Side-Channel Attacks

See:
D. Boneh, R.A. Demillo, and R.J. Lipton, On the Importance of Checking Cryptographic Computations for Errors, EUROCRYPT'97.
P. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, CRYPTO'96.

© Eli Biham - January 10, 2011 696 Side-Channel Attacks (24)

Side Channel Attacks

Side channel attacks target the physical environment which is used for running cryptographic computations (as opposed to traditional cryptanalysis, which targets the protocols themselves).

Types of side channel attacks include:
• Timing attacks
• Power attacks
• Cache attacks
• Acoustic attacks
• Fault attacks

Fault Attacks

Fault attacks extract information about cryptographic keys from erroneous computations.

Kinds of faults:
• Transient – randomly occurring faults.
• Induced – the physical surrounding of the device is manipulated in order to induce errors (e.g., a surge in the power supply, overclocking, operating devices inside a microwave oven, etc.).
• Latent – caused by hardware or software bugs.

RSA Decryptions with CRT

The modular exponentiations required by RSA are computationally expensive. For efficiency reasons, it is possible to perform the decryption modulo $p$ and $q$ separately, and then use the Chinese remainder theorem (CRT) to compute the decryption $m = c^d \bmod n$. Such an implementation speeds up the decryption by a factor of 4 compared to naive implementations.

Decryption of a ciphertext $c$ using CRT:
1. Reduce the ciphertext modulo the prime factors: $c_p = c \bmod p$, $c_q = c \bmod q$.
2. Exponentiate the received values: $m_p = c_p^{d_p} \bmod p$, $m_q = c_q^{d_q} \bmod q$, where $d_p \equiv d \pmod{p-1}$ and $d_q \equiv d \pmod{q-1}$.
3. Use the Chinese remainder theorem to compute $m \in \mathbb{Z}_n^*$ such that $m \equiv m_p \pmod{p}$ and $m \equiv m_q \pmod{q}$.

RSA Decryptions with CRT (cont.)

The last step is done by computing $m = (x m_p + y m_q) \bmod n$, where $x$ and $y$ are pre-computed integers that satisfy:

$x \equiv 1 \pmod{p}$, $x \equiv \pmod{q}$
and
$y \equiv \pmod{p}$, $y \equiv 1 \pmod{q}$

Note that $x$ and $y$ are only computed once, and then every execution of Step 3 requires only two modular exponentiations.

A Fault Attack on CRT-RSA

Let $c$ be a ciphertext decrypted using CRT, and assume that only the exponentiation modulo the factor $q$ is faulty (i.e., the value $m_q$ is incorrect, while the value of $m_p$ is correct)....
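
The CRT decryption steps above, written out as an added example that is not part of the original slides; the toy parameters are constructed for illustration, and the function names and the `fault_in_mq` flag are hypothetical. It goes one step past the excerpt by adding the result check that the title of the Boneh, Demillo and Lipton paper calls for: a wrong $m_q$ leaves the output correct modulo $p$ but wrong modulo $q$, and re-encrypting before release catches it.

```python
# Toy parameters constructed for this example (far too small for real use).
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent d
DP, DQ = D % (P - 1), D % (Q - 1)        # d_p and d_q from step 2
# CRT coefficients, computed once:
#   x = 1 (mod p), x = 0 (mod q);  y = 0 (mod p), y = 1 (mod q)
X = Q * pow(Q, -1, P) % N
Y = P * pow(P, -1, Q) % N


def crt_decrypt(c, fault_in_mq=False):
    """Steps 1-3 of CRT decryption; fault_in_mq models an incorrect m_q."""
    cp, cq = c % P, c % Q                        # step 1: reduce
    mp, mq = pow(cp, DP, P), pow(cq, DQ, Q)      # step 2: exponentiate
    if fault_in_mq:
        mq = (mq + 1) % Q                        # any wrong value of m_q
    return (X * mp + Y * mq) % N                 # step 3: recombine


def checked_decrypt(c, fault_in_mq=False):
    """Release m only if re-encrypting it reproduces c."""
    m = crt_decrypt(c, fault_in_mq)
    if pow(m, E, N) != c:
        raise ValueError("CRT result failed verification; output withheld")
    return m


def demo(m=1234):
    """Return (correct result, faulty result, whether the check caught the fault)."""
    c = pow(m, E, N)
    good = crt_decrypt(c)
    bad = crt_decrypt(c, fault_in_mq=True)
    try:
        checked_decrypt(c, fault_in_mq=True)
        caught = False
    except ValueError:
        caught = True
    return good, bad, caught


if __name__ == "__main__":
    good, bad, caught = demo()
    print("correct m:", good)
    print("faulty m':", bad, "| agrees mod p:", bad % P == good % P,
          "| agrees mod q:", bad % Q == good % Q)
    print("fault caught by re-encryption check:", caught)
```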