
    Cache Timing Attacks on Public Key Encryption

    The rise of cloud computing has made it much easier for attackers to run code on the same processors as their target, which has made many attacks more viable. This thesis discusses a cache timing attack targeting the LibTomMath library. LibTomMath is a mathematical library for computations using large integers and is used in some cryptographic libraries, such as the commercial solution WolfCrypt. The attack mainly focuses on the modular exponentiation function of LibTomMath, which is a major part of RSA implementations. The aim of the attack is to use cache timing to extract the long-term private key used by the server for encrypting communications. Recovering the private key gives the attacker access to past and future communications secured using this key, which usually has a lifespan of at least one year. The attack only requires that it shares a processor with the victim, and it works even if the attack process and the victim process are running on different virtual machines. The thesis includes a description of the RSA cipher as well as the various optimizations that are used in many cryptographic libraries. Next, it describes how to use cache timing to exploit some of those optimizations in order to gain information about the secret exponent from the memory access patterns of the target code. Finally, it discusses the limitations of the attack as well as how cloud service providers, cryptographic library developers, and processor manufacturers may be able to mitigate this class of attacks.

    Exclusive Exponent Blinding May Not Suffice to Prevent Timing Attacks on RSA

    The references [9,3,1] treat timing attacks on RSA with CRT and Montgomery's multiplication algorithm in unprotected implementations. It has been widely believed that exponent blinding would prevent any timing attack on RSA. At the cost of significantly more timing measurements, this paper extends the above-mentioned attacks to RSA with CRT when Montgomery's multiplication algorithm and exponent blinding are applied. Simulation experiments are conducted, which confirm the theoretical results. Effective countermeasures exist. In particular, the attack efficiency is higher than in the previous version [12], while large parts of both papers coincide.

    Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation

    We present new side-channel attacks on RSA and ElGamal implementations that use the popular sliding-window or fixed-window (m-ary) modular exponentiation algorithms. The attacks can extract decryption keys using a very low measurement bandwidth (a frequency band of less than 100 kHz around a carrier under 2 MHz) even when attacking multi-GHz CPUs. We demonstrate the attacks' feasibility by extracting keys from GnuPG, in a few seconds, using a nonintrusive measurement of electromagnetic emanations from laptop computers. The measurement equipment is cheap and compact, uses readily-available components (a Software Defined Radio USB dongle or a consumer-grade radio receiver), and can operate untethered while concealed, e.g., inside pita bread. The attacks use a few non-adaptive chosen ciphertexts, crafted so that whenever the decryption routine encounters particular bit patterns in the secret key, intermediate values occur with a special structure that causes observable fluctuations in the electromagnetic field. Through suitable signal processing and cryptanalysis, the bit patterns and eventually the whole secret key are recovered.

    Hard Instances of the Constrained Discrete Logarithm Problem

    The discrete logarithm problem (DLP) generalizes to the constrained DLP, where the secret exponent x belongs to a set known to the attacker. The complexity of generic algorithms for solving the constrained DLP depends on the choice of the set. Motivated by cryptographic applications, we study sets with succinct representation for which the constrained DLP is hard. We draw on earlier results due to Erdős et al. and Schnorr, develop geometric tools such as a generalized Menelaus' theorem for proving lower bounds on the complexity of the constrained DLP, and construct sets with succinct representation with provable non-trivial lower bounds.

    Yet Another MicroArchitectural Attack: Exploiting I-cache

    MicroArchitectural Attacks (MA), which can be considered a special form of side-channel analysis, exploit microarchitectural functionalities of processor implementations and can compromise the security of computational environments even in the presence of sophisticated protection mechanisms like virtualization and sandboxing. This newly evolving research area has attracted significant interest due to the broad application range and the potential of these attacks. Cache analysis and branch prediction analysis were the only types of MA that had been known publicly. In this paper, we introduce the Instruction Cache (I-Cache) as yet another source of MA and present our experimental results, which clearly prove the practicality and danger of I-Cache attacks.

    Cache-Timing Techniques: Exploiting the DSA Algorithm

    Side-channel information is any type of information leaked through unexpected channels due to physical features of a system dealing with data. The memory cache can be used as a side channel: leakage and exploitation of side-channel information from executing processes is possible, leading to the recovery of secret information. Cache-based side-channel attacks represent a serious threat to implementations of several cryptographic primitives, especially in shared libraries. This work explains some of the cache-timing techniques commonly used to exploit vulnerable software. Using a particular combination of techniques and exploiting a vulnerability found in the implementation of the DSA signature scheme in the OpenSSL shared library, a cache-timing attack is performed against DSA's sliding-window exponentiation algorithm. Moreover, the attack is expanded to show that it is possible to perform cache-timing attacks against protocols relying on the DSA signature scheme. SSH and TLS are attacked, leading to a key-recovery attack: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from an stunnel server.

    Power Efficient FPGA Implementation of RSA Algorithm

    Thesis (M.Sc.) -- İstanbul Technical University, Institute of Science and Technology, 2010
    In this study, the dynamic power consumption of Field Programmable Gate Array (FPGA) implementations of the Rivest, Shamir, Adleman (RSA) algorithm has been reduced by using low-power design methods. RSA is one of the most popular public key cryptographic algorithms. The mathematics behind the RSA algorithm can be summarized in two operations: modular multiplication and modular exponentiation. In the RSA cryptosystem, the arithmetic operation M^E mod N is used, where N is the modulus formed as the product of two relatively prime numbers, M is the message (plaintext) and E is the public key. In order to create an efficient implementation of RSA, one has to design the modular multiplication circuit efficiently. This mathematical background makes clear that the modular multiplication block dissipates most of the power consumed by an RSA implementation. For comparison of power dissipation, different methods are used to implement the modular multiplication block. Then RSA is implemented using sequential binary modular exponentiation, which has widespread applications. Computer simulations have been used to show that the implementations of the algorithm generate correct outputs for the test vectors.

    Security systems based on Gaussian integers : Analysis of basic operations and time complexity of secret transformations

    Many security algorithms currently in use rely heavily on integer arithmetic modulo prime numbers. Gaussian integers can be used with most security algorithms that are formulated for real integers. The aim of this work is to study the benefits of common security protocols with Gaussian integers. Although the main contribution of this work is to analyze and improve the application of Gaussian integers for various public key (PK) algorithms, Gaussian integers were studied in the context of image watermarking as well. The significant benefits of the application of Gaussian integers become apparent when they are used with Discrete Logarithm Problem (DLP) based PK algorithms. In order to quantify the complexity of the Gaussian integer DLP, it is reduced to two other well-known problems: the DLP for Lucas sequences and the real integer DLP. Additionally, a novel exponentiation algorithm for Gaussian integers, called Lucas sequence Exponentiation of Gaussian integers (LSEG), is introduced and its performance assessed, both analytically and experimentally. LSEG achieves about 35% theoretical improvement in CPU time over real integer exponentiation. Under an implementation with the GMP 5.0.1 library, it outperformed GMP's mpz_powm function (the particularly efficient modular exponentiation function that comes with the GMP library) by 40% for bit sizes 1000-4000, because of the low overhead associated with LSEG. Further improvements to real execution time can be easily achieved on multiprocessor or multicore platforms. In fact, over 50% improvement is achieved with a parallelized implementation of LSEG. All the mentioned improvements do not require any special hardware or software and are easy to implement. Furthermore, an efficient way of finding generators for DLP-based PK algorithms with Gaussian integers is presented. In addition to DLP-based PK algorithms, applications of Gaussian integers for factoring-based PK cryptosystems are considered.
    Unfortunately, the advantages of Gaussian integers for these algorithms are not as clear, because the extended order of Gaussian integers does not directly come into play. Nevertheless, this dissertation describes the Extended Square Root algorithm for Gaussian integers, used to extend the Rabin cryptography algorithm into the field of Gaussian integers. The extended Rabin cryptography algorithm with Gaussian integers allows using fewer of the preset bits the algorithm requires to guard against various attacks. Additionally, the extension of RSA into the domain of Gaussian integers is analyzed. The extended RSA algorithm could add security only if breaking the original RSA is not as hard as factoring. Even in this case, it is not clear whether the extended algorithm would increase security. Finally, the randomness property of Gaussian integer exponentiation is utilized to derive a novel algorithm to rearrange the image pixels used for image watermarking. The new algorithm is more efficient than the one currently used, and it provides a degree of cryptoimmunity. The proposed method can be used to enhance most picture watermarking algorithms.