Paper 2011/232

Remote Timing Attacks are Still Practical

Billy Bob Brumley and Nicola Tuveri

Abstract

For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryptosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem with a goal to provide side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery's ladder that performs a fixed sequence of curve and field operations. This paper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key. Finally, we describe and implement an effective countermeasure.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
side-channel attackstiming attackselliptic curve cryptographylattice attacks.
Contact author(s)
bbrumley @ tcs hut fi
History
2011-06-08: revised
2011-05-17: received
See all versions
Short URL
https://ia.cr/2011/232
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2011/232,
      author = {Billy Bob Brumley and Nicola Tuveri},
      title = {Remote Timing Attacks are Still Practical},
      howpublished = {Cryptology ePrint Archive, Paper 2011/232},
      year = {2011},
      note = {\url{https://eprint.iacr.org/2011/232}},
      url = {https://eprint.iacr.org/2011/232}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.