Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations
|
|
- Scott Blake
- 5 years ago
- Views:
Transcription
1 Introduction Clavier et al s Paper This Paper Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations Aurélie Bauer Éliane Jaulmes Emmanuel Prouff Justine Wild ANSSI Session ID: CRYP-T18 Session Classification: Advanced Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 1 / 17
2 Introduction Clavier et al s Paper This Paper 1 Introduction 2 Clavier et al s Paper Attack: Horizontal Correlation Analysis s against Horizontal Attacks 3 This Paper Attacks on Clavier et al s New against Horizontal Attacks Simulation Results of Our Attacks 4 Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 2 / 17
3 Introduction Clavier et al s Paper This Paper 1 Introduction 2 Clavier et al s Paper Attack: Horizontal Correlation Analysis s against Horizontal Attacks 3 This Paper Attacks on Clavier et al s New against Horizontal Attacks Simulation Results of Our Attacks 4 Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 3 / 17
4 Introduction Clavier et al s Paper This Paper Side-Channel Analysis On RSA consumption time emanations exploited leak m = c d mod N Big Mac SPA DPA Horizontal CPA MIA Correlation Timing Attack Analysis Attacks Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 3 / 17
5 Introduction Clavier et al s Paper This Paper Side-Channel Analysis On RSA consumption time emanations exploited leak m = c d mod N Big Mac SPA DPA Horizontal CPA MIA Correlation Timing Attack Analysis Attacks Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 3 / 17
6 Introduction Clavier et al s Paper This Paper Side-Channel Analysis On RSA consumption time emanations exploited leak m = c d mod N Big Mac HCA Horizontal SPA DPA CPA TA MIA Vertical Attacks Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 3 / 17
7 Introduction Clavier et al s Paper This Paper A Unified Framework [This paper] Vertical Analysis Horizontal Analysis 1 st execution 2 nd period 1 st period N th period 2 nd execution N th execution several acquisitions traces treatment a single acquisition sub-traces treatment SPA, DPA, CPA, Big Mac, MIA, Template, Timing, HCA, Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 4 / 17
8 Introduction Clavier et al s Paper This Paper Exponentiation: c = m d mod N, secret d = (1,d l 2,,d 0 ) 2 Square & Multiply Atomic R 0 = 1, R 1 = m, i = l 1, k = 0 while i 0 do R 0 = R 0 R k k = k d i i = i k Return R 0 Example: d = 1011 R 0 = 1 1, d 3 = 1, k = 1, i = 3 Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 5 / 17
9 Introduction Clavier et al s Paper This Paper Exponentiation: c = m d mod N, secret d = (1,d l 2,,d 0 ) 2 Square & Multiply Atomic R 0 = 1, R 1 = m, i = l 1, k = 0 while i 0 do R 0 = R 0 R k k = k d i i = i k Return R 0 Example: d = 1011 R 0 = 1 1, d 3 = 1, k = 1, i = 3 R 0 = 1 m, d 3 = 1, k = 0, i = 2 Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 5 / 17
10 Introduction Clavier et al s Paper This Paper Exponentiation: c = m d mod N, secret d = (1,d l 2,,d 0 ) 2 Square & Multiply Atomic R 0 = 1, R 1 = m, i = l 1, k = 0 while i 0 do R 0 = R 0 R k k = k d i i = i k Return R 0 Example: d = 1011 R 0 = 1 1, d 3 = 1, k = 1, i = 3 R 0 = 1 m, d 3 = 1, k = 0, i = 2 R 0 = m m, d 2 = 0, k = 0, i = 1 Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 5 / 17
11 Introduction Clavier et al s Paper This Paper Exponentiation: c = m d mod N, secret d = (1,d l 2,,d 0 ) 2 Square & Multiply Atomic R 0 = 1, R 1 = m, i = l 1, k = 0 while i 0 do R 0 = R 0 R k k = k d i i = i k Return R 0 Example: d = 1011 R 0 = 1 1, d 3 = 1, k = 1, i = 3 R 0 = 1 m, d 3 = 1, k = 0, i = 2 R 0 = m m, d 2 = 0, k = 0, i = 1 R 0 = m 2 m 2, d 1 = 1, k = 1, i = 1 Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 5 / 17
12 Introduction Clavier et al s Paper This Paper Exponentiation: c = m d mod N, secret d = (1,d l 2,,d 0 ) 2 Square & Multiply Atomic R 0 = 1, R 1 = m, i = l 1, k = 0 while i 0 do R 0 = R 0 R k k = k d i i = i k Return R 0 Example: d = 1011 R 0 = 1 1, d 3 = 1, k = 1, i = 3 R 0 = 1 m, d 3 = 1, k = 0, i = 2 R 0 = m m, d 2 = 0, k = 0, i = 1 R 0 = m 2 m 2, d 1 = 1, k = 1, i = 1 R 0 = m 4 m, d i = 1 R R R d i = 0 d i = 1 d i+1 = 1 d i+1 = 0 R M R R Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 5 / 17
13 Introduction Clavier et al s Paper This Paper 1 Introduction 2 Clavier et al s Paper Attack: Horizontal Correlation Analysis s against Horizontal Attacks 3 This Paper Attacks on Clavier et al s New against Horizontal Attacks Simulation Results of Our Attacks 4 Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 6 / 17
14 Introduction Clavier et al s Paper This Paper Attack: Horizontal Correlation Analysis Horizontal Side-Channel Analysis [Clavier et al, Horizontal Correlation Analysis on Exponentiation, (ICICS 2010)] Square & Multiply Atomic Only multiplications: R R R or R R M (bit 1) 1 Multiplication Do we multiply by the message or not? Horizontal core idea: distinguish R R from R M with a single trace Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 6 / 17
15 Introduction Clavier et al s Paper This Paper Attack: Horizontal Correlation Analysis Zoom on the Long Integer Multiplication R = (r t 1,,r 1,r 0 ) 2 ω X = (x t 1,,x 1,x 0 ) 2 ω Mult(R,X ) leak trace leak value time Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 7 / 17
16 Introduction Clavier et al s Paper This Paper Attack: Horizontal Correlation Analysis Zoom on the Long Integer Multiplication R = (r t 1,,r 1,r 0 ) 2 ω X = (x t 1,,x 1,x 0 ) 2 ω Mult(R,X ) leak trace modeling leak value time Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 7 / 17
17 Introduction Clavier et al s Paper This Paper Attack: Horizontal Correlation Analysis Zoom on the Long Integer Multiplication R = (r t 1,,r 1,r 0 ) 2 ω X = (x t 1,,x 1,x 0 ) 2 ω Mult(R,X ) leak trace modeling leak value time l(r 0 x 0 ) l(r 0 x 1 ) l(r 0 x t 1 ) l(r 1 x 0 ) l(r 1 x 1 ) l(r 1 x t 1 ) l(r t 1 x 0 ) l(r t 1 x 1 ) l(r t 1 x t 1 ) Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 7 / 17
18 Introduction Clavier et al s Paper This Paper Attack: Horizontal Correlation Analysis Horizontal Correlation Analysis M known Hypothesis: X = M Simulation l(r 0 x 0 ) l(r 0 x 1 ) l(r 0 x t 1 ) l(r 1 x 0 ) l(r 1 x 1 ) l(r 1 x t 1 ) l(r t 1 x 0 ) l(r t 1 x 1 ) l(r t 1 x t 1 ) Observation { X = M bit = 1 X M bit = 0 HW (r 0 m 0 ) HW (r 0 m 1 ) HW (r 0 m t 1 ) HW (r 1 m 0 ) HW (r 1 m 1 ) HW (r 1 m t 1 ) HW (r t 1 m 0 ) HW (r t 1 m 1 ) HW (r t 1 m t 1 ) ρ( l(r i x j ), HW (r i m j ) ) Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 8 / 17
19 Introduction Clavier et al s Paper This Paper s against Horizontal Attacks Actual s Analysis Single curve Exposant/Message randomisation ineffective Clavier et al s countermeasures Blind the r i x j Replace r i x j by (r i a 1 )(x j a 2 ) Blind the x j, permute the r i Replace r i x j by r α[i] (x j a 2 ) l( r 0 x 0 ) l( r 0 x t 1 ) l( r 1 x 0 ) l( r 1 x t 1 ) l( r t 1 x 0 ) l( r t 1 x t 1 ) Permute the r i and the x j Replace r i x j by r α[i] x β[j] Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 9 / 17
20 Introduction Clavier et al s Paper This Paper s against Horizontal Attacks Actual s Analysis Single curve Exposant/Message randomisation ineffective Clavier et al s countermeasures Blind the r i x j Replace r i x j by (r i a 1 )(x j a 2 ) Blind the x j, permute the r i Replace r i x j by s α[i] (x j a 2 ) l(r α[0] x 0 ) l(r α[0] x t 1 ) l(r α[1] x 0 ) l(r α[1] x t 1 ) l(r α[t 1] x 0 ) l(r α[t 1] x t 1 ) Permute the r i and the x j Replace r i x j by r α[i] x β[j] Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 9 / 17
21 Introduction Clavier et al s Paper This Paper s against Horizontal Attacks Actual s Analysis Single curve Exposant/Message randomisation ineffective Clavier et al s countermeasures Blind the r i x j Replace r i x j by (r i a 1 )(x j a 2 ) Blind the x j, permute the r i Replace r i x j by s α[i] (x j a 2 ) l(r α[0] x β[0] ) l(r α[0] x β[t 1] ) l(r α[1] x β[0] ) l(r α[1] x β[t 1] ) l(r α[t 1] x β[0] ) l(r α[t 1] x β[t 1] ) Permute the r i and the x j Replace r i x j by r α[i] x β[j] Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 9 / 17
22 Introduction Clavier et al s Paper This Paper 1 Introduction 2 Clavier et al s Paper Attack: Horizontal Correlation Analysis s against Horizontal Attacks 3 This Paper Attacks on Clavier et al s New against Horizontal Attacks Simulation Results of Our Attacks 4 Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 10 / 17
23 Introduction Clavier et al s Paper This Paper Attacks on Clavier et al s Attacks on the Clavier et al s countermeasures Blind the r i x j (Replace r i x j by (r i a 1 )(x j a 2 )) R = (r i a 1 ) i Mult( R X ) X = (x j a 2 ) j r 0 x 0 r 0 x 1 r 0 x t 1 r 1 x 0 r 1 x 1 r 1 x t 1 r t 1 x 0 r t 1 x 1 r t 1 x t 1 Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 10 / 17
24 Introduction Clavier et al s Paper This Paper Attacks on Clavier et al s Attacks on the Clavier et al s countermeasures Blind the r i x j (Replace r i x j by (r i a 1 )(x j a 2 )) R = (r i a 1 ) i Mult( R X ) X = (x j a 2 ) j r 0 x 0 r 0 x 1 r 0 x t 1 R R R r 1 x 0 r 1 x 1 r 1 x t 1 r t 1 x 0 r t 1 x 1 r t 1 x t 1 Correlation between the r i x j and the r i m j When t increases, R = R Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 10 / 17
25 Introduction Clavier et al s Paper This Paper Attacks on Clavier et al s Attacks on the Clavier et al s countermeasures Blind the x j and permute the r i r α[0] x 0 r α[0] x t 1 r α[1] x 0 r α[1] x t 1 r α[t 1] x 0 r α[t 1] x t 1 Permute the r i and the x j r α[0] x β[0] r α[0] x β[t 1] r α[1] x β[0] r α[1] x β[t 1] r α[t 1] x β[0] r α[t 1] x β[t 1] Weakness: α and β are independent Exhaustive research on β t! possibilities Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 11 / 17
26 Introduction Clavier et al s Paper This Paper New against Horizontal Attacks New Permute simultaneously the r i and the x j Use a t 2 -size permutation in order to randomize simultaneously the r i and the x j Leak modelisation: l(r 1 x 2 ) l(r 1 x 0 ) l(r 2 x 0 ) l(r 0 x 2 ) l(r 2 x 2 ) l(r 1 x 1 ) l(r 2 x 1 ) l(r 0 x 1 ) l(r 0 x 0 ) Find the permutation: t 2! possibilities Third countermeasure of Clavier et al: t! possibilities Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 12 / 17
27 Introduction Clavier et al s Paper This Paper Simulation Results of Our Attacks Attack on Architecture 8 bits size of R and X in base 2 ω RSA 1024 SECURE INSECURE Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 13 / 17
28 Introduction Clavier et al s Paper This Paper Simulation Results of Our Attacks Architecture 8 bits Architecture 16 bits SECURE RSA 1024 RSA 2048 SECURE INSECURE INSECURE RSA 4096 SECURE INSECURE t: size of R and X in base 2 ω Works also on 16 and 32 bits When ω, security level Architecture 32 bits Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 14 / 17
29 Introduction Clavier et al s Paper This Paper 1 Introduction 2 Clavier et al s Paper Attack: Horizontal Correlation Analysis s against Horizontal Attacks 3 This Paper Attacks on Clavier et al s New against Horizontal Attacks Simulation Results of Our Attacks 4 Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 15 / 17
30 Introduction Clavier et al s Paper This Paper Several traces Side-Channel Analysis Methods One trace Vertical Horizontal s Exposant Blinding Message Blinding Regular Algorithm Clavier et al Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 15 / 17
31 Introduction Clavier et al s Paper This Paper Several traces Side-Channel Analysis Methods One trace Vertical Horizontal s Exposant Blinding Message Blinding Regular Algorithm Clavier et al New countermeasure Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 15 / 17
32 Introduction Clavier et al s Paper This Paper And more in our paper Framework: model both Horizontal and Vertical Attacks Attacks on Square and Multiply Always More Simulations: Attacks on variant Clavier et al first countermeasure Variant of our attack (no average) Test the robustness of our countermeasure Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 16 / 17
33 Introduction Clavier et al s Paper This Paper Thank you for your attention Questions? Aurélie Bauer, Éliane Jaulmes, Emmanuel Prouff, Justine Wild ANSSI Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations 17 / 17
34 Detecting a Timing Bias on RSA implementation of POLARSSL Timing Attack against protected RSA-CRT implementation used in PolarSSL Cyril Arnaud and Pierre-Alain Fouque Defense Ministry and Rennes 1 University February 26, 2013 C Arnaud and PA Fouque Timing Attack 1/ 32
35 Detecting a Timing Bias on RSA implementation of POLARSSL Overview 1 Detecting a Timing Bias on RSA implementation of POLARSSL Introduction Finding a bias is the set of extra bit observable? 2 Cryptographic Analysis Statistical Tools Results against PolarSSL State of the Art Alternatives to blinding 4 C Arnaud and PA Fouque Timing Attack 2/ 32
36 Detecting a Timing Bias on RSA implementation of POLARSSL Overview Introduction Finding a bias is the set of extra bit observable? 1 Detecting a Timing Bias on RSA implementation of POLARSSL Introduction Finding a bias is the set of extra bit observable? 2 Cryptographic Analysis Statistical Tools Results against PolarSSL State of the Art Alternatives to blinding 4 C Arnaud and PA Fouque Timing Attack 3/ 32
37 Detecting a Timing Bias on RSA implementation of POLARSSL State of the Art Introduction Finding a bias is the set of extra bit observable? Related Work 1996 : Timing Attacks on Implementations of Diffie-Hellman,RSA, DSS, and Other Systems [Kocher] at CRYPTO : Timing attack on RSA-CRT [Schindler] at CHES : Remote timing attacks are practical [Brumley et Boneh] at Usenix : Improving Brumley and Boneh timing attack on unprotected SSL implementation [O Aciiçmez, et al] at CCS 05 Attacks s of OPENSSL avoided Exploit timing bias induced by RSA optimizations Old monocore processors C Arnaud and PA Fouque Timing Attack 4/ 32
38 Detecting a Timing Bias on RSA implementation of POLARSSL State of the Art Introduction Finding a bias is the set of extra bit observable? Related Work 1996 : Timing Attacks on Implementations of Diffie-Hellman,RSA, DSS, and Other Systems [Kocher] at CRYPTO : Timing attack on RSA-CRT [Schindler] at CHES : Remote timing attacks are practical [Brumley et Boneh] at Usenix : Improving Brumley and Boneh timing attack on unprotected SSL implementation [O Aciiçmez, et al] at CCS 05 Attacks s of OPENSSL avoided Exploit timing bias induced by RSA optimizations Old monocore processors C Arnaud and PA Fouque Timing Attack 4/ 32
39 Detecting a Timing Bias on RSA implementation of POLARSSL Why using a Timing Attack? Introduction Finding a bias is the set of extra bit observable? Side-Channel Cryptanalysis Electromagnetic emanation and power consumption hard to apply on a computer Computation Time : cannot be detected allows to factor RSA modulus by measuring the time to decrypt possible on network Timing measurement : 2 instructions C Arnaud and PA Fouque Timing Attack 5/ 32
40 Detecting a Timing Bias on RSA implementation of POLARSSL Measurement of computation time Introduction Finding a bias is the set of extra bit observable? Time Stamp Counter (TSC) 64-bit counter that records cycle of the FSB bus Common to each CPU core Use of RDTSC instruction : do not use any privilege Performance Counter (PMC) Counter used in the CPU microarchitecture Allow to measure each tick of a core Reading using the RDMSR instruction : require privilege Require a specific kernel module C Arnaud and PA Fouque Timing Attack 6/ 32
41 Detecting a Timing Bias on RSA implementation of POLARSSL Target choice Introduction Finding a bias is the set of extra bit observable? RSA of POLARSSL 114 Opensource library developed in C Operational version (Adobe flash player, ) Use countermeasures suggested by Boneh and Brumley and Schindler (One subroutine for multiplication and a dummy substraction) RSA decryption in constant time Protected against timing attacks C Arnaud and PA Fouque Timing Attack 7/ 32
42 Detecting a Timing Bias on RSA implementation of POLARSSL Goals and Results Introduction Finding a bias is the set of extra bit observable? Goals Evaluate the countermeasure Mount an attack Determining efficient countermeasures Work on recent processors (Intel Core 2 Duo and Core i7) Results Detection of an unknown bias Attack verified on a chosen ciphertext attack for RSA 512, 1024 and 2048 bits Propose two countermeasures avoiding this attack C Arnaud and PA Fouque Timing Attack 8/ 32
43 Detecting a Timing Bias on RSA implementation of POLARSSL Goals and Results Introduction Finding a bias is the set of extra bit observable? Goals Evaluate the countermeasure Mount an attack Determining efficient countermeasures Work on recent processors (Intel Core 2 Duo and Core i7) Results Detection of an unknown bias Attack verified on a chosen ciphertext attack for RSA 512, 1024 and 2048 bits Propose two countermeasures avoiding this attack C Arnaud and PA Fouque Timing Attack 8/ 32
44 Detecting a Timing Bias on RSA implementation of POLARSSL RSA Implementation of POLARSSL Introduction Finding a bias is the set of extra bit observable? RSA Decryption To decrypt c (Z/nZ) : modular exponentiation using the private exponent : m = c d mod n RSA decryption optimizations of POLARSSL Chinese Remainder Theorem using Garner recombination Montgomery Multiplication using one countermeasure Modular Exponentiation using the sliding window method C Arnaud and PA Fouque Timing Attack 9/ 32
45 Detecting a Timing Bias on RSA implementation of POLARSSL Introduction Finding a bias is the set of extra bit observable? Multiprecision Montgomery Modular Multiplication Number representations A = i=s 1 i=0 a i r i, size of words is denoted by w s represents the number of required words of size w r = 2 w R = r s w w-bit multiplication to multiply a word with a large integer C Arnaud and PA Fouque Timing Attack 10/ 32
46 Detecting a Timing Bias on RSA implementation of POLARSSL Schindler s observation Introduction Finding a bias is the set of extra bit observable? Extra reduction - Time variance in MULTIMONTMUL Montgomery representation Ā = AR mod P Suppose B is uniformly distributed in Z P P (extra-reduction in MULTIMONTMUL( X,B,P)) = X mod P 2R P (extra-reduction in MULTIMONTMUL(B,B,P)) = P 3R C Arnaud and PA Fouque Timing Attack 11/ 32
47 Detecting a Timing Bias on RSA implementation of POLARSSL Introduction Finding a bias is the set of extra bit observable? PolarSSL s Multiprecision Montgomery multiplication Ṛunning times to execute the branch condition is identical for all inputs Dummy subtraction used in MULTIMONTMUL(A, B, P) makes the time to perform the multiplication independent on the A and B C Arnaud and PA Fouque Timing Attack 12/ 32
48 Detecting a Timing Bias on RSA implementation of POLARSSL Extra bit Introduction Finding a bias is the set of extra bit observable? The condition of MULTIMONTMUL is ABR 1 Z < P + ABR 1 We suppose that R <P< R (key lengths multiple of world size) 2 Then Z < 2R Hence, if Z > R then z s = 1, this bit is called extra bit Extra bit in source code in the s th loop of MULTIMONTMUL, if Z > R then the extra bit is set by a carry propagation up to the top most significant word of Z is extra bit imply a timing variance? C Arnaud and PA Fouque Timing Attack 13/ 32
49 Detecting a Timing Bias on RSA implementation of POLARSSL Introduction Finding a bias is the set of extra bit observable? An attacker can observe a timing difference Methodology We generate : We sort : Random numbers A, B with known size, converted in Montgomery representation a prime number Q where R 2 < Q < R the time in CPU s clock ticks to perform MULTIMONTMUL(A, B, Q) according to the size numbers if an extra bit, an extra-reduction without extra bit or neither of them is carried out C Arnaud and PA Fouque Timing Attack 14/ 32
50 Detecting a Timing Bias on RSA implementation of POLARSSL Results Introduction Finding a bias is the set of extra bit observable? Z<Q R<Z Q<Z<R Z<Q R<Z Q<Z<R Time in CPU cycles Time in CPU cycles A size B size A size B size FIGURE: Q = 512 FIGURE: Q = 1024 A timing difference is observable when Z > R Extra-reduction (Q Z < R) : masked by dummy subtraction Bias is proportional to the bitsize of Q C Arnaud and PA Fouque Timing Attack 15/ 32
51 Detecting a Timing Bias on RSA implementation of POLARSSL Introduction Finding a bias is the set of extra bit observable? Results of timing attacks against POLARSSL Kocher Attack (1996) ḍoes not apply to RSA-CRT Schindler s Attack (2000) ẉorks only with the square-&-multiply algorithm Schindler s Attack (2005) ḍoes not work due to the window in the sliding windows exponentiation Brumley-Boneh Attacks (2003) can work C Arnaud and PA Fouque Timing Attack 16/ 32
52 Detecting a Timing Bias on RSA implementation of POLARSSL Overview Cryptographic Analysis Statistical Tools Results against PolarSSL Detecting a Timing Bias on RSA implementation of POLARSSL Introduction Finding a bias is the set of extra bit observable? 2 Cryptographic Analysis Statistical Tools Results against PolarSSL State of the Art Alternatives to blinding 4 C Arnaud and PA Fouque Timing Attack 17/ 32
53 Detecting a Timing Bias on RSA implementation of POLARSSL Probability of an extra bit Cryptographic Analysis Statistical Tools Results against PolarSSL 114 ṀULTIMONTMUL(A,B,P), 0 A,B < P The probability of an extra bit is not null iff P > Probability of an extra bit B is uniformly distributed and C is a fixed value : For P > R P MULTIMONTMUL(B,B,P) = P + 2(R P) (R P)R (R P) 3R 3P 2 R P C = P MULTIMONTMUL(C,B,P) = C 2R + (R P)2 R 2CP R and X,Y (R P) R ( ) (R P)R,P, if X > Y then P P X > P Y C Arnaud and PA Fouque Timing Attack 18/ 32
54 Detecting a Timing Bias on RSA implementation of POLARSSL Cryptographic Analysis Statistical Tools Results against PolarSSL 114 Attack Characteristics Allows to recover the p most significant bits of p or q 2 Search each bit gradually using an approximation of p or q Use Coppersmith algorithm to complete the attack Recovering a 1024 key size with RDMSR instruction in inter-process Around ten minutes queries C Arnaud and PA Fouque Timing Attack 19/ 32
55 Detecting a Timing Bias on RSA implementation of POLARSSL Cryptographic Analysis Statistical Tools Results against PolarSSL 114 Attack Characteristics Allows to recover the p most significant bits of p or q 2 Search each bit gradually using an approximation of p or q Use Coppersmith algorithm to complete the attack Recovering a 1024 key size with RDMSR instruction in inter-process Around ten minutes queries C Arnaud and PA Fouque Timing Attack 19/ 32
56 Detecting a Timing Bias on RSA implementation of POLARSSL Searching the p k bit Cryptographic Analysis Statistical Tools Results against PolarSSL 114 Assume the adversary knows the k most significant bits of p He can generate the integers c 1 and c 2 : c 1 = (p 0,p 1,,p k 1,0,0,,0) 2 c 2 = (p 0,p 1,,p k 1,1,0,,0) 2 p k = 0 Decryption time p k = 1 Decryption time c q c p 1 c 2 c q c c p 1 2 C Arnaud and PA Fouque Timing Attack 20/ 32
57 Detecting a Timing Bias on RSA implementation of POLARSSL Searching the p k bit Cryptographic Analysis Statistical Tools Results against PolarSSL 114 Assume the adversary knows the k most significant bits of p He can generate the integers c 1 and c 2 : c 1 = (p 0,p 1,,p k 1,0,0,,0) 2 c 2 = (p 0,p 1,,p k 1,1,0,,0) 2 p k = 0 Decryption time p k = 1 Decryption time c q c p 1 c 2 c q c c p 1 2 C Arnaud and PA Fouque Timing Attack 20/ 32
58 Detecting a Timing Bias on RSA implementation of POLARSSL Searching the p k bit Cryptographic Analysis Statistical Tools Results against PolarSSL 114 Assume the adversary knows the k most significant bits of p He can generate the integers c 1 and c 2 : c 1 = (p 0,p 1,,p k 1,0,0,,0) 2 c 2 = (p 0,p 1,,p k 1,1,0,,0) 2 p k = 0 Decryption time p k = 1 Decryption time c q c p 1 c 2 c q c c p 1 2 C Arnaud and PA Fouque Timing Attack 20/ 32
59 Detecting a Timing Bias on RSA implementation of POLARSSL Searching the p k bit Cryptographic Analysis Statistical Tools Results against PolarSSL 114 Assume the adversary knows the k most significant bits of p He can generate the integers c 1 and c 2 : c 1 = (p 0,p 1,,p k 1,0,0,,0) 2 c 2 = (p 0,p 1,,p k 1,1,0,,0) 2 p k = 0 Decryption time p k = 1 Decryption time c q c p 1 c 2 c q c c p 1 2 C Arnaud and PA Fouque Timing Attack 20/ 32
60 Detecting a Timing Bias on RSA implementation of POLARSSL Searching the p k bit Cryptographic Analysis Statistical Tools Results against PolarSSL 114 Assume the adversary knows the k most significant bits of p He can generate the integers c 1 and c 2 : c 1 = (p 0,p 1,,p k 1,0,0,,0) 2 Decryption time c 2 = (p 0,p 1,,p k 1,1,0,,0) 2 Decryption time c q c p 1 c 2 Ṭwo timing samples for values close to c 1 + ε 1 and c 2 + ε 2 : ζ c1 and ζ c2 c q c c p 1 2 C Arnaud and PA Fouque Timing Attack 21/ 32
61 Detecting a Timing Bias on RSA implementation of POLARSSL Cryptographic Analysis Statistical Tools Results against PolarSSL 114 How can we quantify the difference between the two samples ζ c1 and ζ c2? C Arnaud and PA Fouque Timing Attack 22/ 32
62 Detecting a Timing Bias on RSA implementation of POLARSSL Cryptographic Analysis Statistical Tools Results against PolarSSL 114 How can we check that the measure of the two samples ζ c1 and ζ c2 is correct? C Arnaud and PA Fouque Timing Attack 22/ 32
63 Detecting a Timing Bias on RSA implementation of POLARSSL Statistical Tests Cryptographic Analysis Statistical Tools Results against PolarSSL 114 T-test Allow to compare the means of two samples generated by 2 populations with equal variance If t observed > t threshold, p k = 0 otherwise p k = 1 Fisher-Snedecor Test Allows to compare the variances of two samples generated from 2 populations If F observed > F threshold : replay otherwise the value of t observed allows to determine p k In practice Ṣearch the intervalle I or F observed is maximal then compute t-test on I C Arnaud and PA Fouque Timing Attack 23/ 32
64 Detecting a Timing Bias on RSA implementation of POLARSSL Same process Cryptographic Analysis Statistical Tools Results against PolarSSL 114 Modulus size #query/bit ratio of replay # query 512 bits 600 2% bits % bits % TABLE: RDTSC instruction Modulus size #query/bit ratio of replay # query 512 bits 600 2% bits % bits % TABLE: RDMSR instruction C Arnaud and PA Fouque Timing Attack 24/ 32
65 Detecting a Timing Bias on RSA implementation of POLARSSL Inter-process via TCP IP Cryptographic Analysis Statistical Tools Results against PolarSSL 114 Modulus size #query/bit ratio of replay # query 512 bits % bits % bits % TABLE: RDTSC instruction Modulus size #query/bit ratio of replay # query 512 bits % bits % bits % TABLE: RDMSR instruction C Arnaud and PA Fouque Timing Attack 25/ 32
66 Detecting a Timing Bias on RSA implementation of POLARSSL Amplifying the bias by repetiting Cryptographic Analysis Statistical Tools Results against PolarSSL 114 Ṭhe bias in our case is very small and is consequently hard to detect Sliding Exponentiation PolarSSL uses a CLNW (Constant Length Non-Zero Window) method whereas OpenSSL uses a VLNW method (Variable) Precomputation phase As in the CCS 05 paper, we use the precomputation phase many multiplications are used with the same value c 1 or c 2 to compute the precomputation table 31 multiplications with the same value if the window length is 5 C Arnaud and PA Fouque Timing Attack 26/ 32
67 Detecting a Timing Bias on RSA implementation of POLARSSL Distribution of modulus Cryptographic Analysis Statistical Tools Results against PolarSSL 114 We generated randomly keys with PolarSSL s key generation routine (p > q) ]05R; 5 1 R] ] 5 1 R, 07R] ]07R; 08R] ]08R; R] 2 2 Distribution of p size 0% 0011% 1333% 8666% Distribution of q size 1878% 2446% 3132% 2544% TABLE: Distribution of modulus Our attack is always feasible in practice C Arnaud and PA Fouque Timing Attack 27/ 32
68 Detecting a Timing Bias on RSA implementation of POLARSSL Overview State of the Art Alternatives to blinding 1 Detecting a Timing Bias on RSA implementation of POLARSSL Introduction Finding a bias is the set of extra bit observable? 2 Cryptographic Analysis Statistical Tools Results against PolarSSL State of the Art Alternatives to blinding 4 C Arnaud and PA Fouque Timing Attack 28/ 32
69 Detecting a Timing Bias on RSA implementation of POLARSSL OPENSSL State of the Art Alternatives to blinding Blinding Use a random before each decryption Efficient for all parameter size Slow down performance by a factor between 10 to 25% C Arnaud and PA Fouque Timing Attack 29/ 32
70 Detecting a Timing Bias on RSA implementation of POLARSSL Cancelling out extra bit State of the Art Alternatives to blinding Use particular modulus size ịf Q = kw, extra-bit is cancelling out Modify PolarSSL s key generation routine Generate keys where prime factors are less than R C Arnaud and PA Fouque Timing Attack 30/ 32
71 Detecting a Timing Bias on RSA implementation of POLARSSL Overview 1 Detecting a Timing Bias on RSA implementation of POLARSSL Introduction Finding a bias is the set of extra bit observable? 2 Cryptographic Analysis Statistical Tools Results against PolarSSL State of the Art Alternatives to blinding 4 C Arnaud and PA Fouque Timing Attack 31/ 32
72 Detecting a Timing Bias on RSA implementation of POLARSSL s Constant time cryptographic implementations are hard to achieve Known attacks exploit the bias of the extra-reduction due to an extra bit Our contributions Practical Timing Attack against a protected implementation Use statistical tests to reduce the number of chosen ciphertexts Introduce a new bias Propose 2 countermeasures for specific key sizes C Arnaud and PA Fouque Timing Attack 32/ 32
Timing Attack against protected RSA-CRT implementation used in PolarSSL
Timing Attack against protected RSA-CRT implementation used in PolarSSL Cyril Arnaud 1 and Pierre-Alain Fouque 1 École de l Air, cy.arnaud@orange.fr Université Rennes 1 pierre-alain.fouque@ens.fr Abstract.
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationRemote Timing Attacks are Practical
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationEfficient randomized regular modular exponentiation using combined Montgomery and Barrett multiplications
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2016 Efficient randomized regular modular exponentiation
More informationSide-channel attacks on PKC and countermeasures with contributions from PhD students
basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationA DPA attack on RSA in CRT mode
A DPA attack on RSA in CRT mode Marc Witteman Riscure, The Netherlands 1 Introduction RSA is the dominant public key cryptographic algorithm, and used in an increasing number of smart card applications.
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationSquare Always Exponentiation
Square Always Exponentiation Christophe Clavier 1 Benoit Feix 1,2 Georges Gagnerot 1,2 Mylène Roussellet 2 Vincent Verneuil 2,3 1 XLIM-Université de Limoges, France 2 INSIDE Secure, Aix-en-Provence, France
More informationTiming Attacks on Software Implementation of RSA
Timing Attacks on Software Implementation of RSA Project Report Harshman Singh School of Electrical Engineering and Computer Science Oregon State University Major Professor: Dr. Çetin Kaya Koç 2 Acknowledgements
More informationBranch Prediction based attacks using Hardware performance Counters IIT Kharagpur
Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur March 19, 2018 Modular Exponentiation Public key Cryptography March 19, 2018 Branch Prediction Attacks 2 / 54 Modular Exponentiation
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationBlinded Fault Resistant Exponentiation FDTC 06
Previous Work Our Algorithm Guillaume Fumaroli 1 David Vigilant 2 1 Thales Communications guillaume.fumaroli@fr.thalesgroup.com 2 Gemalto david.vigilant@gemalto.com FDTC 06 Outline Previous Work Our Algorithm
More informationAlgorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis
Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis Christophe Negre ici joined work with T. Plantard (U. of Wollongong, Australia) Journees Nationales GDR IM January
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationExclusive Exponent Blinding May Not Suffice to Prevent Timing Attacks on RSA
Exclusive Exponent Blinding May Not Suffice to Prevent Timing Attacks on RSA Werner Schindler Bundesamt für Sicherheit in der Informationstechnik (BSI) Godesberger Allee 185 189 53175 Bonn, Germany Werner.Schindler@bsi.bund.de
More informationOn the Use of Masking to Defeat Power-Analysis Attacks
1/32 On the Use of Masking to Defeat Power-Analysis Attacks ENS Paris Crypto Day February 16, 2016 Presented by Sonia Belaïd Outline Power-Analysis Attacks Masking Countermeasure Leakage Models Security
More informationLazy Leak Resistant Exponentiation in RNS
Lazy Leak Resistant Exponentiation in RNS Andrea Lesavourey, Christophe Negre, Thomas Plantard To cite this version: Andrea Lesavourey, Christophe Negre, Thomas Plantard. Lazy Leak Resistant Exponentiation
More informationExponent Blinding Does not Always Lift (Partial) SPA Resistance to Higher-Level Security
Exponent Blinding Does not Always Lift (Partial) SPA Resistance to Higher-Level Security Werner Schindler (Bundesamt für Sicherheit in der Informationstechnik (BSI)) and Kouichi Itoh (Fujitsu Laboratories
More informationDynamic Runtime Methods to Enhance Private Key Blinding
Dynamic Runtime Methods to Enhance Private Key Blinding Karine Gandolfi-Villegas and Nabil Hamzi Gemalto Security Labs {nabil.hamzi,karine.villegas}@gemalto.com Abstract. In this paper we propose new methods
More informationEfficient Leak Resistant Modular Exponentiation in RNS
Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1), Christophe Negre (1) and Thomas Plantard (2) (1) DALI (UPVD) and LIRMM (Univ. of Montpellier, CNRS), Perpignan, France (2)
More informationHardware Security Side channel attacks
Hardware Security Side channel attacks R. Pacalet renaud.pacalet@telecom-paristech.fr May 24, 2018 Introduction Outline Timing attacks P. Kocher Optimizations Conclusion Power attacks Introduction Simple
More informationComparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
International Conference on Manufacturing Science and Engineering (ICMSE 2015) Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
More informationSide-Channel Analysis on Blinded Regular Scalar Multiplications
Side-Channel Analysis on Blinded Regular Scalar Multiplications Extended Version Benoit Feix 1 and Mylène Roussellet 2 and Alexandre Venelli 3 1 UL Security Transactions, UK Security Lab benoit.feix@ul.com
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationLow-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity
Low-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity [Published in IEEE Transactions on Computers 53(6):760-768, 00.] Benoît Chevallier-Mames 1, Mathieu Ciet, and Marc
More informationSide Channel Analysis. Chester Rebeiro IIT Madras
Side Channel Analysis Chester Rebeiro IIT Madras Modern ciphers designed with very strong assumptions Kerckhoff s Principle The system is completely known to the attacker. This includes encryption & decryption
More informationA DPA Attack against the Modular Reduction within a CRT Implementation of RSA
A DPA Attack against the Modular Reduction within a CRT Implementation of RSA Bert den Boer, Kerstin Lemke, and Guntram Wicke T-Systems ISS GmbH Rabinstr. 8, D-53111 Bonn, Germany BdenBoer@tpd.tno.nl,
More informationThéorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1
Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto (2008-2009) Théorie de l'information et codage 20,23 et 27 mars 2009 1
More informationEfficient regular modular exponentiation using multiplicative half-size splitting
J Cryptogr Eng (17) 7:45 53 DOI 1.17/s13389-16-134-5 SHORT COMMUNICATION Efficient regular modular exponentiation using multiplicative half-size splitting Christophe Negre 1, Thomas Plantard 3,4 Received:
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationFormal Verification of Side-Channel Countermeasures
Formal Verification of Side-Channel Countermeasures Sonia Belaïd June 5th 2018 1 / 35 1 Side-Channel Attacks 2 Masking 3 Formal Tools Verification of Masked Implementations at Fixed Order Verification
More information7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 7 Cryptanalysis Cryptanalysis Attacks such as exhaustive key-search do not exploit any properties of the encryption algorithm or implementation. Structural attacks
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationKnown Plaintext Only Attack on RSA CRT with Montgomery Multiplication
Known Plaintext Only Attack on RSA CRT with Montgomery Multiplication Martin Hlaváč hlavm1am@artax.karlin.mff.cuni.cz Department of Algebra, Charles University in Prague, Sokolovská 83, 186 75 Prague 8,
More informationIntroduction to Side Channel Analysis. Elisabeth Oswald University of Bristol
Introduction to Side Channel Analysis Elisabeth Oswald University of Bristol Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage and very briefly Part 3: Countermeasures Part
More informationEfficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand
Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe Negre, Thomas Plantard, Jean-Marc Robert Team DALI (UPVD) and LIRMM (UM2, CNRS), France CCISR, SCIT, (University
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationLeakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi
Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Wednesday, September 16 th, 015 Motivation Security Evaluation Motivation Security Evaluation
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationToward Secure Implementation of McEliece Decryption
Toward Secure Implementation of McEliece Decryption Mariya Georgieva & Frédéric de Portzamparc Gemalto & LIP6, 13/04/2015 1 MCELIECE PUBLIC-KEY ENCRYPTION 2 DECRYPTION ORACLE TIMING ATTACKS 3 EXTENDED
More informationInvestigations of Power Analysis Attacks on Smartcards *
Investigations of Power Analysis Attacks on Smartcards * Thomas S. Messerges Ezzy A. Dabbish Robert H. Sloan 1 Dept. of EE and Computer Science Motorola Motorola University of Illinois at Chicago tomas@ccrl.mot.com
More informationReduce-by-Feedback: Timing resistant and DPA-aware Modular Multiplication plus: How to Break RSA by DPA
Reduce-by-Feedback: Timing resistant and DPA-aware Modular Multiplication plus: How to Break RSA by DPA M. Vielhaber vielhaber@gmail.com Hochschule Bremerhaven und/y Universidad Austral de Chile CHES 2012
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationHardware Architectures for Public Key Algorithms Requirements and Solutions for Today and Tomorrow
Hardware Architectures for Public Key Algorithms Requirements and Solutions for Today and Tomorrow Cees J.A. Jansen Pijnenburg Securealink B.V. Vught, The Netherlands ISSE Conference, London 27 September,
More informationCorrecting Errors in Private Keys Obtained from Cold Boot Attacks
Correcting Errors in Private Keys Obtained from Cold Boot Attacks Hyung Tae Lee, HongTae Kim, Yoo-Jin Baek, and Jung Hee Cheon ISaC & Department of Mathmathical Sciences, SNU 2011. 11. 30. 1 / 17 Contents
More informationDeep Learning to Evaluate Secure RSA Implementations
Deep Learning to Evaluate Secure RSA Implementations Mathieu Carbone 1, Vincent Conin 1, Marie-Angela Cornélie 2, François Dassance 3, Guillaume Dufresne 3, Cécile Dumas 2, Emmanuel Prouff 4 and Alexandre
More informationExercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
More informationIntroduction to Cryptology. Lecture 20
Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationIntro to Physical Side Channel Attacks
Intro to Physical Side Channel Attacks Thomas Eisenbarth 15.06.2018 Summer School on Real-World Crypto & Privacy Šibenik, Croatia Outline Why physical attacks matter Implementation attacks and power analysis
More informationAttacking DSA Under a Repeated Bits Assumption
Attacking DSA Under a Repeated Bits Assumption P.J. Leadbitter, D. Page, and N.P. Smart Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United
More informationAttacks on RSA & Using Asymmetric Crypto
Attacks on RSA & Using Asymmetric Crypto Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Breaking RSA 2.1 Chinese Remainder Theorem 2.2 Common
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationEfficient Application of Countermeasures for Elliptic Curve Cryptography
Efficient Application of Countermeasures for Elliptic Curve Cryptography Vladimir Soukharev, Ph.D. Basil Hess, Ph.D. InfoSec Global Inc. May 19, 2017 Outline Introduction Brief Summary of ECC Arithmetic
More informationAttacking unbalanced RSA-CRT using SPA. Our goal
Attacking unbalance RSA-CRT using SPA P.A. Fouque*, G. Martinet, G. Poupar (with the participation of Barnaby Martinet-Fouque) DCSSI Crypto ab, France (*) Ecole Normal Supérieure, France CHES 23 - P.A.
More informationLeak Resistant Arithmetic
Leak Resistant Arithmetic Jean-Claude Bajard 1, Laurent Imbert 1, Pierre-Yvan Liardet 2, and Yannick Teglia 2 1 LIRMM, CNRS UMR 5506, Université Montpellier II 161 rue Ada, 34392 Montpellier cedex 5, FRANCE
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationFPGA IMPLEMENTATION FOR ELLIPTIC CURVE CRYPTOGRAPHY OVER BINARY EXTENSION FIELD
University of Windsor Scholarship at UWindsor Electronic Theses and Dissertations 10-5-2017 FPGA IMPLEMENTATION FOR ELLIPTIC CURVE CRYPTOGRAPHY OVER BINARY EXTENSION FIELD Che Chen University of Windsor
More informationResistance of Randomized Projective Coordinates Against Power Analysis
Resistance of Randomized Projective Coordinates Against Power Analysis William Dupuy and Sébastien Kunz-Jacques DCSSI Crypto Lab 51, bd de Latour-Maubourg, 75700 PARIS 07 SP william.dupuy@laposte.net,
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationStart Simple and then Refine: Bias-Variance Decomposition as a Diagnosis Tool for Leakage Profiling
IEEE TRANSACTIONS ON COMPUTERS, VOL.?, NO.?,?? 1 Start Simple and then Refine: Bias-Variance Decomposition as a Diagnosis Tool for Leakage Profiling Liran Lerman, Nikita Veshchikov, Olivier Markowitch,
More informationMASKING is the most widely deployed countermeasure
1 Corrections to Further Improving Efficiency of Higher-Order Masking Schemes by Decreasing Randomness Complexity Shuang Qiu, Rui Zhang, Yongbin Zhou, Wei Cheng Abstract Provably secure masking schemes
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationPractical Fault Countermeasures for Chinese Remaindering Based RSA
Practical Fault Countermeasures for Chinese Remaindering Based RSA (Extended Abstract) Mathieu Ciet 1 and Marc Joye 2, 1 Gemplus R&D, Advanced Research and Security Centre La Vigie, ZI Athélia IV, Av.
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationPower Consumption Analysis. Arithmetic Level Countermeasures for ECC Coprocessor. Arithmetic Operators for Cryptography.
Power Consumption Analysis General principle: measure the current I in the circuit Arithmetic Level Countermeasures for ECC Coprocessor Arnaud Tisserand, Thomas Chabrier, Danuta Pamula I V DD circuit traces
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationRecovering Private Keys Generated With Weak PRNGs
Recovering Private Keys Generated With Weak PRNGs Pierre-Alain Fouque (Univ. Rennes 1) Mehdi Tibouchi (NTT Secure Platform Lab.) Jean-Christophe Zapalowicz (Inria) Journées C2 2014 Jean-Christophe Zapalowicz
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationrecover the secret key [14]. More recently, the resistance of smart-card implementations of the AES candidates against monitoring power consumption wa
Resistance against Dierential Power Analysis for Elliptic Curve Cryptosystems Jean-Sebastien Coron Ecole Normale Superieure Gemplus Card International 45 rue d'ulm 34 rue Guynemer Paris, F-75230, France
More informationPower Analysis Attacks and Algorithmic Approaches to their Countermeasures for Koblitz Curve Cryptosystems
Power Analysis Attacks and Algorithmic Approaches to their Countermeasures for Koblitz Curve Cryptosystems M. Anwar Hasan Department of Electrical and Computer Engineering University of Waterloo, Waterloo,
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationone eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th
Exposing an RSA Private Key Given a Small Fraction of its Bits Dan Boneh Glenn Durfee y Yair Frankel dabo@cs.stanford.edu gdurf@cs.stanford.edu yfrankel@cs.columbia.edu Stanford University Stanford University
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationNew attacks on RSA with Moduli N = p r q
New attacks on RSA with Moduli N = p r q Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationPublic Key Perturbation of Randomized RSA Implementations
Public Key Perturbation of Randomized RSA Implementations A. Berzati, C. Dumas & L. Goubin CEA-LETI Minatec & Versailles St Quentin University Outline 1 Introduction 2 Public Key Perturbation Against R2L
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Applied Statistics Unit, Indian Statistical Institute, 203 B. T. Road,
More informationNumbers. Çetin Kaya Koç Winter / 18
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 18 Number Systems and Sets We represent the set of integers as Z = {..., 3, 2, 1,0,1,2,3,...} We denote the set of positive integers modulo n as
More informationReconstruction and Error Correction of RSA Secret Parameters from the MSB Side
Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side Sarkar Santanu, Gupta Sourav Sen, Maitra Subhamoy To cite this version: Sarkar Santanu, Gupta Sourav Sen, Maitra Subhamoy.
More informationPower Analysis to ECC Using Differential Power between Multiplication and Squaring
Power Analysis to ECC Using Differential Power between Multiplication and Squaring Toru Akishita 1 and Tsuyoshi Takagi 2 1 Sony Corporation, Information Technologies Laboratories, Tokyo, Japan akishita@pal.arch.sony.co.jp
More informationMultiple-Differential Side-Channel Collision Attacks on AES
Multiple-Differential Side-Channel Collision Attacks on AES Andrey Bogdanov Horst Görtz Institute for IT Security Ruhr University Bochum, Germany abogdanov@crypto.rub.de www.crypto.rub.de Abstract. In
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More information