Exclusive Exponent Blinding May Not Suffice to Prevent Timing Attacks on RSA
Werner Schindler
Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn, Germany
Saint-Malo, September 15, 2015
Outline
- State of the art and motivation
- A new timing attack
  - Attack scenario
  - Theoretical background
  - Attack algorithm
  - Empirical results
- Countermeasures
- Conclusion
Timing attacks on RSA
Timing attacks on RSA without CRT
- Kocher (Crypto 1996) [pioneer work]
- Dhem, Koeune, Leroux, Mestré, Quisquater, Willems (Cardis 1998)
- Schindler, Koeune, Quisquater (Cryptography and Coding 2001)
Timing attacks on RSA with CRT
- Schindler (CHES 2000)
- Brumley, Boneh (Usenix 2003)
- Acıiçmez, Schindler, Quisquater (CCS 2005)
NOTE: All these timing attacks are only applicable to unprotected implementations.
Algorithmic countermeasures against side channel attacks
- Base blinding (Kocher 1996)
- Exponent blinding (Kocher 1996)
- Modulus blinding
- Combination of blinding techniques
- ...
Crucial question in the context of security evaluations: Are these blinding techniques effective against side channel attacks?
Side channel attacks on blinded implementations
- Acıiçmez, Schindler (2007, 2008): Instruction cache attack on OpenSSL v.0.9.8e, RSA with CRT, base blinding
- Fouque et al. (2006), Bauer (2012): Power attacks on RSA without CRT, exponent blinding
- Schindler, Itoh (2011), Schindler, Wiemers (2014, 2015): Generic power attacks on exponent blinding (RSA, with and without CRT) and scalar blinding (ECC), also in combination with base blinding
It has widely been assumed that blinding techniques would effectively prevent (pure) timing attacks.
For exponent blinding this assumption is not true in general.
(Additive) exponent blinding
RSA with CRT
- n = p_1 p_2
- d = private exponent
- d_i = d (mod (p_i − 1))
- r_{i,j} ∈ {0, ..., 2^eb − 1} (eb-bit random number = j-th blinding factor for the exponentiation modulo p_i)
- for i = 1, 2 compute y^{d_i + r_{i,j}(p_i − 1)} (mod p_i) in place of y^{d_i} (mod p_i)
Exponent blinding is intended to prevent an attack from focusing on particular exponent bits, since the exponent actually used changes with every exponentiation.
Montgomery's multiplication algorithm (MM)
Input: M modulus, a, b ∈ Z_M := {0, 1, ..., M − 1}
Output: MM(a, b; M) := a b R^{−1} (mod M)
M < R = 2^x (R = Montgomery constant)
r-adic representation, r = 2^ws:
1  s := 0
2  for i = 0 to v − 1 do {
     u := (s + a_i b_0) m* (mod r)
     s := (s + a_i b + u M) / r
   }
3  if (s ≥ M) then s := s − M  [= extra reduction (ER)]
4  return MM(a, b; M)
The extra reduction causes timing differences.
Pseudoalgorithm: RSA with CRT, MM, exponent blinding
1. y_1 := y (mod p_1) and d_1 := d (mod (p_1 − 1)).
   (Exponent blinding) Generate the blinded exponent d_{1,b} := d_1 + r_1 φ(p_1) = d_1 + r_1 (p_1 − 1).
   Compute v_1 := y^{d_{1,b}} (mod p_1) (expo algorithm with MM).
2. y_2 := y (mod p_2) and d_2 := d (mod (p_2 − 1)).
   (Exponent blinding) Generate the blinded exponent d_{2,b} := d_2 + r_2 φ(p_2) = d_2 + r_2 (p_2 − 1).
   Compute v_2 := y^{d_{2,b}} (mod p_2) (expo algorithm with MM).
3. (Recombination) Compute v := y^d (mod n) from (v_1, v_2), e.g. with Garner's algorithm.
Theoretical background (I)
Our attack targets the exponentiation steps
1. Compute v_1 := y^{d_{1,b}} (mod p_1)
2. Compute v_2 := y^{d_{2,b}} (mod p_2)
In the following we assume
Time(MM(a, b; p_i)) ∈ {c, c + c_ER} for all a, b ∈ Z_{p_i}
- c = time for MM without extra reduction
- c_ER = time for an extra reduction
Time(v_i := y_i^{d_{i,b}} (mod p_i)) = const + c · #(squarings and multiplications) + c_ER · #ERs.
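The following is an added worked example, not code from the slides or from BSI. It implements Montgomery multiplication word-wise as on the MM slide, returns the extra-reduction flag alongside the product, and runs the three-step blinded CRT pseudoalgorithm with a square & multiply loop that counts squarings, multiplications and ERs, so that the timing model const + c·#(squarings and multiplications) + c_ER·#ERs can be evaluated per exponentiation. The toy primes, word size, constants and blinding factors are constructed for illustration and far too small for real use; m* is taken to denote −M^{−1} mod r, the standard choice the slide does not spell out.

```python
from dataclasses import dataclass

def montgomery_mult(a, b, M, ws, v):
    """MM(a, b; M) = a*b*R^-1 mod M with R = 2^(ws*v), computed word-wise
    (r-adic representation, r = 2^ws). Requires M odd and a, b < M < R.
    Returns (result, extra_reduction_done); the flag is the timing leak."""
    r = 1 << ws
    m_star = (-pow(M, -1, r)) % r          # m* = -M^-1 mod r (assumed meaning)
    b0 = b & (r - 1)                        # least significant word of b
    s = 0
    for i in range(v):
        a_i = (a >> (ws * i)) & (r - 1)    # i-th word of a
        u = ((s + a_i * b0) * m_star) % r
        s = (s + a_i * b + u * M) // r     # exact: the low word is zero by choice of u
    er = s >= M                             # s < 2M holds, so one subtraction suffices
    if er:
        s -= M                              # the extra reduction (ER)
    return s, er

@dataclass
class ExpoStats:
    result: int
    squarings: int
    multiplications: int
    extra_reductions: int

def mm_square_multiply(y, e, M, ws, v):
    """Left-to-right square & multiply in the Montgomery domain, counting operations and ERs."""
    R = 1 << (ws * v)
    if e == 0:
        return ExpoStats(1 % M, 0, 0, 0)
    R2 = (R * R) % M
    ybar, er = montgomery_mult(y % M, R2, M, ws, v)   # y*R mod M (enter the domain)
    sq = mul = 0
    ers = int(er)
    acc = ybar
    for bit in bin(e)[3:]:                  # skip "0b" and the leading 1
        acc, er = montgomery_mult(acc, acc, M, ws, v)
        sq += 1; ers += er
        if bit == "1":
            acc, er = montgomery_mult(acc, ybar, M, ws, v)
            mul += 1; ers += er
    out, er = montgomery_mult(acc, 1, M, ws, v)       # leave the Montgomery domain
    ers += er
    return ExpoStats(out, sq, mul, ers)

def rsa_crt_blinded(y, d, p1, p2, r1, r2, ws, v):
    """Steps 1-3 of the slide's pseudoalgorithm. r1, r2 play the role of the
    blinding factors r_{i,j}; recombination uses Garner's formula."""
    stats, parts = [], []
    for p, rb in ((p1, r1), (p2, r2)):
        d_i = d % (p - 1)
        d_ib = d_i + rb * (p - 1)           # additive exponent blinding
        st = mm_square_multiply(y % p, d_ib, p, ws, v)
        stats.append(st)
        parts.append(st.result)
    v1, v2 = parts
    h = ((v2 - v1) * pow(p1, -1, p2)) % p2  # Garner: v = v1 + p1 * ((v2 - v1) p1^-1 mod p2)
    return v1 + p1 * h, stats

def modelled_time(st, const, c, c_er):
    """The slide's timing model for one CRT exponentiation."""
    return const + c * (st.squarings + st.multiplications) + c_er * st.extra_reductions

if __name__ == "__main__":
    # Constructed toy parameters: 10-bit primes, 8-bit words, R = 2^16 > p_i.
    p1, p2, ws, v = 1009, 1013, 8, 2
    n, e = p1 * p2, 17
    d = pow(e, -1, (p1 - 1) * (p2 - 1))
    y = 123456
    for r1, r2 in ((0, 0), (3, 7), (255, 1)):
        val, (s1, s2) = rsa_crt_blinded(y, d, p1, p2, r1, r2, ws, v)
        assert val == pow(y, d, n)          # the blinding never changes the result
        # Constructed cost constants: the op counts and ER counts drive the modelled time.
        print(f"r1={r1:3d} r2={r2:3d}  ERs mod p1={s1.extra_reductions:3d} "
              f"mod p2={s2.extra_reductions:3d}  modelled time="
              f"{modelled_time(s1, 100, 5, 2) + modelled_time(s2, 100, 5, 2)}")
```

Running the script shows what the slide states: the result is independent of r_1, r_2, but the number of squarings and multiplications grows with the blinded exponent and the ER count varies with both the blinding factor and the base, which is exactly the quantity the timing model exposes.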
Theoretical background (II)
Central task: Understand how the blinding and the input data affect the number of squarings, multiplications and ERs.
Problems & difficulties: The moduli p_i and the bases y_i = y (mod p_i) are unknown. In addition to the difficulties of the unblinded case, the secret exponents d_{i,b} change in every exponentiation.
Theoretical background (III)
Our attack is an adaptive chosen-input attack with input values y_u := u R^{−1} (mod n).
The execution times Time((y_u)^d (mod n)) are interpreted as realizations of a random variable Z(u).
The computation of E(Z(u)) and Var(Z(u)) requires extensive calculations (details: paper).
We assume 0 < u_1 < u_2 < n and u_2 − u_1 ≪ p_1, p_2. Three cases are possible:
- Case A: The interval {u_1 + 1, ..., u_2} does not contain a multiple of p_1 or p_2.
- Case B: The interval {u_1 + 1, ..., u_2} contains a multiple of p_s but not of p_{3−s}.
- Case C: The interval {u_1 + 1, ..., u_2} contains a multiple of p_1 and p_2.
Theoretical background (IV)
For square & multiply exponentiation we have
$$
E(Z(u_2) - Z(u_1)) \approx
\begin{cases}
0 & \text{for Case A} \\
-\dfrac{\sqrt{n}}{4}\,(\log_2(R) + eb - 1)\, R^{-1} c_{ER} & \text{for Case B} \\
-\dfrac{\sqrt{n}}{2}\,(\log_2(R) + eb - 1)\, R^{-1} c_{ER} & \text{for Case C}
\end{cases}
$$
This property allows to construct a distinguisher to decide whether some interval (u_1, u_2] contains a multiple of p_1 or p_2. The decision boundary is given by
$$
\mathrm{decbound} := -\frac{\sqrt{n}}{8}\,(\log_2(R) + eb - 1)\, R^{-1} c_{ER}
$$
The distinguisher
Since Var(Z(u_2) − Z(u_1)) is large, each individual decision requires many timing measurements.
$$
\mathrm{MeanTime}(u, N) := \frac{1}{N} \sum_{j=1}^{N} \mathrm{Time}\big(y_j^{\,d} \pmod n\big)
\quad \text{with } y_j := u R^{-1} \pmod n
$$
Decision rule:
If (MeanTime(u_2, N) − MeanTime(u_1, N) > decbound)
  decide for '(u_1, u_2] does not contain a multiple of p_1 or p_2'
else
  decide for '(u_1, u_2] contains a multiple of p_1 or p_2'.
The Attack: Phase 1
Goal: Find an interval which contains the larger prime p_2.
Set (e.g.) u_1 := ⌊√n⌋ and Δ := 2^{−6} R
u_2 := u_1 + Δ
while (MeanTime(u_2, N) − MeanTime(u_1, N) > decbound) do* {
  u_1 := u_2, u_2 := u_2 + Δ
}
* ≡ The attacker believes that Case A is correct
Status: The interval (u_1, u_2] contains p_2.