SlideShare a Scribd company logo

Cryptanalytic timing attacks 2

S
Srilal Buddika

This document summarizes a timing attack against the IDEA block cipher. It describes how precise timing measurements of encryptions can reveal information about the secret key. The attack analyzes timing differences between encryptions to determine when operations like multiplication involve a zero value. This leaks key bits over multiple rounds of the analysis. The attack can recover the full 128-bit key without knowledge of the plaintext.

Technology
1 of 15
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Cryptanalytic Timing Attacks against IDEA Product block cipher (Ref: "Side Channel Cryptanalysis of Product Ciphers" by John Kelsey , Bruce Schneier , David Wagner , and Chris Hall in September 1998 ) Srilal Buddika
Outline 1.Motivation 2.About IDEA 3.IDEA Block Cipher Design 4.Cryptanalytic History on IDEA 5.Timing Attack against IDEA 6.Conclusion 7.Discussion 2
3About IDEA IDEAstands for International Data Encryption Algorithm (1991) IDEA is Block Cipher Block Size : 64 bits Key Size : 128 bits 8Rounds + Output Transformation (half-round) WhyIDEA ? The algorithm was designed to achieve high data throughput for use in real-time communications system, especially for wireless communication
4IDEA Block Cipher Design (1) RoundStructure Additionmodulo216 BitwiseexclusiveOR Multiplicationmodulo216+1
IDEA Block Cipher Design (2) 5 Stage–1ofaRound
6IDEA Block Cipher Design (3) SecondStageoftheround
7IDEA Block Cipher Design (4) OutputTransformation(half-round)
8IDEA Block Cipher Design (5) KeyGeneration KeySize=128bit Sub-keySize=16bit i.e.SimplyKeydividedintoeightpieces Algorithm: 1.Take1steightsub-keys 2.Thenrotatethekey25bitstotheleft 3.Repeatthestep-1
9 Cryptanalytic History on IDEA Consideredasreallysecure BestattackcanbreakIDEAreducedto6rounds(FullIDEA=8.5rounds) WeakKeyproblemwithtoomany0-bits(ExposedtoSide-ChannelAttacks)
10 IDEAcanbecryptanalyzedwithapieceofside-channelinformation E.g.Whetheroneoftheinputsintooneofthemultiplicationsiszero Timingscanbeacquiredintwosimpleways: 1.The cryptanalyst makes extremely precise timings of each encryption (A Ciphertext-Only Timing Attack) 2.The cryptanalyst measures total time to encrypt many similar plaintext blocks at a time (An Adaptive Chosen Plaintext Timing Attack) Timing Attack against IDEA (1)
11Timing Attacks against IDEA (2) Attacking Scenario 1.Recordprecisetimingsfornencryptions.AlsostoretheresultingciphertextblocksandletT0..n-1bethetimings,andC0..n-1betheciphertextblocks. 2.Grouptheciphertextblocksandtimingsinto216subsets,basedonthelow- order16bitsoftheoutput. 3.Testtheaveragetimesofeachgroupagainsttheaveragetimesofallthegroupsstatistically,tofindwhetheroneofthesetshas(withsomeacceptablyhighprobability)aloweraveragethantheothersets. 4.Ifso,thentheinputstothelastmultiplyoftheoutputtransformationmusthavebeen0forallinputsinthatset.Hencesolveforthelastmultiplicativesub-key.
12Timing Attacks against IDEA (3) 5.Ifthereisnodifference,theneitherwe'vechosensomeparameters(i.e.,n) wrong,orthesub-keyisa0. 6.Repeatsteps2-3,above,forthehigh-order16bitsandsolvethefirstmultiplicativesub-keyoftheoutputtransformation.Wenowhave32bitsofexpandedkey. 7.Wenowattackthesecondadditivesub-keyintheoutputtransformation. Foreachpossiblevalueofthissub-key,welookatwhichciphertextblocksleadustoazerovaluegoingintothefirstmultiplicationofthelastround'sMAbox. 8.Foroneofthesesub-keyguesses,theaveragetimingshouldbelessthanforalltheothersub-keyguesses.Thisrevealstherightsub-key. 9.Ifthereisnodifference,theneitherwe'vechosensomeparameterswrong, orthefirstsub-keyintheMA-boxiszero.Wehavenowrecovered48bitsofexpandedkey.
13Timing Attacks against IDEA (4) 10.Wenowattackthefirstadditivesub-keyintheoutputtransformation,andthefirstsub-keyintheMA-box.Wedothisasfollows: Breaktheciphertextblocksandtimingsupinto216subsetsbasedonthevalueoftheleftmost(first)inputtotheMA-box Foreachpossiblesub-keyvalueforthefirstadditivesub-keyoftheoutputtransformation,breakeachsubsetupinto216sub-subsets,basedonwhatthevalueofthesecondMA-boxinputwouldbeifthisweretherightsub-key Fortherightsub-key,eachsubsetwillhaveonesub-subsetwhichhasasmallertimingvaluethanalltheothersub-subsetsinthatsubset.Wehavenowfound64bitsofsub-key Wenowchooseanythreeofthesesub-subsets,andusethemtosolveforthefirstmultiplicativesub-keyoftheMA-box.Wehavenowfound80bitsofsub- key Finally,wecanbrute-force/exhaustivesearchtheremaining48bits.(Therearealsootherwaystocontinuethisattack)
Conclusion14 ThiskindofattackmightalsobepracticalforrecoveringthekeyfromaCipherswhichalwaysencryptsunderthesameIDEAkey.Thecryptanalystortheattackerdoesnotneedtoknowanythingabouttheplaintextforthisattack,butmustalwaysknowpreciselywhentheencryptionstartedandwhenitendedwiththecollectedciphertextblocks. There'ssomethingimportanttoknowthat,thisisnottheonlysidechannelthatcandiscoverthiskindofinformationbutthingslikeradiationandpowerconsumptioncanalsoleakthismultiply-by-zerocondition.
Thank You ! 15

More Related Content

PDF
ReWArDS: Reconfigurable hardWare for Artificial intelligence and Data Science
NECST Lab @ Politecnico di Milano
 
PPTX
Cryptanalytic timing attacks 1
Srilal Buddika
 
PDF
Overview of the Intel® Internet of Things Developer Kit
Intel® Software
 
PPT
OHM CAD SYSTEM Capabilities
Sivachandran Egamparam
 
PPTX
Integrated Circuits introduction and fpga
VenkataramanLakshmin1
 
PDF
VEGA Processors.pdf
jrkaran555
 
PPTX
More Mad Science for the Commodore 64 (ECCC 2015)
Leif Bloomquist
 
PDF
The Ring programming language version 1.4 book - Part 30 of 30
Mahmoud Samir Fayed
 
ReWArDS: Reconfigurable hardWare for Artificial intelligence and Data Science
NECST Lab @ Politecnico di Milano
 
Cryptanalytic timing attacks 1
Srilal Buddika
 
Overview of the Intel® Internet of Things Developer Kit
Intel® Software
 
OHM CAD SYSTEM Capabilities
Sivachandran Egamparam
 
Integrated Circuits introduction and fpga
VenkataramanLakshmin1
 
VEGA Processors.pdf
jrkaran555
 
More Mad Science for the Commodore 64 (ECCC 2015)
Leif Bloomquist
 
The Ring programming language version 1.4 book - Part 30 of 30
Mahmoud Samir Fayed
 

Similar to Cryptanalytic timing attacks 2 (20)

PDF
ScilabTEC 2015 - Embedded Solutions
Scilab
 
PDF
International Journal of Computational Engineering Research(IJCER)
ijceronline
 
PPT
OS_Chapter-12 simple concepts and design
Ranjithsingh20
 
PDF
Detailed Cv
m_y_abdulghany
 
PDF
Blockchain solutions leading to better security practices
Eric Larcheveque
 
PPTX
Developing a NodeBot using Intel XDK IoT Edition
Intel® Software
 
PDF
CHIPS Alliance_Object Automation Inc_workshop
Object Automation
 
PDF
Resume_DigitalIC_1
Eunice Chen
 
PPTX
Innovative Solutions for Cloud Gaming, Media, Transcoding, & AI Inferencing
Rebekah Rodriguez
 
PDF
585 589
Editor IJARCET
 
PDF
IRJET- Design and Implementation of 256-Bits Cryptography Algorithm used in t...
IRJET Journal
 
PDF
日本発のオープンソース・データベース GridDB
griddb
 
PDF
Scalable AI Solution cross AI platforms
KTN
 
PDF
ODSA Design Tools for Chiplet-Based Design
ODSA Workgroup
 
PDF
ODSA Design Tools for Chiplet-Based Design
jennimenni
 
PPTX
FPGA based mini Project.pptx
SatyabratBordoloi2
 
PDF
Intels presentation at blue line industrial computer seminar
Blue Line
 
PPT
CFD and FPGAs
gacaffe
 
PDF
Hari Krishna Vetsa Resume
Hari Krishna
 
PDF
The Ring programming language version 1.5.2 book - Part 179 of 181
Mahmoud Samir Fayed
 
ScilabTEC 2015 - Embedded Solutions
Scilab
 
International Journal of Computational Engineering Research(IJCER)
ijceronline
 
OS_Chapter-12 simple concepts and design
Ranjithsingh20
 
Detailed Cv
m_y_abdulghany
 
Blockchain solutions leading to better security practices
Eric Larcheveque
 
Developing a NodeBot using Intel XDK IoT Edition
Intel® Software
 
CHIPS Alliance_Object Automation Inc_workshop
Object Automation
 
Resume_DigitalIC_1
Eunice Chen
 
Innovative Solutions for Cloud Gaming, Media, Transcoding, & AI Inferencing
Rebekah Rodriguez
 
585 589
Editor IJARCET
 
IRJET- Design and Implementation of 256-Bits Cryptography Algorithm used in t...
IRJET Journal
 
日本発のオープンソース・データベース GridDB
griddb
 
Scalable AI Solution cross AI platforms
KTN
 
ODSA Design Tools for Chiplet-Based Design
ODSA Workgroup
 
ODSA Design Tools for Chiplet-Based Design
jennimenni
 
FPGA based mini Project.pptx
SatyabratBordoloi2
 
Intels presentation at blue line industrial computer seminar
Blue Line
 
CFD and FPGAs
gacaffe
 
Hari Krishna Vetsa Resume
Hari Krishna
 
The Ring programming language version 1.5.2 book - Part 179 of 181
Mahmoud Samir Fayed
 
Ad

Recently uploaded (20)

PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
A Presentation on Artificial Intelligence
memembruh336
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
August Patch Tuesday
Ivanti
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Ad

Cryptanalytic timing attacks 2

  • 1. Cryptanalytic Timing Attacks against IDEA Product block cipher (Ref: "Side Channel Cryptanalysis of Product Ciphers" by John Kelsey , Bruce Schneier , David Wagner , and Chris Hall in September 1998 ) Srilal Buddika
  • 2. Outline 1.Motivation 2.About IDEA 3.IDEA Block Cipher Design 4.Cryptanalytic History on IDEA 5.Timing Attack against IDEA 6.Conclusion 7.Discussion 2
  • 3. 3About IDEA IDEAstands for International Data Encryption Algorithm (1991) IDEA is Block Cipher Block Size : 64 bits Key Size : 128 bits 8Rounds + Output Transformation (half-round) WhyIDEA ? The algorithm was designed to achieve high data throughput for use in real-time communications system, especially for wireless communication
  • 4. 4IDEA Block Cipher Design (1) RoundStructure Additionmodulo216 BitwiseexclusiveOR Multiplicationmodulo216+1
  • 5. IDEA Block Cipher Design (2) 5 Stage–1ofaRound
  • 6. 6IDEA Block Cipher Design (3) SecondStageoftheround
  • 7. 7IDEA Block Cipher Design (4) OutputTransformation(half-round)
  • 8. 8IDEA Block Cipher Design (5) KeyGeneration KeySize=128bit Sub-keySize=16bit i.e.SimplyKeydividedintoeightpieces Algorithm: 1.Take1steightsub-keys 2.Thenrotatethekey25bitstotheleft 3.Repeatthestep-1
  • 9. 9 Cryptanalytic History on IDEA Consideredasreallysecure BestattackcanbreakIDEAreducedto6rounds(FullIDEA=8.5rounds) WeakKeyproblemwithtoomany0-bits(ExposedtoSide-ChannelAttacks)
  • 10. 10 IDEAcanbecryptanalyzedwithapieceofside-channelinformation E.g.Whetheroneoftheinputsintooneofthemultiplicationsiszero Timingscanbeacquiredintwosimpleways: 1.The cryptanalyst makes extremely precise timings of each encryption (A Ciphertext-Only Timing Attack) 2.The cryptanalyst measures total time to encrypt many similar plaintext blocks at a time (An Adaptive Chosen Plaintext Timing Attack) Timing Attack against IDEA (1)
  • 11. 11Timing Attacks against IDEA (2) Attacking Scenario 1.Recordprecisetimingsfornencryptions.AlsostoretheresultingciphertextblocksandletT0..n-1bethetimings,andC0..n-1betheciphertextblocks. 2.Grouptheciphertextblocksandtimingsinto216subsets,basedonthelow- order16bitsoftheoutput. 3.Testtheaveragetimesofeachgroupagainsttheaveragetimesofallthegroupsstatistically,tofindwhetheroneofthesetshas(withsomeacceptablyhighprobability)aloweraveragethantheothersets. 4.Ifso,thentheinputstothelastmultiplyoftheoutputtransformationmusthavebeen0forallinputsinthatset.Hencesolveforthelastmultiplicativesub-key.
  • 12. 12Timing Attacks against IDEA (3) 5.Ifthereisnodifference,theneitherwe'vechosensomeparameters(i.e.,n) wrong,orthesub-keyisa0. 6.Repeatsteps2-3,above,forthehigh-order16bitsandsolvethefirstmultiplicativesub-keyoftheoutputtransformation.Wenowhave32bitsofexpandedkey. 7.Wenowattackthesecondadditivesub-keyintheoutputtransformation. Foreachpossiblevalueofthissub-key,welookatwhichciphertextblocksleadustoazerovaluegoingintothefirstmultiplicationofthelastround'sMAbox. 8.Foroneofthesesub-keyguesses,theaveragetimingshouldbelessthanforalltheothersub-keyguesses.Thisrevealstherightsub-key. 9.Ifthereisnodifference,theneitherwe'vechosensomeparameterswrong, orthefirstsub-keyintheMA-boxiszero.Wehavenowrecovered48bitsofexpandedkey.
  • 13. 13Timing Attacks against IDEA (4) 10.Wenowattackthefirstadditivesub-keyintheoutputtransformation,andthefirstsub-keyintheMA-box.Wedothisasfollows: Breaktheciphertextblocksandtimingsupinto216subsetsbasedonthevalueoftheleftmost(first)inputtotheMA-box Foreachpossiblesub-keyvalueforthefirstadditivesub-keyoftheoutputtransformation,breakeachsubsetupinto216sub-subsets,basedonwhatthevalueofthesecondMA-boxinputwouldbeifthisweretherightsub-key Fortherightsub-key,eachsubsetwillhaveonesub-subsetwhichhasasmallertimingvaluethanalltheothersub-subsetsinthatsubset.Wehavenowfound64bitsofsub-key Wenowchooseanythreeofthesesub-subsets,andusethemtosolveforthefirstmultiplicativesub-keyoftheMA-box.Wehavenowfound80bitsofsub- key Finally,wecanbrute-force/exhaustivesearchtheremaining48bits.(Therearealsootherwaystocontinuethisattack)