RSA cryptosystem
===Timing attacks=== [[Paul Carl Kocher|Kocher]] described a new attack on RSA in 1995: if the attacker Eve knows Alice's hardware in sufficient detail and is able to measure the decryption times for several known ciphertexts, Eve can deduce the decryption key {{mvar|d}} quickly. This attack can also be applied against the RSA signature scheme. In 2003, [[Dan Boneh|Boneh]] and [[David Brumley|Brumley]] demonstrated a more practical attack capable of recovering RSA factorizations over a network connection (e.g., from a [[Secure Sockets Layer]] (SSL)-enabled webserver).<ref name="Boneh03">{{cite conference |url=http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf |title=Remote timing attacks are practical |first1=David |last1=Brumley |first2=Dan |last2=Boneh |year=2003 |series=SSYM'03 |book-title=Proceedings of the 12th Conference on USENIX Security Symposium}}</ref> This attack takes advantage of information leaked by the [[Chinese remainder theorem]] optimization used by many RSA implementations. One way to thwart these attacks is to ensure that the decryption operation takes a constant amount of time for every ciphertext. However, this approach can significantly reduce performance. Instead, most RSA implementations use an alternate technique known as [[blinding (cryptography)|cryptographic blinding]]. RSA blinding makes use of the multiplicative property of RSA. Instead of computing {{math|''c''<sup>''d''</sup> (mod ''n'')}}, Alice first chooses a secret random value {{mvar|r}} and computes {{math|(''r''<sup>''e''</sup>''c'')<sup>''d''</sup> (mod ''n'')}}. The result of this computation, after applying [[Euler's theorem]], is {{math|''rc''<sup>''d''</sup> (mod ''n'')}}, and so the effect of {{mvar|r}} can be removed by multiplying by its inverse. A new value of {{mvar|r}} is chosen for each ciphertext. With blinding applied, the decryption time is no longer correlated to the value of the input ciphertext, and so the timing attack fails.
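The blinding step described above, written out as an added example rather than code from the article: textbook RSA with the CRT decryption path, a fresh blinding factor {{mvar|r}} coprime to {{mvar|n}} for every ciphertext, and the unblinding multiply by {{math|''r''<sup>−1</sup>}}. The primes, public exponent and all function names are constructed for illustration only.

```python
import secrets
from math import gcd

# Constructed toy RSA parameters (assumption: far too small for real use;
# they only keep the arithmetic easy to follow).
P, Q = 61, 53
E = 17


def keygen(p, q, e):
    """Build a textbook RSA key plus the CRT components dp, dq and qinv."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p),
    }


def encrypt(key, m):
    return pow(m, key["e"], key["n"])


def decrypt_crt(key, c):
    """Plain CRT decryption (Garner's recombination).

    This is the operation whose running time depends on the value of c,
    which is what a timing attack measures."""
    p, q = key["p"], key["q"]
    m_p = pow(c % p, key["dp"], p)
    m_q = pow(c % q, key["dq"], q)
    h = (key["qinv"] * (m_p - m_q)) % p
    return m_q + h * q            # lies in [0, n) because h < p and m_q < q


def fresh_blinding_factor(n):
    """Pick r uniformly from [2, n-1] with gcd(r, n) == 1.

    The gcd check guarantees that r has an inverse modulo n; a new r is
    drawn for every decryption so the attacker never sees the same mask."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def decrypt_blinded(key, c):
    """Blinded decryption: compute (r^e * c)^d = r * c^d mod n, then unblind."""
    n, e = key["n"], key["e"]
    r = fresh_blinding_factor(n)
    c_blind = (pow(r, e, n) * c) % n          # mask the input ciphertext
    m_blind = decrypt_crt(key, c_blind)       # timing now depends on r, not c
    return (m_blind * pow(r, -1, n)) % n      # strip the mask


def round_trip(key, m):
    """True when both decryption paths recover m from encrypt(m)."""
    c = encrypt(key, m)
    return decrypt_blinded(key, c) == m and decrypt_crt(key, c) == m


if __name__ == "__main__":
    key = keygen(P, Q, E)
    for m in (0, 1, 65, 1234, key["n"] - 1):
        print(m, "->", encrypt(key, m), "->", decrypt_blinded(key, m and encrypt(key, m)))
```

Because the exponentiation inside `decrypt_crt` sees only `c_blind`, which is uniformly random from the attacker's point of view, the measured time carries no information about the chosen ciphertext; the two extra multiplications and one modular inverse are the price of that property, which is far cheaper than forcing the whole exponentiation to run in constant time.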