> Why do you need to separate f from f+d? The attack is based on a timing
> variation that is a function of k and x, that's all. Think of it this way:
> Your implementation with the new d(k,x) added in is indistinguishable, in
> externally visible behavior, from a *different* implementation f'(k,
| > In many cases, the observed time depends both on the input and on some
| > other random noise. In such cases, averaging attacks that use the same
| > input over and over again will continue to work, despite the use of
| > a pseudorandom input-dependent delay. For instance, think of a timing
|