Remote Timing Attacks are Still Practical Billy Brumley Nicola - - PowerPoint PPT Presentation



SLIDE 1

Remote Timing Attacks are Still Practical

Billy Brumley Nicola Tuveri

Aalto University School of Science, Finland {bbrumley,ntuveri}@tcs.hut.fi

SLIDE 2

Synopsis

New remote timing attack vulnerability in OpenSSL’s implementation of Montgomery’s ladder for elliptic curves over binary fields. Practical and leads to complete key recovery. It’s able to steal the private key of a TLS server authenticating with ECDSA.

SLIDE 7

Timing attacks: related work

  • P. Kocher (1996): “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems”
  • D. Brumley and D. Boneh (2003): “Remote Timing Attacks are Practical”

SLIDE 8

Elliptic curve cryptography (ECC) and ECDSA

Curves over binary fields

$E(\mathbb{F}_{2^m}) : y^2 + xy = x^3 + a_2 x^2 + a_6$

NIST standard curves

Two types of curves for each $m \in \{163, 233, 283, 409, 571\}$:

  1. $a_2 = 1$ and $a_6$ chosen pseudo-randomly: e.g., B-163.
  2. $a_2 \in \{0, 1\}$ and $a_6 = 1$: Koblitz curves, e.g., K-163.

ECDSA

$\#G = n$ prime, private key $0 < d < n$, public key $[d]G$, nonce $0 < k < n$:

$r = ([k]G)_x \bmod n$
$s = (h(m) + dr) k^{-1} \bmod n$

SLIDE 9

Montgomery’s ladder

  • P. L. Montgomery (1987)
    ◮ Scalar multiplication method computing [k]G.
    ◮ Proposed for performance reasons, speeding up ECM.
  • López and Dahab (CHES ’99)
    ◮ Version for curves over binary fields takes 6 field mults per bit.

Side-channel properties

Extremely regular: same steps regardless of bit value. Another advantage is that the same operations are performed in every iteration of the main loop, thereby potentially increasing resistance to timing attacks and power analysis attacks. (src: Guide to Elliptic Curve Cryptography)

SLIDE 10

OpenSSL’s implementation

    /* find top most bit and go one past it */
    i = scalar->top - 1;
    j = BN_BITS2 - 1;
    mask = BN_TBIT;
    while (!(scalar->d[i] & mask)) {
        mask >>= 1;
        j--;
    }
    mask >>= 1;
    j--;
    /* if top most bit was at word break, go to next word */
    if (!mask) {
        i--;
        j = BN_BITS2 - 1;
        mask = BN_TBIT;
    }
    /* one ladder step per remaining bit of the scalar: both branches do the
     * same work, but the number of iterations depends on the MSB position */
    for (; i >= 0; i--) {
        for (; j >= 0; j--) {
            if (scalar->d[i] & mask) {
                if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx))
                    goto err;
                if (!gf2m_Mdouble(group, x2, z2, ctx))
                    goto err;
            } else {
                if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
                    goto err;
                if (!gf2m_Mdouble(group, x1, z1, ctx))
                    goto err;
            }
            mask >>= 1;
        }
        j = BN_BITS2 - 1;
        mask = BN_TBIT;
    }

SLIDE 11

Timing dependence

◮ Denote the time required to process one scalar bit and compute one ladder step as t (one nested for loop iteration).
◮ t is independent of any given $k_i$ bit value.
◮ The preceding while loop finds the MSB of k and optimizes the number of ladder steps.
◮ So there are exactly ⌈lg(k)⌉ − 1 ladder step executions.
◮ The execution time is precisely t(⌈lg(k)⌉ − 1).

Implication

There is a direct correlation between the time to compute a scalar multiplication and the logarithm of k.

SLIDE 12

Timing dependence illustrated

[Histogram: Frequency (500 to 2500) against Time, buckets <= 3, 4, 5, 6, 7, 8, 9, 10, >= 11]

SLIDE 13

Attack outline

The attack consists of two phases.

  1. The attacker collects a number of signatures and exploits the described time dependency to filter a smaller set of signatures. The signatures in the filtered set will have a high probability of being generated using secret nonces (k) having a leading zero bits sequence whose length is greater or equal to a fixed threshold.
  2. The attacker mounts a lattice attack using the set of signatures filtered in the collection phase to recover the secret key used to generate the ECDSA signatures.

We use B-163 for curve parameters.

SLIDE 14

Lattices

The problem

Assume $j$ equations of the form $m_i - s_i k_i + d r_i \equiv 0 \pmod n$, so $j$ equations and $j + 1$ unknowns. What if we know part of each of $j$ of the unknowns?

Howgrave-Graham and Smart (1999)

“Lattice Attacks on Digital Signature Schemes”

The solution

Here we’ve filtered signatures that suggest a “small” ki. Use lattice methods to produce a “small” solution. There’s a good chance it might be the right one.

SLIDE 15

Lattice attack: intuition

An average solution (n = 111111...): the leading bits of the 31 nonces are distributed as

    signatures  1-16   1?????...   (1/2)
    signatures 17-24   01????...   (1/4)
    signatures 25-28   001???...   (1/8)
    signatures 29-30   0001??...   (1/16)
    signature  31      00001?...   (1/32)

SLIDE 16

Lattice attack: intuition

An average solution (n = 111111...): the leading bits of the 31 nonces are distributed as

    signatures  1-16   1?????...   (1/2)
    signatures 17-24   01????...   (1/4)
    signatures 25-28   001???...   (1/8)
    signatures 29-30   0001??...   (1/16)
    signature  31      00001?...   (1/32)

Our solution (n = 111111...): all 31 filtered signatures have nonces of the form

    signatures  1-31   00000?...

SLIDE 17

Lattice attacks for applied cryptographers

SLIDE 18

A lattice attack experiment

[Plot: Success probability (0.1 to 1) against Signature count (30 to 80), one curve for bound 156 and one for bound 157]

SLIDE 19

Estimating success probability

Roughly, the number of iterations needed to succeed is inversely proportional to the probability of selecting a subset of the filtered set without “false positives”:

$\Pr[\text{subset without “false positives”}] = \binom{64 - e}{43} \Big/ \binom{64}{43}$

[Plot: Pr(subset without ’false positives’) on a log scale from 1e-18 to 1, against the number of ’false positives’ in the filtered set (e), e = 1 to 21]

SLIDE 20

Local attack

Timings taken and signatures collected by calling the ECDSA sign function directly.

    Collected signatures count (t)      4096    8192   16384
    Filtered set size (s)                 64      64      64
    Average “false positives” count    17.92    1.48    0.05

SLIDE 21

Transport Layer Security (TLS)

RFC 4492: ECC Cipher Suites. Handshake messages, in time order:

    Client -> Server: ClientHello
    Server -> Client: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
    Client -> Server: ClientKeyExchange, [ChangeCipherSpec], Finished
    Server -> Client: [ChangeCipherSpec], Finished

We use OpenSSL’s s_client and s_server in our experiments.

SLIDE 22

First remote attack

Messages exchanged over localhost loopback interface.

    Collected signatures count (t)      4096    8192   16384
    Filtered set size (s)                 64      64      64
    Average “false positives” count    17.06    4.01    0.90

SLIDE 23

Second remote attack

Messages exchanged between two hosts on the same switched network segment.

    Collected signatures count (t)      4096    8192   16384
    Filtered set size (s)                 64      64      64
    Average “false positives” count    19.40    8.96   11.81

SLIDE 24

A simple countermeasure

Pad the scalars: compute $[k]G$ using the equivalent value $[\hat{k}]G$ where

$$\hat{k} = \begin{cases} k + 2n & \text{if } \lceil \lg(k + n) \rceil = \lceil \lg n \rceil, \\ k + n & \text{otherwise.} \end{cases}$$

This makes the logarithm constant. No performance overhead.
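As an added example (my code, not the authors'), the step-count model of slide 11, the collection-phase filter of slide 13, the subset probability of slide 19 and the padding of slide 24 in Python: it ranks constructed nonces by (noisy) ladder time, counts the filtered nonces that fall short of a leading-zero threshold, and checks that padded scalars all take the same number of steps. The B-163 group order is quoted from FIPS 186 as I recall it and only its 163-bit length matters here; the Gaussian noise model and the threshold passed in are my assumptions.

```python
import math
import random

# Group order n of NIST B-163, quoted from FIPS 186 as I recall it (assumption:
# the checks below need only its 163-bit length, not the exact digits).
B163_N = 0x040000000000000000000292FE77E70C12A4234C33
M = 163  # nonces satisfy 0 < k < n < 2^163

def ceil_lg(x):
    """Exact ceil(lg x) for x >= 1, the quantity the slides reason about."""
    return (x - 1).bit_length()

def ladder_steps(k):
    """Iterations of OpenSSL's nested for loop: one per bit below the MSB of k."""
    return k.bit_length() - 1

def leading_zeros(k, m=M):
    """Leading zero bits of k written as an m-bit nonce."""
    return m - k.bit_length()

def padded_scalar(k, n=B163_N):
    """Slide 24 countermeasure: k_hat = k (mod n) with ceil(lg k_hat) constant."""
    if ceil_lg(k + n) == ceil_lg(n):
        return k + 2 * n
    return k + n

def false_positive_subset_prob(e, s=64, d=43):
    """Slide 19: Pr[a d-subset of the s filtered signatures has no false positive]."""
    return math.comb(s - e, d) / math.comb(s, d)

def simulate_filter(count, s, threshold, noise_sd, seed, n=B163_N):
    """Model of the collection phase (noise model is my assumption): rank constructed
    nonces by step count plus Gaussian noise, keep the s fastest, and count those
    whose leading zeros fall short of the threshold (the "false positives")."""
    rng = random.Random(seed)
    nonces = [rng.randrange(1, n) for _ in range(count)]
    ranked = sorted(nonces, key=lambda k: ladder_steps(k) + rng.gauss(0, noise_sd))
    return sum(1 for k in ranked[:s] if leading_zeros(k) < threshold)

def leak_removed(sample, n=B163_N):
    """True when padding gives every scalar in the sample the same step count."""
    return len({ladder_steps(padded_scalar(k, n)) for k in sample}) == 1
```

With noise_sd set to 0 the ranking is exact and a large collection leaves no false positives, while every padded scalar runs exactly 163 ladder steps regardless of k.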

SLIDE 25

Conclusion

◮ Practical timing attack in both local and remote scenarios.
◮ What is a “remote” attack these days?
◮ Applies to all OpenSSL ≤ 1.0.0d. You might be affected if you do any ECC with curves over binary fields.
◮ Ladder is not a silver bullet.
◮ Cryptography engineering still isn’t easy.