Good points all. I was implicitly assuming that d(k, x) is related to the timing of f(k,x) -- tailored to the algorithm(s) used, and that the attacker cannot control k. Actually the idea was to have k merely provide a unique function d_k(x) for each host.
> The only way to avoid this is to make d(k,x) somehow related to
> f(k,x). That's the idea behind things like having software or
> hardware go through both the 0 and 1 case for each bit processed in an
> exponent. In that case, we get d(k,x) being fast when f(k,x) is slow,
> and vice versa, and we close the timing channel.

Interestingly, I read a book that says that there's no reason a computer which performs only reversible operations needs to dissipate heat. Basically, destroying information requires generating heat, but actual computation does not.

I can't quite place my finger on it, but something in my head says this is related to doing operations on both inputs and their complements. Or more accurately, it involves having as many output bits as input bits. I wonder if there is any more significant relationship.

Wouldn't it be neat if the same countermeasure could prevent both timing and power consumption side-channel attacks?

-- 
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
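As an added example (not code from the thread) of the countermeasure the quoted paragraph describes, doing the work for both the 0 and 1 case of each exponent bit: a plain square-and-multiply whose multiplication count follows the exponent's 1 bits, beside a Montgomery ladder that performs one squaring and one multiplication per bit whatever the bit is. Multiplications are counted rather than timed, and Python's big integers are not themselves constant-time, so what is shown is the fixed operation sequence rather than a measured timing.

```python
# Added illustration, not code from the thread. Operation counts stand in for
# timing so the comparison is deterministic.

def square_and_multiply(base, exp, mod):
    """Leaky left-to-right exponentiation: the multiply only runs on 1 bits,
    so the number of operations (hence the timing) depends on the exponent."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod          # square on every bit
        mults += 1
        if bit == "1":                          # secret-dependent branch
            result = result * base % mod        # multiply only on 1 bits
            mults += 1
    return result, mults


def cswap(swap, a, b):
    """Swap a and b when swap == 1, using a mask instead of a branch.
    Python ints are arbitrary precision, so -1 acts as an all-ones mask."""
    mask = -swap                                # 0 -> 0, 1 -> ...111
    t = (a ^ b) & mask
    return a ^ t, b ^ t


def montgomery_ladder(base, exp, mod):
    """Exponentiation that does exactly one multiply and one square per bit.
    The bit value only decides which register plays which role, via cswap,
    so the sequence of arithmetic operations is the same for every exponent
    of the same length: the 'both the 0 and 1 case' countermeasure."""
    r0, r1, mults = 1, base % mod, 0
    for bit in bin(exp)[2:]:
        b = int(bit)
        r0, r1 = cswap(b, r0, r1)
        r1 = r0 * r1 % mod                      # multiply, every bit
        r0 = r0 * r0 % mod                      # square, every bit
        mults += 2
        r0, r1 = cswap(b, r0, r1)
    return r0, mults


def operation_counts(base, mod, exponents):
    """Return {exp: (leaky_mults, ladder_mults)}, checking both routines
    agree with Python's pow() on the value."""
    out = {}
    for e in exponents:
        v1, m1 = square_and_multiply(base, e, mod)
        v2, m2 = montgomery_ladder(base, e, mod)
        assert v1 == v2 == pow(base, e, mod)
        out[e] = (m1, m2)
    return out
```

Comparing exponents 0b1000 and 0b1111 (same length, different Hamming weight) shows the leaky routine's count varying while the ladder's stays fixed.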