[openssl-users] Why do we try out all possible combinations of top bits in OpenSSL timing attack?

Dipanjan Das mail.dipanjan.das at gmail.com
Mon Feb 6 07:20:03 UTC 2017


Hi,




In the paper titled Remote Timing Attacks are Practical
<https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf>, the authors
mention the following:

Initially our guess g of q lies between $2^{512}$ (i.e. $2^{\log_2(N/2)}$)
and $2^{511}$ (i.e. $2^{\log_2(N/2)-1}$). We then time the decryption
of all possible combinations of the top few bits (typically 2-3). When
plotted, the decryption times will show two peaks: one for q and one for p.
We pick the values that bound the first peak, which in OpenSSL will always
be q.

I don't understand the following:

   - Does the initial guess of g start from an arbitrary range?
   - What's the rationale behind trying out the top 2-3 bits?
   - What will the remaining bits be in this case?


-- 

Thanks & Regards,
Dipanjan