so even a chosen-plaintext attack
is considered to be a fatal flaw in a cryptographic standard. The user
isn't supposed to have to worry that someone who influences part of the
plaintext will be able to read all the rest.
---D. J. Bernstein, Associate Professor, Department of Mathematics,
S
prompted me to start
investigating cache-timing attacks.
(Subsequent versions of the poly1305 paper report even more timing
information but, for space reasons, have to compress the information
into small graphs. Big tables are on the web.)
---D. J. Bernstein, Associate Professor, Department of Mathe
g attack; I'm sure that some
bored undergraduate will figure out a remote exploit for a less extreme
form of the effect.
Section 13 of my paper discusses a solution to the interrupt problem,
but that solution requires massive software changes. I'm not aware of
simpler solutions.
-
de earlier
(and, I think, more clearly) in my paper. My paper also analyzes the
merits of various defenses against the attack.
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illi
