Strength of Two Data Encryption Standard Implementations under Timing Attacks

Alejandro Hevia, Dept. de Ciencias de la Computación, U. Chile
and Marcos Kiwi, Dept. de Ingeniería Matemática, U. Chile

We study the vulnerability of two implementations of the Data Encryption Standard (DES) cryptosystem under a timing attack. A timing attack is a method designed to break cryptographic systems that was recently proposed by Paul Kocher. It exploits the engineering aspects involved in the implementation of cryptosystems and might succeed even against cryptosystems that remain impervious to sophisticated cryptanalytic techniques. A timing attack is essentially a way of obtaining some user's private information by carefully measuring the time it takes the user to carry out cryptographic operations. In this work we analyze two implementations of DES. We show that a timing attack yields the Hamming weight of the key used by both DES implementations. Moreover, the attack is computationally inexpensive. We also show that all the design characteristics of the target system necessary to carry out the timing attack can be inferred from timing measurements.

Categories and Subject Descriptors: E [Data]: Data Encryption: code breaking, standards; C [Computer Systems Organization]: Special-Purpose and Application-Based Systems: Smart cards

General Terms: Security

Additional Key Words and Phrases: Timing attack, data encryption standard, cryptography, cryptanalysis

A preliminary version of this paper appeared in the Proceedings of the 3rd Latin American Symposium on Theoretical Informatics, Campinas, Brazil, April. The research of A. Hevia was partially supported by FONDAP in Applied Mathematics and by FONDECYT. The research of M. Kiwi was partially supported by FONDECYT, Fundación Andes and FONDAP in Applied Mathematics.

Authors' addresses: Alejandro Hevia, Dept. de Cs. de la Computación, Fac. de Cs. Físicas y Matemáticas, Av. Blanco Encalada, Casilla, Santiago, Chile; ahevia@dcc.uchile.cl. Marcos Kiwi, Dept. de Ing. Matemática, Fac. de Cs. Físicas y Matemáticas, Casilla, Santiago, Chile; mkiwi@dim.uchile.cl.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or direct commercial advantage and that copies show this notice on the first page or initial screen of a display along with the full citation. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, to redistribute to lists, or to use any component of this work in other works, requires prior specific permission and/or a fee. Permissions may be requested from Publications Dept., ACM Inc., Broadway, New York, NY, USA, by fax, or permissions@acm.org.

INTRODUCTION

An ingenious new type of cryptanalytic attack was introduced by Kocher in [Kocher]. This new attack is called a timing attack. It exploits the fact that cryptosystems often take slightly different amounts of time on different inputs. Kocher gave several possible explanations for this behavior, among these branching and conditional statements, RAM cache hits, processor instructions that run in non-fixed time, etc. Kocher's most significant contribution was to show that running time differentials can be exploited in order to find some of a target system's private information. Indeed, in [Kocher] it is shown how to cryptanalyze a simple modular exponentiator. Modular exponentiation is a key operation in Diffie-Hellman's key exchange protocol [Diffie and Hellman] and the RSA cryptosystem [Rivest et al.]. A modular exponentiator is a procedure that, on inputs k, n ∈ N, k < n, and y ∈ Z_n, computes y^k mod n. In the cryptographic protocols mentioned above, n is public and k is private. Kocher reports that if a passive eavesdropper can measure the time it takes a target system to compute y^k mod n for several inputs y, then he can recover the secret exponent k. Moreover, the overall computational effort involved in the attack is proportional to the amount of work done by the victim.

For concreteness' sake and clarity of exposition, we now describe the essence of Kocher's method for recovering the secret exponent of the fixed-exponent modular exponentiator shown in the figure below.

    Input:  y ∈ Z_n
    Code:   z ← 1
            Let k_l ... k_0 be k in binary
            For i = l down to 0 do
                z ← z^2 mod n
                If k_i = 1 then z ← z · y mod n
    Output: z

    Figure: Modular exponentiator.

The attack allows someone who knows k_l, ..., k_{t+1} to recover k_t. To obtain the entire exponent, the attacker starts with t = l and repeats the attack until t = 0. The attacker first computes l − t iterations of the for loop. The next iteration requires the first unknown bit k_t. If the bit is set, then the operation z ← z · y mod n is performed; otherwise it is skipped. Assume that each timing observation corresponds to an observation of a random variable

    T = e + Σ_{i=0}^{l} T_i,

where T_i is the time required for the multiplication and squaring steps corresponding to the bit k_i, and e is a random variable representing measurement error, loop overhead, etc. An attacker that correctly guesses k_t may factor out of T the effect of T_l, ..., T_t and obtain an adjusted random variable of known variance, provided the times needed to perform modular multiplications are independent from each other and from the measurement error. Incorrect guesses will produce an adjusted random variable with a higher variance than the one expected. Computing the variance is easy provided the attacker collects enough timing measurements. The correct guess will be identified successfully if its adjusted values have the smaller variance.

In theory, timing attacks can yield some of a target system's private information. In practice, in order to successfully mount a timing attack on a remote cryptosystem, a prohibitively large number of timing measurements may be required in order to compensate for the increased uncertainty caused by random network delays. Nevertheless, there are situations where we feel it is realistic to mount a timing attack. We now describe one of them.

Challenge-response protocols are used to establish whether two entities involved in communication are indeed genuine entities and can thus be allowed to continue communication with each other. In these protocols one entity challenges the other with a random number on which a predetermined calculation must be performed, often including a secret key. In order to generate the correct result for the computation, the other device must possess the correct secret key and therefore can be assumed to be authentic. Many smart cards, in particular dynamic password generators, tokens and electronic wallet cards, implement challenge-response protocols, e.g., the message authentication code generated according to the ANSI X standard [Menezes et al.]. It is expected that extensive use will be made of smart cards based on general purpose programmable integrated circuit chips. Thus the specific functionality of each smart card will be achieved through programming. The security of these smart cards will be provided using tamper-proof technology and cryptographic techniques.

The above described scenario is an ideal setting in which to carry out a timing attack. The widespread availability of a particular type of card will make it easy and inexpensive to determine the timing characteristics of the system on which to mount the attack. Later, the obtaining of precise timing measurements, e.g., by monitoring or altering a card reader or by gaining possession of a card, could be used to retrieve some of the secret information stored in the card by means of a timing attack. Thus, cards that implement challenge-response protocols where master keys are involved could give rise to a security problem. See [Dhem et al.] for a discussion of a practical implementation of a timing attack against an earlier version of the CASCADE smart card. New, unanticipated strains of timing attacks might arise. Hence, timing attacks should be given some serious consideration. This work contributes ultimately in furthering our understanding of the strengths of this new cryptanalytic technique, the weaknesses it exploits, and the ways of eliminating the possibility of it becoming practical.

Kocher implemented the attack against the Diffie-Hellman key exchange protocol. He also observed that timing attacks could potentially be used against other cryptosystems, in particular against the Data Encryption Standard (DES). This claim is the motivation for this work.

SUMMARY OF RESULTS AND ORGANIZATION

We study the vulnerability of one of the most widely used cryptosystems in the world, DES, against a timing attack. The starting point of this work is the observation of Kocher [Kocher] that in DES's key schedule generation process, moving nonzero bits of the C and D values using a conditional statement which tests whether a one-bit must be wrapped around could be a source of nonconstant encryption running times. Hence, he conjectured that a timing attack against DES could reveal the Hamming weight of the key. We show that although Kocher's observation is incorrect for the DES implementations that we analyzed, his conjecture is true. But we do more. In the section that follows we give a brief description of DES. Next we describe a timing attack against DES that assumes the attacker knows the target system's design characteristics. We first discuss experimental results that show