
Showing papers on "Timing attack published in 2020"


Journal ArticleDOI
TL;DR: A detailed performance evaluation of standard RSA, the Enhanced and Secured RSA Key Generation Scheme (ESRKGS), and ENPKESS on key generation, encryption and decryption is shown, varying the N-bit modulus size up to 10K bits.

49 citations


Book ChapterDOI
17 Aug 2020
TL;DR: This paper shows that although the Fujisaki-Okamoto transformation handles no secret information beyond its calls to the CPA-secure primitive, it still has to be implemented in constant time: if the ciphertext comparison step of the transformation leaks side-channel information, an attacker can mount a key-recovery attack.
Abstract: In the implementation of post-quantum primitives, it is well known that all computations that handle secret information need to be implemented to run in constant time. Using the Fujisaki-Okamoto transformation or any of its different variants, a CPA-secure primitive can be converted into an IND-CCA secure KEM. In this paper we show that although the transformation does not handle secret information apart from calls to the CPA-secure primitive, it has to be implemented in constant time. Namely, if the ciphertext comparison step in the transformation is leaking side-channel information, we can launch a key-recovery attack.

40 citations
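The comparison leak described in that abstract, as an added illustration (this is not the paper's code): a toy decapsulation whose only modelled step is the final comparison of the attacker's ciphertext with the re-encryption c2, which in a real FO-KEM is Enc(pk, m'; G(m')) for m' = Dec(sk, c) and therefore depends on the secret key. The number of bytes the comparison inspects stands in for the execution time an attacker measures; `hmac.compare_digest` is the constant-time replacement. The 16-byte value `reenc` is constructed at random for the example and plays the role of c2.

```python
import hmac
import os


def leaky_compare(a, b):
    """Early-exit comparison: returns (equal, bytes_inspected).
    bytes_inspected is the timing proxy the attacker observes."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_compare(a, b):
    """Constant-time comparison: always inspects the full length."""
    return hmac.compare_digest(a, b), len(a)


class ToyDecaps:
    """Stand-in for an FO decapsulation.  Only the final step is modelled:
    comparing the submitted ciphertext c with the re-encryption c2.
    Here c2 is a constructed random value held in self.reenc."""

    def __init__(self, compare, length=16):
        self.reenc = os.urandom(length)   # constructed: stands in for c2
        self._compare = compare

    def query(self, c):
        """Attacker's view: only the timing proxy, never the comparison result."""
        _equal, inspected = self._compare(c, self.reenc)
        return inspected


def recover_prefix(oracle, length=16):
    """Recover all but the last byte of the comparison target using only the
    timing proxy.  At position i every wrong guess costs i+1 inspections and
    the right one costs at least i+2, so it is the unique maximum.  The last
    byte is not distinguishable this way (match and mismatch both inspect
    `length` bytes) and is left to a 2^8 offline search.  Returns None when
    no candidate stands out, i.e. the comparison leaks nothing."""
    guess = bytearray(length)
    for i in range(length - 1):
        times = []
        for v in range(256):
            guess[i] = v
            times.append(oracle.query(bytes(guess)))
        best = max(times)
        if times.count(best) != 1:
            return None
        guess[i] = times.index(best)
    return bytes(guess[:length - 1])


if __name__ == "__main__":
    leaky = ToyDecaps(leaky_compare)
    print(recover_prefix(leaky) == leaky.reenc[:15])   # True
    fixed = ToyDecaps(constant_time_compare)
    print(recover_prefix(fixed))                        # None
```

With the early-exit comparison the first 15 bytes of c2 fall in at most 15 x 256 decapsulation queries; with the constant-time comparison every candidate costs the same and the recovery aborts. In the real attack the recovered c2 is what ties the leak back to the secret key, which is why the comparison step itself, and not only the primitive, must be constant time.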


Proceedings ArticleDOI
01 Jan 2020
TL;DR: This paper identifies two threats, related to an active and a passive adversary, and proposes remediations for scenarios in which they are able to produce accurate results.
Abstract: Cryptocurrency off-chain networks such as Lightning (e.g., Bitcoin) or Raiden (e.g., Ethereum) aim to increase the scalability of traditional on-chain transactions. To support nodes in learning about possible paths to route their transactions, these networks need to provide gossip and probing mechanisms. This paper explores whether these mechanisms may be exploited to infer sensitive information about the flow of transactions, and eventually harm privacy. In particular, we identify two threats, related to an active and a passive adversary. The first is a probing attack: here the adversary aims to detect the maximum amount which is transferable in a given direction over a target channel by actively probing it and differentiating the response messages it receives. The second is a timing attack: the adversary discovers how close the destination of a routed payment actually is, by acting as a passive man-in-the-middle and analyzing the time deltas between sent messages and their corresponding responses. We then analyze the limitations of these attacks and propose remediations for scenarios in which they are able to produce accurate results.

28 citations


Journal ArticleDOI
TL;DR: It is shown that the complexity of a cache timing attack remains unaltered even in the presence of CEASER, and the encryption overheads of implementing CEASER with a stronger encryption algorithm are compared.
Abstract: Cache timing attacks are a serious threat to the security of computing systems. They permit sensitive information, such as cryptographic keys, to leak across virtual machines and even to remote servers. Encrypted Address Cache, proposed by CEASER – a best paper candidate at MICRO 2018 – is a promising countermeasure that stymies the timing channel by employing cryptography to randomize the cache address space. The authors claim strong security guarantees by providing randomization both spatially (randomizing every address) and temporally (changing the encryption key periodically). In this letter, we point out a serious flaw in their encryption approach that undermines the proposed security guarantees. Specifically, we show that the proposed Low-Latency Block Cipher, used for encryption in CEASER, is composed of only linear functions, which neutralizes the spatial and temporal randomization. Thus, we show that the complexity of a cache timing attack remains unaltered even with the presence of CEASER. Further, we compare the encryption overheads if CEASER is implemented with a stronger encryption algorithm.

24 citations
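Why a cipher built only from linear layers cannot randomize the set mapping, as an added illustration rather than the paper's own analysis or the real LLBC: a toy affine cipher over GF(2) on 16-bit line addresses, E_k(x) = M·x ⊕ k, with the cache set taken from the low 6 bits of the encrypted address. Because E_k(a) ⊕ E_k(b) = M·(a ⊕ b) for every key, whether two addresses share a set does not depend on k, so an eviction set found under one key survives a re-key unchanged. A keyed random permutation stands in for a genuinely nonlinear cipher for contrast. The matrix M, the two keys, the target address and the address width are all constructed for the example.

```python
import random

ADDR_BITS = 16   # toy physical line-address width (constructed)
SET_BITS = 6     # 64 cache sets, indexed by the low bits of the encrypted address


def gf2_rank(rows, width=ADDR_BITS):
    """Rank of a GF(2) matrix given as row bitmasks (Gaussian elimination)."""
    rows = list(rows)
    rank = 0
    for bit in range(width):
        pivot = next((r for r in range(rank, len(rows)) if rows[r] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(len(rows)):
            if r != rank and rows[r] >> bit & 1:
                rows[r] ^= rows[rank]
        rank += 1
    return rank


def random_invertible_matrix(rng, width=ADDR_BITS):
    while True:
        rows = [rng.getrandbits(width) for _ in range(width)]
        if gf2_rank(rows, width) == width:
            return rows


def gf2_matvec(rows, x):
    """(M x)_i = parity(row_i AND x), assembled as a bitmask."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(rows))


RNG = random.Random(2020)
M = random_invertible_matrix(RNG)        # constructed linear layer


def affine_cipher(addr, key):
    """Toy stand-in for a cipher made only of linear layers: the key enters by XOR."""
    return gf2_matvec(M, addr) ^ key


_PERM_CACHE = {}


def nonlinear_cipher(addr, key):
    """Contrast: a keyed random permutation of the whole address space (constructed)."""
    if key not in _PERM_CACHE:
        table = list(range(1 << ADDR_BITS))
        random.Random(key).shuffle(table)
        _PERM_CACHE[key] = table
    return _PERM_CACHE[key][addr]


def set_index(enc_addr):
    return enc_addr & ((1 << SET_BITS) - 1)


def eviction_set(cipher, key, target, size=16):
    """Addresses mapping to the target's set under this key.  A real attacker
    finds these by timing; here the toy address space is simply enumerated."""
    want = set_index(cipher(target, key))
    out = []
    for a in range(1 << ADDR_BITS):
        if a != target and set_index(cipher(a, key)) == want:
            out.append(a)
            if len(out) == size:
                break
    return out


def survival_after_rekey(cipher, old_key, new_key, target):
    """Fraction of an eviction set built under old_key that still collides
    with target after the cache switches to new_key."""
    ev = eviction_set(cipher, old_key, target)
    want = set_index(cipher(target, new_key))
    return sum(set_index(cipher(a, new_key)) == want for a in ev) / len(ev)


def collisions_are_key_independent(cipher, a, b, k1, k2):
    """True when a and b share a set under k1 exactly when they do under k2."""
    same1 = set_index(cipher(a, k1)) == set_index(cipher(b, k1))
    same2 = set_index(cipher(a, k2)) == set_index(cipher(b, k2))
    return same1 == same2


if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF
    print(survival_after_rekey(affine_cipher, k1, k2, target=0x0ACE))     # 1.0
    print(survival_after_rekey(nonlinear_cipher, k1, k2, target=0x0ACE))  # about 1/64
```

Periodic re-keying only helps if the collision structure changes with the key; for the affine cipher the survival rate is exactly 1.0, so the temporal randomization buys nothing and the attacker's eviction sets keep working across epochs, which is the situation the abstract describes.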


Proceedings ArticleDOI
21 Oct 2020
TL;DR: In this paper, the authors show that the privacy guarantees of the Lightning network may be subverted by an on-path adversary conducting timing attacks on the Hashed Time-Locked Contracts (HTLC) state negotiation messages.
Abstract: The Lightning Network is a scaling solution for Bitcoin that promises to enable rapid and private payment processing. In Lightning, multi-hop payments are secured by utilizing Hashed Time-Locked Contracts (HTLCs) and encrypted on the network layer by an onion routing scheme to avoid information leakage to intermediate nodes. In this work, we however show that the privacy guarantees of the Lightning Network may be subverted by an on-path adversary conducting timing attacks on the HTLC state negotiation messages. To this end, we provide estimators that enable an adversary to reduce the anonymity set and infer the likeliest payment endpoints. We developed a proof-of-concept measurement node that shows the feasibility of attaining time differences and evaluate the adversarial success in model-based network simulations. We find that controlling a small number of malicious nodes is sufficient to observe a large share of all payments, emphasizing the relevance of the on-path adversary model. Moreover, we show that adversaries of different magnitudes could employ timing-based attacks to deanonymize payment endpoints with high precision and recall.

16 citations


Journal ArticleDOI
TL;DR: In this article, the authors present an even simpler timing attack against BLISS, which is carried out using a maximum likelihood estimation on the space of parameters, which can be seen as a statistical manifold.
Abstract: As one of the most efficient lattice-based signature schemes, and one of the only ones to have seen deployment beyond an academic setting (e.g., as part of the VPN software suite strongSwan), BLISS has attracted a significant amount of attention in terms of its implementation security, and side-channel vulnerabilities of several parts of its signing algorithm have been identified in previous works. In this paper, we present an even simpler timing attack against it. The bimodal Gaussian distribution that BLISS is named after is achieved using a random sign flip during signature generation, and neither the original implementation of BLISS nor strongSwan ensure that this sign flip is carried out in constant time. It is therefore possible to recover the corresponding sign through side-channel leakage (using, e.g., cache attacks or branch tracing). We show that obtaining this single bit of leakage (for a moderate number of signatures) is in fact sufficient for a full key recovery attack. The recovery is carried out using a maximum likelihood estimation on the space of parameters, which can be seen as a statistical manifold. The analysis of the attack thus reduces to the computation of the Fisher information metric.

15 citations


Proceedings ArticleDOI
09 Mar 2020
TL;DR: This work presents 88 Strong types of theoretical timing-based vulnerabilities in processor caches and presents and implements a new benchmark suite that can be used to test whether a processor cache is vulnerable to one of the attacks.
Abstract: Based on improvements to an existing three-step model for cache timing-based attacks, this work presents 88 Strong types of theoretical timing-based vulnerabilities in processor caches. It also presents and implements a new benchmark suite that can be used to test whether a processor cache is vulnerable to one of the attacks. In total, there are 1094 automatically-generated test programs which cover the 88 Strong theoretical vulnerabilities. The benchmark suite generates the Cache Timing Vulnerability Score (CTVS) which can be used to evaluate how vulnerable a specific cache implementation is to different attacks. A smaller CTVS means the design is more secure. Evaluation is conducted on commodity Intel and AMD processors and shows how the differences in processor implementations can result in different types of attacks that they are vulnerable to. Further, the benchmarks and the CTVS can be used in simulation to help designers of new secure processors and caches evaluate their designs' susceptibility to cache timing-based attacks.

14 citations


Proceedings ArticleDOI
01 Feb 2020
TL;DR: BCoal is proposed – a new bucketing-based coalescing mechanism that significantly improves GPU security at a modest performance loss and reduces the information leakage by always issuing pre-determined numbers of coalesced accesses (called buckets).
Abstract: Graphics Processing Units (GPUs) are becoming a de facto choice for accelerating applications from a wide range of domains ranging from graphics to high-performance computing. As a result, it is getting increasingly desirable to improve the cooperation between traditional CPUs and accelerators such as GPUs. However, given the growing security concerns in the CPU space, closer integration of GPUs has further expanded the attack surface. For example, several side-channel attacks have shown that sensitive information can be leaked from the CPU end. In the same vein, several side-channel attacks are also now being developed in the GPU world. Overall, it is challenging to keep emerging CPU-GPU heterogeneous systems secure while maintaining their performance and energy efficiency. In this paper, we focus on developing an efficient defense mechanism for a type of correlation timing attack on GPUs. Such an attack has been shown to recover AES private keys by exploiting the relationship between the number of coalesced memory accesses and total execution time. Prior state-of-the-art defense mechanisms use inefficient randomized coalescing techniques to defend against such GPU attacks and require turning-off bandwidth conserving techniques such as caches and miss-status holding registers (MSHRs) to ensure security. To address these limitations, we propose BCoal – a new bucketing-based coalescing mechanism. BCoal significantly reduces the information leakage by always issuing pre-determined numbers of coalesced accesses (called buckets). With the help of a detailed application-level analysis, BCoal determines the bucket sizes and pads, if necessary, the number of real accesses with additional (padded) accesses to meet the bucket sizes ensuring the security against the correlation timing attack. Furthermore, BCoal generates the padded accesses such that the security is ensured even in the presence of MSHRs and caches. In effect, BCoal significantly improves GPU security at a modest performance loss.

13 citations
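The correlation timing attack the abstract refers to, and the effect of padding to a fixed bucket, as an added simulation (not the paper's code, nor the code of the original attack): each of the 32 threads of a warp looks up a 4-byte table entry at index S[c_i ⊕ k] for its ciphertext byte c_i; with 128-byte lines the 256-entry table spans 8 lines, and the number of distinct lines a warp touches is the number of coalesced memory transactions, which the attack takes as its timing proxy. S is a constructed random byte permutation standing in for the AES inverse S-box of the last-round attack; the ciphertexts, the key byte and the bucket sizes are constructed as well.

```python
import math
import random

WARP = 32                 # threads per warp
LINE_ENTRIES = 32         # 128-byte line / 4-byte table entry -> 8 lines per table
S = list(range(256))      # constructed nonlinear byte permutation (stands in for the inverse S-box)
random.Random(7).shuffle(S)


def coalesced_accesses(cbytes, key):
    """Number of distinct table lines a warp touches: one transaction per line."""
    return len({S[c ^ key] // LINE_ENTRIES for c in cbytes})


def bucketize(count, buckets):
    """BCoal-style padding: issue the smallest bucket >= count (constructed sizes)."""
    for b in buckets:
        if count <= b:
            return b
    raise ValueError("count exceeds largest bucket")


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0            # a constant trace carries no correlation
    return sxy / math.sqrt(sxx * syy)


def observe(warps, key, buckets=None):
    """What the attacker measures: transaction counts, optionally bucketed."""
    out = []
    for w in warps:
        c = coalesced_accesses(w, key)
        out.append(bucketize(c, buckets) if buckets else c)
    return out


def recover_key(warps, observed):
    """Correlation attack: the key guess whose predicted transaction counts
    correlate best with the observations.  None if no guess stands out."""
    scores = [pearson([coalesced_accesses(w, g) for w in warps], observed)
              for g in range(256)]
    best = max(scores)
    if best <= 0.0 or scores.count(best) != 1:
        return None
    return scores.index(best)


def make_warps(n, seed=1):
    """Constructed ciphertext bytes, one list of 32 per warp."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(WARP)] for _ in range(n)]


if __name__ == "__main__":
    warps = make_warps(300)
    key = 0x5A
    print(recover_key(warps, observe(warps, key)))                 # 90 (0x5A)
    print(recover_key(warps, observe(warps, key, buckets=(8,))))   # None
```

With the raw counts the correct key byte is the unique guess with correlation 1.0; once every warp is padded to the single bucket of 8 transactions the trace is constant and no guess correlates. Smaller intermediate buckets such as `(4, 8)` retain some leakage, which is the trade-off the paper's application-level analysis is choosing bucket sizes for.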


Proceedings ArticleDOI
12 Oct 2020
TL;DR: In this article, a constant-time implementation of the BCH error-correcting code used by several lattice-based and code-based public-key encryption schemes is proposed, removing the timing variations of BCH decoding.
Abstract: Error-correcting codes can be useful in reducing decryption failure rate of several lattice-based and code-based public-key encryption schemes. Two schemes, namely LAC and HQC, in NIST's round 2 phase of its post-quantum cryptography standardisation project use the strong error-correcting BCH code. However, direct application of the BCH code in decryption algorithms of public-key schemes could open new avenues for attacks. For example, a recent attack [1] exploited non-constant-time execution of BCH code to reduce the security of LAC. In this paper we analyse the BCH error-correcting code, identify computation steps that cause timing variations and design a constant-time BCH implementation. We implement our algorithm in software and evaluate its resistance against timing attacks by performing leakage detection tests. To study the computational overhead of the countermeasures, we integrated our constant-time BCH code in the reference and optimised implementations of the LAC scheme as a case study, and observed nearly 1.1 and 1.4 factor slowdown respectively for the CCA-secure primitives.

10 citations
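An added illustration of the leakage-detection test that abstract mentions, applied to the kind of decoding step it targets; this is not the paper's code and not a BCH decoder. The variable-time step modelled is a Chien search that evaluates the error-locator polynomial Λ(x) at every element of GF(2^4) and stops as soon as all deg(Λ) roots are found, so its running time grows with the error weight; the full-scan version always performs 15 evaluations. Welch's t-test between the iteration counts of weight-1 and weight-3 error sets (|t| > 4.5 taken as leakage, the usual TVLA threshold) flags the first and clears the second. The same error-weight dependence of decoding time is what the chosen-ciphertext timing attack on HQC listed later on this page exploits. Iteration counts stand in for measured time; the field, the error weights and the sample sizes are constructed for the example.

```python
import math
import random

# GF(2^4) with primitive polynomial x^4 + x + 1 (constructed toy field)
EXP = [0] * 30
LOG = [0] * 16
_x = 1
for _i in range(15):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0x10:
        _x ^= 0x13
for _i in range(15, 30):
    EXP[_i] = EXP[_i - 15]


def gf_mul(a, b):
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]


def poly_mul(p, q):
    """Product of polynomials over GF(16); coefficient index = degree."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)
    return out


def poly_eval(p, x):
    acc = 0
    for coef in reversed(p):
        acc = gf_mul(acc, x) ^ coef
    return acc


def error_locator(positions):
    """Lambda(x) = prod (1 + alpha^pos x); its roots encode the error positions."""
    lam = [1]
    for pos in positions:
        lam = poly_mul(lam, [1, EXP[pos]])
    return lam


def chien_search(lam, early_exit):
    """Evaluate Lambda at alpha^j for j = 0..14.  Returns (positions, iterations).
    With early_exit the loop stops once deg(Lambda) roots are found, so the
    iteration count depends on the error positions and hence on the weight."""
    degree = len(lam) - 1
    roots, iterations = [], 0
    for j in range(15):
        iterations += 1
        if poly_eval(lam, EXP[j]) == 0:
            roots.append((-j) % 15)       # root alpha^j <=> error at position -j
        if early_exit and len(roots) == degree:
            break
    return sorted(roots), iterations


def welch_t(xs, ys):
    """Welch's t statistic; 0.0 when both samples are constant (nothing to leak)."""
    n1, n2 = len(xs), len(ys)
    m1, m2 = sum(xs) / n1, sum(ys) / n2
    v1 = sum((x - m1) ** 2 for x in xs) / (n1 - 1)
    v2 = sum((y - m2) ** 2 for y in ys) / (n2 - 1)
    denom = math.sqrt(v1 / n1 + v2 / n2)
    return 0.0 if denom == 0 else (m1 - m2) / denom


def timing_samples(weight, n, early_exit, rng):
    out = []
    for _ in range(n):
        pos = rng.sample(range(15), weight)
        found, iterations = chien_search(error_locator(pos), early_exit)
        assert found == sorted(pos)          # decoding itself stays correct
        out.append(iterations)
    return out


def leakage_t(early_exit, n=200, seed=1):
    """Fixed-weight-vs-fixed-weight t-test on the iteration counts (timing proxy)."""
    rng = random.Random(seed)
    return welch_t(timing_samples(1, n, early_exit, rng),
                   timing_samples(3, n, early_exit, rng))


if __name__ == "__main__":
    print(abs(leakage_t(early_exit=True)) > 4.5)    # True: the weight leaks
    print(leakage_t(early_exit=False))              # 0.0: constant-time scan
```

On real hardware the two sample sets would be cycle counts of the full decoder on fixed-weight versus random-weight inputs, and the test is repeated per decoder sub-step to locate which one varies; the deterministic iteration counts here make the outcome reproducible.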


Book ChapterDOI
05 Jul 2020
TL;DR: In this article, a correlation power attack on the polynomial multiplication operation of Dilithium signature generation is presented, extending the side-channel analysis of the scheme beyond timing attacks.
Abstract: A significant concern for the candidate schemes of the NIST postquantum cryptography standardization project is the protection they support against side-channel attacks. One of these candidate schemes currently in the NIST standardization race is the Dilithium signature scheme. This postquantum signature solution has been analyzed for side channel attack resistance especially against timing attacks. Expanding our attention on other types of side-channel analysis, this work is focused on correlation based differential side channel attacks on the polynomial multiplication operation of Dilithium digital signature generation. In this paper, we describe how a Correlation Power Attack should be adapted for the Dilithium signature generation and describe the attack process to be followed. We determine the conditions to be followed in order for such an attack to be feasible (isolation of polynomial coefficient multiplication in power traces) and we create a power trace profiling paradigm for the Dilithium signature scheme executed in embedded systems to showcase that the conditions can be met in practice. Expanding the methodology of recent works that mainly use simulations for power trace collection, in this paper, power trace capturing and profiling analysis of the signature generation process was successfully done on a noisy, commercial off-the-shelf ARM Cortex-M4 embedded system.

9 citations


Book ChapterDOI
19 Oct 2020
TL;DR: This work investigates how to retrieve an activation function in a neural network implemented on an edge device by using side-channel information, considers the multilayer perceptron as the machine learning architecture of choice, and shows that the attack method has the potential to overcome constant-time mitigations.
Abstract: From cloud computing to edge computing, the deployment of artificial intelligence (AI) has been evolving to fit a wide range of applications. However, the security over edge AI is not sufficient. Edge AI is computed close to the device and user, therefore allowing physical attacks such as side-channel attack (SCA). Reverse engineering the neural network architecture using SCA is an active area of research. In this work, we investigate how to retrieve an activation function in a neural network implemented on an edge device by using side-channel information. To this end, we consider multilayer perceptron as the machine learning architecture of choice. We assume an attacker capable of measuring side channel leakages, in this case electromagnetic (EM) emanations. The results are shown on an Arduino Uno microcontroller to achieve high quality measurements. Our experiments show that the activation functions used in the architecture can be obtained by a side-channel attacker using one or a few EM measurements independent of inputs. We replicate the timing attack from previous research by Batina et al. and analyze it to explain how the timing behavior acts on different implementations of the activation function operations. We also show that our attack method has the potential to overcome constant-time mitigations.

Journal ArticleDOI
TL;DR: The detection and defense (DaD) approach is proposed to mitigate the side-channel timing attack efficiently and effectively, and it preserves privacy without compromising the efficiency benefits of in-network caching in the VoNDN application.
Abstract: Named Data Network (NDN) is a network paradigm that attempts to answer today's needs for distribution. One of the NDN key features is in-network caching to increase content distribution and network efficiency. However, this feature may increase the privacy concerns, as the adversary may identify the call history and the callee/caller location through side-channel timing responses from the cache of trusted Voice over NDN (VoNDN) application routers. The side-channel timing attack can be mitigated by countermeasures, such as additional unpredictable delay, random caching, group signatures, and no-caching configurations. However, the content distribution may be affected by pre-configured countermeasures, which may be against the original purpose of NDN. In this work, the detection and defense (DaD) approach is proposed to mitigate the attack efficiently and effectively. With the DaD usage, an attack can be detected by a multi-level detection mechanism, in order to apply the countermeasures against the adversarial faces. Also, the detections can be used to determine the severity of the attack. In order to detect the behavior of an adversary, a brute-force timing attack was implemented and simulated on the VoNDN application on the NDN-testbed, using a trusted application that mimics VoNDN and identifies the cached certificate on the worldwide NDN-testbed. In simulation, primary results showed that the multi-level detection based on DaD mitigated the attack by about 39.1% in best-route and 36.5% in multicast communications. Additionally, the results showed that DaD preserves privacy without compromising the efficiency benefits of in-network caching in the VoNDN application.

Proceedings ArticleDOI
22 Jun 2020
TL;DR: This paper identifies patterns of combining clock access, secret branching, and output in a way that leads to timing leaks under remote execution, and designs Clockwork, a monitor that rules out remote timing leaks.
Abstract: Timing leaks have been a major concern for the security community. A common approach is to prevent secrets from affecting the execution time, thus achieving security with respect to a strong, local attacker who can measure the timing of program runs. However, this approach becomes restrictive as soon as programs branch on a secret. This paper focuses on timing leaks under remote execution. A key difference is that the remote attacker does not have a reference point of when a program run has started or finished, which significantly restricts attacker capabilities. We propose an extensional security characterization that captures the essence of remote timing attacks. We identify patterns of combining clock access, secret branching, and output in a way that leads to timing leaks. Based on these patterns, we design Clockwork, a monitor that rules out remote timing leaks. We implement the approach for JavaScript, leveraging JSFlow, a state-of-the-art information flow tracker. We demonstrate the feasibility of the approach on case studies with IFTTT, a popular IoT app platform, and VJSC, an advanced JavaScript library for e-voting.


Proceedings ArticleDOI
25 May 2020
TL;DR: An experimental test of robustness to timing attacks is reported for the Elliptic Curve Digital Signature Algorithm (ECDSA), a public-key cryptographic algorithm widely used in IoT transducers.
Abstract: An experimental test of robustness to timing attacks is reported for the public-key cryptographic algorithm widely used in IoT transducers, the Elliptic Curve Digital Signature Algorithm (ECDSA). To this aim, a timing-lattice attack is mounted on the ECDSA implementation of the MbedTLS firmware library for ARM microcontrollers. Timing is assessed by measuring the execution time of ecdsa_write_signature of the MbedTLS library on an ARM Cortex-M4 microcontroller. The time intervals required to sign the messages, the messages themselves, and the signatures are used to mount a lattice attack in order to discover the ECDSA private key. Experimental results highlight the resistance of the ECDSA function in the MbedTLS library to the implemented attack.


Book ChapterDOI
30 Nov 2020
TL;DR: This paper presents an efficient and secure implementation of SM2, the Chinese elliptic curve cryptography standard that has been adopted by the International Organization of Standardization (ISO) as ISO/IEC 14888-3:2018 and is the first constant-time implementation of the Co-Z based ladder that leverages the parallelism of AVX2.
Abstract: This paper presents an efficient and secure implementation of SM2, the Chinese elliptic curve cryptography standard that has been adopted by the International Organization for Standardization (ISO) as ISO/IEC 14888-3:2018. Our SM2 implementation uses Intel’s Advanced Vector Extensions version 2.0 (AVX2), a family of three-operand SIMD instructions operating on vectors of 8, 16, 32, or 64-bit data elements in 256-bit registers, and is resistant against timing attacks. To exploit the parallel processing capabilities of AVX2, we studied the execution flows of Co-Z Jacobian point arithmetic operations and introduce a parallel 2-way Co-Z addition, Co-Z conjugate addition, and Co-Z ladder algorithm, which allow for fast Co-Z scalar multiplication. Furthermore, we developed an efficient 2-way prime-field arithmetic library using AVX2 to support our Co-Z Jacobian point operations. Both the field and the point operations utilize branch-free (i.e. constant-time) implementation techniques, which increase their ability to resist Simple Power Analysis (SPA) and timing attacks. Our software for scalar multiplication on the SM2 curve is, to our knowledge, the first constant-time implementation of the Co-Z based ladder that leverages the parallelism of AVX2.


Journal ArticleDOI
05 Apr 2020-Sensors
TL;DR: This paper optimizes Number Theoretic Transform (NTT) and random sampling operations on low-end 8-bit AVR microcontrollers, using combined Look-Up Table (LUT)-based fast reduction techniques in a regular fashion, which ensures high performance and prevents timing attacks and simple power analysis.
Abstract: In this paper, we optimized Number Theoretic Transform (NTT) and random sampling operations on low-end 8-bit AVR microcontrollers. We focused on the optimized modular multiplication with secure countermeasure (i.e., constant timing), which ensures high performance and prevents timing attack and simple power analysis. In particular, we presented combined Look-Up Table (LUT)-based fast reduction techniques in a regular fashion. This novel approach only requires two LUT accesses to perform the whole modular reduction routine. The implementation is carefully written in assembly language, which reduces the number of memory accesses and function calls. With LUT-based optimization techniques, proposed NTT implementations outperform the previous best results by 9.0% and 14.6% for 128-bit security level and 256-bit security level, respectively. Furthermore, we adopted the most optimized AES software implementation to improve the performance of pseudo random number generation for random sampling operation. The encryption of AES-256 counter (CTR) mode used for random number generator requires only 3184 clock cycles for 128-bit data input, which is 9.5% faster than previous state-of-the-art results. Finally, proposed methods are applied to the whole process of Ring-LWE key scheduling and encryption operations, which require only 524,211 and 659,603 clock cycles for 128-bit security level, respectively. For the key generation of 256-bit security level, 1,325,171 and 1,775,475 clock cycles are required for H/W and S/W AES-based implementations, respectively. For the encryption of 256-bit security level, 1,430,601 and 2,042,474 clock cycles are required for H/W and S/W AES-based implementations, respectively.

Journal ArticleDOI
TL;DR: This research introduces an alternative KDF that is proven secure in CAM, a security model that takes side-channel attacks into consideration, and shows the implication and non-implication relationships between CAM and CPM.
Abstract: A Key Derivation Function (KDF) derives cryptographic keys from a private string and public information. The security property required of the cryptographic keys is indistinguishability from random strings of equal length. The security analysis of KDFs has received increasing attention. The practical importance of KDFs is reflected in the adoption of industry standards such as NIST800-135 and PKCS5. This study proposes a robust security framework that takes into consideration the side-channel attacks. The robust security framework consists of the proposed security model and existing security models. The proposed security model is known as Adaptive Chosen All Inputs Model (CAM), which analyses the security of KDFs in terms of the bit-flipping attack and timing attack. The existing security model is the Adaptive Chosen Public Inputs Model (CPM). This research shows the implication and non-implication relationships between CAM and CPM. The simulation of security models is according to the indistinguishability game played between a challenger and an adversary. These security models are used to evaluate existing KDFs. The result shows that none of the existing KDFs are secure in CAM for both the bit-flipping attack and timing attack. Hence, this research introduces an alternative KDF that is proven secure in CAM.

Patent
06 Aug 2020
TL;DR: In this article, a method for providing timing security in a time sensitive network (TSN) includes monitoring TSN times in timing synchronization packets exchanged between TSN network nodes and determining whether a timing attack is indicated.
Abstract: A method for providing timing security in a time sensitive network (TSN), includes monitoring TSN times in timing synchronization packets exchanged between TSN network nodes. The method further includes monitoring TSN timing values calculated by TSN network nodes. The method further includes determining, using TSN times and TSN timing values, whether a timing attack is indicated. The method further includes, in response to determining that a timing attack is indicated, performing a timing attack effects mitigation action.

Journal ArticleDOI
TL;DR: It is shown that bucketing is in general insufficient to ensure security, and two conditions that can be used to ensure the security of systems against adaptive timing-channel attacks are presented.
Abstract: This paper investigates the effect of bucketing in security against timing-channel attacks. Bucketing is a technique proposed to mitigate timing-channel attacks by restricting a system’s outputs to only occur at designated time intervals, and has the effect of reducing the possible timing-channel observations to a small number of possibilities. However, there is little formal analysis on when and to what degree bucketing is effective against timing-channel attacks. In this paper, we show that bucketing is in general insufficient to ensure security. Then, we present two conditions that can be used to ensure security of systems against adaptive timing-channel attacks. The first is a general condition that ensures that the security of a system decreases only by a limited degree by allowing timing-channel observations, whereas the second condition ensures that the system would satisfy the first condition when bucketing is applied and hence becomes secure against timing-channel attacks. A main benefit of the conditions is that they allow separation of concerns whereby the security of the regular channel can be proven independently of concerns of side-channel information leakage, and certain conditions are placed on the side channel to guarantee the security of the whole system. Further, we show that the bucketing technique can be applied compositionally in conjunction with the constant-time-implementation technique to increase their applicability. While we instantiate our contributions to timing channel and bucketing, many of the results are actually quite general and are applicable to any side channels and techniques that reduce the number of possible observations on the channel. It is interesting to note that our results make non-trivial (and somewhat unconventional) uses of ideas from information flow research such as channel capacity and refinement order relation.

Journal ArticleDOI
TL;DR: In this paper, a chosen ciphertext timing attack was presented to retrieve the secret key of HQC, exploiting a correlation between the weight of the error to be decoded and the running time of the decoding algorithm of BCH codes.
Abstract: In this paper, we present a practicable chosen ciphertext timing attack retrieving the secret key of HQC. The attack exploits a correlation between the weight of the error to be decoded and the running time of the decoding algorithm of BCH codes. For the 128-bit security parameters of HQC, the attack runs in less than a minute on a desktop computer using roughly 6000 decoding requests and has a success probability of approximately 93 percent. To prevent this attack, we provide an implementation of a constant time algorithm for the decoding of BCH codes. Our implementation of the countermeasure achieves a constant time execution of the decoding process without a significant performance penalty.

Journal Article
TL;DR: In this paper, a Markov process is used to deduce relevant stochastic properties of Barrett's multiplication algorithm within modular exponentiation algorithms, and the authors show that Barrett's algorithm is vulnerable to both timing attacks and local timing attacks.
Abstract: Montgomery’s and Barrett’s modular multiplication algorithms are widely used in modular exponentiation algorithms, e.g. to compute RSA or ECC operations. While Montgomery’s multiplication algorithm has been studied extensively in the literature and many side-channel attacks have been detected, to the best of our knowledge no thorough analysis exists for Barrett’s multiplication algorithm. This article closes this gap. For both Montgomery’s and Barrett’s multiplication algorithms, differences in the execution times are caused by conditional integer subtractions, so-called extra reductions. Barrett’s multiplication algorithm allows even two extra reductions, and this feature increases the mathematical difficulties significantly. We formulate and analyse a two-dimensional Markov process, from which we deduce relevant stochastic properties of Barrett’s multiplication algorithm within modular exponentiation algorithms. This allows transferring the timing attacks and local timing attacks (where a second side-channel attack exhibits the execution times of the particular modular squarings and multiplications) on Montgomery’s multiplication algorithm to attacks on Barrett’s algorithm. However, there are also differences. Barrett’s multiplication algorithm requires additional attack substeps, and the attack efficiency is much more sensitive to variations of the parameters. We treat timing attacks on RSA with CRT, on RSA without CRT, and on Diffie–Hellman, as well as local timing attacks against these algorithms in the presence of basis blinding. Experiments confirm our theoretical results.

DOI
01 Jan 2020
TL;DR: Identification of users via an SSH timing attack.
Abstract: Identification of Users via SSH Timing Attack

Journal ArticleDOI
TL;DR: New optimal modular multiplication techniques based on interleaved Montgomery multiplication on 16-bit MSP430X microprocessors are presented, where the multiplication part is performed in a hardware multiplier and the reduction part is performed in a basic arithmetic logic unit (ALU) with the optimal modular multiplication routine, respectively.
Abstract: For traditional public key cryptography and post-quantum cryptography, such as elliptic curve cryptography and supersingular isogeny key encapsulation, modular multiplication is the most performance-critical operation among the basic arithmetic of these cryptographic schemes. For this reason, the execution timing of such cryptographic schemes, which may largely determine service availability on low-end microprocessors (e.g., 8-bit AVR, 16-bit MSP430X, and 32-bit ARM Cortex-M), mainly relies on the efficiency of modular multiplication on the target embedded processors. In this article, we present new optimal modular multiplication techniques based on the interleaved Montgomery multiplication on 16-bit MSP430X microprocessors, where the multiplication part is performed in a hardware multiplier and the reduction part is performed in a basic arithmetic logic unit (ALU) with the optimal modular multiplication routine, respectively. This two-step approach is effective for the special moduli of NIST curves, SM2 curves, and supersingular isogeny key encapsulation. We further optimized the Montgomery reduction by using techniques for “Montgomery-friendly” primes. This technique significantly reduces the number of partial products. To demonstrate the superiority of the proposed implementation of Montgomery multiplication, we applied the proposed method to the NIST P-256 curve, where the implementation improves the previous modular multiplication operation by 23.6% on 16-bit MSP430X microprocessors, and to the SM2 curve as well (the first implementation on 16-bit MSP430X microcontrollers). Moreover, secure countermeasures against timing attacks and simple power analysis are also applied to the scalar multiplication of the NIST P-256 and SM2 curves, which achieve 8,582,338 clock cycles (0.53 seconds@16 MHz) and 10,027,086 clock cycles (0.62 seconds@16 MHz), respectively. The proposed Montgomery multiplication is a generic method that can be applied to other cryptographic schemes and microprocessors with minor modifications.

Book ChapterDOI
02 Sep 2020
TL;DR: Experimental results show that the proposed attack generates adversarial examples with higher probability than a state-of-the-art attack that uses only predicted labels, which suggests a motivation for attackers to mount implementation attacks on random forests.
Abstract: The threat of implementation attacks to machine learning has become an issue recently. These attacks include side-channel attacks that use information acquired from implemented devices and fault attacks that inject faults into implemented devices using external tools such as lasers. Thus far, these attacks have targeted mainly deep neural networks; however, other popular methods such as random forests can also be targets. In this paper, we investigate the threat of implementation attacks to random forests. Specifically, we propose a novel timing attack that generates adversarial examples, and experimentally evaluate its attack success rate. The proposed attack exploits a fundamental property of random forests: the response time from the input to the output depends on the number of conditional branches invoked during prediction. More precisely, we generate adversarial examples by optimizing the response time. This optimization affects predictions because changes in the response time imply changes in the results of the conditional branches. For the optimization, we use an evolution strategy that tolerates measurement error in the response time. Experiments are conducted in a black-box setting where attackers can use only prediction labels and response times. Experimental results show that the proposed attack generates adversarial examples with higher probability than a state-of-the-art attack that uses only predicted labels. This suggests a motivation for attackers to mount implementation attacks on random forests.

Journal ArticleDOI
01 Sep 2020
TL;DR: This work suggests that the EMFI attacks act like localized timing attacks in FPGAs, and they can detect them with low false-positive and false-negative rates using the newly proposed in-situ timing sensors.
Abstract: With the proliferation of embedded systems and our ever-increasing dependence on them, their security has never been more critical. Electromagnetic fault injection (EMFI) has garnered significant attention after it was found that electromagnetic (EM) pulses can cause faults in hardware and can be used to break security algorithms. In this work, we present an EMFI detector that excels at all quality metrics of a detection mechanism, namely, precision, accuracy, detection rate, and specificity. We developed this detector after careful evaluation of the most recent existing techniques for EMFI detection. We have conducted these evaluations on two different FPGA platforms and presented them in this paper. One of the most unexpected results of our study is that a previously designed sensor that was built based on a particular bit-set/reset fault model and achieved a relatively high-quality detection was, in fact, performing the detection based on a timing/sampling fault model. We conclude that despite the mixed interpretations in the previous work, the timing/sampling fault model is the most plausible way to describe EMFI effects. This work suggests that the EMFI attacks act like localized timing attacks in FPGAs, and we can detect them with low false-positive and false-negative rates using the newly proposed in-situ timing sensors. Our proposed sensors have low cost, are scalable, and can be integrated into any digital design with ease.

Proceedings Article
24 Oct 2020
TL;DR: In this paper, the authors focus on three algorithms for RSA decryption, derive formulas of the mutual information under several assumptions and approximations, and calculate the mutual Information numerically for practical security parameters.
Abstract: The threat of timing attacks is especially serious when an attacker actively controls the input to a target program. Countermeasures are studied to deter such active attacks, but the attacker still has the chance to learn something about the concealed information by passively watching the running time of the target program. The risk of passive timing attacks can be measured by the mutual information between the concealed information and the running time. However, the computation of the mutual information is hardly possible except for toy examples. This study focuses on three algorithms for RSA decryption, derives formulas of the mutual information under several assumptions and approximations, and calculates the mutual information numerically for practical security parameters.

Proceedings ArticleDOI
22 May 2020
TL;DR: It is shown that the data processing time when using permutation decoding in conjunction with the cognitive search for the decoding result varies only slightly, and that this technology can be successful in solving another important task: minimizing the consequences of timing attacks on a system protecting confidential information.
Abstract: The development of telecommunication systems based on single-mode and multimode optical fibers is aimed at the rapidly increasing demand for bandwidth, not only in transport networks but also in intra-site data center networks, cloud computing, and web servers. The solution to this problem is provided by the complexity of signal processing technologies. In this case, the requirements on receiver complexity can be reduced by using technologies that combat signal distortion with equalizers together with FEC. It is known that the use of FEC based on permutation decoding of RS codes provides a significant gain in the data processing speed of the receiver, due to the use of a cognitive procedure for searching for the generating matrix of the equivalent code. The paper shows that the use of this technology can be successful in solving another important task: minimizing the consequences of timing attacks on a system protecting confidential information. This is due to the active development of quantum computers and the problems of post-quantum cryptography that have arisen on this basis. The essence of leveling the risk of timing attacks is to equalize the time spent on processing vectors of redundant BCH or RS codes. The use of permutation decoding fully matches these requirements by replacing the algebraic system of error detection and correction in the data with a procedure of lexicographic search for the desired result. It is shown that the data processing time when using permutation decoding in conjunction with the cognitive search for the decoding result varies only slightly.