At 06:02 PM 3/2/96 -0500, Rich Salz wrote:
I'm at home without my documents, but I thought Fortezza was required
to do each operation in a specified number of clock ticks.
Its useful to distinguish between Fortezza and Capstone here, then.
And then project this onto the more commercially-sensitive RSA case.
I can believe (though I dont know) that Fortezza engineering
considered many threats from the form factor's environment
not usually relevant to the design of an algorithm chip.
I can also believe capstone was produced as an independent design
from Fortezza work.
As people begin to counter Kocher's work, we have to get some
idea where to *best* apply the solution - at the crypto layer, or
in the environment in which asymmetric or variable round
crypto is used.
If one considers the myriad of RSA chip hardware available now -
on lots of smartcards, and increasingly in PCMCIA and Cylink
link encryptors - does the impact of Kocher fall upon
the chip (expensive) or the hardware peripheral exploiting the chip.
If the Intel P6+ mask gets RSA capability, does the CPU have to
become timing limited?!
IN the case of smartcard RSA chips, there isnt very much protective
hardware around the chip. So the chip itself better protect the user
against key leakage .This is especially relevenat if smartcards are
to be used as online signers for CAs or other services, as some
commercial RFPs are suggesting.
Tradiational offline CAs, and NSA LAWs, using BBN-type signing units,
or offline Fortezza cards, of course dont suffer.