[Cryptography] Defeating timing attacks

Benjamin Kreuter brk7bx at virginia.edu
Fri Jul 14 19:07:24 EDT 2017


On Fri, 2017-07-14 at 09:21 -0700, Henry Baker wrote:
> [Follow-up on attackers always win.]
> 
> Consider the following theoretical exercise:
> 
> Suppose that a computer's instruction set was *purposely designed* to
> leak as much secret information through a timing side-channel as
> possible.  E.g., *asynchronous logic* from the 1960's/1970's might
> qualify, as the timing of essentially every operation is data-
> dependent!
> 
> Is there any way for a *compiler* to generate code to generate enough
> deliberate jitter to mask the leaked information?
> 
> What if the compiler had additional "instructions" which simply
> generated randomly selected delays?  What kinds of probability
> distribution functions could be useful to perform such masking?

If we are allowed to assume special non-leaky instructions then we can
do better.  Give us an instruction that computes the AES function
without leaking anything, and we can use it to generate a garbled
circuit (which necessarily leaks nothing during its evaluation
regardless of what sort of CPU is evaluating it).  This assumes a CPU
architecture where explicit load/store instructions are not required or
where load/store instructions are also not leaky.

-- Ben
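The garbled-circuit construction Ben refers to, as an added example that is not part of his message or of any library: a toy Yao garbled circuit with point-and-permute, garbled and evaluated in Python. The post's hypothetical non-leaky AES instruction is stood in for by SHA-256 (the Python standard library has no AES; that substitution is an assumption here), and the circuit, a 2-bit unsigned comparison x > y, is constructed for the example. What it shows is the property Ben relies on: the evaluator does exactly one table lookup, one PRF call and one XOR per gate, in the same order, whatever the inputs are, so the only data-dependent operation left is the lookup indexed by the select bits, which is precisely why his caveat about load/store instructions matters.

```python
"""Toy Yao garbled circuit (point-and-permute). Added example, not from the post.
SHA-256 stands in for the post's hypothetical non-leaky AES instruction
(assumption: stdlib has no AES). Circuit and inputs are constructed here."""
import hashlib
import os

LABEL_BYTES = 16

# Each gate: (truth_table, in_a, in_b, out); truth_table[(a << 1) | b] is f(a, b).
# Constructed sample circuit: 2-bit unsigned x > y with input wires
# 0=x1, 1=x0, 2=y1, 3=y0 and output wire 8.
COMPARATOR = [
    ((0, 0, 1, 0), 0, 2, 4),  # gt1 = x1 AND NOT y1
    ((1, 0, 0, 1), 0, 2, 5),  # eq1 = x1 XNOR y1
    ((0, 0, 1, 0), 1, 3, 6),  # gt0 = x0 AND NOT y0
    ((0, 0, 0, 1), 5, 6, 7),  # t   = eq1 AND gt0
    ((0, 1, 1, 1), 4, 7, 8),  # out = gt1 OR t
]
NUM_WIRES = 9
INPUT_WIRES = [0, 1, 2, 3]
OUTPUT_WIRE = 8


class PRF:
    """Stand-in for the non-leaky AES instruction. Counts calls so that the
    evaluator's work can be shown to be independent of the inputs."""
    calls = 0

    @staticmethod
    def eval(label_a, label_b, gate_id):
        PRF.calls += 1
        data = label_a + label_b + gate_id.to_bytes(4, "big")
        return hashlib.sha256(data).digest()[:LABEL_BYTES]


def select_bit(label):
    """Point-and-permute select bit: lowest bit of the last label byte."""
    return label[-1] & 1


def new_label(sel):
    """Random wire label carrying the given select bit."""
    lab = bytearray(os.urandom(LABEL_BYTES))
    lab[-1] = (lab[-1] & 0xFE) | sel
    return bytes(lab)


def garble(circuit, num_wires):
    """Garbler side: returns (wire_labels, garbled_tables, permute_bits)."""
    perm = [os.urandom(1)[0] & 1 for _ in range(num_wires)]  # secret per-wire permute bit
    # labels[w][v] encodes value v on wire w; its select bit is v XOR perm[w],
    # so the select bit alone reveals nothing about v.
    labels = [(new_label(perm[w]), new_label(perm[w] ^ 1)) for w in range(num_wires)]
    tables = []
    for gate_id, (tt, a, b, c) in enumerate(circuit):
        row = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                la, lb = labels[a][va], labels[b][vb]
                lc = labels[c][tt[(va << 1) | vb]]
                pad = PRF.eval(la, lb, gate_id)
                ct = bytes(x ^ y for x, y in zip(pad, lc))
                # Store the row at the index the evaluator's select bits will form.
                row[(select_bit(la) << 1) | select_bit(lb)] = ct
        tables.append(row)
    return labels, tables, perm


def evaluate(circuit, tables, input_labels, output_wire):
    """Evaluator side: one lookup, one PRF call and one XOR per gate, in a
    fixed order, whatever values the labels encode."""
    wire = dict(input_labels)
    for gate_id, (_tt, a, b, c) in enumerate(circuit):
        la, lb = wire[a], wire[b]
        ct = tables[gate_id][(select_bit(la) << 1) | select_bit(lb)]
        pad = PRF.eval(la, lb, gate_id)
        wire[c] = bytes(x ^ y for x, y in zip(pad, ct))
    return wire[output_wire]


def run_comparator(x, y):
    """Garble, evaluate on (x, y), decode; returns (x > y as 0/1, evaluator PRF calls)."""
    labels, tables, perm = garble(COMPARATOR, NUM_WIRES)
    bits = [(x >> 1) & 1, x & 1, (y >> 1) & 1, y & 1]
    inputs = [(w, labels[w][bits[i]]) for i, w in enumerate(INPUT_WIRES)]
    before = PRF.calls
    out_label = evaluate(COMPARATOR, tables, inputs, OUTPUT_WIRE)
    calls = PRF.calls - before
    return select_bit(out_label) ^ perm[OUTPUT_WIRE], calls


if __name__ == "__main__":
    for x in range(4):
        for y in range(4):
            result, n = run_comparator(x, y)
            assert result == int(x > y) and n == len(COMPARATOR)
    print("all 16 inputs correct; evaluator PRF calls per run:", len(COMPARATOR))
```

The garbler's side is the expensive part (four PRF calls per gate), but it runs on the party that already knows the circuit and its own labels; the evaluator's loop is what would run on the "maximally leaky" CPU of the thought experiment, and it performs the same instruction sequence for every input. The remaining data-dependent step is the `tables[gate_id][...]` index, a load whose address depends on the select bits, which is the load/store caveat at the end of the message.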