Anonymous (nobody@replay.com)
Sat, 10 Oct 1998 23:41:30 +0200
James Donald explains blinding in ECC. If the standard ECC calculation is
Y = eK
then blind by choosing a random value R and calculating
Q = eR
and when the calculation is done, do
Y = e(K-R) + Q
This may be more familiar expressed in terms of integer exponentiation.
The group operations used in ECC is addition, while that used in
typical integer cryptography is multiplication. In ECC, repeated
addition is multiplication, and in integers, repeated multiplication
is exponentiation. Using this mapping, we can convert James' method
literally to the following:
A typical operation in an integer public key cryptosystem is
Y = K^e
where K is known to the attacker and he wants to find e. This is what
happens with RSA signatures, for example.
The operation can be blinded by choosing a random value R and calculating
Q = R^e
then when the calculation is done, do:
Y = (K/R)^e * Q
Because the attacker doesn't know K/R, he doesn't know what value is
being exponentiated. This prevents him from using Kocher's methods.
Perhaps this explanation of blinding will make it clearer what is
happening in the ECC case.
For more information on Kocher's method see:
http://www.cryptography.com/timingattack.html
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:21