Side-channel Timing Attack of RSA on a GPU

To increase computation throughput, general-purpose Graphics Processing Units (GPUs) have been leveraged to accelerate computationally intensive workloads. GPUs have been used as cryptographic engines, improving encryption/decryption throughput by leveraging the GPU's Single Instruction Multiple Thread (SIMT) model. RSA is a widely used public-key cipher and has been ported onto GPUs for signing and decrypting large files. Although performance has been significantly improved, the security of RSA on GPUs is vulnerable to side-channel timing attacks, an exposure overlooked in previous studies. GPUs tend to be naturally resilient to side-channel attacks, given that they execute a large number of concurrent threads, performing many RSA operations on different data in parallel: the thousands of threads executing concurrently introduce a significant amount of noise into the timing channel. In this work, we build a timing model that captures the parallel characteristics of an RSA public-key cipher implemented on a GPU. We consider optimizations that include Montgomery multiplication and sliding-window exponentiation for the cryptographic operations. Our timing model addresses the challenges of parallel execution, complications that do not arise on single-threaded computing platforms. Based on this timing model, we launch successful timing attacks on RSA running on a GPU and extract the RSA private key. We also present an effective error detection and correction mechanism. Our results demonstrate that GPU acceleration of RSA is vulnerable to side-channel timing attacks, and we propose several countermeasures to defend against this class of attacks.
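The data-dependent cost that a timing model of a Montgomery-based RSA implementation fits is the conditional final subtraction ("extra reduction") inside each Montgomery product. The following is an added example, not the paper's code: a single-threaded toy model that counts those extra reductions per message during a square-and-multiply exponentiation, next to a branch-free variant (the no-final-subtraction form, which needs R > 4n) that removes the branch. The toy key, the messages and the function names are constructed for the example; the parallel GPU noise the paper models is not represented here.

```python
# Added example, not the paper's code: toy model of the data-dependent cost of
# Montgomery multiplication inside RSA exponentiation (the "extra reduction"
# branch) next to a branch-free variant. Key and messages are constructed.

def mont_params(n):
    """Return (k, R, n') with R = 2^k > 4n and n*n' = -1 (mod R)."""
    k = n.bit_length() + 2
    R = 1 << k
    return k, R, (-pow(n, -1, R)) % R

def montmul(a, b, n, k, R, n_p, stats):
    """a*b*R^-1 mod n with the conditional final subtraction.
    The branch is what a timing model measures; stats['extra'] counts it."""
    t = a * b
    m = (t * n_p) & (R - 1)
    u = (t + m * n) >> k
    if u >= n:                       # data-dependent extra reduction
        u -= n
        stats["extra"] += 1
    return u

def montmul_nosub(a, b, n, k, R, n_p, stats):
    """Same product without the subtraction: for R > 4n and inputs below 2n
    the result stays below 2n, so no branch is needed (Walter's result)."""
    t = a * b
    m = (t * n_p) & (R - 1)
    return (t + m * n) >> k

def modexp(base, exp, n, mul):
    """Left-to-right square-and-multiply in Montgomery form using `mul`.
    Returns (base^exp mod n, number of extra reductions taken)."""
    k, R, n_p = mont_params(n)
    stats = {"extra": 0}
    x = (base * R) % n               # Montgomery form of base
    acc = R % n                      # Montgomery form of 1
    for bit in bin(exp)[2:]:
        acc = mul(acc, acc, n, k, R, n_p, stats)
        if bit == "1":
            acc = mul(acc, x, n, k, R, n_p, stats)
    return mul(acc, 1, n, k, R, n_p, stats) % n, stats["extra"]

# Constructed toy RSA key: far too small for real use, fine for the model.
P, Q = 104729, 104723
N = P * Q
D = pow(65537, -1, (P - 1) * (Q - 1))

def reduction_profile(msgs, mul):
    """Per-message extra-reduction counts: the signal a timing model fits.
    With montmul the counts vary by message; with montmul_nosub they are 0."""
    return [modexp(m, D, N, mul)[1] for m in msgs]
```

A sliding-window exponentiation changes which products are computed but not the presence of the branch, so the same profile function applies to it.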
