sliding right into disaster left to right sliding windows
play

Sliding right into disaster - Left-to-right sliding windows leak - PowerPoint PPT Presentation

Sep 27, 2022 •125 likes •581 views

Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink , Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom September 28th, 2017 Sliding

  1. Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink , Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom September 28th, 2017 Sliding right into disaster - Left-to-right sliding windows leak 1

  2. Side-channel attacks on RSA Side-channel attacks on RSA: modular exponentiation Constant-time implementations cannot use sliding windows Common belief: sliding windows do not leak enough for key recovery Sliding right into disaster - Left-to-right sliding windows leak 2

  3. This work We show that right-to-left sliding window method does not leak enough Sliding right into disaster - Left-to-right sliding windows leak 3

  4. This work We show that right-to-left sliding window method does not leak enough We show that left-to-right sliding window method does leak enough Two methods to extract information from square and multiply sequence Demonstrated real-world applicability by attacking Libgcrypt We analyze the reasons why left-to-right leaks more than right-to-left Sliding right into disaster - Left-to-right sliding windows leak 3

  5. RSA Sliding right into disaster - Left-to-right sliding windows leak 4

  6. RSA signatures Keygen: Public key ( e , N ) where N = pq for primes p , q Secret key ( d , p , q ) where ed ≡ 1 mod φ ( N ) and φ ( N ) = ( p − 1)( q − 1) Sliding right into disaster - Left-to-right sliding windows leak 5

  7. RSA signatures Keygen: Public key ( e , N ) where N = pq for primes p , q Secret key ( d , p , q ) where ed ≡ 1 mod φ ( N ) and φ ( N ) = ( p − 1)( q − 1) Sign and verify: Let H be a padded secure hash-function Signature: s of message m : s = H ( m ) d mod N Verification: compute z = s e mod N and verify z ? = H ( m ) Sliding right into disaster - Left-to-right sliding windows leak 5

  8. RSA signatures Keygen: Public key ( e , N ) where N = pq for primes p , q Secret key ( d , p , q ) where ed ≡ 1 mod φ ( N ) and φ ( N ) = ( p − 1)( q − 1) Sign and verify: Let H be a padded secure hash-function Signature: s of message m : s = H ( m ) d mod N Verification: compute z = s e mod N and verify z ? = H ( m ) CRT: Common optimization based on Chinese Remainder Theorem (CRT) Compute s p ≡ H ( m ) d p mod p and s q ≡ H ( m ) d q mod q Combine to s using CRT Sliding right into disaster - Left-to-right sliding windows leak 5

  9. Sliding-window method Implement modular exponentiation using sliding-windows Window size w , sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i for odd 0 ≤ d i ≤ 2 w − 1 In general, compute b d mod p as follows: Sliding right into disaster - Left-to-right sliding windows leak 6

  10. Sliding-window method Implement modular exponentiation using sliding-windows Window size w , sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i for odd 0 ≤ d i ≤ 2 w − 1 In general, compute b d mod p as follows: Precompute small, odd powers of b mod p 1 (i.e. b mod p , b 3 mod p , . . . , b 2 w − 1 mod p ). Sliding right into disaster - Left-to-right sliding windows leak 6

  11. Sliding-window method Implement modular exponentiation using sliding-windows Window size w , sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i for odd 0 ≤ d i ≤ 2 w − 1 In general, compute b d mod p as follows: Precompute small, odd powers of b mod p 1 (i.e. b mod p , b 3 mod p , . . . , b 2 w − 1 mod p ). Set a = 1 2 For i ← n − 1 to 0: 3 a = a · a mod p (Square) 4 If d i � = 0: 5 a = a · b d i mod p (Multiply) 6 Return a 7 Sliding right into disaster - Left-to-right sliding windows leak 6

  12. Sliding-window method Implement modular exponentiation using sliding-windows Window size w , sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i for odd 0 ≤ d i ≤ 2 w − 1 In general, compute b d mod p as follows: Precompute small, odd powers of b mod p 1 (i.e. b mod p , b 3 mod p , . . . , b 2 w − 1 mod p ). Set a = 1 2 For i ← n − 1 to 0: 3 a = a · a mod p (Square) 4 If d i � = 0: 5 a = a · b d i mod p (Multiply) 6 Return a 7 This leaks a Square and Multiply Sequence For sufficiently large w , too many options to try Sliding right into disaster - Left-to-right sliding windows leak 6

  13. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Sliding right into disaster - Left-to-right sliding windows leak 7

  14. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Right-to-left Windowed form Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  15. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Right-to-left Windowed form 0 0 0 3 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  16. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Right-to-left Windowed form 0 0 0 0 3 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  17. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Right-to-left Windowed form 0 0 0 11 0 0 0 0 3 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  18. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Right-to-left Windowed form 0 0 0 1 0 0 0 11 0 0 0 0 3 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  19. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Right-to-left Windowed form 1 0 0 0 1 0 0 0 11 0 0 0 0 3 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 2 Leaking on average a fraction of w +1 bits Sliding right into disaster - Left-to-right sliding windows leak 7

  20. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Left-to-right Windowed form Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  21. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Left-to-right Windowed form Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  22. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Left-to-right Windowed form 1 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  23. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Left-to-right Windowed form 1 0 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  24. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Left-to-right Windowed form 1 0 0 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  25. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Left-to-right Windowed form 1 0 0 0 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  26. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Left-to-right Windowed form 1 0 0 0 0 0 0 13 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  27. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Left-to-right Windowed form 1 0 0 0 0 0 0 13 1 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

  28. Sliding-window form How to compute sliding-window form d n − 1 . . . d 0 s.t. d = � n − 1 i =0 d i 2 i Example with w = 4, d = 9059 = 10001101100011 Left-to-right Windowed form 1 0 0 0 0 0 0 13 1 0 0 0 Binary form 1 0 0 0 1 1 0 1 1 0 0 0 1 1 Sliding right into disaster - Left-to-right sliding windows leak 7

Recommend

Glacier Sliding Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Sliding / friction laws -

Glacier Sliding Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Sliding / friction laws -

Glacier Sliding Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Sliding / friction laws - Numerical models Classical sliding theory ( hard bed ) - Regelation - Viscous deformation - Cavitation Soft bed sliding - Till strength - Bed

235 views • 22 slides
Data stream statistics over sliding windows: How to summarize 150 Million updates per second on a

Data stream statistics over sliding windows: How to summarize 150 Million updates per second on a

Data stream statistics over sliding windows: How to summarize 150 Million updates per second on a single node Grigorios Chrysos, Odysseas Papapetrou, Dionisios Pnevmatikatos , Apostolos Dollas, Minos Garofalakis Technical

463 views • 27 slides
Beyond Sliding Windows: Object Localization by Efficient Subwindow Search Christoph H. Lampert

Beyond Sliding Windows: Object Localization by Efficient Subwindow Search Christoph H. Lampert

Beyond Sliding Windows: Object Localization by Efficient Subwindow Search Christoph H. Lampert , Matthew B. Blaschko , & Thomas Hofmann Max Planck Institute for Biological Cybernetics T ubingen, Germany Google, Inc. Z

627 views • 42 slides
Optimal Matching For SLiding Window Compression With Suffix Tries An advantage of sliding

Optimal Matching For SLiding Window Compression With Suffix Tries An advantage of sliding

Optimal Matching For SLiding Window Compression With Suffix Tries An advantage of sliding window compression is fast decoding. However, encoding is a different story. Simple hashing schemes such as that employed by gzip work well in

609 views • 21 slides
Lecture 3: Introduction to Sliding Mode Control Reference: S.C. Tan, Chapter 1. Sliding Mode

Lecture 3: Introduction to Sliding Mode Control Reference: S.C. Tan, Chapter 1. Sliding Mode

ELEC8406 Sliding Mode Control of Power Electronics Lecture 3: Introduction to Sliding Mode Control Reference: S.C. Tan, Chapter 1. Sliding Mode Control of Switching Power Converters History (1) SM control can be traced back to the 1930s

882 views • 45 slides
Brief Announcement: Tracking Distributed Aggregates over Time-based Sliding Windows Graham

Brief Announcement: Tracking Distributed Aggregates over Time-based Sliding Windows Graham

Brief Announcement: Tracking Distributed Aggregates over Time-based Sliding Windows Graham Cormode AT&T Labs Ke Yi HKUST Continuous Distributed Model Track f(S 1 ,,S m ) Coordinator local stream(s) seen at each site k sites S 1 S m

70 views • 4 slides
Sliding windows and face detection Tuesday, Nov 10 Kristen Grauman UT Austin Last time

Sliding windows and face detection Tuesday, Nov 10 Kristen Grauman UT Austin Last time

11/10/2009 Sliding windows and face detection Tuesday, Nov 10 Kristen Grauman UT Austin Last time Modeling categories with local features and spatial information: Histograms, configurations of visual words to capture Histograms

937 views • 40 slides
The Sliding Window Algorithm The Sliding Window algorithm sums several small

The Sliding Window Algorithm The Sliding Window algorithm sums several small

The Sliding Window Algorithm The Sliding Window algorithm sums several small sub-matrices of a matrix of values. The maximum of these sums is then located and it's coordinates passed out of the program. This is used as a

466 views • 22 slides
1 Sliding Windows Flow Control Sliding Window Diagram Allow multiple frames to be in transit

1 Sliding Windows Flow Control Sliding Window Diagram Allow multiple frames to be in transit

William Stallings Flow Control Data and Computer Communications Ensuring the sending entity does not overwhelm 7 th Edition the receiving entity Preventing buffer overflow Transmission time Chapter 7 Time taken to emit all

522 views • 8 slides
Sliding Window Protocol Sliding window protocol: Stop & Wait: inefficient if a is

Sliding Window Protocol Sliding window protocol: Stop & Wait: inefficient if a is

Computer Networks Prof. Hema A Murthy Sliding Window Protocol Sliding window protocol: Stop & Wait: inefficient if a is large. Data: - stream of bulk data - data can be pipelined - transmit window of date - donot

1.71k views • 13 slides
Adaptable Two-Dimension Sliding Windows on NVIDIA GPUs with Runtime Compilation Nicholas Moore

Adaptable Two-Dimension Sliding Windows on NVIDIA GPUs with Runtime Compilation Nicholas Moore

Adaptable Two-Dimension Sliding Windows on NVIDIA GPUs with Runtime Compilation Nicholas Moore and Miriam Leeser Dept. of Electrical and Computer Engineering Northeastern University Boston, MA Laurie Smith King Dept. of Mathematics and

405 views • 25 slides
Sliding Windows Sanja Fidler CSC420: Intro to Image Understanding 1 / 49 Type of Approaches Di

Sliding Windows Sanja Fidler CSC420: Intro to Image Understanding 1 / 49 Type of Approaches Di

Object Detection Sliding Windows Sanja Fidler CSC420: Intro to Image Understanding 1 / 49 Type of Approaches Di ff erent approaches tackle detection di ff erently. They can roughly be categorized into three main types: Find interest points ,

1.2k views • 51 slides
Sliding system for concertina doors 271 Sliding system for concertina doors - Technical features

Sliding system for concertina doors 271 Sliding system for concertina doors - Technical features

Sliding system for concertina doors Sliding system for concertina doors 271 Sliding system for concertina doors - Technical features The Salice system for concertina doors has been designed to open both doors on one side only, giving good access

512 views • 10 slides
Sliding Windows Sanja Fidler CSC420: Intro to Image Understanding 1 / 49 Type of Approaches

Sliding Windows Sanja Fidler CSC420: Intro to Image Understanding 1 / 49 Type of Approaches

Object Detection Sliding Windows Sanja Fidler CSC420: Intro to Image Understanding 1 / 49 Type of Approaches Different approaches tackle detection differently. They can roughly be categorized into three main types: Find interest points ,

883 views • 51 slides
Identifying Frequent Items in Sliding Windows over On-Line Packet Streams Alejandro Lpez-Ortiz

Identifying Frequent Items in Sliding Windows over On-Line Packet Streams Alejandro Lpez-Ortiz

Identifying Frequent Items in Sliding Windows over On-Line Packet Streams Alejandro Lpez-Ortiz School of Computer Science University of Waterloo Joint work with Lukasz Golab (Waterloo), David DeHaan (Waterloo), Erik Demaine (MIT), and J.

673 views • 12 slides
Sliding Windows Zhewei Wei 1 , Xuancheng Liu 1 , Feifei Li 2 , Shuo Shang 1 Xiaoyong Du 1 , Ji-Rong

Sliding Windows Zhewei Wei 1 , Xuancheng Liu 1 , Feifei Li 2 , Shuo Shang 1 Xiaoyong Du 1 , Ji-Rong

Matrix Sketching over Sliding Windows Zhewei Wei 1 , Xuancheng Liu 1 , Feifei Li 2 , Shuo Shang 1 Xiaoyong Du 1 , Ji-Rong Wen 1 1 School of Information, Renmin University of China 2 School of Computing, The University of Utah Matrix data

332 views • 14 slides
Sliding blocks puzzle solver Mike Clancy U.C. Berkeley CS Division The assignment Write a

Sliding blocks puzzle solver Mike Clancy U.C. Berkeley CS Division The assignment Write a

Sliding blocks puzzle solver Mike Clancy U.C. Berkeley CS Division The assignment Write a program to solve sliding blocks puzzles. Example: Take over the human part of http://www.puzzleworld.org/Slidin gBlockPuzzles/pennant.htm

217 views • 4 slides
Sliding tokens on block graphs Duc A. Hoang 1 Eli Fox-Epstein 2 Ryuhei Uehara 1 1 JAIST, Japan 2

Sliding tokens on block graphs Duc A. Hoang 1 Eli Fox-Epstein 2 Ryuhei Uehara 1 1 JAIST, Japan 2

WALCOM 2017 (March 29-31, 2017, Hsinchu, Taiwan) Sliding tokens on block graphs Duc A. Hoang 1 Eli Fox-Epstein 2 Ryuhei Uehara 1 1 JAIST, Japan 2 Brown University, USA Outline Reconfiguration problems and moving tokens on graphs 1 Sliding

657 views • 32 slides
Sliding DFT for Fun and Musical Profit John ffitch Richard Dobson Russell Bradford

Sliding DFT for Fun and Musical Profit John ffitch Richard Dobson Russell Bradford

Sliding DFT for Fun and Musical Profit John ffitch Richard Dobson Russell Bradford Codemist Ltd Composers Desktop Project University of Bath LAC K oln, Mar 2008 ffitch, Dobson, Bradford Sliding DFT for Fun Where are

425 views • 23 slides
Sliding window - Sender side Cumulative Acknowledgments Not sent Sent, no ACK ACK:ed Free

Sliding window - Sender side Cumulative Acknowledgments Not sent Sent, no ACK ACK:ed Free

Sliding window - Sender side Cumulative Acknowledgments Not sent Sent, no ACK ACK:ed Free Sending buffer at the sender: Sliding Window New data sent to transport layer by application, but not yet sent Free buffer space where application

564 views • 3 slides
V = k L s L is the normal load s is the sliding distance at constant sliding speed H soft H

V = k L s L is the normal load s is the sliding distance at constant sliding speed H soft H

Trends in Archards Wear law at the Macroscale Nanotribology 2017 Adhesive wear process Assumptions - Multi-asperity contact - Plastic or fracture deformations (governed by hardness) - Real contact area is proportional to the normal load

329 views • 17 slides
able to: Understand what the components of a muscle fibres Describe the sliding

able to: Understand what the components of a muscle fibres Describe the sliding

Neuromuscular Arrangement, Sliding Filament Theory Image used with consent from Lecture 5 McArdle, et al ., (2009) Aims By the end of the session you should be able to: Understand what the components of a muscle fibres Describe the

394 views • 6 slides
Stream Statistics Over Sliding Window Sum Problem Trends References Anil Maheshwari School of

Stream Statistics Over Sliding Window Sum Problem Trends References Anil Maheshwari School of

Stream Statistics Over Sliding Window Anil Maheshwari Introduction Algorithm Stream Statistics Over Sliding Window Sum Problem Trends References Anil Maheshwari School of Computer Science Carleton University Canada Outline Stream

297 views • 19 slides
Bit-Sliding: A Generic Technique for Bit-Serial Implementations of SPN-based Primitives 28. Sep.

Bit-Sliding: A Generic Technique for Bit-Serial Implementations of SPN-based Primitives 28. Sep.

Bit-Sliding: A Generic Technique for Bit-Serial Implementations of SPN-based Primitives 28. Sep. 2017 Jrmy Jean, Amir Moradi, Thomas Peyrin, Pascal Sasdrich ANSSI Crypto Lab, Paris, France Ruhr University Bochum, Germany Temasek

663 views • 35 slides

More recommend