[Cryptography] Defeating timing attacks
Benjamin Kreuter
brk7bx at virginia.edu
Fri Jul 14 19:07:24 EDT 2017
On Fri, 2017-07-14 at 09:21 -0700, Henry Baker wrote:
> [Follow-up on attackers always win.]
>
> Consider the following theoretical exercise:
>
> Suppose that a computer's instruction set was *purposely designed* to
> leak as much secret information through a timing side-channel as
> possible. E.g., *asynchronous logic* from the 1960's/1970's might
> qualify, as the timing of essentially every operation is data-
> dependent!
>
> Is there any way for a *compiler* to generate code to generate enough
> deliberate jitter to mask the leaked information?
>
> What if the compiler had additional "instructions" which simply
> generated randomly selected delays? What kinds of probability
> distribution functions could be useful to perform such masking?
If we are allowed to assume special non-leaky instructions then we can
do better. Give us an instruction that computes the AES function
without leaking anything, and we can use it to generate a garbled
circuit (which necessarily leaks nothing during its evaluation
regardless of what sort of CPU is evaluating it). This assumes a CPU
architecture where explicit load/store instructions are not required or
where load/store instructions are also not leaky.
-- Ben
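To make the reply's point concrete, here is a toy garbled AND gate with point-and-permute, written as an added example for this archive (it is not code from Ben's message or from any project). The leak-free AES instruction the reply assumes is replaced here by HMAC-SHA256 over the two input labels, which is an assumption of this example, not a claim about the real construction. The thing to notice is in `evaluate_and`: whatever the true input bits are, the evaluator does one table lookup selected by uniformly random select bits, one PRF call and one XOR, so the instruction stream and memory access pattern are the same for all four inputs and there is no data-dependent timing to mask.

```python
"""Toy garbled AND gate (point-and-permute) showing a data-independent evaluation.

Added example: the PRF is HMAC-SHA256 standing in for a leak-free AES
instruction (assumption). Labels and permute bits are fresh per garbling.
"""
import hashlib
import hmac
import secrets

LABEL_LEN = 16
PRF_CALLS = 0  # counts how many PRF evaluations the evaluator performs


def prf(label_a: bytes, label_b: bytes) -> bytes:
    """Keyed PRF on the two input labels; stand-in for the AES instruction."""
    global PRF_CALLS
    PRF_CALLS += 1
    return hmac.new(label_a + label_b, b"garbled-and", hashlib.sha256).digest()[:LABEL_LEN]


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


class Wire:
    """A wire has two random labels (one per bit value) and a random permute bit."""

    def __init__(self) -> None:
        self.labels = (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))
        self.perm = secrets.randbits(1)

    def label(self, value: int):
        # The select bit value ^ perm is what the evaluator sees; it is uniform
        # and independent of `value` because perm is a fresh random bit.
        return self.labels[value], value ^ self.perm


def garble_and(a: Wire, b: Wire, out: Wire) -> list:
    """Garbler side: four ciphertexts, stored at rows indexed by select bits."""
    table = [b""] * 4
    for va in (0, 1):
        for vb in (0, 1):
            la, sa = a.label(va)
            lb, sb = b.label(vb)
            lo, _ = out.label(va & vb)
            table[2 * sa + sb] = xor(prf(la, lb), lo)
    return table


def evaluate_and(table: list, a_in, b_in) -> bytes:
    """Evaluator side: identical work for every input (one lookup, one PRF, one XOR)."""
    (la, sa), (lb, sb) = a_in, b_in
    return xor(table[2 * sa + sb], prf(la, lb))


def decode(out: Wire, label: bytes) -> int:
    """Garbler maps the output label back to a bit (the evaluator cannot)."""
    for v in (0, 1):
        if hmac.compare_digest(out.labels[v], label):
            return v
    raise ValueError("label does not belong to this wire")


def run_demo() -> dict:
    """Garble once, evaluate all four inputs; return {(a, b): (result, prf_calls)}."""
    global PRF_CALLS
    wa, wb, wo = Wire(), Wire(), Wire()
    table = garble_and(wa, wb, wo)
    results = {}
    for va in (0, 1):
        for vb in (0, 1):
            PRF_CALLS = 0
            out_label = evaluate_and(table, wa.label(va), wb.label(vb))
            results[(va, vb)] = (decode(wo, out_label), PRF_CALLS)
    return results


if __name__ == "__main__":
    for (va, vb), (res, calls) in run_demo().items():
        print(f"AND({va},{vb}) = {res}, PRF calls during evaluation: {calls}")
```

Extending this to a whole circuit only repeats the gate: each evaluated gate costs the same fixed sequence of operations, which is the property the reply relies on when it says the evaluation leaks nothing regardless of the CPU.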