
Showing papers on "Timing attack published in 2004"


01 Jan 2004
TL;DR: This paper investigates timing analysis attacks on low-latency mix systems and proposes a novel technique, defensive dropping, to thwart timing attacks and shows that defensive dropping can be effective against attackers who employ timing analysis.
Abstract: A mix is a communication proxy that attempts to hide the correspondence between its incoming and outgoing messages. Timing attacks are a significant challenge for mix-based systems that wish to support interactive, low-latency applications. However, the potency of these attacks has not been studied carefully. In this paper, we investigate timing analysis attacks on low-latency mix systems and clarify the threat they pose. We propose a novel technique, defensive dropping, to thwart timing attacks. Through simulations and analysis, we show that defensive dropping can be effective against attackers who employ timing analysis.

267 citations


Book ChapterDOI
09 Feb 2004
TL;DR: In this paper, the authors investigate timing analysis attacks on low-latency mix systems and clarify the threat they pose, and propose a novel technique, defensive dropping, to thwart timing attacks.
Abstract: A mix is a communication proxy that attempts to hide the correspondence between its incoming and outgoing messages. Timing attacks are a significant challenge for mix-based systems that wish to support interactive, low-latency applications. However, the potency of these attacks has not been studied carefully. In this paper, we investigate timing analysis attacks on low-latency mix systems and clarify the threat they pose. We propose a novel technique, defensive dropping, to thwart timing attacks. Through simulations and analysis, we show that defensive dropping can be effective against attackers who employ timing analysis.

245 citations


Book ChapterDOI
Ye Zhu1, Xinwen Fu1, Bryan Graham1, Riccardo Bettati1, Wei Zhao1 
26 May 2004
TL;DR: It is found that a mix with any known batching strategy may fail against flow correlation attacks in the sense that for a given flow over an input link, the adversary can correctly determine which output link is used by the same flow.
Abstract: In this paper, we address issues related to flow correlation attacks and the corresponding countermeasures in mix networks. Mixes have been used in many anonymous communication systems and are supposed to provide countermeasures that can defeat various traffic analysis attacks. In this paper, we focus on a particular class of traffic analysis attack, flow correlation attacks, by which an adversary attempts to analyze the network traffic and correlate the traffic of a flow over an input link at a mix with that over an output link of the same mix. Two classes of correlation methods are considered, namely time-domain methods and frequency-domain methods. Based on our threat model and known strategies in existing mix networks, we perform extensive experiments to analyze the performance of mixes. We find that a mix with any known batching strategy may fail against flow correlation attacks in the sense that for a given flow over an input link, the adversary can correctly determine which output link is used by the same flow. We also investigated methods that can effectively counter the flow correlation attack and other timing attacks. The empirical results provided in this paper give an indication to designers of Mix networks about appropriate configurations and alternative mechanisms to be used to counter flow correlation attacks.

195 citations
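The time-domain flow correlation described in the Zhu et al. abstract above, together with the effect of the defensive dropping proposed in the preceding entries, as an added simulation written for this page; it is not code from either paper. Everything in it is constructed: Poisson packet streams, a single mix that delays each packet by a uniform random amount of at most 0.3 s and reorders its output links, one-second time slots, Pearson correlation between binned packet counts, and, when dropping is on, dummy packets at three times the real rate that the mix discards before forwarding.

```python
import math
import random


def poisson_times(rate, duration, rng):
    """Constructed packet stream: exponential inter-arrival gaps at `rate` pkt/s."""
    t, times = 0.0, []
    while True:
        t += rng.expovariate(rate)
        if t >= duration:
            return times
        times.append(t)


def bin_counts(times, duration, width):
    """Packets per slot of `width` seconds: the attacker's time-domain view of a link."""
    n = math.ceil(duration / width)
    counts = [0] * n
    for t in times:
        counts[min(int(t // width), n - 1)] += 1
    return counts


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def correlate_flows(inputs, outputs, duration, width):
    """Time-domain method: correlate the count series of each input link with
    every output link and take the best match. Returns (matches, scores)."""
    ins = [bin_counts(f, duration, width) for f in inputs]
    outs = [bin_counts(f, duration, width) for f in outputs]
    matches, scores = {}, {}
    for i, s in enumerate(ins):
        rho = [pearson(s, o) for o in outs]
        j = max(range(len(outs)), key=rho.__getitem__)
        matches[i], scores[i] = j, rho[j]
    return matches, scores


def simulate_flow_correlation(defensive_dropping, duration=300.0, width=1.0,
                              max_delay=0.3, seed=11):
    """Four flows cross one mix. With defensive dropping each initiator adds
    dummy packets (three per real packet on average) that the mix drops, so
    the entry-side observer sees real+dummy while the exit side sees real only.
    Returns (number of correctly matched flows, mean correlation of the matches)."""
    rng = random.Random(seed)
    rates = [1.0, 2.0, 3.5, 5.0]
    inputs, outputs = [], []
    for r in rates:
        real = poisson_times(r, duration, rng)
        dummies = poisson_times(3 * r, duration, rng) if defensive_dropping else []
        inputs.append(sorted(real + dummies))
        outputs.append(sorted(t + rng.uniform(0, max_delay) for t in real))
    perm = list(range(len(rates)))
    rng.shuffle(perm)                          # output link j carries flow perm[j]
    shuffled = [outputs[p] for p in perm]
    matches, scores = correlate_flows(inputs, shuffled, duration, width)
    correct = sum(1 for i, j in matches.items() if perm[j] == i)
    return correct, sum(scores.values()) / len(scores)


if __name__ == "__main__":
    print("no defence:        matched=%d mean rho=%.2f" % simulate_flow_correlation(False))
    print("defensive dropping: matched=%d mean rho=%.2f" % simulate_flow_correlation(True))
```

Dropping lowers the correlation of the true input/output pair roughly by the ratio of the real-traffic standard deviation to that of real plus dummies; whether it falls below the attacker's decision threshold depends on the dummy rate, the mix delay and the observation window, which is what the papers' simulations vary. Change `rates`, `max_delay` or the dummy multiplier and re-run to see where the match breaks.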


ReportDOI
01 Jan 2004
TL;DR: A metric to determine whether one version of a system is relatively more secure than another with respect to the system’s attack surface is proposed and demonstrated and validated by measuring the relative attack surface of four versions of the Linux operating system.
Abstract: We propose a metric to determine whether one version of a system is relatively more secure than another with respect to the system’s attack surface. Intuitively, the more exposed the attack surface, the more likely the system could be successfully attacked, and hence the more insecure it is. We define an attack surface in terms of the system’s actions that are externally visible to its users and the system’s resources that each action accesses or modifies. To apply our metric in practice, rather than consider all possible system resources, we narrow our focus on a “relevant” subset of resource types, which we call attack classes; these reflect the types of system resources that are more likely to be targets of attack. We assign payoffs to attack classes to represent likelihoods of attack; resources in an attack class with a high payoff value are more likely to be targets or enablers of an attack than resources in an attack class with a low payoff value. We outline a method to identify attack classes and to measure a system’s attack surface. We demonstrate and validate our method by measuring the relative attack surface of four different versions of the Linux operating system. Keywords: Security metrics, attack, attack class, attack surface, threat modeling

74 citations


Book ChapterDOI
13 Jul 2004
TL;DR: In this paper, the authors combine the rectangle attack with the related-key attack and break 59 of the 80 rounds of SHACAL-1 with 512-bit keys, with a data complexity of 2^149.72 chosen plaintexts and a time complexity of 2^498.30 encryptions.
Abstract: The rectangle attack and the related-key attack on block ciphers are well-known to be very powerful. In this paper we combine the rectangle attack with the related-key attack. Using this combined attack we can attack the SHACAL-1 cipher with 512-bit keys up to 59 out of its 80 rounds. Our 59-round attack requires a data complexity of 2^149.72 chosen plaintexts and a time complexity of 2^498.30 encryptions, which is faster than exhaustive search.

63 citations


Journal ArticleDOI
TL;DR: A new attack on neural cryptography, the "majority-flipping attacker," uses a group of attacker networks that cooperate throughout synchronization; unlike any previously known strategy, its success does not decay as the model parameters grow.
Abstract: A successful attack strategy in neural cryptography is presented. The neural cryptosystem, based on synchronization of neural networks by mutual learning, has been recently shown to be secure under different attack strategies. The success of the advanced attacker presented here, called the "majority-flipping attacker," does not decay with the parameters of the model. This attacker's outstanding success is due to its using a group of attackers which cooperate throughout the synchronization process, unlike any other attack strategy known. An analytical description of this attack is also presented, and fits the results of simulations.

54 citations


Journal ArticleDOI
TL;DR: A redundant Montgomery representation allows SIMD (SSE2) implementations of RSA and elliptic curve cryptography that run around twice as fast as traditional sequential code while keeping the representation's known immunity to timing attacks, which matters for the larger 2,048-bit RSA keys now being proposed for standard security levels.
Abstract: We describe how using a redundant Montgomery representation allows for high-performance SIMD-based implementations of RSA and elliptic curve cryptography. This is in addition to the known benefits of immunity from timing attacks afforded by the use of such a representation. We present some preliminary implementation timings using the SSE2 instruction set on a Pentium 4 processor and show that an SIMD parallel implementation of RSA can be around twice as fast as traditional sequential code. This is especially useful given the larger 2,048 bit RSA keys which are now being proposed for standard security levels. Finally, we remark on other application areas that improve the security of our work in the context of side-channel analysis while maintaining high performance.

34 citations


Book ChapterDOI
14 May 2004
TL;DR: A secure and practical CRT-based RSA signature scheme is proposed that resists power analysis, timing and fault attacks: a fault-diffusion step spreads any induced fault into the correct half during CRT recombination, and random message blinding counters differential power analysis.
Abstract: A secure and practical CRT-based RSA signature scheme is proposed against side channel attacks, including power analysis attack, timing attack, and fault analysis attack. The performance advantage obtained over other existing countermeasures is demonstrated. To prevent from fault attack, the proposed countermeasure employs a fault diffusion concept which is to spread the fault into the correct term during the recombination process by using CRT. This new countermeasure is also secure against differential power attack by using the message random blinding technique on RSA with CRT.

32 citations


Book ChapterDOI
23 Aug 2004
TL;DR: In this paper, the authors apply degenerate divisors of genus-2 hyperelliptic curves to scalar multiplication, obtaining about a 20% speed-up for the double-and-add-always method with a degenerate fixed base point, and then turn the same timing difference into an attack that recovers secret-key bits when the attacker can choose the base point.
Abstract: It has recently been reported that the performance of hyperelliptic curve cryptosystems (HECC) is competitive to that of elliptic curve cryptosystems (ECC). However, it is expected that HECC still can be improved due to their mathematically rich structure. We consider here the application of degenerate divisors of HECC to scalar multiplication. We investigate the operations of the degenerate divisors in the Harley algorithm and the Cantor algorithm of genus 2. The timings of these operations are reported. We then present a novel efficient scalar multiplication method using the degenerate divisors. This method is applicable to cryptosystems with fixed base point, e.g., ElGamal-type encryption, sender of Diffie-Hellman, and DSA. Using a Xeon processor, we found that the double-and-add-always method using the degenerate base point can achieve about a 20% increase in speed for a 160-bit HECC. However, we mounted a timing attack using the time difference to designate the degenerate divisors. The attack assumes that the secret key is fixed and the base point can be freely chosen by the attacker. Therefore, the attack is applicable to ElGamal-type decryption and single-pass Diffie-Hellman – SSL using a hyperelliptic curve could be vulnerable to the proposed attack. Our experimental results show that one bit of the secret key for a 160-bit HECC can be recovered by calling the decryption oracle 500 times.

29 citations


Book ChapterDOI
23 Aug 2004
TL;DR: A new method for secure implementation of the Advanced Encryption Standard algorithm is described, based on a data masking technique, which is the most widely used countermeasure against power analysis and timing attacks at a software level.
Abstract: In implementing cryptographic algorithms on limited devices such as smart cards, speed and memory requirements had always presented a challenge. With the advent of side channel attacks, this task became even more difficult because a programmer must take into account countermeasures against such attacks, which often increases computational time, or memory requirements, or both. In this paper we describe a new method for secure implementation of the Advanced Encryption Standard algorithm. The method is based on a data masking technique, which is the most widely used countermeasure against power analysis and timing attacks at a software level. The change of element representation allows us to achieve an efficient solution that combines low memory requirements with high speed and resistance to attacks.

28 citations
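The masking countermeasure named in the abstract above, as an added Python example written for this page: it is not the paper's implementation and does not use its change of element representation; it uses the standard Boolean masking of SubBytes by table recomputation, T[x ^ r_in] = S[x] ^ r_out with fresh masks per execution. The S-box is generated from GF(2^8) inversion and the AES affine map, the "traces" are the Hamming weight of the byte written after SubBytes (an assumed first-order leakage model), and the attacker runs a correlation DPA on one key byte. Key byte, seeds and trace count are constructed.

```python
import math
import random


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); 0 maps to 0 as AES specifies."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def build_sbox():
    """AES S-box: field inversion followed by the affine map (rotations + 0x63)."""
    sbox = []
    for x in range(256):
        v = gf_inv(x)
        y = v
        for _ in range(4):
            v = ((v << 1) | (v >> 7)) & 0xFF
            y ^= v
        sbox.append(y ^ 0x63)
    return sbox


SBOX = build_sbox()


def hw(x):
    return bin(x).count("1")


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def masked_sbox_table(r_in, r_out):
    """Table recomputation: T[x ^ r_in] = S[x] ^ r_out. The device only indexes
    with masked bytes and only stores masked outputs; S[x] itself never appears."""
    return [SBOX[i ^ r_in] ^ r_out for i in range(256)]


def sbox_output_leak(pt, key_byte, masked, rng):
    """One trace: Hamming weight of the byte written after SubBytes (assumed
    leakage model). The attacker never learns the masks."""
    x = pt ^ key_byte
    if not masked:
        return hw(SBOX[x])
    r_in, r_out = rng.randrange(256), rng.randrange(256)
    table = masked_sbox_table(r_in, r_out)
    return hw(table[x ^ r_in])            # equals hw(SBOX[x] ^ r_out)


def dpa_key_byte(plaintexts, leaks):
    """Correlation DPA: for each key-byte guess correlate the predicted
    HW(S[pt ^ guess]) with the observed leak; return (best guess, |rho|)."""
    best_k, best_rho = None, -1.0
    for k in range(256):
        pred = [hw(SBOX[p ^ k]) for p in plaintexts]
        rho = abs(pearson(pred, leaks))
        if rho > best_rho:
            best_k, best_rho = k, rho
    return best_k, best_rho


def simulate_dpa(masked, key_byte=0x2B, traces=2000, seed=5):
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(traces)]
    leaks = [sbox_output_leak(p, key_byte, masked, rng) for p in pts]
    return dpa_key_byte(pts, leaks)


if __name__ == "__main__":
    print("unmasked: guess=%#04x |rho|=%.3f" % simulate_dpa(False))
    print("masked:   guess=%#04x |rho|=%.3f" % simulate_dpa(True))
```

Unmasked, the correct guess correlates perfectly under this model; masked, every guess correlates at noise level because S[x] ^ r_out is uniform and independent of x. This is first-order security only: combining the leak of r_out with the masked output (second-order DPA) is outside what the table-recomputation step defends against, and the per-execution table rebuild is the memory/time cost the abstract says the paper's representation change avoids.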


Journal Article
TL;DR: In this article, the authors examine two implementation attacks on embedded RSA whose success improves as keys get longer: a timing attack that tells squarings from multiplications by the relative frequency of conditional subtractions over several exponentiations, and a power analysis attack on a single m-ary exponentiation using a single k-bit hardware multiplier.
Abstract: Increasing key length is a standard counter-measure to cryptanalysis. However, longer key length generally means greater side channel leakage. For embedded RSA crypto-systems the increase in leaked data outstrips the increase in secret data so that, in contrast to the improved mathematical strength, longer keys may, in fact, lead to lower security. This is investigated for two types of implementation attack. The first is a timing attack in which squares and multiplications are differentiated from the relative frequencies of conditional subtractions over several exponentiations. Once keys are large enough, longer length seems to decrease security. The second case is a power analysis attack on a single m-ary exponentiation using a single k-bit hardware multiplier. For this, despite certain counter-measures such as exponent blinding, uncertainty in determining the secret bits decreases so quickly that longer keys appear to be noticeably less secure.


Journal Article
TL;DR: A genetic-algorithm search is proposed to speed up a timing attack on the RSA cryptosystem by reducing the number of plaintext-ciphertext samples needed for a successful attack.
Abstract: This paper presents an approach to cryptanalysis of RSA cryptosystem based on the application of genetic algorithm. The search utilizes the idea of timing attack as computation time information may leak due to different modular operations throughout the RSA encoding. This approach suggests a speed up process, aiming at reducing the required number of plaintext-ciphertext samples needed for a successful timing attack. The proposed notion of timing attack outlined in this work, with its preliminary implementation, has given encouraging results on RSA cryptosystem samples. Further work carried out to implement the idea of genetic algorithm technique on a practical RSA system has demonstrated encouraging results.

Proceedings ArticleDOI
05 Apr 2004
TL;DR: It is shown that not even the new advanced encryption standard (AES), when implemented in conventional hardware, is secure from power attacks; a few power samples were enough to deduce the secret key.
Abstract: New cryptanalytical techniques, in particular, power and timing analysis, pose a serious threat to cryptographic devices such as smart cards. By analyzing the power dissipation or timing of encryptions in a device, encrypted information inside can be deduced. The weakness is not in the encryption algorithms themselves, but in their implementations. We show that not even the new advanced encryption standard (AES), when implemented in conventional hardware, is secure from power attacks; a few power samples were enough to deduce the secret key. A new specially designed implementation of the AES on a clock-less dual-rail chip is presented and shown to possess a very considerable improvement against power attacks compared to the conventional design. This implementation is also resistant to timing, fault induction and clock glitch attacks.

Posted Content
TL;DR: A dynamic and differential CMOS logic style, which has a signal independent switching behavior, is presented, which will protect the encryption module in this logic against any Side Channel Attack that takes advantage of power, timing and leakage information.
Abstract: We present a dynamic and differential CMOS logic style, which has a signal independent switching behavior. It is shown that during each clock cycle, power consumption and all circuit characteristics, such as leakage current, instantaneous current and input-output delay are identical and independent of the logic value and the sequence of the input data. Implementing the encryption module in this logic will protect it against any Side Channel Attack that takes advantage of power, timing and leakage information. We have built a set of logic gates and a flip-flop needed for cryptographic functions and implemented a larger module, for which area, total power consumption and variation on the power consumption have been compared with implementations in Static Complementary CMOS logic, genuine Dynamic and Differential Logic and Current Mode Logic.

Book ChapterDOI
13 Jul 2004
TL;DR: In this paper, the authors study side channel attacks on XTR single exponentiation (XTR-SE) and show that it resists simple power analysis if the order of its computations is chosen carefully, but is vulnerable to data-bit DPA, address-bit DPA and the doubling attack, for which countermeasures are proposed.
Abstract: The XTR public key system was introduced at Crypto 2000. It is regarded that XTR is suitable for a variety of environments, including low-end smart cards, and XTR is an excellent alternative to either RSA or ECC. In [LV00a, SL01], authors remarked that XTR single exponentiation (XTR-SE) is less susceptible than usual exponentiation routines to environmental attacks such as timing attacks and Differential Power Analysis (DPA). In this paper, however, we investigate the security of side channel attack (SCA) on XTR. This paper shows that XTR-SE is immune against simple power analysis under the assumption that the order of the computation of XTR-SE is carefully considered. However, we show that XTR-SE is vulnerable to Data-bit DPA, Address-bit DPA, and doubling attack. Moreover, we propose countermeasures that prevent the proposed attacks. As the proposed countermeasure against doubling attack is very inefficient, a good countermeasure against doubling attack is actually necessary to maintain the advantage of efficiency of XTR.

Book ChapterDOI
08 Jun 2004
TL;DR: This paper applies Novak’s attack to Multi-Prime RSA, Multi-Exponent RSA, the Rabin cryptosystem, and the HIME(R) cryptosystem, and presents a novel attack called the zero-multiplication attack, which tries to guess the secret prime by producing ciphertexts that cause a multiplication with zero during decryption.
Abstract: We investigate the security of several cryptosystems based on the Chinese remainder theorem (CRT) against side channel attack (SCA). Novak first proposed a simple power analysis against the CRT part using the difference of message modulo p and modulo q. In this paper we apply Novak’s attack to the other CRT-based cryptosystems, namely Multi-Prime RSA, Multi-Exponent RSA, Rabin cryptosystem, and HIME(R) cryptosystem. The Novak-type attack depends strictly on how the CRT is implemented. We examine the operations related to CRT of these cryptosystems, and show that an extended Novak-type attack is effective on them. Moreover, we present a novel attack called zero-multiplication attack. The attacker tries to guess the secret prime by producing ciphertexts that cause a multiplication with zero during the decryption, which is easily detected by power analysis. We examine the zero-multiplication attack on the above cryptosystems. Finally, we propose countermeasures against these attacks. The proposed countermeasures are based on the ciphertext blinding, but they require no inversion operation. The overhead of the proposed scheme is only about 1% to 5% of the whole decryption.


Proceedings ArticleDOI
19 Jul 2004
TL;DR: An immune method for three-prime RSA without checking procedure is proposed in this paper, which is more efficient than the previous methods.
Abstract: In this paper, we carry out the study of the Chinese remainder theorem based three-prime RSA cryptosystem. The hardware fault attack on the three-prime RSA cryptosystem is analyzed and it is proven that three-prime RSA is more difficult to break than two-prime RSA by the hardware fault attack. Then, Shamir's checking procedure is extended from two-prime to three-prime RSA to increase its immunity against such attacks. Finally an immune method for three-prime RSA without a checking procedure is proposed in this paper, which is more efficient than the previous methods. It is expected that this proposed system will play an important role in future cryptography applications.
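The hardware fault attack on RSA-CRT and Shamir's checking procedure referred to in the abstract above (and the fault analysis threat in the CRT-based signature entry earlier on this page), as an added Python example written for this page: it is not code from either paper, implements the two-prime case only, and does not reproduce the three-prime extension or the fault-diffusion method. The key uses two Mersenne primes (2^127-1 and 2^89-1) so the arithmetic runs instantly; they are far too small for real use. The "glitch" is a constructed single-bit flip of the q-half before recombination, and the check prime r = 2^31-1 is an assumed choice.

```python
import math

# Constructed toy key; e = 65537 is coprime to (p-1)(q-1) for these primes.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)                       # Garner recombination constant
M = 123456789123456789123456789            # constructed message representative


def garner(sp, sq):
    """CRT recombination: s ≡ sp (mod p) and s ≡ sq (mod q)."""
    return sq + Q * ((QINV * (sp - sq)) % P)


def crt_sign(m, fault_in_q=False):
    """Unprotected RSA-CRT signing. fault_in_q=True simulates a glitch that
    flips one bit of the q-half; the device recombines and releases it anyway."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_q:
        sq ^= 1
    return garner(sp, sq)


def bellcore_factor(m, faulty_sig):
    """Bellcore attack: s'^e ≡ m (mod p) still holds but fails mod q, so
    gcd(s'^e - m, N) is p. One faulty signature and its message suffice."""
    return math.gcd(pow(faulty_sig, E, N) - m, N)


def shamir_sign(m, r=(1 << 31) - 1, fault_in_q=False):
    """Shamir's checking procedure: compute each half modulo p*r and q*r for a
    small prime r. Both halves then carry m^d mod r, so a fault in either half
    shows up as a mismatch mod r and the signature is withheld."""
    dpr = D % math.lcm(P - 1, r - 1)
    dqr = D % math.lcm(Q - 1, r - 1)
    spr = pow(m, dpr, P * r)
    sqr = pow(m, dqr, Q * r)
    if fault_in_q:
        sqr ^= 1                            # the same simulated glitch
    if spr % r != sqr % r:
        raise RuntimeError("fault detected, signature withheld")
    return garner(spr % P, sqr % Q)


def fault_detected(m):
    """True if Shamir's check blocks the glitched signature."""
    try:
        shamir_sign(m, fault_in_q=True)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    s = crt_sign(M)
    print("valid signature verifies:", pow(s, E, N) == M)
    print("gcd of faulty signature recovers p:",
          bellcore_factor(M, crt_sign(M, fault_in_q=True)) == P)
    print("Shamir check catches the glitch:", fault_detected(M))
```

The check misses a fault only when the corrupted half happens to keep the same residue mod r, about a 1/r chance for a random fault, and it costs one extra small modulus in each half-exponentiation; the follow-up methods on this page (fault diffusion, the three-prime variant without a checking procedure) aim to remove even that check, which this example does not cover.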

01 Jan 2004
TL;DR: Attack clients for both the Brumley-Boneh adaptive-input attack and Schindler's improved input selection were implemented against OpenSSL's RSA routines, and the RSA key was recovered using the latter approach.
Abstract: Timing attacks enable an attacker to extract secret information from a cryptosystem. It is based on the timing differences with respect to different inputs given to an encryption or decryption algorithm. Boneh and Brumley have recently shown an adaptive input attack in order to guess the upper half of an RSA prime factor. Dr. Werner Schindler has proposed an improved approach based on using different input values which are more efficient in terms of signal to noise ratio results. We implemented attacking clients based on both approaches to obtain the RSA key using OpenSSL library routines, using the latter approach.
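The leak behind the attack in the entry above, the conditional-subtraction frequency used in the embedded-RSA entry, and the redundant Montgomery representation that the SIMD entry credits with timing-attack immunity, in one added Python model written for this page. It is not OpenSSL code and not the authors' attack client: the victim is modelled as reducing the attacker's value g mod q and multiplying it by random residues, and the attacker is given the extra-reduction count directly instead of inferring it from decryption time. The 64-bit modulus is constructed (primality does not matter for the leak), the 0.75 decision threshold and 4000 samples per query are assumed, and only the top half of q is recovered, as in the attack the abstract describes.

```python
import random

# Constructed 64-bit odd modulus standing in for the secret RSA prime q.
Q = 0xD1B54A32D192ED03
N_BITS = Q.bit_length()


def mont_consts(q, r_bits):
    """(shift, mask, -q^-1 mod R) for R = 2^r_bits."""
    r = 1 << r_bits
    return r_bits, r - 1, (-pow(q, -1, r)) % r


STD = mont_consts(Q, 64)   # R = 2^64 > q: classic form, outputs in [0, q)
RED = mont_consts(Q, 66)   # R = 2^66 > 4q: redundant form, outputs in [0, 2q)


def mont_mul(a, b, q=Q, consts=STD):
    """a*b*R^-1 mod q with the textbook final conditional subtraction.
    Returns (product, extra) with extra = 1 if the subtraction ran."""
    shift, mask, qinv = consts
    t = a * b
    m = (t * qinv) & mask
    u = (t + m * q) >> shift          # exact: t + m*q ≡ 0 (mod R)
    if u >= q:
        return u - q, 1               # the data-dependent branch that leaks
    return u, 0


def mont_mul_redundant(a, b, q=Q, consts=RED):
    """Same product on operands in [0, 2q). With R > 4q the result is always
    below 2q, so there is no conditional subtraction to time; reduce mod q
    once at the very end of the exponentiation."""
    shift, mask, qinv = consts
    t = a * b
    m = (t * qinv) & mask
    return (t + m * q) >> shift


def extra_reductions(g, samples, rng, q=Q):
    """Victim model: reduce the attacker's g mod q, multiply it by `samples`
    random residues and count extra reductions. The rate is about
    (g mod q)/(2R), which collapses the moment g crosses a multiple of q."""
    b = g % q
    return sum(mont_mul(b, rng.randrange(q))[1] for _ in range(samples))


def recover_top_half(samples=4000, seed=7):
    """Bit-by-bit recovery of the top half of q. g = known prefix, a 0 bit and
    zeros, is always below q; g_hi sets the next bit. Below q the rate grows
    with g, so c_hi >= c; if g_hi overshoots q, g_hi mod q is tiny and c_hi
    collapses, revealing a 0 bit."""
    rng = random.Random(seed)
    guess = 1 << (N_BITS - 1)                     # top bit of an n-bit q is 1
    for i in range(N_BITS - 2, N_BITS // 2 - 1, -1):
        g, g_hi = guess, guess | (1 << i)
        c = extra_reductions(g, samples, rng)
        c_hi = extra_reductions(g_hi, samples, rng)
        if c_hi >= 0.75 * c:                      # no collapse: bit i of q is 1
            guess = g_hi
    return guess >> (N_BITS // 2)


def redundant_agrees(trials=1000, seed=3):
    """Redundant-form products stay below 2q and reduce to a*b*R^-1 mod q."""
    rng = random.Random(seed)
    r_inv = pow(1 << 66, -1, Q)
    for _ in range(trials):
        a, b = rng.randrange(2 * Q), rng.randrange(2 * Q)
        u = mont_mul_redundant(a, b)
        if u >= 2 * Q or u % Q != (a * b * r_inv) % Q:
            return False
    return True


if __name__ == "__main__":
    print("recovered top half:", hex(recover_top_half()), "actual:", hex(Q >> 32))
    print("redundant form agrees and never subtracts:", redundant_agrees())
```

In a real run the counts are replaced by decryption times measured over the network, so each query is repeated and averaged, and the attack stops at the top half because the remaining bits of q follow from Coppersmith's method. Making the final subtraction unconditional, or using the redundant representation above so it never exists, removes this particular signal; it does not by itself remove the square-versus-multiply timing the embedded-RSA entry exploits.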

Posted Content
TL;DR: This paper shows that XTR-SE is immune against simple power analysis under the assumption that the order of the computation of XTR-SE is carefully considered; however, it is shown that XTR-SE is vulnerable to Data-bit DPA, Address-bit DPA, and doubling attack.
Abstract: The XTR public key system was introduced at Crypto 2000. Application of XTR in cryptographic protocols leads to substantial savings both in communication and computational overhead without compromising security. It is regarded that XTR is suitable for a variety of environments, including low-end smart cards, and XTR is an excellent alternative to either RSA or ECC. In [LV00a,SL01], authors remarked that XTR single exponentiation (XTR-SE) is less susceptible than usual exponentiation routines to environmental attacks such as timing attacks and Differential Power Analysis (DPA). In this paper, however, we investigate the security of side channel attack (SCA) on XTR. This paper shows that XTR-SE is immune against simple power analysis (SPA) under the assumption that the order of the computation of XTR-SE is carefully considered. However we show that XTR-SE is vulnerable to Data-bit DPA (DDPA)[Cor99], Address-bit DPA (ADPA)[IIT02], and doubling attack [FV03]. Moreover, we propose two countermeasures that prevent DDPA and a countermeasure against ADPA. One of the countermeasures using randomization of the base element proposed to defeat DDPA, i.e., randomization of the base element using field isomorphism, could be used to break doubling attack. Thus if we only deal with SPA, DDPA, ADPA, and doubling attack as the attack algorithms for XTR-SE, the following countermeasures should be added to XTR-SE: randomization of the base element using field isomorphism (DDPA and doubling attack) + randomized addressing (ADPA). But the proposed countermeasure against doubling attack is very inefficient. So to maintain the advantage of efficiency of XTR a good countermeasure against doubling attack is actually necessary.