Strength of two data encryption standard implementations under timing attacks

Published: 01 November 1999

Abstract

We study the vulnerability of two implementations of the Data Encryption Standard (DES) cryptosystem under a timing attack. A timing attack is a method, recently proposed by Paul Kocher, that is designed to break cryptographic systems. It exploits the engineering aspects involved in the implementation of cryptosystems and might succeed even against cryptosystems that remain impervious to sophisticated cryptanalytic techniques. A timing attack is, essentially, a way of obtaining a user's private information by carefully measuring the time it takes the user to carry out cryptographic operations. In this work, we analyze two implementations of DES. We show that a timing attack yields the Hamming weight of the key used by both DES implementations. Moreover, the attack is computationally inexpensive. We also show that all the design characteristics of the target system necessary to carry out the timing attack can be inferred from timing measurements.

References

  1. BIHAM, E. AND SHAMIR, A. 1991. Differential cryptanalysis of DES-like cryptosystems. J. Cryptology 4, 1, 3-72.
  2. BIHAM, E. AND SHAMIR, A. 1993. Differential cryptanalysis of the full 16-round DES. In Proceedings of the Conference on Advances in Cryptology (CRYPTO'92, Santa Barbara, CA), E. F. Brickell, Ed. Springer-Verlag, New York, 494-502.
  3. BIHAM, E. AND SHAMIR, A. 1997. Differential fault analysis of secret key cryptosystems. CS0910. Electrical Engineering Department, Technion: Israel Institute of Technology, Haifa, Israel.
  4. BONEH, D., DEMILLO, R. A., AND LIPTON, R. J. 1997. On the importance of checking cryptographic protocols for faults. In Proceedings of the Conference on Advances in Cryptology (EUROCRYPT'97), W. Fumy, Ed. Springer-Verlag, New York, 37-51.
  5. CHAUM, D. 1983. Blind signatures for untraceable payments. In Proceedings of the Conference on Advances in Cryptology (CRYPTO'82, Santa Barbara, CA), D. Chaum, R. L. Rivest, and A. T. Sherman, Eds. Plenum Press, New York, NY, 199-203.
  6. DHEM, J.-F., KOEUNE, F., LEROUX, P.-A., MESTRÉ, P., QUISQUATER, J.-J., AND WILLEMS, J.-L. 1998. A practical implementation of the timing attack. In Proceedings of the Symposium on Smart Card Research and Advanced Applications (CARDIS'98), J.-J. Quisquater and B. Schneier, Eds. Springer-Verlag, New York.
  7. DIFFIE, W. AND HELLMAN, M. E. 1976. New directions in cryptography. IEEE Trans. Inf. Theor. 22, 6 (Nov.), 644-654.
  8. ENGLISH, E. AND HAMILTON, S. 1996. Network security under siege: the timing attack. IEEE Computer 29, 3, 95-97.
  9. FELLER, W. 1966. An Introduction to Probability Theory and its Applications. 2nd ed. John Wiley & Sons, Inc., New York, NY.
  10. HANDSCHUH, H. 1998. A timing attack on RC5. In Proceedings of the Workshop on Selected Areas of Cryptography (SAC'98, Aug.), S. Tavares and H. Meijer, Eds. Springer-Verlag, New York, NY.
  11. HAZEWINKEL, M., Ed. 1988. Encyclopedia of Mathematics: An updated and annotated translation of the Soviet "Mathematical Encyclopaedia". Encyclopedia of Mathematics, vol. 1. Kluwer Academic Publishers, Hingham, MA.
  12. HEIDENSTROM, K. 1995. FAQ/application notes: Timing on the PC family under DOS. ftp://garbo.uwasa.fi/pc/programming/pctim003.zip.
  13. HEYS, H. M. 1998. A timing attack on RC5. In Proceedings of the Workshop on Selected Areas of Cryptography (SAC'98, Aug.), S. Tavares and H. Meijer, Eds. Springer-Verlag, New York, NY.
  14. HOGG, R. AND TANIS, E. 1997. Probability and Statistical Inference. 5th ed. Prentice-Hall, New York, NY.
  15. KAPP, J. S. A. 1996. RSAEuro: A cryptographic toolkit. Ver. 1.04. Internet Rel. Distrib.
  16. KOCHER, P. 1996. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Proceedings of the Conference on Advances in Cryptology (CRYPTO'96, Santa Barbara, CA), N. Koblitz, Ed. Springer-Verlag, New York, 104-113.
  17. LOUKO, A. 1992. DES package. Helsinki Univ. Tech., Helsinki, Finland. ftp://kampi.hut.fi.
  18. MARKOFF, J. 1996. Potential flaw seen in cash card security. The New York Times.
  19. MATSUI, M. 1994. The first experimental cryptanalysis of the Data Encryption Standard. In Proceedings of the Conference on Advances in Cryptology (CRYPTO'94, Santa Barbara, CA), Y. G. Desmedt, Ed. Springer-Verlag, New York, 1-11.
  20. MATSUI, M. 1994. Linear cryptanalysis method for DES cipher. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT'93, Lofthus, Norway, May 23-27), T. Helleseth, Ed. Lecture Notes in Computer Science, Springer-Verlag, Secaucus, NJ, 386-397.
  21. MENEZES, A. J., VAN OORSCHOT, P. C., AND VANSTONE, S. A. 1997. Handbook of Applied Cryptography. CRC Press, Inc., Boca Raton, FL.
  22. NBS 1977. NBS FIPS PUB 46, Data Encryption Standard. U.S. Department of Commerce.
  23. RIVEST, R., SHAMIR, A., AND ADLEMAN, L. 1978. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 2 (Feb.), 120-126.
  24. ROSS, S. 1988. A First Course in Probability. 3rd ed. Macmillan Publishing Co., Inc., Indianapolis, IN.
  25. SCHNEIER, B. 1995. Applied Cryptography: Protocols, Algorithms, and Source Code in C. 2nd ed. John Wiley & Sons, Inc., New York, NY.
  26. STINSON, D. R. 1995. Cryptography: Theory and Practice. 1st ed. CRC Press, Inc., Boca Raton, FL.
  27. ZACKS, S. 1971. The Theory of Statistical Inference. John Wiley & Sons, Inc., New York, NY.


Reviews

J. Wolper

The vulnerability of two implementations of the Data Encryption Standard (DES) to timing attacks—attacks that recover information by noting how long it takes to perform cryptographic operations—is clearly described. Timing attacks were first proposed by Kocher. One of the implementations analyzed is from the RSAEuro cryptographic toolkit; the other is due to Louko. The authors found that, in these implementations, there is an approximately linear relationship between the Hamming weight of the key and the duration of the operation. The statistics for this relationship were derived from 2^16 time measurements of encryption and key generation operations using random keys. (The paper includes an interesting appendix on timing under the MS-DOS operating system.) The authors present an extensive statistical analysis whose aim is to show that an attacker can derive information about the key without knowledge of the design characteristics of the target system. Finally, they suggest “blinding techniques” that normalize the encryption time and thus protect a system from attack. The fault is evidently in the code for key generation; any cryptographic protocol using a key schedule is therefore potentially vulnerable. These errors can be subtle; for example, any code of the form `if (cond) block1 else block2`, where `cond` depends on each bit of the key in turn, and in which the two blocks have different execution times, could enable a timing attack. I examined some DES implementations in vain, searching for such code. Thus, it appears that a programmer aware of this attack can prevent it by careful coding. In other words, vulnerability to timing attacks appears to be a function of the implementation, not of the algorithm.

These results seem to apply to two specific implementations of one specific algorithm, but the possibility remains that similar attacks might be effective on other implementations of DES and other algorithms. In particular, the US National Institute of Standards and Technology is currently researching algorithms for an Advanced Encryption Standard (AES). Are these algorithms vulnerable to attack? Also, even if a blinding method were to succeed in averting the attack, the system's throughput would be reduced.
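The review's point that a key-bit-dependent branch in the key schedule makes running time grow with the key's Hamming weight, shown as an added example that is neither the paper's nor the reviewer's code: a constructed DES-style bit-permutation step written first with the `if (cond)` pattern and then branch-free. Time is modelled as a deterministic count of cost units (the constants and the permutation are assumptions for illustration), so the affine relationship, its inversion by an observer, and the effect of the hardened form are exact rather than statistical.

```c
#include <stdint.h>

/* Constructed model of a DES-style key-schedule step that permutes the 56
 * key bits one at a time. "Time" is a deterministic count of cost units. */
#define KEY_BITS  56
#define COST_TEST 1u   /* cost of testing one key bit                     */
#define COST_SET  3u   /* extra cost of the branch body that sets the bit */

/* Constructed permutation: i -> 5*i mod 56 (5 is coprime to 56). */
static int perm_index(int i) { return (i * 5) % KEY_BITS; }

/* Vulnerable pattern named in the review: a branch whose condition depends
 * on each key bit in turn, with the taken side costing more. The extra work
 * runs only for 1-bits, so total cost grows with the key's Hamming weight. */
static uint64_t permute_branchy(uint64_t key, unsigned *cost) {
    uint64_t out = 0;
    *cost = 0;
    for (int i = 0; i < KEY_BITS; i++) {
        *cost += COST_TEST;
        if ((key >> perm_index(i)) & 1) {   /* key-dependent branch */
            out |= (uint64_t)1 << i;
            *cost += COST_SET;
        }
    }
    return out;
}

/* Hardened pattern: same permutation as a branch-free mask-and-or, so the
 * cost is identical for every key (the normalisation the review asks for). */
static uint64_t permute_ct(uint64_t key, unsigned *cost) {
    uint64_t out = 0;
    *cost = 0;
    for (int i = 0; i < KEY_BITS; i++) {
        out |= ((key >> perm_index(i)) & 1) << i;
        *cost += COST_TEST + COST_SET;      /* fixed cost per bit */
    }
    return out;
}

/* Hamming weight of the 56 key bits, for checking what leaks. */
static int hamming_weight(uint64_t key) {
    int w = 0;
    for (key &= ((uint64_t)1 << KEY_BITS) - 1; key; key >>= 1) w += (int)(key & 1);
    return w;
}

/* The leak: cost is affine in the Hamming weight, so one cost reading of the
 * branchy version inverts directly to the number of 1-bits in the key. */
static int weight_from_cost(unsigned cost) {
    return (int)((cost - KEY_BITS * COST_TEST) / COST_SET);
}
```

On real hardware the per-bit costs are noisy and must be averaged over many keys, which is why the paper needs 2^16 measurements; the model above removes the noise to make the dependence visible.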
