Other Systems Using Timing Attacks. Paul C. Kocher? EXTENDED ABSTRACT (7 December 1995)

Similar documents
Side-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck

CS669 Network Security

0x1A Great Papers in Computer Security

D eepa.g.m 3 G.S.Raghavendra 4

Public Key Cryptography and RSA

Public Key Encryption. Modified by: Dr. Ramzi Saifan

An overview and Cryptographic Challenges of RSA Bhawana

Chapter 3 Public Key Cryptography

Channel Coding and Cryptography Part II: Introduction to Cryptography

RSA (algorithm) History

ECE 646 Fall 2009 Final Exam December 15, Multiple-choice test

CSC 474/574 Information Systems Security

Encryption. INST 346, Section 0201 April 3, 2018

Public Key Cryptography

Public Key Algorithms

Kurose & Ross, Chapters (5 th ed.)

A New Attack with Side Channel Leakage during Exponent Recoding Computations

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Applied Cryptography and Computer Security CSE 664 Spring 2018

Computer Security 3/23/18

Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)

Public Key Algorithms

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

On the Diculty of Software Key Escrow. Abstract. At Eurocrypt'95, Desmedt suggested a scheme which allows individuals to encrypt

Some Stuff About Crypto

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Public-Key Cryptanalysis

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Overview. Public Key Algorithms I

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Cryptography Research, Inc. http:

Related-key Attacks on Triple-DES and DESX Variants

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Part VI. Public-key cryptography

Chapter 9. Public Key Cryptography, RSA And Key Management

Cryptography and Network Security. Sixth Edition by William Stallings

- 0 - CryptoLib: Cryptography in Software John B. Lacy 1 Donald P. Mitchell 2 William M. Schell 3 AT&T Bell Laboratories ABSTRACT

Lecture 6: Overview of Public-Key Cryptography and RSA

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

LECTURE 4: Cryptography

CS408 Cryptography & Internet Security

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Lecture 2 Applied Cryptography (Part 2)

Security against Timing Analysis Attack

Public-key encipherment concept

Technion - Computer Science Department - Technical Report CS

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Lecture Note 9 ATTACKS ON CRYPTOSYSTEMS II. Sourav Mukhopadhyay

HOST Differential Power Attacks ECE 525

Introduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

A Weight Based Attack on the CIKS-1 Block Cipher

Computer Security: Principles and Practice

SECURITY IN NETWORKS

CS 161 Computer Security

CPSC 467b: Cryptography and Computer Security

Timing Cryptanalysis Final Report Kevin Magee, ECE 646, Fall 2003, Prof. Kris Gaj

Fault-Based Attack of RSA Authentication

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Chapter 9 Public Key Cryptography. WANG YANG

Chapter 7 Public Key Cryptography and Digital Signatures

Differential Cryptanalysis of Madryga

SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation

Topics. Number Theory Review. Public Key Cryptography

Technion - Computer Science Department - Technical Report CS

Side-Channel Attack against RSA Key Generation Algorithms

SECURITY IN NETWORKS 1

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

T Cryptography and Data Security

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Keywords Security, Cryptanalysis, RSA algorithm, Timing Attack

Lecture IV : Cryptography, Fundamentals

CSC/ECE 774 Advanced Network Security

Elliptic Curve Public Key Cryptography

Improved Truncated Differential Attacks on SAFER

Modification on the Algorithm of RSA Cryptography System

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

A nice outline of the RSA algorithm and implementation can be found at:

All-Or-Nothing Encryption and The Package. Ronald L. Rivest.

RSA. Public Key CryptoSystem

Distributed ID-based Signature Using Tamper-Resistant Module

International Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

Timing Attack Prospect for RSA Cryptanalysts Using Genetic Algorithm Technique

VHDL for RSA Public Key System

Secret Key Cryptography

2 Handout 20: Midterm Quiz Solutions Problem Q-1. On-Line Gambling In class, we discussed a fair coin ipping protocol (see lecture 11). In it, Alice a

Cryptographic Techniques. Information Technologies for IPR Protections 2003/11/12 R107, CSIE Building

Ref:

ASYMMETRIC CRYPTOGRAPHY

Introduction to Cryptography Lecture 7

Public-key Cryptography: Theory and Practice

Dierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel

Research, Universiti Putra Malaysia, Serdang, 43400, Malaysia. 1,2 Department of Mathematics, Faculty of Sciences, Universiti Putra Malaysia,

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Using Genetic Algorithm to Break Super-Pascal Knapsack Cipher

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Scalable Montgomery Multiplication Algorithm

Transcription:

Cryptanalysis of Die-Hellman, RSA, DSS, and Other Systems Using Timing Attacks Paul C. Kocher? EXTENDED ABSTRACT (7 December 1995) Since many existing security systems can be broken with timing attacks, I am releasing this preliminary abstract to alert vendors and users. Research in this area is still in progress. Abstract. Cryptosystems often take slightly dierent amounts of time to process dierent messages. With network-based cryptosystems, cryptographic tokens, and many other applications, attackers can measure the amount of time used to complete cryptographic operations. This abstract shows that timing channels can, and often do, leak key material. The attacks are particularly alarming because they often require only known ciphertext, work even if timing measurements are somewhat inaccurate, are computationally easy, and are dicult to detect. This preliminary draft outlines attacks that can nd secret exponents in Die-Hellman key exchange, factor RSA keys, and nd DSS secret parameters. Other symmetric and asymmetric cryptographic functions are also at risk. A complete description of the attack will be presented in a full paper, to be released later. I conclude by noting that closing timing channels is often more dicult than might be expected. 1 Introduction Cryptosystem implementations often take dierent amounts of time to process dierent inputs. Reasons include performance optimizations to bypass unnecessary operations, branching and conditional statements, RAM cache hits, processor instructions (such as multiplication and division) that run in non-xed time, and a wide variety of other causes. Performance characteristics typically depend on both the encryption key and the input data (e.g. plaintext or ciphertext). Although intuition might suggest that only a small amount of information, such as the Hamming weight of the key, would be revealed, timing measurements can often be analyzed to nd the entire secret key.? Independent Cryptography Consultant, P.O. Box 8243, Stanford, CA 94309, USA. E-mail: pck@cryptography.com, FAX: 1-(415)-321-1483.

2 Timing cryptanalysis of xed-exponent Die-Hellman If a party uses the same secret exponent (x) for multiple Die-Hellman[2] key exchanges, the exponent can often be found from timing measurements. (The attack does not work if a new exponent is generated for every exchange.) The attacker rst observes k operations, measuring the time (t) taken by the victim to compute each z =(y x mod n). The attacker is also assumed to know the y values, the public parameter n, and the general design of the target system. The attack is explained using the simple modular exponentiation algorithm below, but can be tailored easily to work with virtually any implementation that does not run in xed time. Algorithm to compute R = y x mod n: Let R 0 =1. Let y 0 = y. For i =0 upto (bits in x 1): If (bit i of x) is 1 then Let R i+1 =(R i y i )modn. Else Let R i+1 = R i. Let y i+1 = y 2 mod n. i End. The attack will allow someone who knows exponent bits 0::(b-1) to nd bit b. (To obtain the entire exponent, start with b equal to 0 and repeat the attack until the entire exponent is known.) The attack is simplest to understand in an extreme case. Suppose the target system uses a modular multiplication function that is extremely fast in the vast majority of cases but occasionally takes much more time than an entire normal modular exponentiation. Because the rst b exponent bits are known, the rst b iterations of the For loop can be completed by the attacker. However, the operation of the subsequent step depends on an unknown exponent bit. If the bit is set, R b+1 =(R b y)modn will be computed. If it is zero, the operation will be skipped. As indicated earlier, for a few R b and y values the calculation of R b+1 will be extremely slow, and the attacker knows which these are. If slow (R b y)modn operations are always associated with slow overall times, exponent bit b is probably set. If there is no relationship between time required to compute R b+1 and the total processing time, the exponent bit is zero. In practice, modular exponentiation implementations do not usually have such extreme timing characteristics, but do have enough variation for the attack to work. For each y, the attacker can estimate d, a measure of the time it would take for the (R b y) modncalculation, if done. The attacker also knows the total time t. Because the rst b exponent bits are known, the attacker knows R b and can measure c, the amount of time required for the rst b iterations of the exponentiation loop. 2

Given these values for one timing measurement, the probability that exponent bit b is set can then be found as follows: P (bit=1 j y; t; c; d) (t c d) (t c d) ( ) (t c d) (t c) (t c) (t c d) (t c d) ( )+( ) (t c) (t c d) where (x) = e x2 =2 p 2 is the standard normal function, (X) is the mean of X, and (X) is the standard deviation of X. The overall probability is: P (bit=1) Q k 1 i=0 P (bit=1 j y i;t i ;c i ;d i ) Q k 1 i=0 P (bit=1 j y i;t i ;c i ;d i )+ Q k 1 i=0 (1 P (bit=1 j y i;t i ;c i ;d i )) : For the attack towork, the actual probabilities do not need to be very large, since incorrect exponent bit guesses will destroy all future correlations. After a mistake, no new signicant correlations will be detected, so one can identify that there has been an error, back up, and correct it. Errors can thus be detected and corrected, since after a mistake no new signicant correlations will be detected. A preliminary implementation of the attack using the RSAREF toolkit[8] has been written. RSAREF scans across the exponent from MSB to LSB and does two exponent bits at a time, so corresponding adjustments to the attack were made. Using a 120-MHz Pentium TM computer running MSDOS TM, a 512-bit modulus, and a 256-bit secret exponent, processing times ranged from 392411 s to 393612 s and closely approximated a normal distribution with a mean of 393017 s and a standard deviation of 188 s. Timing measurements were taken for 2000 operations, each using a dierent starting value. (Each of these values would normally be a g x value computed by the other party.) Measurements of c and d were also made using RSAREF. Even though only 2000 samples were used, strong bit correlations (often 95 percent or better), were found. As noted before, the attack is self-correcting, so much weaker correlations would do. (The full version of this paper will show how the self-correction property works and will show how the probability equations can be adjusted for dierent implementations.) The attack is computationally quite inexpensive. In particular, the attacker only has to do a small multiple of the number of modular multiplications done by server, not counting operations wasted due to incorrect exponent bit guesses. The experiment above used random inputs, as might be gathered by a passive eavesdropper. As will be explained in the full paper, the required number of ciphertexts can often be reduced if attackers choose inputs known to have extreme timing characteristics under the target implementation. 3 Factoring RSA private keys using a timing attack A private-key RSA operation consists of computing m =(c d mod pq), where pq is publicly known but d and the factorization of pq are secret. 3

RSA signatures not performed using the Chinese Remainder Theorem can be attacked using identical techniques as were described for Die-Hellman in Section 2. If the Chinese Remainder Theorem (CRT) is used, a slightly dierent attack is required. With CRT, the rst operations are to compute (c mod p) and (c mod q). As a rule, modular reduction operations do not run in constant time. The conceptually simplest attack is to simply choose values of c that are close to p (or q), then use timing measurements to determine whether the guessed value is larger or smaller than the actual value of p (or q). If c is less than p, computing c mod p has no eect, while if c is slightly larger than c, it is necessary to subtract p from c once. RSAREF's modular reduction function with a 512-bit modulus on the same 120-MHz Pentium TM computer takes an average of approximately 17 s less time if c is slightly smaller than p, as opposed to slightly larger than p. Timing measurements of many ciphertexts can be combined to detect whether the chosen ciphertexts are larger or smaller than p. More sophisticated variants of the attack can be even more eective. For example, if the approximate value of p is rst shifted several digits to the left, guesses of p that are slightly too high will develop leading zero digits which will tend to increase the performance of the rst modular multiply. The Chinese Remainder Theorem RSA attack can also be adapted to use only known ciphertext, and thus can be used to attack RSA digital signatures. Modular reduction is done by subtracting multiples of the modulus. The number of subtraction steps is usually not constant. RSAREF's division loop, for example, integer-divides the uppermost two digits of c by one more than the upper digit of p, multiplies p by the quotient, shifts left the appropriate number of digits, then subtracts the result from c. If the result is larger than p (shifted left), another subtraction is performed. This additional subtraction aects the modular exponentiation time. The decision whether to perform an additional subtraction in the rst loop of the division algorithm depends on c and, in the vast majorityof cases, only the upper two digits of p. The next division loop's decision depends on the upper three digits of p, and so forth. One can thus test candidates for digits of p by measuring whether expected additional subtractions are reected in the total modular exponentiation time. As with the Die-Hellman/non-CRT attack, once one digit of p has been found, the same timing measurements can be reused to nd subsequent digits. (Additional details will be presented in the full paper.) 4 Timing cryptanalysis of DSS The Digital Signature Standard[5] computes s =(k 1 (H(m)+xr)) mod q, where r and q are known to attackers, k 1 is usually precomputed, H(m) is the hash of the message, and x is the private key. In practice, (H(m)+xr)modq would normally be computed rst, then be multiplied by k 1 (mod q). If the modular reduction function runs in non-xed time, the overall signature time should be correlated with the time for the (xr mod q) computation. (Since 4

H(m) is of approximately the same size as q, its addition has little eect.) The most signicant bits of x r are the rst used in the modular reduction. These depend on r, which is known, and the most signicant bits of the secret value x. There should thus be a correlation between values of the upper bits of x and the total time for the modular reduction. A simple attack would be to use this correlation to test candidate values for upper bits of x. As more upper bits of x become known, more of x r becomes known, allowing the attacker to proceed through more iterations of the modular reduction loop to attack new bits of x. (The nal version of this paper will describe DSS attacks in detail.) Because DSS signatures require just two modular multiplication operations, variations in the computation time can be detected from relatively few timing measurements. 5 Other applications of timing attacks Timing attacks can be eective against other cryptosystems as well. For example, the 28-bit C and D values in the DES[4]key schedule are sometimes rotated using a conditional to test whether a one-bit must be wrapped around. The additional time required to move nonzero bits will slightly degrade the cipher's overall performance, revealing the Hamming weight of the key. This provides an average of P 56 n=0 56 n log 2 56 2 56 2 56 n 3:95 bits of key information. IDEA[3] uses an f() function with a modulo (2 16 +1)multiplication operation, which will almost always run in non-constant time. RC5[6] is also at risk on platforms where rotates run in non-constant time. RAM cache hits can produce timing characteristics in implementations of Blowsh[9], SEAL[7], DES, and other ciphers if tables in memory are not used identically in every encryption. 6 Conclusions Writing software that runs in xed time can be hard, especially for platformindependent implementations, since many factors aect performance, including compiler optimizations, RAM cache hits, and instruction timings. Fixed-time code must always exhibit worst-case performance. A better alternative would be to use blinding techniques, such as those used for blind signatures[1], to prevent attackers from knowing actual inputs to the modular exponentiation function. Random delays added to the processing time may increase the number of ciphertexts required, but do not completely solve the problem since attackers can compensate for the delay by collecting more measurements. (If enough random noise is added, the attack can become infeasible.) Computing optional R i+1 calculations regardless of whether the exponent bit is set does not work and can actually make the attack easier; the computations still diverge but attackers no longer have to identify the lack of a correlation for adjacent zero exponent bits. If a timer is used to delay returning results until a pre-specied time, attackers 5

may be able to monitor other aspects of the system performance to determine when the cryptographic computation completes. 7 Acknowledgements I am grateful to Matt Blaze, Ron Rivest, and Bruce Schneier for a number of helpful comments and suggestions for improving the manuscript. References 1. D. Chaum, \Blind Signatures for Untraceable Payments," Advances in Cryptology: Proceedings of Crypto 82, Plenum Press, 1983, pp. 199-203. 2. W. Die and M.E. Hellman, \New Directions in Cryptography," IEEE Transactions on Information Theory, v. IT-22, n. 6, Nov 1976, pp. 644-654. 3. X. Lai, On the Design and Security of Block Ciphers, ETH Series in Information Processing, v. 1, Konstanz: Hartung-Gorre Verlag, 1992. 4. National Bureau of Standards, NBS FIPS PUB 46-1, \Data Encryption Standard," U.S. Department of Commerce, Apr 1981. 5. National Institute of Standards and Technology, NIST FIPS PUB 186, \Digital Signature Standard," U.S. Department of Commerce, May 1994. 6. R.L. Rivest, \The RC5 Encryption Algorithm," Fast Software Encryption: Second International Workshop, Leuven, Belgium, December 1994, proceedings, Springer- Verlag, 1994, pp. 86-96. 7. P.R. Rogaway and D. Coppersmith, \A Software-Optimized Encryption Algorithm," Fast Software Encryption: Cambridge Security Workshop, Cambridge, U.K., December 1993, proceedings, Springer-Verlag, 1993, pp. 56-63. 8. RSA Laboratories, \RSAREF: A Cryptographic Toolkit," version 2.0, 1994, available via FTP from rsa.com. 9. B. Schneier, \Description of a New Variable-Length Key, 64-bit Block Cipher (Blowsh)," Fast Software Encryption: Second International Workshop, Leuven, Belgium, December 1994, proceedings, Springer-Verlag, 1994, pp. 191-204. All trademarks are the property of their respective holders. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback