Title: Making Crypto Libraries Robust Against Physical Side-Channel Attacks

Monjur Alam

Ph.D. student in Computer Science

School of Computer Science

College of Computing

Georgia Institute of Technology

Date: Thursday, May 23, 2019

Time: 10:00 - 11:30 AM (EST)

Location: Klaus 3100

Committee:

Dr. Milos Prvulovic (Advisor), School of Computer Science, Georgia Institute of Technology

Dr. Alenka Zajic(Co-advisor), School of Computer Science, Georgia Institute of Technology

Dr. Alexandra Boldyreva, School of Computer Science, Georgia Institute of Technology

Dr. Raheem Beyah, School of Computer Science, Georgia Institute of Technology

Dr. Angelos Keromytis, School of Electrical and Computer Engineering, Georgia Institute of Technology

Abstract:

Often the connection between theoretical and applied cryptography is not well established due to problems of translating the theoretical security proofs to real world software and hardware implementations. Cryptanalysis is one important branch in cryptology and focuses on breaking cryptographic primitives and protocols. Side-channel analysis is a cryptanalytic technique born from practice. Physical side-channel cryptanalysis is a very effective approach to breaking a secure crypto system. Most side-channel attacks on cryptographic primitives and implementations rely on different control flow or memory access patterns. As a countermeasure, the cryptographic community has established the notion of constant time code. At a high level, constant time design aims to mitigate side-channel attacks by decoupling the program’s secrets from attacker-observable leakage sources. Specifically, constant time coding avoids secret-dependent control flow and data access patterns.

This proposal focuses on detailing a set of new techniques to exploit widely used open sources for software implementations of cryptographic primitives which enforces constant-time implementations. First, we present One&Done,  a side-channel attack that is based on the analysis of signals that correspond to the brief computation activity that computes the value of each window during exponentiation, i.e. activity between large-integer multiplications. As the attack is message-independent, it makes the attack completely immune to existing countermeasures that focus on thwarting chosen-ciphertext attacks and/or square/multiply sequence analysis. Next, we present Nonce@Once, the first side-channel attack that recovers the secret scalar from the electromagnetic signal that corresponds to a single signing operation in current versions of Libgcrypt, OpenSSL, Hacl* and curve25519-donna. Rather than relying on different control-flow or memory access patterns, our attack uses the signal differences created by systematic differences in operand values during a conditional swap operation itself to recover each bit of the secret. We also propose a mitigation that randomizes the exclusive-or mask in the conditional swap operation, is effective in preventing this and similar attacks.