Side-Channel Attacks

See:
D. Boneh, R.A. Demillo, and R.J. Lipton, On the Importance of Checking Cryptographic Computations for Errors, EUROCRYPT'97.
P. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, CRYPTO'96.

© Eli Biham, January 10, 2011    696    Side-Channel Attacks (24)

Side Channel Attacks

Side channel attacks target the physical environment which is used for running cryptographic computations (as opposed to traditional cryptanalysis, which targets the protocols themselves).

Types of side channel attacks include:
• Timing attacks
• Power attacks
• Cache attacks
• Acoustic attacks
• Fault attacks

Fault Attacks

Fault attacks extract information about cryptographic keys from erroneous computations.

Kinds of faults:
• Transient – randomly occurring faults.
• Induced – the physical surrounding of the device is manipulated in order to induce errors (e.g., a surge in the power supply, overclocking, operating devices inside a microwave oven, etc.).
• Latent – caused by hardware or software bugs.

RSA Decryptions with CRT

The modular exponentiations required by RSA are computationally expensive. For efficiency reasons, it is possible to perform the decryption modulo $p$ and $q$ separately, and then use the Chinese remainder theorem (CRT) to compute the decryption $m = c^d \bmod n$. Such an implementation speeds up the decryption by a factor of 4 compared to naive implementations.

Decryption of a ciphertext $c$ using CRT:
1. Reduce the ciphertext modulo the prime factors: $c_p = c \bmod p$, $c_q = c \bmod q$.
2. Exponentiate the received values: $m_p = c_p^{d_p} \bmod p$, $m_q = c_q^{d_q} \bmod q$, where $d_p \equiv d \pmod{p-1}$ and $d_q \equiv d \pmod{q-1}$.
3. Use the Chinese remainder theorem to compute $m \in \mathbb{Z}_n^*$ such that $m \equiv m_p \pmod{p}$ and $m \equiv m_q \pmod{q}$.

RSA Decryptions with CRT (cont.)

The last step is done by computing $m = (x m_p + y m_q) \bmod n$, where $x$ and $y$ are precomputed integers that satisfy:

$x \equiv 1 \pmod{p}$, $x \equiv \ \pmod{q}$
and
$y \equiv \ \pmod{p}$, $y \equiv 1 \pmod{q}$

Note that $x$ and $y$ are only computed once, and then every execution of Step 3 requires only two modular exponentiations.

A Fault Attack on CRT-RSA

Let $c$ be a ciphertext decrypted using CRT, and assume that only the exponentiation modulo the factor $q$ is faulty (i.e., the value $m_q$ is incorrect, while the value of $m_p$ is correct)....
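
The CRT decryption steps above, together with the kind of output check the Boneh, Demillo and Lipton title refers to, as an added example that is not part of the original slides. The primes, the `fault_in_mq` test hook and all function names are constructed for illustration, and the re-encryption check is a commonly used countermeasure assumed here rather than taken from the slide text.

```python
# Toy RSA-CRT decryption following Steps 1-3, plus a re-encryption check.
# Constructed parameters: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent d
DP, DQ = D % (P - 1), D % (Q - 1)     # d_p and d_q from Step 2
# Precomputed once: X is 1 mod p and 0 mod q; Y is 0 mod p and 1 mod q.
X = Q * pow(Q, -1, P)
Y = P * pow(P, -1, Q)


class FaultDetected(Exception):
    """Raised when the recombined result fails the re-encryption check."""


def crt_decrypt(c, fault_in_mq=0, check=True):
    """Decrypt c with CRT. fault_in_mq is a hypothetical test hook that
    corrupts m_q to simulate a faulty exponentiation modulo q."""
    cp, cq = c % P, c % Q                      # Step 1: reduce mod p, q
    mp = pow(cp, DP, P)                        # Step 2: exponentiate mod p
    mq = (pow(cq, DQ, Q) + fault_in_mq) % Q    # Step 2: mod q, maybe faulted
    m = (X * mp + Y * mq) % N                  # Step 3: CRT recombination
    # Countermeasure: re-encrypt and compare before releasing the result.
    if check and pow(m, E, N) != c:
        raise FaultDetected("CRT result failed verification; output withheld")
    return m


def demo():
    m = 0x1234567890ABCDEF                     # constructed message, m < N
    c = pow(m, E, N)
    good = crt_decrypt(c)
    bad = crt_decrypt(c, fault_in_mq=1, check=False)  # unchecked faulty value
    try:
        crt_decrypt(c, fault_in_mq=1)
        detected = False
    except FaultDetected:
        detected = True
    # The faulty value is still right modulo p but wrong modulo q.
    return good == m, bad % P == m % P, bad % Q != m % Q, detected


if __name__ == "__main__":
    print(demo())
```

With the check enabled, a result built from a corrupted $m_q$ never leaves the decryption routine, at the cost of one extra public-key exponentiation per decryption.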
 Spring '11
 YanivCarmeli
