Journal of Cryptology, Volume 29, Issue 4, pp 775–805

Bug Attacks

Article

Abstract

In this paper we present a new kind of cryptanalytic attack which utilizes bugs in the hardware implementation of computer instructions. The best-known example of such a bug is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most applications such bugs can be viewed as a minor nuisance, we show that in the case of RSA (even when protected by OAEP), Pohlig–Hellman and ElGamal encryption such bugs can be a security disaster: decrypting ciphertexts on any computer which multiplies even one pair of numbers incorrectly can lead to full leakage of the secret key, sometimes with a single well-chosen ciphertext. As shown by the recent revelation of top secret NSA documents by Edward Snowden, intentional hardware modification is a method that was used by the USA to weaken the security of commercial equipment sent to targeted organizations.
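As an added illustration (not code from the paper), the following Python toy shows the risk the abstract describes in the simplest RSA-CRT setting, following the fault-attack observation of Boneh, DeMillo and Lipton that the paper builds on, together with the re-encryption check that stops the faulty result from ever leaving the decryptor. The key, the ciphertext, the single wrong operand pair and all function names are constructed for this example; it assumes Python 3.8+ for `pow(x, -1, m)`.

```python
from math import gcd

# Constructed toy RSA-CRT key: P > Q so that a residue in (Q, P) can exist
# mod P but can never appear as an intermediate value mod Q. Far too small
# for real use; chosen so the arithmetic can be checked by hand.
P, Q = 1013, 1009
N, E = P * Q, 5
D = pow(E, -1, (P - 1) * (Q - 1))          # Python 3.8+ modular inverse
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)

BUG_OPERAND = 1010   # hypothetical: the hardware computes 1010 * 1010 wrongly


def exact_mul(a, b):
    return a * b


def buggy_mul(a, b):
    """Multiplier that is correct for every operand pair except one."""
    if (a, b) == (BUG_OPERAND, BUG_OPERAND):
        return a * b + 1                    # slightly inaccurate, only here
    return a * b


def modexp(base, exp, mod, mul=exact_mul):
    """Left-to-right square-and-multiply built on the supplied multiplier."""
    result = 1
    for bit in bin(exp)[2:]:
        result = mul(result, result) % mod
        if bit == "1":
            result = mul(result, base) % mod
    return result


def decrypt_crt(c, mul=exact_mul):
    """RSA-CRT decryption (Garner recombination) on the given multiplier."""
    mp = modexp(c % P, DP, P, mul)
    mq = modexp(c % Q, DQ, Q, mul)
    h = (QINV * (mp - mq)) % P
    return mq + h * Q


def leaked_factor(c, m_faulty):
    """When only one CRT half went wrong, gcd(m'^e - c, N) is the other prime."""
    return gcd((pow(m_faulty, E, N) - c) % N, N)


def decrypt_checked(c, mul=exact_mul):
    """Countermeasure: re-encrypt with the public key and release nothing
    unless the result verifies (the check here uses Python's own exact pow)."""
    m = decrypt_crt(c, mul)
    return m if pow(m, E, N) == c else None
```

The ciphertext 1010 is 1010 mod P but 1 mod Q, so the wrong product is used only in the mod-P half: `leaked_factor(1010, decrypt_crt(1010, buggy_mul))` returns Q, while `decrypt_checked(1010, buggy_mul)` returns `None` instead of the faulty plaintext.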

Keywords

Bug attack, Fault attack, RSA, Pohlig–Hellman, ElGamal encryption


Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. Computer Science Department, Technion - Israel Institute of Technology, Haifa, Israel
  2. Computer Science Department, The Weizmann Institute of Science, Rehovot, Israel
