Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, And

Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems

Paul C. Kocher
Cryptography Research, Inc. 607 Market Street, 5th Floor, San Francisco, CA 94105, USA. E-mail: [email protected].

Abstract. By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems. Against a vulnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. Techniques for preventing the attack for RSA and Diffie-Hellman are presented. Some cryptosystems will need to be revised to protect against the attack, and new protocols and algorithms may need to incorporate measures to prevent timing attacks.

Keywords: timing attack, cryptanalysis, RSA, Diffie-Hellman, DSS.

1 Introduction

Cryptosystems often take slightly different amounts of time to process different inputs. Reasons include performance optimizations to bypass unnecessary operations, branching and conditional statements, RAM cache hits, processor instructions (such as multiplication and division) that run in non-fixed time, and a wide variety of other causes. Performance characteristics typically depend on both the encryption key and the input data (e.g., plaintext or ciphertext). While it is known that timing channels can leak data or keys across a controlled perimeter, intuition might suggest that unintentional timing characteristics would only reveal a small amount of information from a cryptosystem (such as the Hamming weight of the key). However, attacks are presented which can exploit timing measurements from vulnerable systems to find the entire secret key.

2 Cryptanalysis of a Simple Modular Exponentiator

Diffie-Hellman[2] and RSA[8] private-key operations consist of computing $R = y^x \bmod n$, where $n$ is public and $y$ can be found by an eavesdropper. The attacker's goal is to find $x$, the secret key. For the attack, the victim must compute $y^x \bmod n$ for several values of $y$, where $y$, $n$, and the computation time are known to the attacker. (If a new secret exponent $x$ is chosen for each operation, the attack does not work.) The necessary information and timing measurements might be obtained by passively eavesdropping on an interactive protocol, since an attacker could record the messages received by the target and measure the amount of time taken to respond to each $y$.

The attack assumes that the attacker knows the design of the target system, although in practice this could probably be inferred from timing information. The attack can be tailored to work with virtually any implementation that does not run in fixed time, but is first outlined using the simple modular exponentiation algorithm below, which computes $R = y^x \bmod n$, where $x$ is $w$ bits long:

    Let $s_0 = 1$.
    For $k = 0$ upto $w-1$:
        If (bit $k$ of $x$) is 1 then
            Let $R_k = (s_k \cdot y) \bmod n$.
        Else
            Let $R_k = s_k$.
        Let $s_{k+1} = R_k^2 \bmod n$.
    EndFor.
    Return ($R_{w-1}$).

The attack allows someone who knows exponent bits $0..(b-1)$ to find bit $b$. To obtain the entire exponent, start with $b$ equal to 0 and repeat the attack until the entire exponent is known.

Because the first $b$ exponent bits are known, the attacker can compute the first $b$ iterations of the For loop to find the value of $s_b$. The next iteration requires the first unknown exponent bit. If this bit is set, $R_b = (s_b \cdot y) \bmod n$ will be computed. If it is zero, the operation will be skipped.

The attack will be described first in an extreme hypothetical case. Suppose the target system uses a modular multiplication function that is normally extremely fast but occasionally takes much more time than an entire normal modular exponentiation. For a few $s_b$ and $y$ values the calculation of $R_b = (s_b \cdot y) \bmod n$ will be extremely slow, and by using knowledge about the target system's design the attacker can determine which these are. If the total modular exponentiation time is ever fast when $R_b = (s_b \cdot y) \bmod n$ is slow, exponent bit $b$ must be zero. Conversely, if slow $R_b = (s_b \cdot y) \bmod n$ operations always result in slow total modular exponentiation times, the exponent bit is probably set. Once exponent bit $b$ is known, the attacker can verify that the overall operation time is slow whenever $s_{b+1} = R_b^2 \bmod n$ is expected to be slow. The same set of timing measurements can then be reused to find the following exponent bits.

3 Error Correction

If exponent bit $b$ is guessed incorrectly, the values computed for $R_{k \ge b}$ will be incorrect and, so far as the attack is concerned, essentially random. The time required for multiplies following the error will not be reflected in the overall exponentiation time. The attack thus has an error-detection property; after an incorrect exponent bit guess, no more meaningful correlations are observed.

The error detection property can be used for error correction. For example, the attacker can maintain a list of the most likely exponent intermediates along with a value corresponding to the probability each is correct. The attack is continued for only the most likely candidate. If the currently-favored value is incorrect, it will tend to fall in ranking, while correct values will tend to rise. Error correction techniques increase the memory and processing requirements for the attack, but can greatly reduce the number of samples required.

4 The General Attack

The attack can be treated as a signal detection problem. The "signal" consists of the timing variation due to the target exponent bit, and "noise" results from measurement inaccuracies and timing variations due to unknown exponent bits. The properties of the signal and noise determine the number of timing measurements required for the attack. Given $j$ messages $y_0, y_1, \ldots, y_{j-1}$ with corresponding timing measurements $T_0, T_1, \ldots, T_{j-1}$, the probability that a guess $x_b$ for the first $b$ exponent bits is correct is proportional to

$$P(x_b) \propto \prod_{i=0}^{j-1} F\big(T_i - t(y_i, x_b)\big)$$

where $t(y_i, x_b)$ is the amount of time required for the first $b$ iterations of the $y^x \bmod n$ computation using exponent bits $x_b$, and $F$ is the expected probability distribution function of $T - t(y, x_b)$ over all $y$ values and correct $x_b$. Because $F$ is defined as the probability distribution of $T_i - t(y_i, x_b)$ if $x_b$ is correct, it is the best function for predicting $T_i - t(y_i, x_b)$. Note that the timing measurements and intermediate $s$ values can be used to improve the estimate of $F$.

Given a correct guess for $x_{b-1}$, there are two possible values for $x_b$. The probability that $x_b$ is correct and $x_b'$ is incorrect can be found as

$$\frac{\prod_{i=0}^{j-1} F\big(T_i - t(y_i, x_b)\big)}{\prod_{i=0}^{j-1} F\big(T_i - t(y_i, x_b)\big) + \prod_{i=0}^{j-1} F\big(T_i - t(y_i, x_b')\big)}.$$

In practice, this formula is not very useful because finding $F$ would require extraordinary effort.

5 Simplifying the Attack

Fortunately it is generally not necessary to compute $F$. Each timing observation consists of $T = e + \sum_{i=0}^{w-1} t_i$, where $t_i$ is the time required for the multiplication and squaring steps for bit $i$ and $e$ includes measurement error, loop overhead, etc. Given guess $x_b$, the attacker can find $\sum_{i=0}^{b-1} t_i$ for each sample $y$. If $x_b$ is correct, subtracting from $T$ yields $e + \sum_{i=0}^{w-1} t_i - \sum_{i=0}^{b-1} t_i = e + \sum_{i=b}^{w-1} t_i$. Since the modular multiplication times are effectively independent from each other and from the measurement error, the variance of $e + \sum_{i=b}^{w-1} t_i$ over all observed samples is expected to be $\mathrm{Var}(e) + (w-b)\,\mathrm{Var}(t)$. However, if only the first $c < b$ bits of the exponent guess are correct, the expected variance will be $\mathrm{Var}(e) + (w-b+2c)\,\mathrm{Var}(t)$. Correctly-emulated iterations decrease the expected variance by $\mathrm{Var}(t)$, while iterations following an incorrect exponent bit each increase the variance by $\mathrm{Var}(t)$. Computing the variances is easy and provides a good way to identify correct exponent bit guesses.

It is now possible to estimate the number of samples required for the attack. Suppose an attacker has $j$ accurate timing measurements and has two guesses for the first $b$ bits of a $w$-bit exponent, one correct and the other incorrect with the first error at bit $c$. For each guess the timing measurements can be adjusted by $\sum_{i=0}^{b-1} t_i$.
