Revisiting and Evaluating Software Side-channel Vulnerabilities and Countermeasures in Cryptographic Applications Tianwei Zhang Jun Jiang Yinqian Zhang Nanyang Technological University Two Sigma Investments, LP The Ohio State University [email protected] [email protected] [email protected] Abstract—We systematize software side-channel attacks with three questions: (1) What are the common and distinct a focus on vulnerabilities and countermeasures in the cryp- features of various vulnerabilities? (2) What are common tographic implementations. Particularly, we survey past re- mitigation strategies? (3) What is the status quo of cryp- search literature to categorize vulnerable implementations, tographic applications regarding side-channel vulnerabili- and identify common strategies to eliminate them. We then ties? Past work only surveyed attack techniques and media evaluate popular libraries and applications, quantitatively [20–31], without offering unified summaries for software measuring and comparing the vulnerability severity, re- vulnerabilities and countermeasures that are more useful. sponse time and coverage. Based on these characterizations This paper provides a comprehensive characterization and evaluations, we offer some insights for side-channel of side-channel vulnerabilities and countermeasures, as researchers, cryptographic software developers and users. well as evaluations of cryptographic applications related We hope our study can inspire the side-channel research to side-channel attacks. We present this study in three di- community to discover new vulnerabilities, and more im- rections. (1) Systematization of literature: we characterize portantly, to fortify applications against them. the vulnerabilities from past work with regard to the im- plementations; for each vulnerability, we describe the root cause and the technique required to launch a successful 1. Introduction attack. (2) Identification and abstraction of key counter- measure techniques: we summarize the common strategies Side-channel attacks have become a severe threat to mitigate different categories of vulnerabilities; we also to computer applications and systems. They exploit the explore and compare the effectiveness of each counter- vulnerabilities in the implementations instead of the al- measure implementation under different threat models. (3) gorithms. Vulnerable implementations can exhibit input- Evaluation of cryptographic applications: we perform a dependent non-functional behaviors at runtime, which can timeline analysis of side-channel vulnerabilities and the be observed by an adversary to fully or partially recover corresponding patches in various libraries and products, the sensitive input. Over the past few years, numerous and evaluate the vulnerability severity, patch release speed side-channel vulnerabilities were discovered and exploited and coverage from a practical perspective. to defeat modern cryptographic schemes, allowing adver- saries to break strong ciphers in a short period of time Scope. There are generally two types of side-channel with very few trials. attacks. In software attacks, an adversary interacts with Defeating side-channel vulnerabilities has been a long- the victim application through a local malicious program standing goal for providing robust cryptographic protec- or over the network to collect information such as exe- tion. Although security-aware systems [1–6] and archi- cution time [32, 33] and memory access pattern [34] for tectures [7–11] were designed to mitigate side-channel recovering the victim’s secrets. Such vulnerabilities are attacks, a more efficient and practical approach is to elimi- usually caused by critical control flow or data flow leak- nate side-channel sources from software implementations. age. In physical attacks, an adversary physically interferes arXiv:1911.09312v2 [cs.CR] 12 Dec 2019 Various tools and methods were proposed to facilitate cre- with the victim’s execution (e.g., fault injection [35]) or ating software free of side channels [12, 13] or verifying approaches the victim to collect physical signals such as their non-existence [14–19]. It is however still very chal- acoustic emission [36], electromagnetic radiation [37, 38] lenging to remove all side-channel vulnerabilities from and power trace [39, 40]. The adversary utilizes special critical implementations, since cryptographic applications analysis (e.g., power analysis [41, 42]) to obtain finer usually have a large code base and high performance grained information (e.g., intermediate values, Hamming requirement. As such, the arms race between side-channel weights) than control flow or data flow. In this paper, attacks and defenses remains heated. we mainly focus on software attacks, which are more ex- Past several decades have seen a large amount of ploitable and common. Physical attacks and vulnerabilities literature about side-channel vulnerabilities. Meanwhile, are out of the scope of this paper. various open-source libraries and commercial products Contributions. The main purpose of this work is to help have introduced different mitigation solutions. Thus, it researchers, software developers and users better under- becomes necessary to systematize the knowledge about stand the status quo and future direction of side-channel the characteristics and evolution of these vulnerabilities research and countermeasure development. Based on our and countermeasures. We are particularly interested in systematization, we: 1) propose three possible directions (r) (r) for researchers to consider in their future exploration; 2) (x0 ; :::; x15 ) at each round r as a 4 × 4 matrix. The provide three recommendations for developers to follow (0) initial state is computed as xi = pi ⊕ ki (i = 0; :::; 15), in security enhancement of their applications against side- known as AddRoundKey. Each of the following 9 channel attacks; 3) identify three indications for users rounds consists of SubBytes (byte substitution based to utilize in selecting libraries and implementations most on a lookup table), ShiftRows (transposition of bytes suitable for their usage scenarios. The key contributions within each of the three last rows in the 4 × 4 matrix), of this paper are: MixColumns (matrix multiplication to make each byte • Characterization of side-channel vulnerabilities in im- represents a weighted sum of all bytes in its column) plementations of cryptographic operations (Sec. 3). and AddRoundKey operations. The final round has only • Identification and dissection of common countermea- SubBytes, ShiftRow and AddRoundKey operations, sure technique designs (Sec. 4). and its output is the ciphertext. • Evaluation of cryptographic applications, and analysis of vulnerabilities and countermeasures (Sec. 5). 2.1.3. Post-Quantum Cryptography. This cipher family • Insights and recommendations for side-channel re- was proposed to sustain attacks by a quantum computer. searchers, software developers and users (Sec. 6). One popular scheme is lattice-based cryptography. NTRU [47]. It utilizes simple polynomial multiplication N 2. Background in the ring of truncated polynomials Zq[X]=(X − 1). For encryption, the private key consists of a pair of −1 polynomials f and g, and the public key h = p · fq · g 2.1. Basics of Cryptography −1 mod q, where fq denotes the inverse of f modulo q. To encrypt a message m, one needs to compute a hash 2.1.1. Asymmetric Cryptography. Each user has a pub- function r = G(m) and m0 = m⊕H(r ·h mod q). Then lic key that is widely distributed and a private key that the ciphertext is e = (r · h + m0) mod q. To decrypt is kept to herself. This pair of keys can be used for data the message, one needs to first recover m0 = ((f · e encryption/decryption and digital signature. −1 mod q) mod p) · fp mod p and then the plaintext is RSA [43]. Two different large prime numbers, p and q, computed as M = m0 ⊕ H(e − m0 mod q). The security and an integer e, are chosen to satisfy that gcd(p−1; e) = of NTRU relies on the difficulty of solving the shortest 1 and gcd(q − 1; e) = 1. Let N = pq and d = e−1 vector problem in a lattice. mod (p−1)(q−1), then the public key is the tuple (N; e), Ring Learning With Errors (RLWE) [48]. To generate and the private key is d. For a message m, the ciphertext a key pair, one needs to create a polynomial a 2 R with is calculated as c ≡ me mod N. For a ciphertext c, the q coefficients chosen uniformly in Zq, sample two polyno- message is decrypted as m ≡ cd mod N. The security mials r1; r2 2 Rq from χ and compute p = r1−a·r2 2 Rq. of RSA relies on the difficulty of factoring large integers. Then the public key is (a; p) and the private key is ElGamal [44]. A large cyclic group G is chosen. Let q be r2. To encrypt a message m, one needs to first encode its order, g be its generator, x be a random positive integer m to a polynomial m, and sample three polynomials x smaller than q, and h = g , then the public key is the tuple e1; e2; e3 2 Rq from χ. Then the ciphertext is (c1; c2), (G; q; g; h), and the private key is x. To encrypt a message where c1 = a·e1 +e2 and c2 = p·e1 +e3 +m. To decrypt 0 m, one chooses a random positive integer smaller than q, the message, one needs to compute m = c1 ·r2 +c2 2 Rq denoted by y, and calculate the ciphertext as (gy; m · hy). and decode the coefficients of m0 to either 0 or 1. To decrypt a ciphertext (c1; c2), one can compute m = x −1 Bimodal Lattice Signature Scheme (BLISS) [49]. The c2 ·(c ) . The security of ElGamal relies on the difficulty N 1 private key is S = (s1; s2) where s1; s2 2 Zq[X]=(X − of solving the Discrete Logarithm Problem. 1) and the corresponding public key is A = (2aq; q − 2) Elliptic Curve Cryptography (ECC) [45, 46]. An ellip- mod 2q where aq = s2=s1. To sign a message µ, two tic curve group is chosen with prime order p and generator blinding values y1; y2 2 R are sampled from a discrete G.