An advanced timing attack scheme on RSA

Rudolf Tóth, Z. Faigl, M. Szalay, S. Imre
DOI: 10.1109/NETWKS.2008.4763727
Published in: Networks 2008 - The 13th International Telecommunications Network Strategy and Planning Symposium, September 2008
Citations: 12

Abstract

This paper describes an advanced timing attack scheme on cryptographic algorithms. An attacker can use our method to break a cryptographic algorithm by reconstructing the secret key. The paper contains a detailed explanation of our novel algorithm and a practical example of its use. As a proof of concept, the method is shown on a specific implementation of the RSA algorithm, revealing a 128-bit secret key. Timing attacks assume that the attacker has partial or full knowledge of the internal structure of the attacked algorithm and has gathered timing information on a number of known messages that were encrypted or decrypted with the specific key. In our simplified proof-of-concept example, the attacker knows the total number of extra-reduction steps of the Montgomery multiplication in the RSA for a number of known messages. We demonstrate in practice how this information can be used to achieve complete and fast key recovery with statistical tools, namely analysis of variance (ANOVA) and the t-test. Similar timing attacks have already been presented by others; however, to our knowledge, none of them applied these statistical tools in their methods with such efficiency, nor showed complete recovery in practice by attacking the Montgomery multiplication. However, this is not the main contribution of the paper. The main contribution is that we have introduced the new concepts of key trees and goodness values, which let the recovery algorithm examine only a very small key space even if the decision criteria for guessing the key bits are highly biased. This concept can be extended to any other timing attack.