[Haskell-cafe] Tor project

Wojtek Narczyński wojtek at power.com.pl
Fri Aug 1 07:35:37 UTC 2014

On 01.08.2014 09:10, Tobias Dammers wrote:
> Timing attacks generally work such that the attacker samples a large
> number of runs and maps their execution times; "humps" in the graph show
> different code paths being taken.
> Because they're statistical attacks, adding uniform noise (random
> delays) does not work - it's uniform noise after all, you'll just raise
> the floor, but the humps will still be there; the random delays will
> just average out. Ten million times (10 + rand()) is still going to be
> smaller than ten million times (1000 + rand()).
Okay, so basically we'd would have to add dependent random noise. For 
example send out a Normal distribution. Or a smiley (Beta, Weibull).
> Instead, a way I've seen recommended is run the entire input through a
> cryptographic hash function, and derive a delay from that, in a range
> that dwarfs the actual timing difference. This way, things will still
> average out, but the averaging will not compensate for the delay we
> added, because that delay is always the same for a given input.
> Of course designing functions to minimize execution time differences is
> still a good idea; it's just not very reliable on its own, and for many
> real-world cases, it's not even practical (or outright impossible) -
> even if your code doesn't branch based on whether a username was found
> in the database or not, your database does.
Why the gimmick, for each and every piece of crypto code? Why not just 
use the clock for timing? The crypto lib would probably have to tune 
itself on startup.

Wojtek N.

More information about the Haskell-Cafe mailing list