Remote Timing Attacks are Still Practical Billy Brumley Nicola - PowerPoint PPT Presentation

Remote Timing Attacks are Still Practical Billy Brumley Nicola Tuveri Aalto University School of Science, Finland {bbrumley,ntuveri}@tcs.hut.fi

Synopsis New remote timing attack vulnerability in OpenSSL’s implementation of Montgomery’s ladder for elliptic curves over binary fields. Practical and leads to complete key recovery. It’s able to steal the private key of a TLS server authenticating with ECDSA.

Timing attacks: related work P. Kocher (1996) “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems” D. Brumley and D. Boneh (2003) “Remote Timing Attacks are Practical”

Elliptic curve cryptography (ECC) and ECDSA Curves over binary fields E ( F 2 m ) : y 2 + xy = x 3 + a 2 x 2 + a 6 NIST standard curves Two types of curves for each m ∈ { 163 , 233 , 283 , 409 , 571 } : 1. a 2 = 1 and a 6 chosen pseudo-randomly: e.g., B-163. 2. a 2 ∈ { 0 , 1 } and a 6 = 1: Koblitz curves, e.g., K-163. ECDSA # � G � = n prime, private key 0 < d < n , public key [ d ] G , nonce 0 < k < n : r = ([ k ] G ) x mod n s = ( h ( m ) + dr ) k − 1 mod n

Montgomery’s ladder P. L. Montogomery (1987) ◮ Scalar multiplication method computing [ k ] G . ◮ Proposed for performance reasons, speeding up ECM. L´ opez and Dahab (CHES ’99) Version for curves over binary fields takes 6 field mults per bit. Side-channel properties Extremely regular: same steps regardless of bit value. Another advantage is that the same operations are performed in every iteration of the main loop, thereby potentially increasing resistance to timing attacks and power analysis attacks. (src: Guide to Elliptic Curve Cryptography)

OpenSSL’s implementation /* find top most bit and go one past it */ i = scalar->top - 1; j = BN_BITS2 - 1; mask = BN_TBIT; while (!(scalar->d[i] & mask)) { mask >>= 1; j--; } mask >>= 1; j--; /* if top most bit was at word break, go to next word */ if (!mask) { i--; j = BN_BITS2 - 1; mask = BN_TBIT; } for (; i >= 0; i--) { for (; j >= 0; j--) { if (scalar->d[i] & mask) { if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err; if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err; } else { if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; } mask >>= 1; } j = BN_BITS2 - 1; mask = BN_TBIT; }

Timing dependence ◮ Denote the time required to process one scalar bit and compute one ladder step as t (one nested for loop iteration). ◮ t is independent of any given k i bit value. ◮ The preceding while loop finds the MSB of k and optimizes the number of ladder steps. ◮ So there are exactly ⌈ lg( k ) ⌉ − 1 ladder step executions. ◮ The execution time is precisely t ( ⌈ lg ( k ) ⌉ − 1). Implication There is a direct correlation between the time to compute a scalar multiplication and the logarithm of k .

Timing dependence illustrated 2500 <= 3 4 5 6 7 8 2000 9 10 >= 11 1500 Frequency 1000 500 0 Time

Attack outline The attack consists of two phases. 1. The attacker collects a number of signatures and exploits the described time dependency to filter a smaller set of signatures. The signatures in the filtered set will have a high probability of being generated using secret nonces ( k ) having a leading zero bits sequence whose length is greater or equal to a fixed threshold. 2. The attacker mounts a lattice attack using the set of signatures filtered in the collection phase to recover the secret key used to generate the ECDSA signatures. We use B-163 for curve parameters.

Lattices The problem Assume j equations of the form m i − s i k i + dr i ≡ 0 (mod n ) so j equations and j + 1 unknowns. What if we know part of each of j of the unknowns? Howgrave-Graham and Smart (1999) “Lattice Attacks on Digital Signature Schemes” The solution Here we’ve filtered signatures that suggest a “small” k i . Use lattice methods to produce a “small” solution. There’s a good chance it might be the right one.

Lattice attack: intuition An average solution n 111111... ------------ 1 1?????... ---- 2 1?????... 3 1?????... 4 1?????... 5 1?????... 6 1?????... 7 1?????... 8 1?????... 1/2 9 1?????... 10 1?????... 11 1?????... 12 1?????... 13 1?????... 14 1?????... 15 1?????... 16 1?????... ---- 17 01????... 18 01????... 19 01????... 20 01????... 1/4 21 01????... 22 01????... 23 01????... 24 01????... ---- 25 001???... 26 001???... 1/8 27 001???... 28 001???... ---- 29 0001??... 1/16 30 0001??... ---- 31 00001?... 1/32

Lattice attack: intuition An average solution Our solution n 111111... n 111111... ------------ ------------ 1 00000?... 1 1?????... ---- 2 00000?... 2 1?????... 3 00000?... 3 1?????... 4 00000?... 4 1?????... 5 00000?... 5 1?????... 6 00000?... 6 1?????... 7 00000?... 7 1?????... 8 00000?... 8 1?????... 1/2 9 00000?... 9 1?????... 10 00000?... 10 1?????... 11 00000?... 11 1?????... 12 00000?... 12 1?????... 13 00000?... 13 1?????... 14 00000?... 14 1?????... 15 00000?... 15 1?????... 16 00000?... 16 1?????... ---- 17 00000?... 17 01????... 18 00000?... 18 01????... 19 00000?... 19 01????... 20 00000?... 20 01????... 1/4 21 00000?... 21 01????... 22 00000?... 22 01????... 23 00000?... 23 01????... 24 00000?... 24 01????... ---- 25 00000?... 25 001???... 26 00000?... 26 001???... 1/8 27 00000?... 27 001???... 28 00000?... 28 001???... ---- 29 00000?... 29 0001??... 1/16 30 00000?... 30 0001??... ---- 31 00000?... 31 00001?... 1/32

Lattice attacks for applied cryptographers

A lattice attack experiment 1 bound: 156 bound: 157 0.9 0.8 0.7 Success probability 0.6 0.5 0.4 0.3 0.2 0.1 0 30 40 50 60 70 80 Signature count

Estimating success probability Roughly, the number of iterations needed to succeed is inversely proportional to the probability of selecting a subset of the filtered set without “false positives”: � 64 − e � 43 Pr[subset without “false positives”] = � 64 � 43 1 0.01 0.0001 Pr (subset without ’false positives’) 1e-06 1e-08 1e-10 1e-12 1e-14 1e-16 1e-18 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 Number of ’false positives’ in the filtered set. (e)

Local attack Timings taken and signatures collected by calling the ECDSA sign function directly. Collected signatures count ( t ) 4096 8192 16384 Filtered set size ( s ) 64 64 64 Average “false positives” count 17.92 1.48 0.05

Transport Layer Security (TLS) RFC 4492: ECC Cipher Suites Client Server ClientHello ServerHello Certificate ServerKeyExchange ServerHelloDone ClientKeyExchange [ChangeCipherSpec] Finished [ChangeCipherSpec] Finished time time We use OpenSSL’s s_client and s_server in our experiments.

First remote attack Messages exchanged over localhost loopback interface. Collected signatures count ( t ) 4096 8192 16384 Filtered set size ( s ) 64 64 64 Average “false positives” count 17.06 4.01 0.90

Second remote attack Messages exchanged between two hosts on the same switched network segment. Collected signatures count ( t ) 4096 8192 16384 Filtered set size ( s ) 64 64 64 Average “false positives” count 19.40 8.96 11.81

A simple countermeasure Pad the scalars: compute [ k ] G using the equivalent value [ˆ k ] G where � k + 2 n if ⌈ lg( k + n ) ⌉ = ⌈ lg n ⌉ , ˆ k = k + n otherwise. This makes the logarithm constant. No performance overhead.

Conclusion ◮ Practical timing attack in both local and remote scenarios. ◮ What is a “remote” attack these days? ◮ Applies to all OpenSSL ≤ 1 . 0 . 0 d . You might be affected if you do any ECC with curves over binary fields. ◮ Ladder is not a silver bullet. ◮ Cryptography engineering still isn’t easy.