[masonium]

Or, ...add sleep(rand(..)) to each lookup, regardless of result.

[NeutronBoy]

This is suggested every time timing attacks are discussed. This is not a good mitigation. It increases the number of requests required to complete a timing attack, but in the end all of your rand() calls average out and you still see timing differences.

[cousin_it]

OK, then why not have the sensitive operation always take 100ms? If it finishes early, just sleep until the 100ms mark.

[daveloyall]

And in case it takes more than 100ms or a widely variable amount of time: https://news.ycombinator.com/item?id=8691076

[nyir]

That won't help in general since the noise this method adds can be filtered out over many measurements. Even without taking into account that the sleep would have to be at least in the same order of magnitude than the leaked information you want to hide.

[msellout]

Not if the random variable distribution changed over time. Calculate a new mean and variance every now and then, based on some hash of current time or whatever you want, maybe view count of Gangam Style Videos :-). Joking, but that would work.