Reply by karl malbrain December 7, 20042004-12-07
"Clay Turner" <physics@bellsouth.net> wrote in message
news:aAktd.38809$Dm2.10619@bignews1.bellsouth.net...

>
> Karl, Bryan et. al.,
>
> The guys at Stanford, were able to break the RSA code via a timing attack
> over a network within two hours. And that is for a case of using 1000

digit

> numbers.
>


Their attack used a timing difference of 10^7 cpu cycles over a local area
network.  Professor Bernstein's attack uses a timing difference of 1 cpu
cycle.

karl m
Reply by Clay Turner December 7, 20042004-12-07
"Karl Malbrain" <karl_m@acm.org> wrote in message
news:1102269765.683817.172220@f14g2000cwb.googlegroups.com...

>
> Bryan Olson wrote:
> > Bryan Olson wrote:
> >
> >  >
> >  > Tim Wescott wrote:
> >  >  > [...] This means that if the
> >  >  > variance in your network turn-around time is v, and if the
> difference
> >  >  > between message times is t_d, you need to collect somewhere on
> the
> > order
> >  >  > of N = v / t_d^2 of each type of message if you want to discern
> a
> >  >  > difference.
> >  >
> >  > I think you mean  N = (v / t_d)^2.
> >
> > Oops, my mistake.  The variance is already in seconds^2.
>
> On a wide area network I estimate the variance is going to run 10^12.
> With a DS3 connection of 45mbs that's about 50 years to gather enough
> trial encryptions.
>
> karl m
>


Karl, Bryan et. al.,

The guys at Stanford, were able to break the RSA code via a timing attack
over a network within two hours. And that is for a case of using 1000 digit
numbers.

Clay S. Turner
Reply by Wim Ton December 7, 20042004-12-07
"karl malbrain" <karl_m@acm.org> wrote in message
news:31jqstF396i8vU1@individual.net...

>
> "Clay Turner" <physics@bellsouth.net> wrote in message
> news:KCKsd.104218$IQ.17698@bignews6.bellsouth.net...
>
> > Hello Randy,
> >
> > The RSA algo has a similar vunerability and the standard work around was
> to
> > make the encryption/decryption process a constant time one.
>
> Do you have any details on this? A web url, for example?
>
> Thanks, karl m
>


Google for "Quisquater" and "RSA". This professor from Belgium has published
a lot about timing attacks.

Wim
Reply by karl malbrain December 6, 20042004-12-06
"Clay Turner" <physics@bellsouth.net> wrote in message
news:vH3td.36626$Dm2.1889@bignews1.bellsouth.net...

>
> "karl malbrain" <karl_m@acm.org> wrote in message
> news:31jqstF396i8vU1@individual.net...
> >
> > "Clay Turner" <physics@bellsouth.net> wrote in message
> > news:KCKsd.104218$IQ.17698@bignews6.bellsouth.net...
> >
> > > Hello Randy,
> > >
> > > The RSA algo has a similar vunerability and the standard work around

was

> > to
> > > make the encryption/decryption process a constant time one.
> >
> > Do you have any details on this? A web url, for example?
> >
> > Thanks, karl m
>
> Hello Karl,
>
> I think you will find the following paper more than useful.
>
> http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf


Yes, thanks.  I'd been stuck in section 5 and hadn't read section 6 yet.
karl m
Reply by Clay Turner December 6, 20042004-12-06
"karl malbrain" <karl_m@acm.org> wrote in message
news:31jqstF396i8vU1@individual.net...

>
> "Clay Turner" <physics@bellsouth.net> wrote in message
> news:KCKsd.104218$IQ.17698@bignews6.bellsouth.net...
>
> > Hello Randy,
> >
> > The RSA algo has a similar vunerability and the standard work around was
> to
> > make the encryption/decryption process a constant time one.
>
> Do you have any details on this? A web url, for example?
>
> Thanks, karl m


Hello Karl,

I think you will find the following paper more than useful.

http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

Clay S. Turner
Reply by karl malbrain December 6, 20042004-12-06
"Clay Turner" <physics@bellsouth.net> wrote in message
news:KCKsd.104218$IQ.17698@bignews6.bellsouth.net...


> Hello Randy,
>
> The RSA algo has a similar vunerability and the standard work around was

to

> make the encryption/decryption process a constant time one.


Do you have any details on this? A web url, for example?

Thanks, karl m
Reply by karl malbrain December 6, 20042004-12-06
"Bryan Olson" <fakeaddress@nowhere.org> wrote in message
news:biYsd.29447$zx1.4950@newssvr13.news.prodigy.com...

> Karl Malbrain wrote:
>  > Over a wide area network the variance is likely 10^12.
>
> Standing by itself and with no unit, that's not meaningful.  Tim
> had it right (sorry about my previous confusion):


The unit is cpu cycles squared, estimated.


>      The key parameters in this case are the deterministic difference in
>      turn-around time due to message content and the variance in turn-
>      around time from the network.
>
> We can compress this to a single parameter: the signal to noise ratio.
> The signal is the expected time difference caused by the key/message
> values, and the noise is the standard deviation in the network turn-
> around time.  Both are in seconds, so the ratio is a unit-less constant.


Professor Bernstein's attack on the Athlon accumulates a 1 cpu-cycle timing
difference between trial encryptions -- estimated at a 1 cpu-cycle squared
variance.


> In this case, working with noise/signal is a little more convenient
> than signal/noise.  We expect the signal to become larger than the noise
> when the number of messages exceeds the square of the single-message
> noise/signal.



>  > With a message
>  > length of 1K bits and a DS3 transfer rate of 45 mbs, that's 45K
>  > encryptions/second which makes for 50+ years.
>  > Do you know the optical circuit data rate?  karl m
>
> Those numbers don't really tell us anything.  If the standard deviation
> in the time is 1000 times as large than the key-dependent effect, then
> we expect to need on the order of a million messages.


Right.

My point was that over a DS3 line with a timing variance of 10^12 there's
not much worry of a remote wide-area-network timing attack.  karl m
Reply by Bryan Olson December 6, 20042004-12-06
Karl Malbrain wrote:
 > Over a wide area network the variance is likely 10^12.

Standing by itself and with no unit, that's not meaningful.  Tim
had it right (sorry about my previous confusion):

     The key parameters in this case are the deterministic difference in
     turn-around time due to message content and the variance in turn-
     around time from the network.

We can compress this to a single parameter: the signal to noise ratio.
The signal is the expected time difference caused by the key/message
values, and the noise is the standard deviation in the network turn-
around time.  Both are in seconds, so the ratio is a unit-less constant.

In this case, working with noise/signal is a little more convenient
than signal/noise.  We expect the signal to become larger than the noise
when the number of messages exceeds the square of the single-message
noise/signal.

 > With a message
 > length of 1K bits and a DS3 transfer rate of 45 mbs, that's 45K
 > encryptions/second which makes for 50+ years.
 > Do you know the optical circuit data rate?  karl m

Those numbers don't really tell us anything.  If the standard deviation
in the time is 1000 times as large than the key-dependent effect, then
we expect to need on the order of a million messages.


-- 
--Bryan
Reply by Clay Turner December 5, 20042004-12-05
"Randy Yates" <yates@ieee.org> wrote in message
news:653hpr4e.fsf@ieee.org...

> Tim Wescott <tim@wescottnospamdesign.com> writes:
> > [...]
> > I suspect that N may be quite large, and the attack could easily be
> > defeated by wrapping your cryptographic algorithm by a process that
> > schedules the outgoing message so the reply always takes the same
> > amount of time to be sent, no matter how long the actual cryptography
> > took.
>
> Damn, Tim! Why spoil a perfectly good theoretical discussion with
> a practical suggestion like that?
> -- 



Hello Randy,

The RSA algo has a similar vunerability and the standard work around was to
make the encryption/decryption process a constant time one.

Clay
Reply by Karl Malbrain December 5, 20042004-12-05
Bryan Olson wrote:

> Bryan Olson wrote:
>
>  >
>  > Tim Wescott wrote:
>  >  > [...] This means that if the
>  >  > variance in your network turn-around time is v, and if the

difference

>  >  > between message times is t_d, you need to collect somewhere on

the

> order
>  >  > of N = v / t_d^2 of each type of message if you want to discern

a

>  >  > difference.
>  >
>  > I think you mean  N = (v / t_d)^2.
>
> Oops, my mistake.  The variance is already in seconds^2.


On a wide area network I estimate the variance is going to run 10^12.
With a DS3 connection of 45mbs that's about 50 years to gather enough
trial encryptions.

karl m