scholarly journals Cache-Timing Attacks on RSA Key Generation

2019 ◽  
pp. 213-242 ◽  
Author(s):  
Alejandro Cabrera Aldaya ◽  
Cesar Pereida García ◽  
Luis Manuel Alvarez Tapia ◽  
Billy Bob Brumley
Keyword(s):  
Constant Time ◽  
Key Generation ◽  
Limited Information ◽  
Key Recovery ◽  
Lattice Problem ◽  
Timing Attack ◽  
Problem Instances ◽  
Single Trace ◽  
Bulk Processing ◽  
Trace Cache

During the last decade, constant-time cryptographic software has quickly transitioned from an academic construct to a concrete security requirement for real-world libraries. Most of OpenSSL’s constant-time code paths are driven by cryptosystem implementations enabling a dedicated flag at runtime. This process is perilous, with several examples emerging in the past few years of the flag either not being set or software defects directly mishandling the flag. In this work, we propose a methodology to analyze security-critical software for side-channel insecure code path traversal. Applying our methodology to OpenSSL, we identify three new code paths during RSA key generation that potentially leak critical algorithm state. Exploiting one of these leaks, we design, implement, and mount a single trace cache-timing attack on the GCD computation step. We overcome several hurdles in the process, including but not limited to: (1) granularity issues due to word-size operands to the GCD function; (2) bulk processing of desynchronized trace data; (3) non-trivial error rate during information extraction; and (4) limited high-confidence information on the modulus factors. Formulating lattice problem instances after obtaining and processing this limited information, our attack achieves roughly a 27% success rate for key recovery using the empirical data from 10K trials.

scholarly journals Single Trace Analysis on Constant Time CDT Sampler and Its Countermeasure

2018 ◽  
Vol 8 (10) ◽  
pp. 1809 ◽  
Author(s):  
Suhri Kim ◽  
Seokhie Hong
Keyword(s):  
Gaussian Elimination ◽  
Cumulative Distribution ◽  
Constant Time ◽  
Key Generation ◽  
Secret Key ◽  
Secret Keys ◽  
Open Issue ◽  
Single Trace ◽  
Lattice Based Cryptography ◽  
Timing Attacks

The Gaussian sampler is an integral part in lattice-based cryptography as it has a direct connection to security and efficiency. Although it is theoretically secure to use the Gaussian sampler, the security of its implementation is an open issue. Therefore, researchers have started to investigate the security of the Gaussian sampler against side-channel attacks. Since the performance of the Gaussian sampler directly affects the performance of the overall cryptosystem, countermeasures considering only timing attacks are applied in the literature. In this paper, we propose the first single trace power analysis attack on a constant-time cumulative distribution table (CDT) sampler used in lattice-based cryptosystems. From our analysis, we were able to recover every sampled value in the key generation stage, so that the secret key is recovered by the Gaussian elimination. By applying our attack to the candidates submitted to the National Institute of Standards and Technology (NIST), we were able to recover over 99% of the secret keys. Additionally, we propose a countermeasure based on a look-up table. To validate the efficiency of our countermeasure, we implemented it in Lizard and measure its performance. We demonstrated that the proposed countermeasure does not degrade the performance.

scholarly journals One Bit is All It Takes: A Devastating Timing Attack on BLISS’s Non-Constant Time Sign Flips

2020 ◽  
Vol 15 (1) ◽  
pp. 131-142
Author(s):  
Mehdi Tibouchi ◽  
Alexandre Wallet
Keyword(s):  
Likelihood Estimation ◽  
Constant Time ◽  
Side Channel ◽  
Key Recovery ◽  
Signature Generation ◽  
Fisher Information Metric ◽  
Timing Attack ◽  
Information Metric ◽  
Key Recovery Attack ◽  
Cache Attacks

AbstractAs one of the most efficient lattice-based signature schemes, and one of the only ones to have seen deployment beyond an academic setting (e.g., as part of the VPN software suite strongSwan), BLISS has attracted a significant amount of attention in terms of its implementation security, and side-channel vulnerabilities of several parts of its signing algorithm have been identified in previous works. In this paper, we present an even simpler timing attack against it. The bimodal Gaussian distribution that BLISS is named after is achieved using a random sign flip during signature generation, and neither the original implementation of BLISS nor strongSwan ensure that this sign flip is carried out in constant time. It is therefore possible to recover the corresponding sign through side-channel leakage (using, e.g., cache attacks or branch tracing). We show that obtaining this single bit of leakage (for a moderate number of signatures) is in fact sufficient for a full key recovery attack. The recovery is carried out using a maximum likelihood estimation on the space of parameters, which can be seen as a statistical manifold. The analysis of the attack thus reduces to the computation of the Fisher information metric.

scholarly journals Cold Boot Attacks on LUOV

2020 ◽  
Vol 10 (12) ◽  
pp. 4106 ◽  
Author(s):  
Ricardo Villanueva-Polanco
Keyword(s):  
Key Generation ◽  
Secret Key ◽  
Cryptographic Primitives ◽  
Key Recovery ◽  
Recovery Algorithm ◽  
Private Key ◽  
Research Article ◽  
The Family ◽  
And Performance ◽  
First Time

This research article assesses the feasibility of cold boot attacks on the lifted unbalanced oil and Vinegar (LUOV) scheme, a variant of the UOV signature scheme. This scheme is a member of the family of asymmetric cryptographic primitives based on multivariable polynomials over a finite field K and has been submitted as candidate to the ongoing National Institute of Standards and Technology (NIST) standardisation process of post-quantum signature schemes. To the best of our knowledge, this is the first time that this scheme is evaluated in this setting. To perform our assessment of the scheme in this setting, we review two implementations of this scheme, the reference implementation and the libpqcrypto implementation, to learn the most common in-memory private key formats and next develop a key recovery algorithm exploiting the structure of this scheme. Since the LUOV’s key generation algorithm generates its private components and public components from a 256-bit seed, the key recovery algorithm works for all the parameter sets recommended for this scheme. Additionally, we tested the effectiveness and performance of the key recovery algorithm through simulations and found the key recovery algorithm may retrieve the private seed when α = 0.001 (probability that a 0 bit of the original secret key will flip to a 1 bit) and β (probability that a 1 bit of the original private key will flip to a 0 bit) in the range { 0.001 , 0.01 , 0.02 , … , 0.15 } by enumerating approximately 2 40 candidates.

scholarly journals Single-Trace Attacks on Keccak

2020 ◽  
pp. 243-268 ◽  
Author(s):  
Matthias J. Kannwischer ◽  
Peter Pessl ◽  
Robert Primas
Keyword(s):  
Template Matching ◽  
Message Passing ◽  
Graphical Model ◽  
Side Channel ◽  
Key Recovery ◽  
Single Observation ◽  
Message Passing Algorithm ◽  
Post Quantum Cryptography ◽  
Single Trace ◽  
Differential Attacks

Since its selection as the winner of the SHA-3 competition, Keccak, with all its variants, has found a large number of applications. It is, for instance, a common building block in schemes submitted to NIST’s post-quantum cryptography project. In many of these applications, Keccak processes ephemeral secrets. In such a setting, side-channel adversaries are limited to a single observation, meaning that differential attacks are inherently prevented. If, however, such a single trace of Keccak can already be sufficient for key recovery has so far been unknown. In this paper, we change the above by presenting the first single-trace attack targeting Keccak. Our method is based on soft-analytical side-channel attacks and, thus, combines template matching with message passing in a graphical model of the attacked algorithm. As a straight-forward model of Keccak does not yield satisfactory results, we describe several optimizations for the modeling and the message-passing algorithm. Their combination allows attaining high attack performance in terms of both success rate as well as computational runtime. We evaluate our attack assuming generic software (microcontroller) targets and thus use simulations in the generic noisy Hamming-weight leakage model. Hence, we assume relatively modest profiling capabilities of the adversary. Nonetheless, the attack can reliably recover secrets in a large number of evaluated scenarios at realistic noise levels. Consequently, we demonstrate the need for countermeasures even in settings where DPA is not a threat.

CacheBleed: a timing attack on OpenSSL constant-time RSA

2017 ◽  
Vol 7 (2) ◽  
pp. 99-112 ◽  
Author(s):  
Yuval Yarom ◽  
Daniel Genkin ◽  
Nadia Heninger
Keyword(s):  
Constant Time ◽  
Timing Attack

scholarly journals Classic McEliece on the ARM Cortex-M4

2021 ◽  
pp. 125-148
Author(s):  
Ming-Shing Chen ◽  
Tung Chou
Keyword(s):  
Flash Memory ◽  
Public Key ◽  
Constant Time ◽  
Key Generation ◽  
The Public ◽  
Level 3 ◽  
Level 1 ◽  
Target Platform

This paper presents a constant-time implementation of Classic McEliece for ARM Cortex-M4. Specifically, our target platform is stm32f4-Discovery, a development board on which the amount of SRAM is not even large enough to hold the public key of the smallest parameter sets of Classic McEliece. Fortunately, the flash memory is large enough, so we use it to store the public key. For the level-1 parameter sets mceliece348864 and mceliece348864f, our implementation takes 582 199 cycles for encapsulation and 2 706 681 cycles for decapsulation. Compared to the level-1 parameter set of FrodoKEM, our encapsulation time is more than 80 times faster, and our decapsulation time is more than 17 times faster. For the level-3 parameter sets mceliece460896 and mceliece460896f, our implementation takes 1 081 335 cycles for encapsulation and 6 535 186 cycles for decapsulation. In addition, our implementation is also able to carry out key generation for the level-1 parameter sets and decapsulation for level-5 parameter sets on the board.

Sign in / Sign up

Export Citation Format

Share Document