David Conrad writes:
> On Wed, 2 Dec 1998, Dianelos Georgoudis wrote:
> > I will include a random delay to invalidate timing attacks.
>
> The right solution is to ensure that all encryptions, decryptions,
> signings, or signature verifications take the same amount of time.
> (The maximum, worst case time.)
For RSA there is also the approach of using blinding which Ron Rivest
proposed.
> Of course, this applies (as I understand it; see parenthetical disclaimer
> above) only to public key operations.
John Kelsey found a timing attack on IDEA also, so not necessarily.
Probably you are correct for most block ciphers but IDEA includes mod
65537 code encoded in 16-bit shorts by using the 0 value to represent
65536, which typically involves tests for values which need special
treatment. Here's the relevant bit out of pgp2.x:
/* typedefs and low16() added so the fragment compiles on its own */
typedef unsigned short uint16;
typedef unsigned long  word32;
#define low16(x) ((x) & 0xFFFF)

/* IDEA multiplication mod 65537, with 0 standing for 65536.
 * Note the data-dependent branches on p, a and b. */
static uint16 mul(register uint16 a, register uint16 b)
{
    register word32 p;

    p = (word32) a * b;
    if (p) {
        b = low16(p);                 /* p mod 65536 */
        a = p >> 16;                  /* p div 65536 */
        return (b - a) + (b < a);     /* 65536 == -1 (mod 65537) */
    } else if (a) {
        return 1 - a;                 /* b was 0, i.e. 65536 == -1 */
    } else {
        return 1 - b;                 /* a was 0 (both 0: 65536*65536 == 1) */
    }
} /* mul */
There was some discussion of approaches to coding a constant-time
multiplication mod 65537 function on sci.crypt around October 96.
Adam
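As an added illustration of the point above (this is not code from pgp2.x, from the sci.crypt thread, or from the author of the message), here is one way to write the same multiplication mod 65537 with no data-dependent branches: the 0-means-65536 convention is applied arithmetically, the product is taken in 64 bits, and the conditional "+ 65537" is done with a mask. A reference version using a plain modulo and a self-check routine are included so the two can be compared; the function names, the edge-value table and the LCG seed are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* IDEA multiplication mod 65537, 0 standing for 65536, with no
 * data-dependent branches. Added example, not the pgp2.x code. */
uint16_t idea_mul_ct(uint16_t a, uint16_t b)
{
    /* Map the 0 representation to 65536 without a branch:
     * (x - 1) & 0x10000 is 0x10000 exactly when x == 0. */
    uint32_t x = (uint32_t)a | (((uint32_t)a - 1) & 0x10000u);
    uint32_t y = (uint32_t)b | (((uint32_t)b - 1) & 0x10000u);

    /* The product needs 33 bits: 65536 * 65536 == 2^32. */
    uint64_t p = (uint64_t)x * y;
    uint32_t lo = (uint32_t)(p & 0xFFFFu);
    uint32_t hi = (uint32_t)(p >> 16);        /* at most 65536 */

    /* Since 65536 == -1 (mod 65537), p == lo - hi (mod 65537).
     * lo - hi lies in [-65536, 65535]; if it is negative, add 65537.
     * mask is all-ones exactly when the unsigned subtraction wrapped. */
    uint32_t r = lo - hi;
    uint32_t mask = 0u - (r >> 31);
    r += mask & 65537u;

    /* r is now in [0, 65536]; truncation maps 65536 back to 0. */
    return (uint16_t)r;
}

/* Reference: the same function computed with a plain modulo. */
uint16_t idea_mul_ref(uint16_t a, uint16_t b)
{
    uint64_t x = a ? a : 65536, y = b ? b : 65536;
    return (uint16_t)((x * y) % 65537);
}

/* Compare the two over the edge values and a pseudo-random sample.
 * Returns 1 if every pair agrees, 0 otherwise. */
int idea_mul_selfcheck(void)
{
    static const uint16_t edge[] =
        { 0, 1, 2, 3, 0x7FFF, 0x8000, 0x8001, 0xFFFE, 0xFFFF };
    int n = (int)(sizeof edge / sizeof edge[0]);
    uint32_t s = 12345u;                      /* LCG seed, constructed */

    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++)
            if (idea_mul_ct(edge[i], edge[j]) != idea_mul_ref(edge[i], edge[j]))
                return 0;

    for (int k = 0; k < 200000; k++) {
        s = s * 1664525u + 1013904223u;
        uint16_t a = (uint16_t)(s >> 16);
        s = s * 1664525u + 1013904223u;
        uint16_t b = (uint16_t)(s >> 16);
        if (idea_mul_ct(a, b) != idea_mul_ref(a, b))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("selfcheck: %s\n", idea_mul_selfcheck() ? "ok" : "MISMATCH");
    printf("0*0 = %u, 5*0 = %u, 65535*65535 = %u\n",
           idea_mul_ct(0, 0), idea_mul_ct(5, 0), idea_mul_ct(65535, 65535));
    return 0;
}
```

Two caveats a practitioner would want: branch-freedom at the C level is not a guarantee at the machine level, since a compiler is free to turn the `mask & 65537u` idiom back into a conditional jump (check the generated assembly on the target), and on processors whose multiplier terminates early for small operands the multiply instruction itself takes a data-dependent number of cycles, which no amount of rewriting around it will hide.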