Stealing Keys from PCs Using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation

  • Daniel Genkin
  • Lev Pachmanov
  • Itamar Pipman
  • Eran Tromer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9293)

Abstract

We present new side-channel attacks on RSA and ElGamal implementations that use sliding-window or fixed-window (m-ary) modular exponentiation. The attacks extract decryption keys using a very low measurement bandwidth (a frequency band of less than 100 kHz around a carrier under 2 MHz) even when attacking multi-GHz CPUs.

We demonstrate the attacks’ feasibility by extracting keys from GnuPG (unmodified ElGamal and non-blinded RSA), within seconds, using a nonintrusive measurement of electromagnetic emanations from laptop computers. The measurement equipment is cheap and compact, uses readily-available components (a Software Defined Radio USB dongle or a consumer-grade radio receiver), and can operate untethered while concealed, e.g., inside pita bread.

The attacks use a few non-adaptive chosen ciphertexts, crafted so that whenever the decryption routine encounters particular bit patterns in the secret key, intermediate values occur with a special structure that causes observable fluctuations in the electromagnetic field. Through suitable signal processing and cryptanalysis, the bit patterns and eventually the whole secret key are recovered.
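As an added illustration (not the paper's own code, ciphertexts or measurements, and not GnuPG's implementation), the toy model below shows the mechanism the abstract describes and why base blinding removes it: a fixed-window exponentiation records the multiplier operand it touches in each window, a chosen base of n-1 makes that operand take a distinctive value exactly when the window digit is odd, and blinding hands the routine a base the ciphertext chooser no longer controls. The textbook RSA parameters, the c = n-1 choice and the "an operand equal to n-1 is distinguishable" leakage model are simplifying assumptions made here.

```python
import secrets
from math import gcd

# Constructed toy RSA key (textbook example, far too small for real use).
N, E, D = 3233, 17, 2753     # n = 61 * 53
W = 2                        # window width: fixed-window (4-ary) exponentiation

def fixed_window_exp(base, exp, mod, w, trace):
    """Fixed-window (m-ary, m = 2**w) modular exponentiation.
    For every window, `trace` records the table operand that is multiplied
    in (None when the digit is 0 and no multiplication happens).  The operand
    stands in for the intermediate value whose structure a side channel exposes."""
    table = [1]
    for _ in range((1 << w) - 1):
        table.append(table[-1] * base % mod)   # table[d] = base**d mod n
    digits = []
    while exp:
        digits.append(exp & ((1 << w) - 1))
        exp >>= w
    acc = 1
    for d in reversed(digits):                 # most significant window first
        for _ in range(w):
            acc = acc * acc % mod
        if d:
            trace.append(table[d])
            acc = acc * table[d] % mod
        else:
            trace.append(None)
    return acc

def infer_windows(trace, mod):
    """Observer's view under the assumed leakage model: 'zero' when no
    multiplication occurred, 'odd' when the operand equalled mod-1, else 'even'."""
    return ["zero" if t is None else "odd" if t == mod - 1 else "even" for t in trace]

def unblinded_attack_view():
    """Chosen ciphertext c = n-1 (i.e. -1 mod n): table[d] is n-1 exactly for odd d,
    so the trace reveals the parity of every window of the private exponent."""
    trace = []
    fixed_window_exp(N - 1, D, N, W, trace)
    return infer_windows(trace, N)

def blinded_decrypt(c, r=None):
    """Countermeasure: decrypt c' = c * r^e instead and unblind with r^-1.
    The exponentiation now runs on a base the ciphertext chooser did not pick."""
    if r is None:
        r = secrets.randbelow(N - 2) + 2
        while gcd(r, N) != 1:
            r = secrets.randbelow(N - 2) + 2
    trace = []
    m_blind = fixed_window_exp(c * pow(r, E, N) % N, D, N, W, trace)
    return m_blind * pow(r, -1, N) % N, trace
```

With the unblinded chosen base, `unblinded_attack_view()` returns the parity of each 2-bit window of D (2753 = 0b10 10 11 00 00 01), while the blinded path decrypts to the same plaintext with a trace the ciphertext chooser could not shape.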

Keywords

  • Side channel
  • Electromagnetic analysis
  • RSA
  • ElGamal

Notes

Acknowledgments

We thank Werner Koch, lead developer of GnuPG, for the prompt response to our disclosure and the productive collaboration in adding suitable countermeasures. We thank Sharon Kessler for editorial advice.

This work was sponsored by the Check Point Institute for Information Security; by European Union’s Tenth Framework Programme (FP10/2010-2016) under grant agreement no. 259426 ERC-CaC; by the Leona M. and Harry B. Helmsley Charitable Trust; by the Israeli Ministry of Science and Technology; by the Israeli Centers of Research Excellence I-CORE program (center 4/11); and by NATO’s Public Diplomacy Division in the Framework of “Science for Peace”.

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Daniel Genkin (1, 2)
  • Lev Pachmanov (2)
  • Itamar Pipman (2)
  • Eran Tromer (2)
  1. Technion, Haifa, Israel
  2. Tel Aviv University, Tel Aviv, Israel