• Corpus ID: 51840365

One&Done: A Single-Decryption EM-Based Attack on OpenSSL's Constant-Time Blinded RSA

Monjur Alam, Haider Adnan Khan, Moumita Dey, Nishith Sinha, Robert Locke Callan, Alenka G. Zajić, Milos Prvulović. USENIX Security Symposium.
This paper presents the first side channel attack approach that, without relying on the cache organization and/or timing, retrieves the secret exponent from a single decryption on arbitrary ciphertext in a modern (current version of OpenSSL) fixed-window constant-time implementation of RSA. Specifically, the attack recovers the exponent’s bits during modular exponentiation from analog signals that are unintentionally produced by the processor as it executes the constant-time code that… 
Online Template Attack on ECDSA: Extracting Keys via the Other Side
In this thesis, compromising the secret ECDSA key used while signing a message is extended by applying the concept of an online template attack to its verification counterpart, which makes it nearly impossible for an attacker to build meaningful templates.
Breaking Mobile Firmware Encryption through Near-Field Side-Channel Analysis
This paper describes how a secret AES key was retrieved from the hardware cryptoprocessor of a smartphone as part of an attack scenario targeting the bootloader decryption.
Real-World Snapshots vs. Theory: Questioning the t-Probing Security Model
A novel laser-assisted SCA technique is presented, called Laser Logic State Imaging (LLSI), which offers an unlimited number of contactless probes, and therefore, violates the probing security model assumption.
Stochastic methods defeat regular RSA exponentiation algorithms with combined blinding methods
This article derives stochastic attacks to defeat Rivest-Shamir-Adleman (RSA) with Montgomery ladder regular exponentiation coupled with base blinding, by leveraging precharacterized multivariate probability mass functions of extra-reductions between pairs of (multiplication, square) in one iteration of the RSA algorithm and that of the next one(s) to build a maximum likelihood distinguisher.
Maya: Using Formal Control to Obfuscate Power Side Channels
Maya is presented, a simple and effective defense against power side channels that uses formal control to re-shape the power dissipated by a computer in an application-transparent manner, preventing attackers from learning any information about the applications that are running.
PITEM: Permutations-Based Instruction Tracking Via Electromagnetic Side-Channel Signal Analysis
PITEM, a framework for instruction-level monitoring and malware detection that applies hierarchical clustering to electromagnetic (EM) side-channel signals, is proposed, and its ability to detect fine-grained malware with 99.89 percent accuracy is demonstrated.
Maya: Falsifying Power Sidechannels with Dynamic Control
This paper presents Maya, a simple and effective solution against power side-channels, which re-shapes the power dissipated by an application in an application-transparent manner using control theory techniques, preventing attackers from learning any information.
Graphics Peeping Unit: Exploiting EM Side-Channel Information of GPUs to Eavesdrop on Your Neighbors
This paper presents a new electromagnetic (EM) side-channel vulnerability that has been discovered in many GPUs of both NVIDIA and AMD and can be exploited to mount realistic attacks through two case studies, which are website fingerprinting and keystroke timing inference attacks.
Leveraging EM Side-Channel Information to Detect Rowhammer Attacks
This paper has found that there are recognizable hammering-correlated sideband patterns in the spectrum of the DRAM clock signal that can "expose" any potential rowhammer attacks including the extremely elusive ones hidden inside encrypted and isolated environments like Intel SGX enclaves.
A Study on the Side-Channel Analysis Trends for Application to IoT Devices
The urgency of developing countermeasures to single-trace attacks, which use only side-channel information and apply not only to public-key cryptography but also to post-quantum cryptography, an area actively studied in preparation for the quantum computing era, is pointed out.
Stealing Keys from PCs Using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation
New side-channel attacks on RSA and ElGamal implementations that use the popular sliding-window or fixed-window modular exponentiation algorithms are presented, which can extract decryption keys using a very low measurement bandwidth even when attacking multi-GHz CPUs.
Cache Games -- Bringing Access-Based Cache Attacks on AES to Practice
This paper considers the AES block cipher and presents an attack which is capable of recovering the full secret key in almost real time for AES-128, requiring only a very limited number of observed encryptions, and is the first working attack on AES implementations using compressed tables.
A first step towards automatic application of power analysis countermeasures
This work introduces a systematic methodology for automatic application of software countermeasures and demonstrates its effectiveness on an AES software implementation running on an 8-bit AVR microcontroller.
Get your hands off my laptop: physical side-channel key-extraction attacks on PCs
We demonstrate physical side-channel attacks on a popular software implementation of RSA and ElGamal, running on laptop computers. Our attacks use novel side channels, based on the observation that
New cache designs for thwarting software cache-based side channel attacks
The results show that the new cache designs with built-in security can defend against cache-based side channel attacks in general, rather than only specific attacks on a given cryptographic algorithm, with very little performance degradation and hardware cost.
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
P. Kocher · Computer Science, Mathematics · 1996
By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems.
DES and Differential Power Analysis (The "Duplication" Method)
It is shown that it is possible to build an implementation that is provably DPA-resistant, in a "local" and restricted way (i.e. when - given a chip with a fixed key - the attacker only tries to detect predictable local deviations in the differentials of mean curves).
DPA, Bitslicing and Masking at 1 GHz
It is shown that, despite the complex hardware and software, high clock frequencies and practical measurement issues, the AES implementation can be broken with DPA starting from a few thousand measurements of the electromagnetic emanation of a decoupling capacitor near the processor.
FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-Channel Attack
This paper presents FLUSH+RELOAD, a cache side-channel attack technique that exploits a weakness in Intel x86 processors to monitor access to memory lines in shared pages and recovers 96.7% of the bits of the secret key by observing a single signature or decryption round.
Template Attacks
This work presents template attacks, the strongest form of side channel attack possible in an information theoretic sense, and describes in detail how an implementation of RC4, not amenable to techniques such as SPA and DPA, can be broken using template attacks with a single sample.