RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

Genkin, Daniel; Shamir, Adi; Tromer, Eran

doi:10.1007/978-3-662-44371-2_25

Cited by 269 publications

(179 citation statements)

References 18 publications

Supporting

Mentioning

158

Contrasting

Unclassified

Order By: Relevance

“…Accordingly, a great deal of research is conducted to find out which side channels can be used [77,138] and how they can be optimally exploited [91]. Different algorithms are analyzed with respect to their susceptibility towards these attacks [33,99,141].…”

Section: Thesis Statementmentioning

confidence: 99%

“…In 2013, the acoustic side channel was presented [77]. The authors show how a 4096-bit RSA key can be extracted by analyzing the acoustic frequency spectrum during decryption.…”

Section: Other Side Channelsmentioning

confidence: 99%

“…Only recently two more assessments of physical complexity proved to be wrong: the acoustic side channel and cloning of PUFs. The acoustic side channel, which exploits variations in the sound generated by a computer, was known for ten years, but it has not been taken seriously until practical results were presented in 2013 [77]. Measuring acoustic emanations with a sufficient signal strength was considered impossible with a good quality due to the low bandwidth and the low emission strength of this side channel.…”

Section: Advice For Cryptographersmentioning

confidence: 99%

See 2 more Smart Citations

Why Cryptography Should Not Rely on Physical Attack Complexity

Krämer

2015

T-Labs Series in Telecommunication Services

View full text Add to dashboard Cite

Ich versichere an Eides statt, dass ich diese Dissertation selbständig verfasst und nur die angegebenen Quellen und Hilfsmittel verwendet habe. Datum Für meine Eltern AbstractEver since the first side channel attacks and fault attacks on cryptographic devices were introduced in the mid-nineties, new possibilities of physical attacks have been consistently explored. The risk that these attacks pose is reduced by reacting to known attacks and by developing and implementing countermeasures against them. For physical attacks whose theory is known but which have not been conducted yet, however, the situation is different. Attacks whose physical realization is assumed to be very complex are taken less seriously. The trust that these attacks will not be realized due to their physical complexity means that no countermeasures are developed at all. This leads to unprotected devices once the assessment of the complexity turns out to be wrong.This thesis presents two practical physical attacks whose theory is known for several years. Since neither attack has previously been successfully implemented in practice, however, they were not considered a serious threat. Their physical attack complexity has been overestimated and the implied security threat has been underestimated. First, we introduce the photonic side channel, which offers not only temporal resolution, but also the highest possible spatial resolution. Due to the high cost of its first realization, it has not been taken seriously. We show both simple and differential photonic side channel analyses. Then, we present a fault attack against pairing-based cryptography. Due to the need for at least two independent precise faults in a single pairing computation, it has also not been taken seriously. We show how attackers can reveal the secret key of symmetric as well as asymmetric cryptographic algorithms based on these physical attacks. We present countermeasures on the software and the hardware level, which help to prevent these attacks in the future.Based on these two presented attacks, this thesis shows that the assessment of physical attack complexity is error-prone. Hence, cryptography should not rely on it. Cryptographic technologies have to be protected against all physical attacks, have they already been realized or not. The development of countermeasures does not require the successful execution of an attack but can already be carried out as soon as the principle of a side channel or a fault attack is understood.

show abstract

Section: Thesis Statementmentioning

confidence: 99%

“…In 2013, the acoustic side channel was presented [77]. The authors show how a 4096-bit RSA key can be extracted by analyzing the acoustic frequency spectrum during decryption.…”

Section: Other Side Channelsmentioning

confidence: 99%

Section: Advice For Cryptographersmentioning

confidence: 99%

See 1 more Smart Citation

Why Cryptography Should Not Rely on Physical Attack Complexity

Krämer

2015

T-Labs Series in Telecommunication Services

View full text Add to dashboard Cite

show abstract

“…Applying them in practice is a matter of adapting them to the corresponding hardware implementation. The security of microcontrollers has been extensively examined, and a number of fault and side-channel attacks have been found, e.g., [4,12,20,21]. Therefore, we focus on smart-card based wallets, which provide guarantees against physical and interdiction attacks and have traditionally been used for key management and cryptographic operations.…”

Section: Introductionmentioning

confidence: 99%

Low-Level Attacks in Bitcoin Wallets

Gkaniatsou

Arapinis

Kiayias

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. As with every financially oriented protocol, there has been a great interest in studying, verifying, attacking, identifying problems, and proposing solutions for Bitcoin. Within that scope, it is highly recommended that the keys of user accounts are stored offline. To that end, companies provide solutions that range from paper wallets to tamper-resistant smart-cards, offering different level of security. While incorporating expensive hardware for the wallet purposes is though to bring guarantees, it is often that the low-level implementations introduce exploitable back-doors. This paper aims to bring to attention how the overlooked low-level protocols that implement the hardware wallets can be exploited to mount Bitcoin attacks. To demonstrate that, we analyse the general protocol behind LEDGER Wallets, the only EAL5+ certified against side channel analysis attacks hardware. In this work we conduct a throughout analysis on the Ledger Wallet communication protocol and show how to successfully attack it in practice. We address the lack of well-defined security properties that Bitcoin wallets should conform by articulating a minimal threat model against which any hardware wallet should defend. We further use that threat model to propose a lightweight fix that can be adopted by different technologies.

show abstract

“…Passive side-channel attacks, or leakage attacks, such as timing attacks, power analysis attacks, acoustic attacks, and more [1,6,24,30,36,37], have proven highly detrimental. Indeed, it has been shown that leakage attacks can be used to recover the entire secret key in common implementations of the RSA [25], AES [45] and DES [35] cryptosystems. These attacks are not just theoretical, and can be launched in complex, reallife settings, e.g.…”

Section: Introductionmentioning

confidence: 99%

Leakage-Resilient Circuits Revisited – Optimal Number of Computing Components Without Leak-Free Hardware

Dachman-Soled

Liu

Zhou

2015

Advances in Cryptology - EUROCRYPT 2015

View full text Add to dashboard Cite

Side channel attacks -attacks that exploit implementation-dependent information of a cryptosystem -have been shown to be highly detrimental, and the cryptographic community has recently focused on developing techniques for securing implementations against such attacks. An important model called Only Computation Leaks (OCL) [Micali and Reyzin, TCC '04] and its stronger variants were proposed to model a broad class of leakage attacks (a type of side-channel attack). These models allow for unbounded, arbitrary leakage as long as (1) information in each leakage observation is bounded, and (2) different parts of the computation leak independently. Various results and techniques have been developed for these models and we continue this line of research in the current work.We address the problem of compiling any circuit into a circuit secure against OCL attacks. In order to leverage the OCL assumption, the resulting circuit will be split into components, where at any point in time only a single component is active. Optimally, we would like to output a circuit that has only one component, and no part of the computation needs to be leak-free. However, this task is impossible due to the result of Barak et al. [JACM '12]. The current state-of-the-art constructions achieve either two components with additional leak-free hardware, or many components without leak-free hardware.In this work, we show how to achieve the best of both worlds: We construct two-component OCL schemes without relying on leak-free components. Our approach is general and modular -we develop generic techniques to remove the hardware component from hardware-based constructions, when the functionality provided by the hardware satisfies some properties. Our techniques use universal deniable encryption (recently constructed by Sahai and Water [STOC '14] using indistinguishable obfuscation) and non-committing encryption in a novel way. Then, we observe that the functionalities of the hardware used in previous two-component constructions of Juma and Vahlis [Crypto '10], and Dziembowski and Faust [TCC '12] satisfy the required properties.The techniques developed in this paper have deep connections with adaptively secure and leakage tolerant multi-party computation (MPC). Our constructions immediately yield adaptively secure and leakage tolerant MPC protocols for any no-input randomized functionality in the semi-honest model. The result holds in the CRS model, without pre-processing. Our results also have implications to twoparty leakage tolerant computation for arbitrary functionalities, which we obtain by combining our constructions with a recent result of Bitansky, and Lin [Crypto '14].

show abstract

RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

Cited by 269 publications

References 18 publications

Why Cryptography Should Not Rely on Physical Attack Complexity

Why Cryptography Should Not Rely on Physical Attack Complexity

Low-Level Attacks in Bitcoin Wallets

Leakage-Resilient Circuits Revisited – Optimal Number of Computing Components Without Leak-Free Hardware

Contact Info

Product

Resources

About