In order for a timing leak to be useful for cryptanalysis, it cannot leak a publicly-known input to the cryptographic operation.
I really love the TLDR:
Because anyone who’s made a serious effort has, at least once, started to think they’ve found an interesting side-channel. And only after way too much effort realized that the only thing the side-channel could, even theoretically, leak was a public value.
I should probably be embarrassed that it’s happened more than once. Now it’s a reflex… when I think I see a timing side channel, I look at what it could possibly be leaking before I spend any time digging in.
Thanks, I’m glad you enjoyed it, and that I’m not alone in stumbling onto dead-end roads in cryptanalysis. :)