Why do you need to separate f from f+d? The attack is based on a timing
variation that is a function of k and x, that's all. Think of it this way:
Your implementation with the new d(k,x) added in is indistinguishable, in
externally visible behavior, from a *different* implementation f'(k,x)
| Why do you need to separate f from f+d? The attack is based on a timing
| variation that is a function of k and x, that's all. Think of it this way:
| Your implementation with the new d(k,x) added in is indistinguishable, in
| externally visible behavior, from a *different* implementation
| In many cases, the observed time depends both on the input and on some
| other random noise. In such cases, averaging attacks that use the same
| input over and over again will continue to work, despite the use of
| a pseudorandom input-dependent delay. For instance, think of a timing
|