[Cryptography] Defeating timing attacks
Benjamin Kreuter
brk7bx at virginia.edu
Sun Jul 16 06:01:18 EDT 2017
On Sat, 2017-07-15 at 06:11 -0700, Henry Baker wrote:
> At 04:07 PM 7/14/2017, Benjamin Kreuter wrote:
> > If we are allowed to assume special non-leaky instructions then we can
> > do better. Give us an instruction that computes the AES function
> > without leaking anything, and we can use it to generate a garbled
> > circuit (which necessarily leaks nothing during its evaluation
> > regardless of what sort of CPU is evaluating it). This assumes a CPU
> > architecture where explicit load/store instructions are not required or
> > where load/store instructions are also not leaky.
>
> What kind of a slowdown are we talking about here?
>
> 1X, 10X, 100X, 1000X ?
Maybe more, but this was a theoretical exercise so I gave a theoretical
answer ;)
-- Ben