Cryptographers’ Track at the RSA Conference

Topics in Cryptology - CT-RSA 2016, pp. 219-235

ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs

  • Daniel Genkin
  • Lev Pachmanov
  • Itamar Pipman
  • Eran Tromer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9610)

Abstract

We present the first physical side-channel attack on elliptic curve cryptography running on a PC. The attack targets the ECDH public-key encryption algorithm as implemented in the latest version of GnuPG. By measuring the target's electromagnetic emanations, the attack extracts the secret decryption key within seconds, from a target located in an adjacent room across a wall. The attack uses a single carefully chosen ciphertext, together with tailored time-frequency signal analysis techniques, to achieve full key extraction.

Keywords

Side-channel attack; Elliptic curve cryptography; Electromagnetic emanations

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Daniel Genkin (1, 2)
  • Lev Pachmanov (2)
  • Itamar Pipman (2)
  • Eran Tromer (2)
  1. Technion, Haifa, Israel
  2. Tel Aviv University, Tel Aviv, Israel