Abstract

Cache-timing attacks are a serious threat to security-critical software. We show that the combination of vector quantization and hidden Markov model cryptanalysis is a powerful tool for automated analysis of cache-timing data; it can be used to recover critical algorithm state such as key material. We demonstrate its effectiveness by running an attack on the elliptic curve portion of OpenSSL (versions 0.9.8k and earlier). This involves automated lattice attacks leading to key recovery within hours. We carry out the attack on live cache-timing data without simulating the side channel, showing that these attacks are practical and realistic.
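The pipeline the abstract describes, as an added example and not the authors' code: a constructed cache-timing trace (not measured data; the per-operation latency fingerprints, the jitter bound, the two-state double/add model and the window width 4 are all assumptions) is vector-quantized with Lloyd's algorithm, per-operation templates are learned from a labelled profiling trace, and Viterbi decoding over a hidden Markov model of a windowed-NAF scalar multiplication recovers the double/add sequence. The count of trailing doubles after the last add then gives the low-order bits of the scalar, which is the kind of partial nonce knowledge an ECDSA lattice attack consumes. The training scalar and victim nonce are constructed values.

```python
import math
import random

STATES = "DA"  # hidden states: point Doubling, point Addition

# Constructed latency fingerprints (cycles) for four probed cache sets.
# Assumption: doubling and addition touch different cache lines, so a
# prime+probe spy sees a different latency pattern for each operation.
FINGERPRINT = {"D": (90.0, 20.0, 20.0, 85.0), "A": (20.0, 95.0, 80.0, 20.0)}


def wnaf_ops(k, w=4):
    """Operation string of a left-to-right width-w NAF point multiplication.
    Width 4 is an assumption; the leading double before the first add is
    modelled even if an implementation skips it (irrelevant for low bits)."""
    digits = []
    while k > 0:
        if k & 1:
            d = k % (1 << w)
            if d >= 1 << (w - 1):
                d -= 1 << w          # signed odd digit in (-2^(w-1), 2^(w-1))
            k -= d
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return "".join("DA" if d else "D" for d in reversed(digits))


def trace(ops, rng, jitter=8.0):
    """Constructed trace: one latency vector per operation plus bounded jitter."""
    return [[v + rng.uniform(-jitter, jitter) for v in FINGERPRINT[op]] for op in ops]


def sqdist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def nearest(cents, v):
    return min(range(len(cents)), key=lambda i: sqdist(cents[i], v))


def lloyd(vectors, k, rounds=20):
    """Lloyd's algorithm (k-means) with farthest-first seeding: the codebook."""
    cents = [list(vectors[0])]
    while len(cents) < k:
        cents.append(list(max(vectors, key=lambda v: min(sqdist(c, v) for c in cents))))
    for _ in range(rounds):
        groups = [[] for _ in range(k)]
        for v in vectors:
            groups[nearest(cents, v)].append(v)
        cents = [[sum(col) / len(g) for col in zip(*g)] if g else c
                 for g, c in zip(groups, cents)]
    return cents


def templates(ops, codes, k):
    """Emission table P(codeword | operation) from a labelled profiling trace,
    add-one smoothed so that no codeword is impossible for either state."""
    counts = {s: [1.0] * k for s in STATES}
    for op, c in zip(ops, codes):
        counts[op][c] += 1
    return {s: [x / sum(row) for x in row] for s, row in counts.items()}


def transitions(ops):
    """Transition table from the labelled sequence; A->A never occurs in a
    double-and-add chain, so that probability stays exactly zero."""
    counts = {s: {t: 0.0 for t in STATES} for s in STATES}
    for a, b in zip(ops, ops[1:]):
        counts[a][b] += 1
    return {s: {t: n / sum(row.values()) for t, n in row.items()} for s, row in counts.items()}


def viterbi(codes, emit, trans, start="D"):
    """Most likely operation sequence for a quantized trace."""
    def lg(p):
        return math.log(p) if p > 0 else -math.inf
    score = {s: (0.0 if s == start else -math.inf) + lg(emit[s][codes[0]]) for s in STATES}
    back = []
    for c in codes[1:]:
        new, ptr = {}, {}
        for t in STATES:
            prev = max(STATES, key=lambda s: score[s] + lg(trans[s][t]))
            new[t], ptr[t] = score[prev] + lg(trans[prev][t]) + lg(emit[t][c]), prev
        score = new
        back.append(ptr)
    state = max(STATES, key=score.get)
    path = [state]
    for ptr in reversed(back):
        state = ptr[state]
        path.append(state)
    return "".join(reversed(path))


def known_low_bits(ops):
    """j trailing doubles after the last add mean k = 2^j * odd: bits 0..j-1
    are zero and bit j is one, the partial-nonce fact a lattice attack uses."""
    return len(ops) - 1 - ops.rfind("A")


def attack_demo(seed=7):
    rng = random.Random(seed)
    train_ops = wnaf_ops(0x3A7F1C9D5B)          # profiling: attacker-known scalar
    train_vecs = trace(train_ops, rng)
    codebook = lloyd(train_vecs, 2)
    emit = templates(train_ops, [nearest(codebook, v) for v in train_vecs], 2)
    trans = transitions(train_ops)
    victim = 0x2D4B9E0C3F80                     # constructed nonce, ends in 1000 0000
    truth = wnaf_ops(victim)                    # attacker never sees this
    guess = viterbi([nearest(codebook, v) for v in trace(truth, rng)], emit, trans)
    return {"truth": truth, "guess": guess, "low_bits": known_low_bits(guess)}


if __name__ == "__main__":
    r = attack_demo()
    print(r["guess"], "nonce = 2^%d * odd" % r["low_bits"])
```

With the constructed fingerprints the two clusters are well separated, so quantization alone is almost error-free and the HMM mainly confirms the sequence; on measured traces the clusters overlap, and it is the zero-probability A->A transition and the minimum spacing between adds imposed by the NAF width that let Viterbi decoding correct misquantized observations. The low-bit fact per signature is what turns a set of observed ECDSA signatures into a hidden-number-problem lattice instance.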

Keywords

cache-timing attacks, side-channel attacks, elliptic curve cryptography


Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

Billy Bob Brumley, Risto M. Hakala
Department of Information and Computer Science, Helsinki University of Technology, FI-02015, Finland
