whether anyone has been
bothered to optimise for that particular platform recently.




"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list