[3696] in cryptography@c2.net mail archive
Re: Is a serial cable as good as thin air?
daemon@ATHENA.MIT.EDU (Adam Back)
Thu Dec 3 19:33:51 1998
Date: Thu, 3 Dec 1998 23:35:24 GMT
From: Adam Back <aba@dcs.ex.ac.uk>
To: drc@adni.net
CC: cryptography@c2.net
In-reply-to: <Pine.LNX.4.05.9812031432190.4256-100000@darwin.adni.net> (drc@adni.net)
David Conrad writes:
> On Wed, 2 Dec 1998, Dianelos Georgoudis wrote:
> > I will include a random delay to invalidate timing attacks.
>
> The right solution is to ensure that all encryptions, decryptions,
> signings, or signature verifications take the same amount of time.
> (The maximum, worst case time.)
For RSA there is also the approach of using blinding which Ron Rivest
proposed.
> Of course, this applies (as I understand it; see parenthetical disclaimer
> above) only to public key operations.
John Kelsey found a timing attack on IDEA also, so not necessarily.
Probably you are correct for most block ciphers but IDEA includes mod
65537 code encoded in 16-bit shorts by using the 0 value to represent
65536, which typically involves tests for values which need special
treatment. Here's the relevant bit out of pgp2.x:
/* Types and macro as used in pgp2.x (idea.c); supplied here so the
   snippet compiles on its own. */
typedef unsigned short uint16;
typedef unsigned long word32;
#define low16(x) ((x) & 0xFFFF)

/* Multiplication mod 65537, with 0 standing for 65536.  Note the
   data-dependent branches on p == 0 and a == 0. */
static uint16 mul(register uint16 a, register uint16 b)
{
    register word32 p;

    p = (word32) a * b;
    if (p) {
        b = low16(p);
        a = p >> 16;
        return (b - a) + (b < a);   /* p mod 65537, since 2^16 == -1 */
    } else if (a) {
        return 1 - a;               /* b was 0, i.e. 65536 == -1: result is -a */
    } else {
        return 1 - b;               /* a was 0: result is -b, or 1 when both are 0 */
    }
} /* mul */
There was some discussion of approaches to coding a constant time
multiplication mod 65537 function on sci.crypt around October 96.
Adam
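The branch-free multiplication mod 65537 that the message refers to, written out as an added example. This is editorial code, not from the thread, from pgp2.x or from the sci.crypt discussion; the function names mul_oracle, mul_branchy, mul_ct and check_all are this example's own. It keeps IDEA's convention that 0 stands for 65536 on both input and output, decodes that representation with a borrow trick instead of a test, reduces the 33-bit product using 2^16 == -1 (mod 65537) without a conditional, and cross-checks itself against a slow modulo oracle and a branching version in the style of the pgp2.x mul() quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Oracle: the mathematical definition, 0 standing for 65536 on both
   input and output.  Slow (64-bit modulo) but obviously correct. */
static uint16_t mul_oracle(uint16_t a, uint16_t b)
{
    uint64_t x = a ? a : 65536u;
    uint64_t y = b ? b : 65536u;
    return (uint16_t)((x * y) % 65537u);   /* 65536 truncates to 0 */
}

/* Branching version in the style of the pgp2.x mul() quoted above. */
static uint16_t mul_branchy(uint16_t a, uint16_t b)
{
    uint32_t p = (uint32_t)a * b;
    if (p) {
        uint16_t lo = (uint16_t)p, hi = (uint16_t)(p >> 16);
        return (uint16_t)((lo - hi) + (lo < hi));
    } else if (a) {
        return (uint16_t)(1 - a);
    } else {
        return (uint16_t)(1 - b);
    }
}

/* Branch-free version.  Every step is a fixed sequence of arithmetic
   and logical operations; no test on a, b or the product selects a
   code path at the C level. */
static uint16_t mul_ct(uint16_t a, uint16_t b)
{
    /* az/bz are 1 exactly when a/b is 0, computed by borrow rather than
       by a compare: (0 - 1) wraps to 0xFFFFFFFF, anything else stays
       below 2^16, so bit 31 is the "is zero" flag. */
    uint32_t az = ((uint32_t)a - 1u) >> 31;
    uint32_t bz = ((uint32_t)b - 1u) >> 31;

    /* Undo the 0 -> 65536 encoding: x, y are now in [1, 65536]. */
    uint32_t x = (uint32_t)a + (az << 16);
    uint32_t y = (uint32_t)b + (bz << 16);

    /* The product is in [1, 2^32], so it needs 64 bits. */
    uint64_t p = (uint64_t)x * y;
    uint32_t lo = (uint32_t)(p & 0xFFFFu);   /* [0, 65535] */
    uint32_t hi = (uint32_t)(p >> 16);       /* [0, 65536] */

    /* 2^16 == -1 (mod 65537), so p == lo - hi.  lo - hi lies in
       [-65536, 65535]; a negative value wraps and sets bit 31, which
       becomes the borrow that adds 65537 back. */
    uint32_t d = lo - hi;
    uint32_t borrow = d >> 31;
    uint32_t r = d + borrow * 65537u;        /* now in [1, 65536] */

    return (uint16_t)r;                      /* 65536 -> 0 again */
}

/* Cross-check all three functions on every 16-bit value against a set
   of edge-case partners, in both operand orders.  Returns the number of
   disagreements; 0 means the branch-free version matches the oracle. */
static unsigned long check_all(void)
{
    static const uint16_t edge[] = {0, 1, 2, 255, 256, 257, 32767, 32768, 65535};
    unsigned long bad = 0;
    for (uint32_t i = 0; i < 65536u; i++) {
        for (size_t j = 0; j < sizeof edge / sizeof edge[0]; j++) {
            uint16_t a = (uint16_t)i, b = edge[j];
            uint16_t want = mul_oracle(a, b);
            if (mul_ct(a, b) != want || mul_branchy(a, b) != want) bad++;
            want = mul_oracle(b, a);
            if (mul_ct(b, a) != want || mul_branchy(b, a) != want) bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("mul_ct(0, 0) = %u  (65536 * 65536 mod 65537 = 1)\n", mul_ct(0, 0));
    printf("mul_ct(0, 2) = %u  (-2 mod 65537 = 65535)\n", mul_ct(0, 2));
    printf("disagreements with oracle: %lu\n", check_all());
    return check_all() != 0;
}
```

Two caveats a practitioner would check before relying on this. First, "no branch in the C source" is not "no branch in the binary": a compiler is free to turn the borrow arithmetic back into a compare-and-branch, so the generated assembly for mul_ct needs to be inspected on each target. Second, the multiply itself is only constant-time if the CPU's multiplier is; some small or old cores have operand-dependent multiply latency, in which case the data-dependent timing survives regardless of how the reduction is coded.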