RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
Transcript of RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
Intro
Acoustic side-channel cryptanalysis
Dušan Klinec
Faculty of Informatics, Masaryk University
Brno
13. 3. 2014
Dušan Klinec (FI MUNI) Ph4r05 13. 3. 2014 1 / 36
Intro
Source paper
RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
Daniel Genkin, Technion and Tel Aviv University; Adi Shamir, Weizmann Institute of Science; Eran Tromer, Tel Aviv University
Source of the sound
What is it about
Extracts an RSA private key by observing the acoustic side-channel leak during decryption.
Source of the sound
Acoustic, really?
Why does a modern PC emit audible noise?
Source of the sound
Capacitor noise
High-pitched audible noise - capacitor is culprit #1.
Source of the sound
Capacitor noise - why?
Piezoelectric effect: the internal generation of a mechanical strain resulting from an applied electrical field. Note: the effect is reversible; the inverse direction is not of interest here.
[Figure: perovskite unit cell (Pb2+, Zr4+/Ti4+, O2−) below and above the Curie temperature, T < T_C and T > T_C, with the polarization P marked]
Source of the sound
Capacitor noise - how exactly?
[Figure: capacitor body before and after applying voltage, with the L-T and L-W dimensions and the LW face carrying the metal terminal; the large portion of the deformation is made into the free face]
Source of the sound
Coil - culprit #2
Source of the sound
Sound source
Dynamics of the pulse-width-modulation-based voltage regulator circuitry, which regulates the amount of energy supplied to the CPU.
Best microphone mounting points: fan exhaust, Ethernet port.
Experiment setup
Lab grade setup
1.25M samples per second, professional HW.
Experiment setup
Portable setup
200k samples per second, 100 kHz resolution. The attack works up to 1 m (4 m with a parabolic mic).
Experiment setup
Mobile setup
48k samples per second, low sensitivity, noise; pushing to the limits. The attack works up to a distance of 30 cm.
Experiment setup
Acoustic noise – multiple devices tested
(a) Asus N55SF
(b) Dell Inspiron 7720
(c) HP ProBook 4530s
(d) HP Pavilion Sleekbook 15-b005ej
(e) Samsung NP300V5A
(f) Lenovo ThinkPad W530
Experiment setup
Attack scenario
Attacking several GnuPG implementations.
Goal: recovery of a 4096-bit private key.
Adaptive chosen-ciphertext attack.
Recovers the private key bit by bit. Requires observing at least 2048 decryptions (n = pq).
Attack vector: Enigmail, the Thunderbird GPG plugin, which automatically decrypts incoming messages.
Experiment setup
Correlation of acoustic noise with executed code
Experiment setup
Correlation of acoustic noise with code length
Experiment setup
RSA implementation in GPG
n = pq, where n is the public modulus and p, q are the private primes.
e is the public exponent, d the secret private exponent, ed ≡ 1 (mod ϕ(n)).
Normal RSA decryption: m = c^d (mod n).
Optimization (by a factor of 4):
  d_p = d (mod (p − 1))
  d_q = d (mod (q − 1))
  m_1 = c^{d_p} (mod p)
  m_2 = c^{d_q} (mod q)
  m = combine m_1 and m_2 using the CRT
Thus 2 modular exponentiations; the attack targets the 2nd prime. The signal is somewhat stabilized after the first exponentiation, giving a better SNR.
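The CRT optimization above, worked through in code. This is an added example and not code from the slides or from GnuPG; the primes 999983 and 1000003 and the plaintext are constructed toy values (real keys use 1024- or 2048-bit primes). It shows the two half-size exponentiations, the recombination that the slide only names, and which value actually enters the second (attacked) exponentiation.

```python
# Added example, not from the slides or from GnuPG: RSA decryption the plain way and
# with the CRT optimization, on constructed toy primes.

P = 999983          # constructed toy prime
Q = 1000003         # constructed toy prime
E = 65537


def keygen(p, q, e):
    """Return (n, d, dp, dq, qinv) for the given primes and public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # ed ≡ 1 (mod ϕ(n)); modular inverse, Python 3.8+
    dp = d % (p - 1)             # d_p = d mod (p − 1)
    dq = d % (q - 1)             # d_q = d mod (q − 1)
    qinv = pow(q, -1, p)         # q^{-1} mod p, needed to recombine m_1 and m_2
    return n, d, dp, dq, qinv


def decrypt_plain(c, d, n):
    """Normal RSA decryption: one full-size exponentiation m = c^d mod n."""
    return pow(c, d, n)


def decrypt_crt(c, p, q, dp, dq, qinv):
    """CRT decryption: two exponentiations with half-size modulus and half-size
    exponent (hence the factor-of-4 speed-up), then Garner's recombination."""
    m1 = pow(c % p, dp, p)       # first exponentiation, mod p
    m2 = pow(c % q, dq, q)       # second exponentiation, mod q: the attacked one
    h = (qinv * (m1 - m2)) % p   # h such that m2 + h*q ≡ m1 (mod p)
    return m2 + h * q            # ≡ m1 (mod p) and ≡ m2 (mod q), and < p*q


def second_exponentiation_input(c, q):
    """The mod-q exponentiation does not see c itself but c reduced mod q.
    The attack chooses c so that this reduction either keeps or destroys a bit
    pattern, depending on one secret bit of q."""
    return c % q


def demo():
    n, d, dp, dq, qinv = keygen(P, Q, E)
    m = 123456789                # constructed plaintext, must be < n
    c = pow(m, E, n)
    return decrypt_plain(c, d, n), decrypt_crt(c, P, Q, dp, dq, qinv)


if __name__ == "__main__":
    print(demo())
```

Both decryptions return the same plaintext; only the CRT path performs the two short exponentiations whose acoustic signature the rest of the talk is about.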
Experiment setup
Attack 1 - Key distinguishability
5 GnuPG RSA signatures executed on a Lenovo ThinkPad T61. The transitions between p and q are marked with yellow arrows.
Experiment setup
Attack 2 - Key extraction
Determines the secret factor q one bit at a time, from MSB to LSB.
Notation: q_i is the i-th bit of q, counting from the MSB (i = 2048 for the MSB).
Incremental: assumes the key bits q_2048 … q_{i+1} are already recovered, then tests hypotheses about q_i.
Attacks the different control flow that occurs for different ciphertexts.
Targets multiplication optimizations (multiplication by zero vs. multiplication by a random number).
Notation: A = 00…0 (32 bits), 00…0 (32 bits), …, 00…0 (32 bits): an array of limbs.
Experiment setup
Adaptive chosen cipher text attack
The ciphertext is passed directly to the modular exponentiation algorithm.
Specially crafted ciphertext:
  g_{i,0} = q_2048, q_2047, …, q_{i+1} (topmost bits, already recovered), 0, 1, 1, …, 1 (the rest are ones)
Leakage: modular reduction (mod q):
a) let q_i = 1
  q       = q_2048, q_2047, …, q_{i+1}, 1, q_{i−1}, q_{i−2}, …, q_1
  g_{i,0} = q_2048, q_2047, …, q_{i+1}, 0, 1, 1, …, 1
  g_{i,0} < q ⇒ g_{i,0} mod q = g_{i,0}, which preserves the pattern of g_{i,0}.
Experiment setup
Adaptive chosen cipher text attack
Same crafted ciphertext g_{i,0} as above (recovered top bits, a 0 at position i, then ones).
Leakage: modular reduction (mod q):
b) let q_i = 0
  q       = q_2048, q_2047, …, q_{i+1}, 0, q_{i−1}, q_{i−2}, …, q_1
  g_{i,0} = q_2048, q_2047, …, q_{i+1}, 0, 1, 1, …, 1
  g_{i,0} ≥ q ⇒ g_{i,0} mod q = g_{i,0} − q, which is an (i − 1)-bit random-looking number.
Experiment setup
Adaptive chosen cipher text attack
Summary of the leakage from the modular reduction (mod q) of the crafted ciphertext g_{i,0}:
If q_i = 1 ⇒ g_{i,0} < q ⇒ g_{i,0} mod q = g_{i,0}, preserving the pattern of g_{i,0}.
If q_i = 0 ⇒ g_{i,0} ≥ q ⇒ g_{i,0} mod q = g_{i,0} − q, an (i − 1)-bit random-looking number.
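The case analysis of the last four slides carried through in code, together with the countermeasure that makes it moot. This is an added example, not code from the slides, the paper or GnuPG. The toy key uses the known primes 2^61 − 1 and 2^64 − 59 instead of 2048-bit ones, so i runs from 64 down to 1 rather than from 2048; the acoustic measurement is replaced by an ideal oracle that simply checks whether the mod-q reduction left g_{i,0} intact, which is exactly the property the slides derive. The blinding routine is the standard ciphertext-blinding countermeasure (the fix GnuPG shipped for this attack): after blinding, the value that reaches the mod-q reduction is random-looking whatever q_i is, so the same oracle no longer tells the two cases apart.

```python
import random

# Added example, not from the slides or from GnuPG. Constructed toy key:
# Q = 2^64 - 59 and P = 2^61 - 1 are known primes; real keys use 1024/2048-bit primes.
P = (1 << 61) - 1
Q = (1 << 64) - 59
N = P * Q
E = 65537
BITS = Q.bit_length()          # 64 here; 2048 on the slides (i = 2048 is the MSB)


def crafted_ciphertext(prefix, i):
    """g_{i,0}: the already-recovered top bits (prefix = q >> i), then bit i = 0,
    then i-1 ones. Bit i has weight 2^(i-1); i = 1 is the LSB."""
    return (prefix << i) + (1 << (i - 1)) - 1


def reduction_keeps_pattern(fed, q, g):
    """Ideal oracle standing in for the acoustic measurement: did the mod-q
    reduction of the value fed to the second exponentiation leave g_{i,0}
    intact (q_i = 1), or turn it into a random-looking (i-1)-bit number (q_i = 0)?"""
    return fed % q == g


def case_analysis(q, i):
    """Return (q_i, pattern kept?, bit length of g_{i,0} mod q) for one position i."""
    g = crafted_ciphertext(q >> i, i)
    q_i = (q >> (i - 1)) & 1
    return q_i, reduction_keeps_pattern(g, q, g), (g % q).bit_length()


def blind(c, rng):
    """Ciphertext blinding: decrypt c * r^e mod n instead of c (the decryptor later
    multiplies the result by r^-1 mod n). Only the blinded input matters here:
    reduced mod q it is random-looking regardless of q_i."""
    r = rng.randrange(2, N - 1)
    return (c * pow(r, E, N)) % N


def recover_with_ideal_oracle(q, blinded=False, seed=1):
    """Bit-by-bit loop from the slides, MSB to LSB, driven by the ideal oracle.
    Without blinding it reconstructs q; with blinding the oracle's answer no longer
    depends on q_i and the result is garbage, i.e. the leak is removed at its source."""
    rng = random.Random(seed)
    recovered = 0
    for i in range(BITS, 0, -1):
        g = crafted_ciphertext(recovered, i)
        fed = blind(g, rng) if blinded else g
        bit = 1 if reduction_keeps_pattern(fed, q, g) else 0
        recovered = (recovered << 1) | bit
    return recovered


if __name__ == "__main__":
    print(case_analysis(Q, 64), case_analysis(Q, 6))
    print(recover_with_ideal_oracle(Q) == Q, recover_with_ideal_oracle(Q, blinded=True) == Q)
```

For Q = 2^64 − 59 the bits below position 7 are 000101, so position 6 is a q_i = 0 case: g_{6,0} ≥ Q and g_{6,0} − Q = 26, a 5-bit number, matching the "(i − 1)-bit random-looking number" on the slide.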
Experiment setup
Modular exponentiation
Experiment setup
Source of side-channel leakage
Experiment setup
Karatsuba
Recursive algorithm for fast integer multiplication in Θ(n^{log_2 3}). Faster than the schoolbook algorithm (for suitably large integers). Based on the following identity:
  u = u_H | u_L (concatenation of the high and low halves)
  v = v_H | v_L
  uv = (2^{2n} + 2^n) u_H v_H           [1st mult.]
       − 2^n (u_H − u_L)(v_H − v_L)     [2nd mult.; (v_H − v_L) will be almost zero]
       + (2^n + 1) u_L v_L              [3rd mult.]
The ciphertext c is passed to Karatsuba as the second parameter. The special form of the ciphertext causes the marked part to be zero. The recursion invokes Karatsuba(u_H − u_L, v_H − v_L), which leads to multiplication by zero.
Experiment setup
Karatsuba
uv = (2^{2n} + 2^n) u_H v_H [1st mult., h] − 2^n (u_H − u_L)(v_H − v_L) [2nd mult., t; (v_H − v_L) will be almost zero] + (2^n + 1) u_L v_L [3rd mult., l]
[Figure: Karatsuba recursive expansion]
If q_i = 1 ⇒ c = q_2048, q_2047, …, q_{i+1}, 0, 1, 1, …, 1 ⇒ many zero limbs in the 2nd multiplication's argument.
If q_i = 0 ⇒ c is a random-looking number.
Experiment setup
Source of side-channel leakage
Computation is very fast (GHz) while the acoustic channel is narrow (kHz); the attack would not be possible without amplification.
The leaking function is called many times during one decryption: 7 × 12 × 2048 = 172032 invocations.
Such a number of invocations creates a detectable pattern (random vs. zero bits) in the acoustic spectrum.
[Figure: Karatsuba recursive expansion]
Experiment setup
Source of side-channel leakage
[Figure: (a) attacking a 0 bit; (b) attacking a 1 bit; (c) frequency spectra of the second modular exponentiation. Axes: Frequency (kHz), 34 to 39; Power (nanovolts), 0 to 4.5. Curves: attacked bit is 1, attacked bit is 0.]
Experiment setup
Attack technicalities
The more bits are recovered, the closer together the frequency peaks in the spectrum become. The analysis gets complicated, but the core idea still holds.
Frequency spectrum for ciphertexts of size 2048 bits with various sizes of zero words:
[Figure: x-axis frequency (kHz), 35 to 39; y-axis number of zero limbs in the second operand of MUL_BASECASE, 0 to 250000.]
Experiment setup
Attack preview
[Figure: Power (dB), −300 to −160, against Frequency (kHz), 35 to 39. Curves: template for one bit, template for zero bit, spectrum of zero bit.]
Experiment setup
Attack scheme
1. Obtain an acoustic trace of the second modular exponentiation. Obtain templates T_0, T_1.
2. Compute the frequency spectrum s of the trace (sliding window FFT, median binning).
3. Peak smoothing (noise removal).
4. Normalization (remove the microphone pattern).
5. Compute the distance of s from templates T_0 and T_1, allowing some shift (frequency left/right).
6. Classification.
7. Template update: create new templates T_0, T_1 for the next bit.
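To make steps 3 to 7 concrete, here is an added Python example; it is not code from the slides or from the paper's authors. The spectra are plain lists of power values per frequency bin, constructed by hand to stand in for the output of step 2 (the sliding-window FFT with median binning is not reproduced), and the microphone response is assumed flat. All bin positions, template shapes and sample values are assumptions for illustration.

```python
# Added example, not code from the slides or the paper: a toy version of the
# per-bit template classification (steps 3-7 of the attack scheme above) run on
# constructed spectra. Each spectrum is a list of power values, one per
# frequency bin, standing in for the output of step 2.
from typing import List, Sequence, Tuple

Spectrum = List[float]


def smooth(spec: Sequence[float], width: int = 3) -> Spectrum:
    """Step 3: moving-average smoothing to suppress bin-to-bin noise."""
    half = width // 2
    out = []
    for i in range(len(spec)):
        window = spec[max(0, i - half):min(len(spec), i + half + 1)]
        out.append(sum(window) / len(window))
    return out


def normalize(spec: Sequence[float], mic_pattern: Sequence[float]) -> Spectrum:
    """Step 4: divide out the microphone's frequency response, then scale to unit peak."""
    flat = [s / m for s, m in zip(spec, mic_pattern)]
    peak = max(flat) or 1.0
    return [v / peak for v in flat]


def shifted_distance(spec: Sequence[float], template: Sequence[float], max_shift: int) -> float:
    """Step 5: RMS distance, minimised over a frequency shift of up to max_shift bins."""
    best = float("inf")
    n = len(spec)
    for shift in range(-max_shift, max_shift + 1):
        total, count = 0.0, 0
        for i in range(n):
            j = i + shift
            if 0 <= j < n:
                total += (spec[i] - template[j]) ** 2
                count += 1
        best = min(best, (total / count) ** 0.5)
    return best


def classify(spec: Sequence[float], t0: Sequence[float], t1: Sequence[float],
             max_shift: int = 1) -> Tuple[int, float, float]:
    """Step 6: the nearer template wins; both distances are returned for inspection."""
    d0 = shifted_distance(spec, t0, max_shift)
    d1 = shifted_distance(spec, t1, max_shift)
    return (0 if d0 <= d1 else 1), d0, d1


def update_template(template: Sequence[float], spec: Sequence[float], weight: float = 0.5) -> Spectrum:
    """Step 7: blend the just-classified spectrum into its template for the next bit."""
    return [(1 - weight) * t + weight * s for t, s in zip(template, spec)]


def recover_bits(raw_spectra: Sequence[Sequence[float]], t0: Sequence[float], t1: Sequence[float],
                 mic_pattern: Sequence[float], max_shift: int = 1) -> List[int]:
    """Run steps 3-7 once per attacked bit; the templates drift as bits are classified."""
    bits = []
    for raw in raw_spectra:
        spec = normalize(smooth(raw), mic_pattern)
        bit, _, _ = classify(spec, t0, t1, max_shift)
        if bit == 0:
            t0 = update_template(t0, spec)
        else:
            t1 = update_template(t1, spec)
        bits.append(bit)
    return bits


# Constructed inputs (assumptions, not measured data): 10 frequency bins; the
# zero-bit template peaks at bin 3, the one-bit template at bin 7, flat microphone.
T0 = [0, 0, 0.2, 1.0, 0.2, 0, 0, 0, 0, 0]
T1 = [0, 0, 0, 0, 0, 0, 0.2, 1.0, 0.2, 0]
MIC = [1.0] * 10
SAMPLES = [
    [0.05, 0.0, 0.05, 0.3, 1.2, 0.3, 0.05, 0.0, 0.05, 0.0],  # zero-bit shape, peak drifted to bin 4
    [0.0, 0.05, 0.0, 0.0, 0.05, 0.1, 0.3, 1.1, 0.3, 0.05],   # one-bit shape, on template
    [0.05, 0.1, 0.3, 1.0, 0.3, 0.05, 0.0, 0.0, 0.05, 0.0],   # zero-bit shape, on template
]

if __name__ == "__main__":
    print(recover_bits(SAMPLES, T0, T1, MIC))  # [0, 1, 0]
```

The first constructed sample is deliberately shifted one bin off its template, which is why step 5 allows a frequency shift: with `max_shift=0` the distance to the zero template grows and the margin between the two classes shrinks. The loop above has no backtracking; the slide's error check (the following bits all coming out the same after a misclassification) would sit around `recover_bits`, re-running from the last bit whose classification was unambiguous.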
Dušan Klinec (FI MUNI) Ph4r05 13. 3. 2014 31 / 36
![Page 65: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader034.fdocuments.in/reader034/viewer/2022052701/55d57c0dbb61eb05618b45df/html5/thumbnails/65.jpg)
Experiment setup
Attack scheme
If the attack misclassifies some q_i, use backtracking. The error is detected because the following bits then all come out the same (e.g., all ones).
Dušan Klinec (FI MUNI) Ph4r05 13. 3. 2014 32 / 36
![Page 66: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader034.fdocuments.in/reader034/viewer/2022052701/55d57c0dbb61eb05618b45df/html5/thumbnails/66.jpg)
Experiment setup
Countermeasures
Artificial CPU load on another core. Does not work. It shifts the leakage frequency from 35-38 kHz to 32-35 kHz, actually helping the attack.
Another side-channel fix (CPU cache, multiplication): the multiplication is performed regardless of d_i, doubling the number of multiplications and helping the attack.
Ciphertext randomization. Works. Let r be a random 4096-bit number. (r^e × c)^d × r^(-1) mod n = c^d mod n.
Modulus randomization. Works. Let t be a random medium-sized integer. Compute m'_q = c^(d_q) mod (tq), then m_q = m'_q mod q.
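The two countermeasures the slide reports as working, checked against plain RSA-CRT decryption, as an added Python example (not code from the slides or the paper). The key is built from two small constructed primes so it runs instantly; the blinding value r is drawn below n rather than as a 4096-bit number, and t is a random 32-bit odd integer, both assumptions made here.

```python
# Added example, not from the slides or the paper: ciphertext randomization and
# modulus randomization next to the plain RSA-CRT decryption they protect.
# The primes are constructed for a quick demo and are nowhere near a real key size.
import secrets
from math import gcd
from typing import Dict, Tuple

E = 65537


def make_demo_key(p: int = 104729, q: int = 1299709) -> Dict[str, int]:
    """RSA-CRT key from two constructed small primes (demo only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def crt_combine(mp: int, mq: int, key: Dict[str, int]) -> int:
    """Garner recombination: m = m_q + q * ((m_p - m_q) * q^-1 mod p)."""
    h = (key["qinv"] * (mp - mq)) % key["p"]
    return mq + h * key["q"]


def crt_decrypt(c: int, key: Dict[str, int]) -> int:
    """Plain RSA-CRT decryption: the baseline whose modular exponentiations leak."""
    mp = pow(c, key["dp"], key["p"])
    mq = pow(c, key["dq"], key["q"])
    return crt_combine(mp, mq, key)


def random_unit(n: int) -> int:
    """Random r in [2, n-1] with gcd(r, n) = 1, so r^-1 mod n exists."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r


def blinded_decrypt(c: int, key: Dict[str, int]) -> int:
    """Ciphertext randomization: (r^e * c)^d * r^-1 mod n = c^d mod n.

    The exponentiation now runs on r^e * c, a value the attacker neither chose
    nor knows, so repeated decryptions of the same c give different traces.
    """
    n, e = key["n"], key["e"]
    r = random_unit(n)
    c_blind = (pow(r, e, n) * c) % n
    m_blind = crt_decrypt(c_blind, key)          # (r^e * c)^d = r * c^d (mod n)
    return (m_blind * pow(r, -1, n)) % n         # strip the factor r


def random_odd(bits: int) -> int:
    """Random t with exactly `bits` bits (top bit set, odd): the 'medium sized' t."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def randomized_modulus_decrypt(c: int, key: Dict[str, int], t_bits: int = 32) -> int:
    """Modulus randomization: m'_q = c^d_q mod (t*q), then m_q = m'_q mod q (and likewise for p).

    Reducing mod t*q and then mod q gives exactly c^d_q mod q, because q divides t*q,
    while the intermediate values of the exponentiation differ on every call.
    """
    p, q = key["p"], key["q"]
    tp, tq = random_odd(t_bits), random_odd(t_bits)
    mp = pow(c, key["dp"], tp * p) % p
    mq = pow(c, key["dq"], tq * q) % q
    return crt_combine(mp, mq, key)


def demo(m: int = 123456789) -> Tuple[int, int, int]:
    """Encrypt a constructed message and decrypt it all three ways; all must agree."""
    key = make_demo_key()
    c = pow(m, key["e"], key["n"])
    return crt_decrypt(c, key), blinded_decrypt(c, key), randomized_modulus_decrypt(c, key)


if __name__ == "__main__":
    print(demo())  # (123456789, 123456789, 123456789)
```

Both countermeasures cost one extra modular inverse or a slightly longer modulus per decryption and leave the result unchanged; what they remove is the attacker's control over the value that the second modular exponentiation actually processes.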
Dušan Klinec (FI MUNI) Ph4r05 13. 3. 2014 33 / 36
![Page 70: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader034.fdocuments.in/reader034/viewer/2022052701/55d57c0dbb61eb05618b45df/html5/thumbnails/70.jpg)
Experiment setup
Conclusions
The attack is realistic. Within one hour it recovers a 4096-bit private key.
Attack scenario: a mobile phone near the laptop performs the attack, generating ciphertexts on the fly.
Attack scenario: a hidden microphone in the docking station or in the table.
Attack scenario: self-spying (malware on the PC).
Dušan Klinec (FI MUNI) Ph4r05 13. 3. 2014 34 / 36
![Page 71: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader034.fdocuments.in/reader034/viewer/2022052701/55d57c0dbb61eb05618b45df/html5/thumbnails/71.jpg)
Experiment setup
Questions?
Dušan Klinec (FI MUNI) Ph4r05 13. 3. 2014 35 / 36
![Page 72: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](https://reader034.fdocuments.in/reader034/viewer/2022052701/55d57c0dbb61eb05618b45df/html5/thumbnails/72.jpg)
Experiment setup
References & sources
https://www.cs.tau.ac.il/~tromer/acoustic/
https://68kmla.org/forums/viewtopic.php?f=10&t=13101
https://eeepitnl.tksc.jaxa.jp/mews/jp/26th/data/2_12_4.pdf
http://www.bjorn3d.com/2013/09/asus-gtx-780-directcu-ii-oc/
http://img.techpowerup.org/120520/vrm.jpg
https://en.wikipedia.org/wiki/Piezoelectricity
Disclaimer: Images are not my own, some of them may be from an unknown source. Apologies for not referencing them correctly.
Dušan Klinec (FI MUNI) Ph4r05 13. 3. 2014 36 / 36