Cache-Timing Template Attacks

Cache-timing attacks are a serious threat to security-critical software. We show that the combination of vector quantization and hidden Markov model cryptanalysis is a powerful tool for automated analysis of cache-timing data; it can be used to recover critical algorithm state such as key material. We demonstrate its effectiveness by running an attack on the elliptic curve portion of OpenSSL (0.9.8k and under). This involves automated lattice attacks leading to key recovery within hours. We carry out the attack on live cache-timing data without simulating the side channel, showing these attacks are practical and realistic.

[1]  Marc Joye,et al.  Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity , 2004, IEEE Transactions on Computers.

[2]  Daniel J. Bernstein,et al.  Cache-timing attacks on AES , 2005 .

[3]  Martin Hlavác,et al.  Extended Hidden Number Problem and Its Cryptanalytic Applications , 2006, Selected Areas in Cryptography.

[4]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[5]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2003 , 2003, Lecture Notes in Computer Science.

[6]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[7]  Teuvo Kohonen,et al.  Self-Organizing Maps , 2010 .

[8]  Nigel P. Smart,et al.  Lattice Attacks on Digital Signature Schemes , 2001, Des. Codes Cryptogr..

[9]  Çetin Kaya Koç,et al.  About Cryptographic Engineering , 2008, Cryptographic Engineering.

[10]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[11]  Bodo Möller,et al.  Improved Techniques for Fast Exponentiation , 2002, ICISC.

[12]  Paul C. Kocher,et al.  Differential Power Analysis , 1999, CRYPTO.

[13]  David Naccache,et al.  Cryptographic Hardware and Embedded Systems — CHES 2001 , 2001 .

[14]  Berk Sunar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2005, 7th International Workshop, Edinburgh, UK, August 29 - September 1, 2005, Proceedings , 2005, CHES.

[15]  C. Paar,et al.  Universal Exponentiation Algorithm – A First Step Towards Provable SPA-resistance – , 2001 .

[16]  David A. Wagner,et al.  Hidden Markov Model Cryptanalysis , 2003, CHES.

[17]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[18]  Pankaj Rohatgi,et al.  Template Attacks , 2002, CHES.

[19]  Van Nostrand,et al.  Error Bounds for Convolutional Codes and an Asymptotically Optimum Decoding Algorithm , 1967 .

[20]  Bodo Möller Algorithms for Multi-exponentiation , 2001, Selected Areas in Cryptography.

[21]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[22]  Lawrence R. Rabiner,et al.  A tutorial on hidden Markov models and selected applications in speech recognition , 1989, Proc. IEEE.

[23]  Igor E. Shparlinski,et al.  The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces , 2003, Des. Codes Cryptogr..

[24]  Nigel P. Smart,et al.  Further Hidden Markov Model Cryptanalysis , 2005, CHES.

[25]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2002 , 2003, Lecture Notes in Computer Science.

[26]  S. P. Lloyd,et al.  Least squares quantization in PCM , 1982, IEEE Trans. Inf. Theory.

[27]  Elisabeth Oswald,et al.  Template Attacks on ECDSA , 2009, WISA.

[28]  Elisabeth Oswald,et al.  Enhancing Simple Power-Analysis Attacks on Elliptic Curve Cryptosystems , 2002, CHES.

[29]  Manfred Josef Aigner,et al.  Randomized Addition-Subtraction Chains as a Countermeasure against Power Attacks , 2001, CHES.

[30]  Dan Page,et al.  Defending against cache-based side-channel attacks , 2003, Inf. Secur. Tech. Rep..

[31]  L. Baum,et al.  A Maximization Technique Occurring in the Statistical Analysis of Probabilistic Functions of Markov Chains , 1970 .

[32]  C. D. Walter,et al.  Randomized Exponentiation Algorithms , 2009, Cryptographic Engineering.

[33]  Christophe Clavier,et al.  Universal Exponentiation Algorithm , 2001, CHES.

[34]  Marc Joye,et al.  Cryptographic Hardware and Embedded Systems - CHES 2004 , 2004, Lecture Notes in Computer Science.

[35]  Nigel P. Smart,et al.  Attacking DSA Under a Repeated Bits Assumption , 2004, CHES.

[36]  John Viega,et al.  Network Security with OpenSSL , 2002 .

[37]  Bodo Möller,et al.  Parallelizable Elliptic Curve Point Multiplication Method with Resistance against Side-Channel Attacks , 2002, ISC.

[38]  David Pointcheval Topics in Cryptology - CT-RSA 2006, The Cryptographers' Track at the RSA Conference 2006, San Jose, CA, USA, February 13-17, 2006, Proceedings , 2006, CT-RSA.

[39]  Jean-Sébastien Coron,et al.  Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems , 1999, CHES.

[40]  Chae Hoon Lim,et al.  Information Security and Cryptology — ICISC 2002 , 2003, Lecture Notes in Computer Science.

[41]  W. Bosma,et al.  Signed bits and fast exponentiation , 2001 .

[42]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[43]  Neal Koblitz,et al.  Advances in Cryptology — CRYPTO ’96 , 2001, Lecture Notes in Computer Science.

[44]  Yeuvo Jphonen,et al.  Self-Organizing Maps , 1995 .