contributed articles

DOI:10.1145/2851486 needs to never output it or anything that broadcast their secrets via may reveal it. (The operating system may be misused to allow someone else’s inadvertent physical emanations that process to peek into the program’s are easily measured and exploited. memory or files, though we are getting better at avoiding such attacks, too.) BY DANIEL GENKIN, LEV PACHMANOV, ITAMAR PIPMAN, Yet programs’ control over their ADI SHAMIR, AND ERAN TROMER own outputs is a convenient fiction, for a deeper reason. The hardware run- ning the program is a physical object and, as such, interacts with its envi- ronment in complex ways, including Physical electric currents, electromagnetic fields, sound, vibrations, and light emissions. All these “side channels” may depend on the computation per- Extraction formed, along with the secrets within it. “Side-channel attacks,” which ex- ploit such information leakage, have been used to break the security of nu- merous cryptographic implementa- Attacks on PCs tions; see Anderson,2 Kocher et al.,19 and Mangard et al.23 and references therein. Side channels on small devices. Many past works addressed leakage from small devices (such as smart- cards, RFID tags, FPGAs, and simple embedded devices); for such devices, IS UBIQUITOUS. Secure websites and physical key extraction attacks have financial, personal communication, corporate, and been demonstrated with devastating effectiveness and across multiple phys- national secrets all depend on cryptographic algorithms ical channels. For example, a device’s operating correctly. Builders of cryptographic systems power consumption is often correlated with the computation it is currently ex- have learned (often the hard way) to devise algorithms ecuting. Over the past two decades, this and protocols with sound theoretical analysis, physical phenomenon has been used write software that implements them correctly, extensively for key extraction from small devices,19,23 often using power- and robustly integrate them with the surrounding ful techniques, including differential applications. Consequentially, direct attacks against .18 state-of-the-art cryptographic software are getting key insights increasingly difficult. ˽˽ Small differences in a program’s data For attackers, ramming the gates of cryptography is can cause large differences in acoustic, electric, and electromagnetic emanations not the only option. They can instead undermine the as the program runs.

fortification by violating basic assumptions made by ˽˽ These emanations can be measured through inexpensive equipment and used the cryptographic software. One such assumption is to extract secret data, even from fast and software can control its outputs. Our programming complex devices like laptop computers and mobile phones.

courses explain that programs produce their outputs ˽˽ Common hardware and software are through designated interfaces (whether print, write, vulnerable, and practical mitigation of these risks requires careful application- send, or mmap); so, to keep a secret, the software just specific engineering and evaluation.

70 COMMUNICATIONS OF THE ACM | JUNE 2016 | VOL. 59 | NO. 6 The electromagnetic emanations emanations from , as they transistors, on a motherboard with other from a device are likewise affected by the switch state, are exploitable as a side circuitry and peripherals, running an computation-correlated currents inside channel for reading internal registers operating system and handling various it. Starting with Agrawal et al.,1 Gandolfi leading and extracting keys.29 asynchronous events. All these intro- et al.,11 and Quisquater and Samyde,28 See Anderson2 for an extensive sur- duce complexity, unpredictability, and such attacks have been demonstrated vey of such attacks. noise into the physical emanations as on numerous small devices involving Vulnerability of PCs. Little was the cryptographic code executes. various cryptographic implementations. known, however, about the possibility Second is speed. Typical side-chan- Optical and thermal imaging of cir- of cryptographic attacks through physi- nel techniques require the analog leak- cuits provides layout information and cal side channels on modern commod- age signal be acquired at a bandwidth coarse activity maps that are useful for ity laptop, desktop, and server com- greater than the target’s clock rate. reverse engineering. Miniature probes puters. Such “PC-class” computers (or For PCs running GHz-scale CPUs, this can be used to access individual inter- “PCs,” as we call them here) are indeed means recording analog signals at nal wires in a chip, though such tech- very different from the aforementioned multi-GHz bandwidths requiring ex- niques require invasive disassembly small devices, for several reasons. pensive and delicate lab equipment, in of the chip package, as well as con- First, a PC is a very complex environ- addition to a lot of storage space and

IMAGE BY IWONA USAKIEWICZ/ANDRIJ BORYS ASSOCIATES BORYS USAKIEWICZ/ANDRIJ IWONA BY IMAGE siderable technical expertise. Optical ment—a CPU with perhaps one billion processing power.

JUNE 2016 | VOL. 59 | NO. 6 | COMMUNICATIONS OF THE ACM 71 contributed articles

Figure 1. An acoustic attack using a parabolic microphone (left) on a target laptop (right); various trade-offs among attack range, keys can be extracted from a distance of 10 meters. speed, and equipment cost. The follow- ing sections explore our findings, as pub- lished in several recent articles.12,15,16 Acoustic. The power consumption of a CPU and related chips changes dras- tically (by many Watts) depending on the computation being performed at each moment. Electronic compo- nents in a PC’s internal power supply, struggling to provide constant voltage to the chips, are subject to mechani- cal forces due to fluctuations of volt- ages and currents. The resulting vi- brations, as transmitted to the ambient air, create high-pitched acoustic noise, known as “coil whine,” even though it of- ten originates from capacitors. Because this noise is correlated with the ongo- Figure 2. Measuring the chassis potential by touching a conductive part of the laptop; ing computation, it leaks information the wristband is connected to signal-acquisition equipment. about what applications are running and what data they process. Most dramati- cally, it can acoustically leak secret keys during cryptographic operations. By recording such noise while a target is using the RSA algorithm to decrypt ciphertexts (sent to it by the attacker), the RSA secret key can be ex- tracted within one hour for a high-grade 4,096-bit RSA key. We experimentally demonstrated this attack from as far as 10 meters away using a parabolic micro- phone (see Figure 1) or from 30cm away through a plain mobile phone placed next to the . Electric. While PCs are typically grounded to the mains earth (through their power supply “brick,” or ground- ed peripherals), these connections are, in practice, not ideal, so the elec- tric potential of the laptop’s chassis A third difference involves attack many other effects can be used to fluctuates. These fluctuations depend scenarios. Traditional techniques for glean sensitive information across the on internal currents, and thus on the side-channel attacks require long, un- boundaries between processes or even ongoing computation. An attacker interrupted physical access to the target virtual machines. Here, we focus on can measure the fluctuations directly device. Moreover, some such attacks physical attacks that do not require de- through a plain wire connected to a involve destructive mechanical intru- ployment of malicious software on the conductive part of the laptop, or in- sion into the device (such as decapsu- target PC. directly through any cable with a con- lating chips). For small devices, these Our research thus focuses on two ductive shield attached to an I/O port scenarios make sense; such devices main questions: Can physical side- on the laptop (such as USB, Ethernet, are often easily stolen and sometimes channel attacks be used to nonintru- display, or audio). Perhaps most sur- even handed out to the attacker (such sively extract secret keys from PCs, prising, the chassis potential can be as in the form of cable TV subscription despite their complexity and operating measured, with sufficient fidelity, cards). However, when attacking other speed? And what is the cost of such at- even through a human body; human people’s PCs, the attacker’s physical tacks in time, equipment, expertise, attackers need to touch only the tar- access is often brief, constrained, and and physical access? get computer with a bare hand while must proceed unobserved. Results. We have identified multiple their body potential is measured (see Note numerous side channels in side channels for mounting physical Figure 2). PCs are known at the software level; key-extraction attacks on PCs, appli- This channel offers a higher band- timing,8 cache contention,6,26,27 and cable in various scenarios and offering width than the acoustic one, allowing

72 COMMUNICATIONS OF THE ACM | JUNE 2016 | VOL. 59 | NO. 6 contributed articles observation of the effect of individual . Most of this work remains prone to side-channel leakage due to key bits on the computation. RSA and classified. What little is declassified their physical nature and lower operat- ElGamal keys can thus be extracted confirms the existence and risk of ing speed; for example, acoustic noise from a signal obtained from just a few physical information leakage but says from keyboards can reveal keystrokes,3 seconds of measurement, by touching nothing about the feasibility of the key -noise printed content,4 and sta- a conductive part of the laptop’s chas- extraction scenarios discussed in this tus LEDs data on a communication sis, or by measuring the chassis po- article. Acoustic leakage, in particular, line.22 Computer screens inadvertently tential from the far side of a 10-meter- has been used against electromechan- broadcast their content as “van Eck” long cable connected to the target’s ical ciphers (Wright31 recounts how electromagnetic radiation that can be I/O port. the British security agencies tapped a picked up from a distance;21,30 see An- Electromagnetic. The computation phone to eavesdrop on the rotors of a derson2 for a survey. performed by a PC also affects the elec- Hagelin electromechanical cipher ma- Some observations have also been tromagnetic field it radiates. By moni- chine); but there is strong evidence it made about physical leakage from toring the computation-dependent was not recognized by the security ser- PCs, though at a coarse level. The gen- electromagnetic fluctuations through vices as effective against modern elec- eral activity level is easily gleaned from an for just a few seconds, tronic computers.16 temperature,7 fan speed, and mechan- it is possible to extract RSA and El- ical hard-disk movement. By tapping Gamal secret keys. For this channel, Non-Cryptographic Leakage the computer’s electric AC power, it the measurement setup is notably Peripheral devices attached to PCs are is possible to identify the webpages unintrusive and simple. A suitable electromagnetic probe antenna can Figure 3. An electromagnetic attack using a consumer AM radio receiver placed near the target and recorded by a . be made from a simple loop of wire and recorded through an inexpensive software-defined radio USB dongle. Al- ternatively, an attacker can sometimes use a plain consumer-grade AM radio receiver, tuned close to the target’s sig- nal frequency, with its headphone out- put connected to a phone’s audio jack for digital recording (see Figure 3). Applicability. A surprising result of our research is how practical and easy are physical key-extraction side-chan- nel attacks on PC-class devices, despite the devices’ apparent complexity and high speed. Moreover, unlike previous attacks, our attacks require very little analog bandwidth, as low as 50kHz, even when attacking multi-GHz CPUs, thus allowing us to utilize new chan- nels, as well as inexpensive and readily available hardware. We have demonstrated the fea- sibility of our attacks using GnuPG (also known as GPG), a popular open source cryptographic software that Figure 4. A spectrogram of an acoustic signal. The vertical axis is time (3.7 seconds), and the horizontal axis is frequency (0kHz–310kHz). Intensity represents instantaneous energy implements both RSA and ElGamal. in the frequency band. The target is performing one-second loops of several x86 instruc- Our attacks are effective against vari- tions: CPU sleep (HLT), integer multiplication (MUL), floating-point multiplication FMUL( ), ous versions of GnuPG that use differ- main memory access, and short-term idle (REP NOP). ent implementations of the targeted cryptographic algorithm. We tested 0 50 100 150 200 250 300 350kHz 0 various laptop computers of different 0.25 HLT models from different manufacturers 0.5 MUL and running various operating sys- 0.75 FMUL tems, all “as is,” with no modification 1 ADD or case intrusions. 1.25 MEM History. Physical side-channel at- 1.5 NOP tacks have been studied for decades in 1.75 military and espionage contexts in the sec U.S. and NATO under the codename

JUNE 2016 | VOL. 59 | NO. 6 | COMMUNICATIONS OF THE ACM 73 contributed articles

loaded by the target’s browser9 and ic algorithms and implementations, is often decoupled from the secret even some malware.10 Tapping USB so compromising any of them has a di- key, the operands to these operations power lines makes it possible to iden- rect effect on many deployed systems. are often key-dependent. Moreover, tify when cryptographic applications Consequently, our research focused on operand values with atypical prop- are running.25 key extraction from the most common erties (such as operands containing The acoustic, electric, and electro- public-key schemes—RSA many zero bits or that are unusually magnetic channels can also be used to and ElGamal—as implemented by the short) may trigger implementation- gather coarse information about a tar- popular GnuPG software. dependent corner cases. We thus craft get’s computations; Figure 4 shows a When analyzing implementations special inputs (ciphertexts to be de- microphone recording of a PC, demon- of public-key cryptographic algo- crypted) that “poison” internal values strating loops of different operations rithms, an attacker faces the difficul- occurring inside the cryptographic have distinct acoustic signatures. ties described earlier of complexity, algorithm, so atypically structured op- noise, speed, and nonintrusiveness. erands occur at key-dependent times. Cryptanalytic Approach Moreover, engineers implementing Measuring leakage during such a poi- Coarse leakage is ubiquitous and eas- cryptographic algorithms try to make soned execution can reveal at which ily demonstrated once the existence the sequence of executed operations operations these operands occurred, of the physical channel is recognized. very regular and similar for all secret and thus leak key information. However, there remains the question keys. This is done to foil past attacks Leakage self-amplification. In order of whether the physical channels can that exploit significant changes in con- to overcome a device’s complexity be used to steal finer and more devas- trol flow to deduce secrets, including and execution speed, an attacker can tating information. The crown jewels, timing attacks,8 cache contention at- exploit the algorithm’s own code to in this respect, are cryptographic keys, tacks6,26,27 (such as a recent application amplify its own leakage. By asking for for three reasons. First, direct impact, to GnuPG32,33), and many other types of decryption of a carefully chosen cipher- as compromising cryptographic keys attacks on small devices. text, we create a minute change (com- endangers all data and authorizations We now show how to overcome these pared to the decryption of a random- that depend on them. Second, difficul- difficulties, using a careful selection of looking ciphertext) during execution ty, as cryptographic keys tend to be well the ciphertext to be decrypted by the of the innermost loop of the attacked protected and used in carefully crafted algorithm. By combining the following algorithm. Since the code inside the algorithms designed to resist attacks; two techniques for ciphertext selection, innermost loop is executed many so if even these keys can be extracted, we obtain a key-dependent leakage that times throughout the algorithm, this it is a strong indication more pedes- is robustly observable, even through yields an easily observable global trian data can be also extracted. And low-bandwidth measurements. change affecting the algorithm’s third, commonality, as there is only a Internal value poisoning. While the entire execution. small number of popular cryptograph- sequence of performed operations GnuPG’S RSA Implementation Algorithm 1. Modular exponentiation using -and-always-multiply. For concreteness in describing our ba- sic attack method, we outline GnuPG’s Input: Three integers c,d, in binary representation such implementation of RSA decryption, that . . . . d = d1 dm as of version 1.4.14 from 2013. Later Output: a = c d mod q. 1: procedure MOD_EXP(c,d,q) GnuPG versions revised their imple- 2: c ← c mod q mentations to defend against the adap- 3: a ← 1 tive attack described here; we discuss 4: for i ← 1 to m do these variants and corresponding at- 5: a ← a2 6: t ← a . c tacks later in the article.

7: if di = 1 then Notation. RSA key generation is 8: a ← t done by choosing two large primes p, 9: return a q, a public exponent e and a secret ex- ponent d, such that ed ≡ 1 (mod Φ(n)) where n = pq and Φ(n) = (p − 1)(q − 1). Algorithm 2. GnuPG’s basic multiplication code. The public key is (n, e) and the private key is (p, q, d). RSA encryption of a mes- sage m is done by computing me mod n, Input: Two integers a = as . . . a1 and b = bt . . . b1 of size s. and t limbs respectively and RSA decryption of a ciphertext c is Output: a . b. done by computing cd mod n. GnuPG 1: procedure MUL_BASECASE(a,b) uses a common optimization for RSA 2: p ← a . b1 3: for i ← 2 to t do decryption; instead of directly com- d 4: if bi ≠ 0 then  (and if bi = 0 do nothing) puting m = c mod n, it first com- . . 32 .(i-1) dp dq 5: p ← p + a bi 2 putes mp = c mod p, mq = c mod q 6: return p (where dp and dq are derived from the

secret key), then combines mp and mq

74 COMMUNICATIONS OF THE ACM | JUNE 2016 | VOL. 59 | NO. 6 contributed articles into m using the Chinese Remainder by the target the side-channel leakage We have thus obtained a connec-

Theorem. To fully recover the secret reveals the value of qi. Eventually the tion between the i-th bit of q and the key, it suffices to learn any of its com- entire q is revealed. The choice of each resulting structure of c after the modu- ponents (p, q, d, dp, or dq); the rest can ciphertext depends on the key bits lar reduction—either long and repeti- be deduced. learned thus far, making it an adaptive tive or short and random looking— Square-and-always-multiply expo- chosen ciphertext attack. thereby poisoning internal values in nentiation. Algorithm 1 is pseudocode This attack requires the target to Algorithm 1. of the square-and-always-multiply ex- decrypt ciphertexts chosen by the at- Leakage self-amplification. To learn ponentiation used by GnuPG 1.4.14 tacker, which is realistic since GnuPG the i-th bit of q, we need to amplify the to compute mp and mq. As a counter- is invoked by numerous applications leakage resulting from this connection measure to the attack of Yarom and to decrypt ciphertexts arriving via so it becomes physically distinguish- Falkner,32 the sequence of squarings email messages, files, webpages, and able. Note the value c is used during and multiplications performed by chat messages. For example, Enig- the main loop of Algorithm 1 in line Algorithm 1 is independent of the mail and GpgOL are popular plugins 6. Moreover, since the multiplication secret key. Note the modular reduc- that add PGP/MIME encrypted-email in line 6 is executed once per bit of d, tion in line 2 and the multiplication capabilities to Mozilla Thunderbird we obtain that Algorithm 1 performs k in line 6. Both these lines are used by and Outlook, respectively. They de- multiplications by c, whose structure our attack on RSA—line 2 for poison- crypt incoming email messages by depends on qi. We now analyze the ef- ing internal values and line 6 for leakage passing them to GnuPG. If the target fects of repetitive vs. random-looking self-amplification. uses them, an attacker can remotely second operand on the multiplication Since our attack uses GnuPG’s mul- inject a chosen ciphertext into GnuPG routine of GnuPG. tiplication routine for leakage self-am- by encoding the ciphertext as a PGP/ Suppose c(i) = 1. Then c has its low- plification, we now analyze the code of MIME email (following RFC 3156) est k − i bits set to 1. Next, c is passed GnuPG’s multiplication routines. and sending it to the target. to the Karatsuba-based multiplication Multiplication. For multiplying large Cryptanalysis. We can now describe routine as the second operand b. The integers (line 6), GnuPG uses a variant the adaptive chosen ciphertext attack result of (bL − bH), as computed in the of the Karatsuba multiplication algo- on GnuPG’s RSA implementation. Karatsuba-based multiplication, will rithm. It computes the product of two Internal value poisoning. We begin thus contain many zero limbs. This in- k-numbers a and b recursively, using by choosing appropriate ciphertexts variant, of having the second operand 2k k k the identity ab = (2 + 2 )aHbH + 2 (aH − that will poison some of the internal containing many zero limbs, is pre- k aL) (bL − bL) + (2 + 1)aLbL, where aH, bH values inside Algorithm 1. Let p, q be served by the Karatsuba-based multi- are the most significant halves of a and two random k-bit primes compris- plication all the way until the recursion b, respectively, and, similarly, aL, bL are ing an RSA secret key; in the case of reaches the base-case multiplication the least significant halves of a and b. high-security 4,096-bit RSA, k = 2,048. routine (Algorithm 2), where it affects The recursion’s base case is a GnuPG always generates RSA keys the control flow in line 4, forcing the simple grade-school “long multipli- such that the most significant bit of loop in line 3 to perform almost no cation” algorithm, shown (in sim- p and q is set, thus qi = 1. Assume we multiplications. plified form) in Algorithm 2. GnuPG have already recovered the topmost Conversely, if qi = 0, then c is ran- stores large integers in arrays of 32-bit i − 1 bits of q and define the cipher- dom-looking, containing few (if any) words, called limbs. Note how Algo- text c(i) to be the k-bit ciphertext whose zero limbs. When the Karatsuba-based rithm 2 handles the case of zero limbs topmost i − 1 bits are the same as q, multiplication routine gets c as its sec- of b. Whenever a zero limb of b is en- its i-th bit is 0 and whose remaining ond operand b, the derived values stay countered, the operation in line 5 is bits are set to 1. Consider the effects random-looking throughout the recur- not executed, and the loop in line 3 of decrypting c(i) on the intermediate sion until the base case, where these proceeds to handle the next limb of values of Algorithm 1, depending on random-looking values affect the con- b. This optimization is exploited by the secret key bit qi. trol flow in line 4 inside the main loop (i) the leakage self-amplification compo- Suppose qi = 1. Then c ≤ q, and of Algorithm 2, making it almost al- nent of our attack. Specifically, each this c(i) is passed as the argument c to ways perform a multiplication. of our chosen ciphertexts will cause a Algorithm 1, where the modular re- Our attack thus creates a situation targeted bit of q to affect the number duction in line 2 returns c = c(i) (since where, during the entire decryption of zero limbs of b given to Algorithm 2 c(i) ≤ q), so the lowest k − i bits of c re- operation, the branch in line 4 of Algo- (i) and thus the control flow in line 4 and main 1. Conversely, if qi = 0, then c > rithm 2 is either always taken or is nev- thereby the side-channel leakage. q, so when c(i) is passed to Algorithm 1, er taken, depending on the current bit the modular reduction in line 2 modi- of q. During the decryption process, the Adaptive Chosen Ciphertext Attack fies the value of c. Since c(i) agrees with branch in line 4 is evaluated numerous We now describe our first attack on q on its topmost i − 1 bits, it holds that times (approximately 129,000 times for RSA, extracting the bits of the secret q < c(i) < 2q, so in this case the modular 4,096-bit RSA). This yields the desired prime q, one by one. For each bit of q, reduction computes c ← c − q, which self-amplification effect. Once qi is ex- denoted qi, the attack chooses a cipher- is a random-looking number of length tracted, we can compute the next cho- text c(i) such that when c (i) is decrypted k − i bits. sen ciphertext ci+1 and proceed to ex-

JUNE 2016 | VOL. 59 | NO. 6 | COMMUNICATIONS OF THE ACM 75 contributed articles

Figure 5. Measuring acoustic leakage: (a) is the attacked target; (b) is a microphone picking open question, but we conjecture that up the acoustic emanations; (c) is the microphone power supply and amplifier; (d) is the exploitable correlations will persist. digitizer; and the acquired signal is processed and displayed by the attacker’s laptop (e). Non-Adaptive Chosen Ciphertext Attacks The attack described thus far re- quires decryption of a new adaptively chosen ciphertext for every bit of the secret key, forcing the attacker to in- teract with the target computer for a long time (approximately one hour). To reduce the attack time, we turn to the electrical and electromagnetic channels, which offer greater ana- log bandwidth, though still orders of magnitude less than the target’s CPU Figure 6. Acoustic emanations (0kHz–20kHz, 0.5 seconds) of RSA decryption during an frequency. This increase in bandwidth adaptive chosen-ciphertext attack. allows the attacker to observe finer de- tails about the operations performed by the target algorithm, thus requiring 0 5 10 15 20kHz 0 5 10 15 20 kHz less leakage amplification. 0 0 Utilizing the increased bandwidth, p our next attack trades away some of the 0.25 0.25 leakage amplification in favor of reduc- ing the number of ciphertexts. This q reduction shortens the key-extraction 0.5 0.5 time to seconds and, moreover, makes sec sec (a) (b) the attack non-adaptive, meaning the chosen ciphertexts can be sent to the target all at once (such as on a CD with

tract the next secret bit—qi+1—through of the second exponentiation is dif- a few encrypted files). the same method. ferent between Figure 6a and Figure Cryptanalysis. The non-adaptive The full attack requires additional 6b. This is exactly the effect created chosen ciphertext attack against components (such as error detection by our attack, which can be utilized to square-and-always-multiply exponen- and recovery16). extract the bits of q. tiation (Algorithm 1) follows the ap- Acoustic cryptanalysis of RSA. The By applying the iterative attack al- proach of Yen et al.,34 extracting the basic experimental setup for measur- gorithm described earlier, attacking bits of d instead of q. ing acoustic leakage consists of a mi- each key bit at a time by sending the Internal value poisoning. Consider crophone for converting mechanical chosen ciphertext for decryption and the RSA decryption of c = n − 1. As in the air vibrations to electronic signals, an learning the key bit from the measured previous acoustic attack, c is passed to amplifier for amplifying the micro- acoustic signal, the attacker can fully Algorithm 1, except this time, after the phone’s signals, a digitizer for convert- extract the secret key. For 4,096-bit RSA modular reduction in line 2, it holds ing the analog signal to a digital form, keys (which, according to NIST recom- that c ≡ –1 (mod q). We now examine and software to perform signal process- mendations, should remain secure for the effect of c on the squaring opera- ing and cryptanalytic deduction. Figure decades), key extraction takes approxi- tion performed during the main loop 1 and Figure 5 show examples of such mately one hour. of Algorithm 1. setups using sensitive ultrasound mi- Parallel load. This attack assumes First note the value of a during the crophones. In some cases, it even suf- decryption is triggered on an other- execution of Algorithm 1 is always ei- fices to record the target through the wise-idle target machine. If addition- ther 1 or –1 modulo q. Next, since –12 built-in microphone of a mobile phone al software is running concurrently, ≡ 12 ≡ 1 (mod q), we have that the value placed in proximity to the target and then the signal will be affected, but of a in line 6 is always 1 modulo q. We running the attacker’s mobile app.16 the attack may still be feasible. In par- thus obtain the following connection

Figure 6 shows the results of ap- ticular, if other software is executed between the secret key bit di–1 and the plying the acoustic attack for differ- through timeslicing, then the irrel- value of a at the start of the i-th itera- ent values (0 or 1) of the attacked bit evant timeslices can be identified and tion of Algorithm 1’s main loop.

of q. Several effects are discernible. discarded. If other, sufficiently ho- Suppose di–1 = 0, so the branch in First, the transition between the two mogenous software is executed on a line 7 is not taken, making the value modular exponentiations (using the different core, then (empirically) the of a at the start of the i-th iteration modulus p and q) is clearly visible. signal of interest is merely shifted. be 1 mod q = 1. Since GnuPG’s inter- Second, note the acoustic signatures Characterizing the general case is an nal representation does not truncate

76 COMMUNICATIONS OF THE ACM | JUNE 2016 | VOL. 59 | NO. 6 contributed articles leading zeros, a contains many lead- or blocks separated by runs of zero To cope with noise, we measured ing zero limbs that are then passed to bits (in “sliding-window” exponentia- the electric potential during a few the squaring routine during the i-th tion). The main loop, instead of han- (typically 10) decryption operations. iteration. Conversely, if di–1 = 1, then dling the exponent one bit at a time, Each recording was filtered and de- the branch in line 7 is taken, making handles a whole block at every itera- modulated. We used frequency-de- the value of a at the start of the i-th tion, by multiplying a by cx, where x modulation since it produced best iteration be –1 modulo q, represented is the block’s value. The values cx are results compared to amplitude and as p – 1. Since q is a randomly generat- pre-computed and stored in a lookup phase demodulations. We then com- ed prime, the value of a, and therefore table (for all m-bit values x). bined the recordings using corre- the value sent to the squaring routine An adaptation of these techniques lation-based averaging, yielding a during the i-th iteration, is unlikely to also allows attacking windowed expo- combined signal (see Figure 8). The contain any zero limbs. nentiation.12 In a nutshell, we focus successive bits of d can be deduced We have thus poisoned some of the on each possible m-bit value x, one at a from this combined signal. Full key internal values of Algorithm 1, creating time, and identify which blocks in the extraction, using non-adaptive elec- a connection between the bits of d and exponent d, that is, which iterations of tric measurements, requires only a few the intermediate values of a during the the main loop, contain x. This is done seconds of measurements, as opposed exponentiation. by crafting a ciphertext c such that cx to an hour using the adaptive attack. Amplification. GnuPG’s squaring mod q contains many zero limbs. Leak- We obtained similar results for ElGa- routines are implemented in ways age amplification and measurement mal encryption; Genkin et al.15 offer a similar to the multiplication routines, then work similarly to the acoustic and complete discussion. including the optimizations for han- electric attacks described earlier. Once Electromagnetic attacks. The elec- dling zero limbs, yielding leakage self- we identify where each x occurred, we tromagnetic channel, which exploits amplification, as in an adaptive attack. aggregate these locations to deduce computation-dependent fluctuations Since each iteration of the exponen- the full key d. in the electromagnetic field surround- tiation’s main loop leaks one bit of the Electric attacks. As discussed earli- ing the target, can also be used for key secret d, all the bits d can be extracted er, the electrical potential on the chas- extraction. While this channel was pre- from (ideally) a single decryption of sis of laptop computers often fluctu- viously used for attacks on small devic- a single ciphertext. In practice, a few ates (in reference to the mains earth es at very close proximity,1,11,28 the PC measurements are needed to cope with ground) in a computation-dependent class of devices was only recently con- noise, as discussed here. way. In addition to measuring this po- sidered by Zajic and Prulovic35 (without Windowed exponentiation. Many tential directly using a plain wire con- cryptographic applications). RSA implementations, including nected to the laptop chassis, it is pos- Measuring the target’s electromag- GnuPG version 1.4.16 and newer, use sible to measure the chassis potential netic emanations requires an antenna, an exponentiation algorithm that is from afar using the conductive shield- for filtering and amplifi- faster than Algorithm 1. In such an ing of any cable attached to one of the cation, analog-to-digital conversion, implementation, the exponent d is laptop’s I/O ports (see Figure 7) or and software for signal processing and split into blocks of m bits (typically m = from nearby by touching an exposed cryptanalytic deduction. Prior works 5), either contiguous blocks (in “fixed metal part of the laptop’s chassis, as (on small devices) typically used cum- window” or “m-ary” exponentiation) in Figure 2. bersome and expensive lab-grade

Figure 7. Measuring the chassis potential Figure 8. A signal segment from an electric attack, after demodulating and combining from the far side of an Ethernet cable (blue) measurements of several decryptions. Note the correlation between the signal (blue) and plugged into the target laptop (10 meters the correct key bits (red). away) through an alligator clip leading to measurement equipment (green wire). 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

JUNE 2016 | VOL. 59 | NO. 6 | COMMUNICATIONS OF THE ACM 77 contributed articles

equipment. In our attacks,12 we used using the non-adaptive attack de- lets, as well as to other cryptographic highly integrated solutions that are scribed earlier, we have extracted se- libraries (such as OpenSSL and iOS small and inexpensive (such as a soft- cret keys in a few seconds from a dis- CommonCrypto), electromagnetic key ware-defined radio dongle, as in Figure tance of half a meter. extraction from implementations of 9, or a consumer-grade radio receiver Attacking other schemes and oth- the Elliptic Curve Digital Signature Al- recorded by a smartphone, as in Figure er devices. So far, we have discussed gorithm has also been demonstrated, 3). Demonstrating how an untethered attacks on the RSA and ElGamal cryp- including attacks that are non-inva- probe may be constructed from readily tosystems based on exponentiation sive,17 low-bandwidth,5,24 or both.14 available electronics, we also built the in large prime fields. Similar attacks Portable Instrument for Trace Acquisi- also target elliptic-curve cryptogra- Conclusion tion (PITA), which is compact enough phy. For example, we demonstrated Extraction of secret cryptographic keys to be concealed, as in pita bread (see key extraction from GnuPG’s imple- from PCs using physical side channels Figure 10). mentation of the Elliptic-Curve Dif- is feasible, despite their complexity Experimental results. Attacking RSA fie-Hellman scheme running on a and execution speed. We have demon- and ElGamal (in both square-and-al- PC;13 the attacker, in this case, can strated such attacks on many public- ways-multiply and windowed imple- measure the target’s electromag- key encryption schemes and digital- mentations) over the electromagnetic netic leakage from an adjacent room signature schemes, as implemented channel (sampling at 200 kSample/sec through a wall. by popular cryptographic libraries, us- around a center frequency of 1.7MHz), Turning to mobile phones and tab- ing inexpensive and readily available equipment, by various attack vectors Figure 9. Measuring electromagnetic emanations from a target laptop (left) through a loop and in multiple scenarios. of coax cable (handheld) recorded by a software-defined radio (right). Hardware countermeasures. Side-channel leakage can be attenu- ated through such physical means as sound-absorbing enclosures against acoustic attacks, Faraday cages against electromagnetic attacks, in- sulating enclosures against chassis and touch attacks, and photoelectric decoupling or fiber-optic connections against “far end of cable” attacks. However, these countermeasures are expensive and cumbersome. Devis- ing inexpensive physical leakage pro- tection for consumer-grade PCs is an open problem. Software countermeasures. Given a characterization of a side channel, algorithms and their software imple- mentations may be designed so the Figure 10. Extracting keys by measuring a laptop’s electromagnetic emanations leakage through the given channel through a PITA device. will not convey useful information. One such approach is “blinding,” or ensuring long operations (such as modular exponentiation) that in- volve sensitive values are, instead, performed on random dummy values and later corrected using an opera- tion that includes the sensitive value but is much shorter and thus more difficult to measure (such as modular multiplication). A popular example of this approach is ciphertext random- ization,20 which was added to GnuPG following our observations and in- deed prevents both the internal value poisoning and the leakage self-ampli- fication components of our attacks. However, such countermeasures require careful design and adaptation

78 COMMUNICATIONS OF THE ACM | JUNE 2016 | VOL. 59 | NO. 6 contributed articles

for every cryptographic scheme and laboration in Cryptography through Proceedings of the Annual Cryptology Conference (CRYPTO 1996). Springer, 1996, 104–113. leakage channel; moreover, they of- National Science Foundation grant 21. Kuhn, M.G. Compromising Emanations: Eavesdropping ten involve significant cost in perfor- #CNS-1523467. Risks of Computer Displays. Ph.D. Thesis and Technical Report UCAM-CL-TR-577. University of mance. There are emerging generic Cambridge Computer Laboratory, Cambridge, U.K., protection methods at the algorith- Dec. 2003; https://www.cl.cam.ac.uk/techreports/ References UCAM-CL-TR-577.pdf mic level, using fully homomorphic 1. Agrawal, D., Archambeault, B., Rao, J.R., and Rohatgi, 22. Loughry, J. and Umphress, D.A. Information leakage P. The EM side-channel(s). In Proceedings of the encryption and cryptographic leakage from optical emanations. ACM Transactions on Workshop on Cryptographic Hardware and Embedded Information Systems Security 5, 3 (Aug. 2002), 262–289. resilience; however, their overhead is Systems (CHES 2002). Springer, 2002, 29–45. 23. Mangard, S., Oswald, E., and Popp, T. Power Analysis 2. Anderson, R.J. Security Engineering: A Guide to Attacks: Revealing the Secrets of Smart Cards. currently so great as to render them Building Dependable Distributed Systems, Second Springer, Berlin, Heidelberg, 2007. impractical. Edition. Wiley, 2008. 24. Nakano, Y., Souissi, Y., Nguyen, R., Sauvage, L., 3. Asonov, D. and Agrawal, R. Keyboard acoustic Danger, J., Guilley, S., Kiyomoto, S., and Miyake, Y. A Future work. To fully understand emanations. In Proceedings of the IEEE Symposium pre-processing composition for secret key recovery the ramifications and potential of on Security and Privacy. IEEE Computer Society on Android . In Proceedings of the Press, 2004, 3–11. International Workshop on Information Security physical side-channel attacks on PCs 4. Backes, M., Dürmuth, M., Gerling, S., Pinkal, M., and Theory and Practice (WISTP 2014). Springer, Berlin, and other fast and complex devices, Sporleder, C. Acoustic side-channel attacks on printers. Heidelberg, 2014. In Proceedings of the USENIX Security Symposium 25. Oren, Y. and Shamir, A. How not to protect many questions remain open. What 2010. USENIX Association, 2010, 307–322. PCs from power analysis. Presented at the other implementations are vulner- 5. Belgarric, P., Fouque, P.-A., Macario-Rat, G., and Annual Cryptology Conference (CRYPTO Tibouchi, M. Side-channel analysis of Weierstrass and 2006) rump session. 2006; http://iss.oy.ne.ro/ able, and what other algorithms tend Koblitz curve ECDSA on Android smartphones. In HowNotToProtectPCsFromPowerAnalysis to have vulnerable implementations? Proceedings of the Cryptographers’ Track of the RSA 26. Osvik, D.A., Shamir, A., and Tromer, E. Cache Conference (CT-RSA 2016). Springer, 2016, 236–252. attacks and countermeasures: The case of AES. In In particular, can symmetric encryp- 6. Bernstein, D.J. Cache-timing attacks on AES. 2005; Proceedings of the Cryptographers’ Track of the RSA http://cr.yp.to/papers.html#cachetiming tion algorithms (which are faster and Conference (CT-RSA 2006). Springer, 2006,1–20. 7. Brouchier, J., Dabbous, N., Kean, T., Marsh, C., and 27. Percival, C. Cache missing for fun and profit. In more regular) be attacked? What oth- Naccache, D. Thermocommunication. Cryptology Proceedings of the BSDCan Conference, 2005; http:// ePrint Archive, Report 2009/002, 2009; https://eprint. er physical channels exist, and what www.daemonology.net/hyperthreading-considered- iacr.org/2009/002 harmful signal processing and cryptanalytic 8. Brumley, D. and Boneh, D. Remote timing attacks 28. Quisquater, J.-J. and Samyde, D. Electromagnetic are practical. Computer Networks 48, 5 (Aug. 2005), analysis (EMA): Measures and countermeasures techniques can exploit them? Can the 701–716. for smartcards. In Proceedings of the attacks’ range be extended (such as 9. Clark, S.S., Mustafa, H.A., Ransford, B., Sorber, J., Fu, Programming and Security: International Conference K., and Xu, W. Current events: Identifying webpages on Research in Smart Cards (E-smart 2001). Springer, in acoustic attacks via laser vibrom- by tapping the electrical outlet. In Proceedings of the 2001, 200–210. th eters)? What level of threat do such 18 European Symposium on Research in Computer 29. Skorobogatov, S. Optical Surveillance on Silicon Chips. Security (ESORICS 2013). Springer, Berlin, Heidelberg, University of Cambridge, Cambridge, U.K., 2009; channels pose in various real-world 2013, 700–717. http://www.cl.cam.ac.uk/~sps32/SG_talk_OSSC_a.pdf scenarios? Ongoing research indi- 10. Clark, S.S., Ransford, B., Rahmati, A., Guineau, S., 30. van Eck, W. Electromagnetic radiation from video Sorber, J., Xu, W., and Fu, K. WattsUpDoc: Power display units: An eavesdropping risk? Computers and cates the risk extends well beyond the side channels to nonintrusively discover untargeted Security 4, 4 (Dec. 1985), 269–286. particular algorithms, software, and malware on embedded medical devices. In 31. Wright, P. Spycatcher. Viking Penguin, New York, 1987. Proceedings of the USENIX Workshop on Health 32. Yarom, Y. and Falkner, K. FLUSH+RELOAD: A high- platforms we have covered here. Information Technologies (HealthTech 2013). USENIX resolution, low-noise, L3 cache side-channel attack. On the defensive side, we also raise Association, 2013. In Proceedings of the USENIX Security Symposium 11. Gandolfi, K., Mourtel, C., and Olivier, F. Electromagnetic 2014. USENIX Association, 2014, 719–732. three complementary questions: How analysis: Concrete results. In Proceedings of the 33. Yarom, Y., Liu, F., Ge, Q., Heiser, G., and Lee, R.B. Workshop on Cryptographic Hardware and Embedded can we formally model the feasible Last-level cache side-channel attacks are practical. Systems (CHES 2001). Springer, Berlin, Heidelberg, In Proceedings of the IEEE Symposium on Security side-channel attacks on PCs? What en- 2001, 251–261. and Privacy. IEEE Computer Society Press, 2015, 12. Genkin, D., Pachmanov, L., Pipman, I., and Tromer, gineering methods will ensure devices 606–622. E. Stealing keys from PCs using a radio: Cheap 34. Yen, S.-M., Lien, W.-C., Moon, S.-J., and Ha, J. Power comply with the model? And what al- electromagnetic attacks on windowed exponentiation. analysis by exploiting chosen message and internal In Proceedings of the Workshop on Cryptographic collisions: Vulnerability of checking mechanism for gorithms, when running on compli- Hardware and Embedded Systems (CHES 2015). RSA decryption. In Proceedings of the International ant devices, will provably protect their Springer, 2015, 207–228. Conference on Cryptology in Malaysia (Mycrypt 2005). 13. Genkin, D., Pachmanov, L., Pipman, I., and Tromer, Springer, 2005, 183–195. secrets, even in the presence of side- E. ECDH key-extraction via low-bandwidth 35. Zajic, A. and Prvulovic, M. Experimental demonstration channel attacks? electromagnetic attacks on PCs. In Proceedings of the of electromagnetic information leakage from modern Cryptographers’ Track of the RSA Conference (CT-RSA processor-memory systems. IEEE Transactions on 2016). Springer, 2016, 219–235. Electromagnetic Compatibility 56, 4 (Aug. 2014), 14. Genkin, D., Pachmanov, L., Pipman, I., Tromer, E., and 885–893. Acknowledgments Yarom, Y. ECDSA Key Extraction from Mobile Devices This article is based on our previous via Nonintrusive Physical Side Channels. Cryptology research,12,13,15,16 which was support- ePrint Archive, Report 2016/230, 2016; http://eprint. Daniel Genkin ([email protected]) is a Ph.D. iacr.org/2016/230 candidate in the Computer Science Department at ed by the Check Point Institute for 15. Genkin, E., Pipman, I., and Tromer, E. Get your hands Technion-Israel Institute of Technology, Haifa, Israel, and Information Security, the European off my laptop: Physical side-channel key-extraction a research assistant in the Blavatnik School of Computer attacks on PCs. In Proceedings of the Workshop on Science at Tel Aviv University, Israel. Union’s 10th Framework Programme Cryptographic Hardware and Embedded Systems (CHES 2014). Springer, 2014, 242–260. Lev Pachmanov ([email protected]) is a master’s candidate (FP10/2010-2016) under grant agree- 16. Genkin, D., Shamir, A., and Tromer, E. RSA key in the Blavatnik School of Computer Science at Tel Aviv ment no. 259426 ERC-CaC, a Google extraction via low-bandwidth acoustic cryptanalysis. University, Israel. In Proceedings of the Annual Cryptology Conference Faculty Research Award, the Leona M. (CRYPTO 2014). Springer, 2014, 444–461. Itamar Pipman ([email protected]) is a master’s & Harry B. Helmsley Charitable Trust, 17. Kenworthy, G. and Rohatgi, P. Mobile device security: candidate in the Blavatnik School of Computer Science at The case for side-channel resistance. In Proceedings Tel Aviv University, Israel. the Israeli Ministry of Science, Tech- of the Mobile Security Technologies Conference Adi Shamir ([email protected]) is a professor in nology and Space, the Israeli Centers (MoST), 2012; http://mostconf.org/2012/papers/21.pdf 18. Kocher, P., Jaffe, J., and Jun, B. Differential power the faculty of Mathematics and Computer Science at the of Research Excellence I-CORE pro- analysis. In Proceedings of the Annual Cryptology Weizmann Institute of Science, Rehovot, Israel. gram (center 4/11), NATO’s Public Di- Conference (CRYPTO 1999). Springer, 1999, 388–397. Eran Tromer ([email protected]) is a senior lecturer 19. Kocher, P., Jaffe, J., Jun, B., and Rohatgi, P. in the Blavatnik School of Computer Science at Tel Aviv plomacy Division in the Framework of Introduction to differential power analysis. Journal of University, Israel. Cryptographic Engineering 1, 1 (2011), 5–27. “Science for Peace,” and the Simons 20. Kocher, P.C. Timing attacks on implementations of Foundation and DIMACS/Simons Col- Diffie-Hellman, RSA, DSS, and other systems. In Copyright held by authors.

JUNE 2016 | VOL. 59 | NO. 6 | COMMUNICATIONS OF THE ACM 79