Timing Attacks on Implementations of
Die-Hellman, RSA, DSS, and Other Systems
Paul C. Ko cher
Cryptography Research, Inc.
607 Market Street, 5th Flo or, San Francisco, CA 94105, USA.
E-mail: paul@cryptography.com.
Abstract. By carefully measuring the amount of time required to p er-
form private key op erations, attackers may b e able to nd xed Die-
Hellman exp onents, factor RSA keys, and break other cryptosystems.
Against a vulnerable system, the attack is computationally inexp ensive
and often requires only known ciphertext. Actual systems are p otentially
at risk, including cryptographic tokens, network-based cryptosystems,
and other applications where attackers can make reasonably accurate
timing measurements. Techniques for preventing the attack for RSA and
Die-Hellman are presented. Some cryptosystems will need to be re-
vised to protect against the attack, and new proto cols and algorithms
may need to incorp orate measures to prevent timing attacks.
Keywords: timing attack, cryptanalysis, RSA, Die-Hellman, DSS.
1 Intro duction
Cryptosystems often take slightly di erent amounts of time to pro cess di erent
inputs. Reasons include p erformance optimizations to bypass unnecessary op-
erations, branching and conditional statements, RAM cache hits, pro cessor in-
structions (suchasmultiplication and division) that run in non- xed time, and
awidevariety of other causes. Performance characteristics typically dep end on
b oth the encryption key and the input data (e.g., plaintext or ciphertext). While
it is known that timing channels can leak data or keys across a controlled p erime-
ter, intuition might suggest that unintentional timing characteristics would only
reveal a small amount of information from a cryptosystem (such as the Ham-
ming weightofthekey). However, attacks are presented which can exploit timing
measurements from vulnerable systems to nd the entire secret key.
2 Cryptanalysis of a Simple Mo dular Exp onentiator
Die-Hellman[2] and RSA[8] private-key op erations consist of computing R =
x
y mo d n, where n is public and y can be found byan eavesdropp er. The at-
tacker's goal is to nd x, the secret key.For the attack, the victim must com-
x
pute y mo d n for several values of y ,wherey , n, and the computation time are
known to the attacker. (If a new secret exp onent x is chosen for each op eration,
the attackdoesnotwork.) The necessary information and timing measurements
might b e obtained by passively eavesdropping on an interactive proto col, since
an attacker could record the messages received by the target and measure the
amount of time taken to resp ond to each y . The attack assumes that the attacker
knows the design of the target system, although in practice this could probably
b e inferred from timing information.
The attack can b e tailored to work with virtually any implementation that
do es not run in xed time, but is rst outlined using the simple mo dular exp o-
x
nentiation algorithm b elowwhich computes R = y mo d n, where x is w bits
long:
Let s =1.
0
For k =0 upto w 1:
If (bit k of x) is 1 then
Let R =(s y )mod n.
k k
Else
Let R = s .
k k
2
Let s = R mo d n.
k +1
k
EndFor.
Return (R ).
w 1
The attackallows someone who knows exp onentbits0::(b-1) to nd bit b.To
obtain the entire exp onent, start with b equal to 0 and rep eat the attackuntil
the entire exp onentisknown.
Because the rst b exp onent bits are known, the attacker can compute the
rst b iterations of the For lo op to nd the value of s . The next iteration requires
b
the rst unknown exp onent bit. If this bit is set, R = (s y )modn will be
b b
computed. If it is zero, the op eration will b e skipp ed.
The attack will be describ ed rst in an extreme hyp othetical case. Sup-
p ose the target system uses a mo dular multiplication function that is nor-
mally extremely fast but o ccasionally takes much more time than an entire
normal mo dular exp onentiation. For a few s and y values the calculation of
b
R =(s y )mod n will b e extremely slow, and by using knowledge ab out the
b b
target system's design the attacker can determine which these are. If the total
mo dular exp onentiation time is ever fast when R =(s y )modn is slow, exp o-
b b
nentbit b must b e zero. Conversely, if slow R =(s y )modn op erations always
b b
result in slow total mo dular exp onentiation times, the exp onent bit is probably
set. Once exp onentbitb is known, the attacker can verify that the overall op er-
2
ationtimeisslow whenever s = R mo d n is exp ected to b e slow. The same
b+1
b
set of timing measurements can then b e reused to nd the following exp onent
bits.
3 Error Correction
If exp onent bit b is guessed incorrectly, the values computed for R will be
k b
incorrect and, so far as the attack is concerned, essentially random. The time 2
required for multiplies following the error will not be re ected in the overall
exp onentiation time. The attackthus has an error-detection prop erty; after an
incorrect exp onent bit guess, no more meaningful correlations are observed.
The error detection prop erty can b e used for error correction. For example,
the attacker can maintain a list of the most likely exp onentintermediates along
with a value corresp onding to the probability each is correct. The attack is
continued for only the most likely candidate. If the currently-favored value is
incorrect, it will tend to fall in ranking, while correct values will tend to rise.
Error correction techniques increase the memory and pro cessing requirements
for the attack, but can greatly reduce the numb er of samples required.
4 The General Attack
The attack can b e treated as a signal detection problem. The \signal" consists
of the timing variation due to the target exp onent bit, and \noise" results from
measurement inaccuracies and timing variations due to unknown exp onent bits.
The prop erties of the signal and noise determine the numb er of timing measure-
ments required to for the attack.
Given j messages y ;y ;:::;y with corresp onding timing measurements
0 1 j 1
T ;T ; :::; T , the probability that a guess x for the rst b exp onent bits is
0 1 j 1 b
correct is prop ortional to
j 1
Y
P (x ) / F (T t(y ;x ))
b i i b
i=0
where t(y ;x ) is the amount of time required for the rst b iterations of the
i b
x
y mo d n computation using exp onentbitsx , and F is the exp ected probability
b
i
distribution function of T t(y; x )over all y values and correct x . Because F
b b
is de ned as the probability distribution of T t(y ;x )if x is correct, it is the
i i b b
best function for predicting T t(y ;x ). Note that the timing measurements
i i b
and intermediate s values can b e used improve the estimate of F .
Given a correct guess for x , there are two p ossible values for x . The
b 1 b
0
probabilitythat x is correct and x is incorrect can b e found as
b
b
Q
j 1
F (T t(y ;x ))
i i b
i=0
:
Q Q
j 1 j 1
0
F (T t(y ;x )) + F (T t(y ;x ))
i i b i i
i=0 i=0 b
In practice, this formula is not very useful b ecause nding F would require
extraordinary e ort.
5 Simplifying the Attack
Fortunately it is generally not necessary to compute F . Each timing observation
P
w 1
consists of T = e + t , where t is the time required for the multiplication
i i
i=0
and squaring steps for bit i and e includes measurement error, lo op overhead, 3
P
b 1
etc. Given guess x , the attacker can nd t for each sample y . If x is
b i b
i=0
P P P
w 1 b 1 w 1
t . Since t = e + t correct, subtracting from T yields e +
i i i
i=b i=0 i=0
the mo dular multiplication times are e ectively indep endent from each other
P
w 1
t over all observed and from the measurement error, the variance of e +
i
i=b
samples is exp ected to b e Var(e)+(w b)Var(t). However if only the rst c
bits of the exp onent guess are correct, the exp ected variance will be Var(e)+
(w b +2c)Var(t). Correctly-emulated iterations decrease the exp ected variance
byVar(t), while iterations following an incorrect exp onent bit each increase the
variance byVar(t). Computing the variances is easy and provides a go o d wayto
identify correct exp onent bit guesses.
It is now p ossible to estimate the numb er of samples required for the attack.
Supp ose an attacker has j accurate timing measurements and has two guesses
for the rst b bits of a w -bit exp onent, one correct and the other incorrect with
the rst error at bit c.For each guess the timing measurements can b e adjusted
P
b 1
by t . The correct guess will b e identi ed successfully if its adjusted values
i
i=0
have the smaller variance.
It is p ossible to approximate t using indep endent standard normal variables.
i
If Var(e) is negligible, the exp ected probability of a correct guess is
!
j 1 j 1
X X
2 2 p
p p
P > w bX + 2(b c)Y w bX
i i i
i=0 i=0
!
j 1 j 1
X X
p
2
2(b c)(w b) X Y +2(b c) Y > 0 = P 2
i i
i
i=0 i=0
where X and Y are normal random variables with =0 and = 1. Because j
P P
j 1 j 1
2
is relatively large, Y j and X Y is approximately normal with
i i
i
i=0 i=0
p
j , yielding = 0 and =
!
p
p
p
j (b c)
p
P 2 2(b c)(w b)( jZ )+2(b c)j>0 = P Z>
2(w b)
where Z is a standard normal random variable. Finally,integrating to nd the
q
j (b c)
, where (x) is the area under probability of a correct guess yields
2(w b)
the standard normal curvefrom 1 to x. The required numb er of samples (j )is
thus prop ortional to the exp onent size (w ). The numb er of measurements might
b e reduced if attackers cho ose inputs known to have extreme timing character-
istics at exp onent lo cations of interest.
6 Exp erimental Results
6
Figure 1 shows the distribution of 10 mo dular multiplication times observed
TM
using the RSAREF to olkit[10] on a 120-MHz Pentium computer running
TM
MSDOS . The distribution was prepared by timing one million (a b mo d n)
calculations using a and b values from actual mo dular exp onentiation op erations 4
#
with random inputs. The 512-bit sample prime 1 from the RSAREF Die-
Hellman demonstration program was used for n. A few wildly ab errant samples
(whichtookover 1300s) were discarded. The Figure 1 distribution has mean
= 1167.8s and standard deviation =12:01s. The measurement error is small;
the tests were run twice and the average measurement di erence was found to
be under 1s. RSAREF uses the same function for squaring and multiplication,
so squaring and multiplication times haveidentical distributions.
2 3
RSAREF precomputes y and y mo d n and pro cesses two exp onent bits
at a time. In total, a 512-bit mo dular exp onentiation with a random 256-bit
exp onent requires 128 iterations of the mo dular exp onentiation lo op and a total
of ab out 352 mo dular multiplication and squaring op erations. Each iteration
of the mo dular exp onentiation lo op do es two squaring op erations and, if either
exp onent bit is nonzero, one multiply. The attack can be adjusted to app end
pairs of exp onent bits and to evaluate four candidate values at each exp onent
p osition instead of two.
Since mo dular multiplications consume most of the total mo dular exp onen-
tiation time, it is exp ected that the distribution of mo dular exp onentiation
times will b e approximately normal with (1167:8)(352) = 411; 065:6s and
p
12:01 352 = 225:3s. Figure 2 shows measurements from 5000 actual mo d-
ular exp onentiation op erations using the same computer and mo dulus, which
yielded = 419; 901s and =235s.
With 250 timing measurements, the probability that subtracting the time for
a correct mo dexp lo op iteration from each sample will reduce the total variance
q
j (b c)
, more than subtracting an incorrect iteration is estimated to be
2(w b)
where j = 250, b = 1, c = 0, and w = 127. (There are 128 iterations of the
RSAREF mo dexp lo op for a 256-bit exp onent, but the rst iteration is ignored.)
q
250(1 0)
0:84. The Correct guesses are thus exp ected with probability
2(126) 5
5000 samples from Figure 2 were divided into 20 groups of 250 samples each,
and variances from subtracting the time for incorrect and correct mo dexp lo op
iterations were compared at each of the 127 exp onent bit pairs. Of the 2450
trials, 2168 pro duced a larger variance after subtracting an incorrect mo dexp
lo op time than after subtracting the time for a correct mo dexp lo op, yielding a
probability of 0.885. The rst exp onent bits are most dicult, since b b ecomes
larger as more exp onent bits b ecome known and the probabilities should improve.
(The test ab ove did not take advantageofthisproperty.) It is imp ortanttonote
that accurate timing measurements were used; measurement errors which are
large relative to the total mo dular exp onentiation time standard deviation will
increase the numb er of samples needed.
The attack is computationally quite easy. With RSAREF, the attacker has
to evaluate four choices p er pair of bits. Thus the attacker only has to do four
times the numb er of op erations done by the victim, not counting e ort wasted
by incorrect guesses.
7 Montgomery Multiplication and the CRT
Mo dular reduction steps usually cause most of the timing variation in a mo du-
lar multiplication op eration. Montgomery multiplication[6] eliminates the mo d n
reduction steps and, as a result, tends to reduce the size of the timing character-
istics. However, some variation usually remains. If the remaining \signal" is not
P
w 1
dwarfed by measurement errors, the variance in t and the variance of t
b i
i=b+1
would b e reduced prop ortionally and the attackwould still work. However if the
measurement error e is large, the required number of samples will increase in
1
. prop ortion to
Var(t )
i
The Chinese Remainder Theorem (CRT) is also often used to optimize RSA
private key op erations. With CRT, (y mo d p)and(y mo d q ) are computed rst,
where y is the message. These initial mo dular reduction steps can b e vulnerable
to timing attacks. The simplest such attack is to cho ose values of y that are
close to p or q , then use timing measurements to determine whether the guessed
value is larger or smaller than the actual value of p (or q ). If y is less than
p, computing y mo d p has no e ect, while if y is larger than p,itis necessary
to subtract p from y at least once. Also, if the message is very slightly larger
than p, y mo d p will have leading zero digits, whichmay reduce the amountof
time required for the rst multiplication step. The sp eci c timing characteristics
dep end on the implementation. RSAREF's mo dular reduction function with a
512-bit mo dulus the Pentium computer with y chosen randomly b etween 0 and
2p takes an average of 42.1sif y
p. Timing
measurements from many y could b e combined to successively approximate p.
In some cases it may b e p ossible to improve the Chinese Remainder Theorem
RSA attack to use known (not chosen) ciphertexts, reducing the numb er of mes-
sages required and making it p ossible to attack RSA digital signatures. Mo dular
reduction is done by subtracting multiples of the mo dulus, and exploitable timing
variations can b e caused byvariations in the numb er of compare-and-subtract 6
steps. For example, RSAREF's division lo op integer-divides the upp ermost two
digits of y by one more than the upp er digit of p,multiplies p by the quotient,
shifts left the appropriate numb er of digits, then subtracts the result from y .If
the result is larger than p (shifted left), a extra subtraction is p erformed. The
decision whether to perform an extra subtraction step in the rst lo op of the
division algorithm usually dep ends only on y (which is known) and the upp er
two digits of p. A timing attack could be used to determine the upp er digits
of p. For example, an exhaustive search over all p ossible values for the upp er
two digits of p (or more ecient techniques) could identify value for whichthe
observed times correlate most closely with the exp ected numb er of subtraction
op erations. As with the Die-Hellman/non-CRTattack, once one digit of p has
b een found, the timing measurements could b e reused to nd subsequent digits.
It is not yet known whether timing attacks can b e adapted to directly attack
the mo d p and mo d q mo dular exp onentiations p erformed with the Chinese
Remainder Theorem.
8 Timing Cryptanalysis of DSS