Title: Making Crypto Libraries Robust Against Physical Side-Channel Attacks

Monjur Alam

Ph.D. Candidate in Computer Science

School of Computer Science

College of Computing

Georgia Institute of Technology

Date: Friday, September 6, 2019

Time: 13:00 - 15:00 (EST)

Location: Klaus 3100

Committee:

Dr. Milos Prvulovic (Advisor), School of Computer Science, Georgia Institute of Technology

Dr. Alenka Zajic(Co-advisor), School of Computer Science, Georgia Institute of Technology

Dr. Alexandra Boldyreva, School of Computer Science, Georgia Institute of Technology

Dr. Raheem Beyah, School of Computer Science, Georgia Institute of Technology

Dr. Angelos Keromytis, School of Electrical and Computer Engineering, Georgia Institute of Technology

Abstract:

The connection between theoretical and applied cryptography is often not well established due to difficulties in translating the theoretical security proofs to real world software and hardware implementations. Physical side-channel cryptanalysis is a very effective approach to break a secure cryptographic system. Most side-channel attacks on cryptographic primitives and implementations rely on different control flow or memory access patterns. As a countermeasure, the cryptographic community has established the notion of constant time program code which avoids secret-dependent control flow and data access patterns.

This thesis focuses on detailing a set of new techniques to exploit widely used open sources for software implementations of cryptographic primitives.  First, we present One&Done,  a side-channel attack that is based on the analysis of signals that correspond to the brief computation activity that computes the value of each window during exponentiation, i.e. activity between large-integer multiplications. As the attack is message-independent, it makes the attack completely immune to existing countermeasures that focus on thwarting chosen-ciphertext attacks and/or square/multiply sequence analysis. Second, we present Nonce@Once, the first side-channel attack that recovers the secret scalar from the electromagnetic signal that corresponds to a single signing operation in current versions of Libgcrypt, OpenSSL. Our attack uses the signal differences created by systematic differences in operand values during a conditional swap operation itself to recover each bit of the secret. We also propose a mitigation that randomizes the exclusive-or mask in the conditional swap operation, is effective in preventing this and similar attacks. Next, we present a physical side-channel attack on DSA implementation, which utilizes constant-time fixed-window (m-ary) modular exponentiation. We demonstrated different implementation aspects and their effects as countermeasures which embrace the importance of re-thinking before designing and implementing PKC, in general. Lastly, We present the security issues on NAF based OpenSSL's ECDSA implementation.