> Why do you need to separate f from f+d? The attack is based on a timing > variation that is a function of k and x, that's all. Think of it this way: > Your implementation with the new d(k,x) added in is indistinguishable, in > externally visible behavior, from a *different* implementation f'(k,x) > which has the undesired property: That the time is a function of the > inputs.
Suppose that the total computation time was equal to a one way function of the inputs k and x. How does he go about obtaining k? It is not enough that it is a function, it must be a function that can leak k given x and f(k,x) with an efficiency greater than a brute-force of the input space of k (because, presumably, f and the output are known to an attacker, so he could simply search for k that gives the correct value(s)). In reality, the time it takes to compute the crypto function is just another output to the attacker, and should have the same properties that any other output has with respect to the inputs one wishes to keep secret. It does not have to be constant. -- http://www.lightconsulting.com/~travis/ -><- "We already have enough fast, insecure systems." -- Schneier & Ferguson GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
