Re: Random delay as a countermeasure to timing attacks

In article <BqJ3h.13$jb3.1@xxxxxxxxxxxx>,
Peter Pearson <ppearson@xxxxxxxxxxxxxxx> wrote:

On Mon, 06 Nov 2006 14:21:19 +0100, Francois Grieu <fgrieu@xxxxxxxxx> wrote:
[snip]
[to back this conjecture, I rely of the fact that the
weighted sum of n measurements with sum of absolute
values of coefficients normalized to 1 has a standard
deviation at least equal to that of the average of the
n measurements]

Huh? If each of the n measurements is always 100, then
the standard deviation of any weighted sum is zero,
while the average can easily be greater than zero.

But the standard deviation of the average is zero, too.
Maybe a wording problem with my use of "that"; I meant:

Standard dev of Sum(tj.wj) >= Standard dev of Sum(tj/n)
when the n fixed weights wj are such that Sum(|wj|)=1.


If we use a uniformly distributed random delay, the best
estimate of measurements of the SAME actual duration is
not based on the average of all the experiments (the average
of the extremes is better); is it a good reason to use another
distribution? which distribution?
is it enough to sum two uniform delays each half as long?

These are interesting questions you're asking, and I hope
somebody smarter than me will come along and answer them.
Meanwhile, it might help to simplify or clarify the goal.
Can we say that the attacker is trying to decide, with some
specified level of confidence, whether he's seeing values
from the population
1 + additive_noise_of_known_distribution
or the population
0 + additive_noise_of_known_distribution
?

Answering this question indeed has direct interest, as it
is relevant to a simplified timing attack, e.g. when the
adversary is trying to time strcmp(password,input) to
determine if she guessed the first byte of password right.

Unfortunately, the adversary performing a timing attack
against a crypto algorithm really makes something more
complex, like timing n different encryptions with additive
noise, and finding which hypothesis on key best fits her
measurements, maybe using an efficient technique such as
hillclimbing.


François Grieu
.

Relevant Pages

  • Re: Random delay as a countermeasure to timing attacks
    ... weighted sum of n measurements with sum of absolute ... values of coefficients normalized to 1 has a standard ... for attack at all and it involves the application of only ...
    (sci.crypt)
  • Re: Random delay as a countermeasure to timing attacks
    ... weighted sum of n measurements with sum of absolute ... values of coefficients normalized to 1 has a standard ... deviation at least equal to that of the average of the ...
    (sci.crypt)
  • Re: The relationship between meter, speed of light and c
    ... measurements of c since the late 1600s, ... alloy rod got longer, ... standard, but some inherent uncertainties. ... definition of the meter. ...
    (sci.physics.relativity)
  • Re: What to do with an Imac G3
    ... On 10-12-27 6:52, Jamie Kahn Genet wrote: ... The standard has been around for a very long time. ... With the caveat that for "trade" the use of imperial measurements was allowed. ... So the US still used oddball units (I was shopping in Plattsburgh a few weeks ago and the price comparison for some commodity was actually "pints".) ...
    (comp.sys.mac.system)
  • Re: Just How Much is "A Cup" -- Really!
    ... of litres gasoline per hundred kilometers. ... European and eastern Asian standard terminology. ... other land survey measurements - just to name one example (without getting ... water at its maximum density (and still defined as the mass of an ...
    (sci.med.nutrition)