Basics of Side-Channel Analysis

Abstract

13.1 Introduction Classical cryptography considers attack scenarios of adversaries getting black-box access to a cryptosystem, namely to its inputs and outputs. For example, in a chosen-ciphertext attack, an adversary can submit ciphertexts of her choice to a decryption oracle and receives in return the corresponding plaintexts. In real life, however, an adversary may be more powerful. For example, an adversary may in addition mon-itor the execution of the cryptosystem under attack and collect some side-channel information, such as the execution time or the power consumption. The idea behind side-channel analysis is to infer some secret data from this extra information. This chapter presents several applications of side-channel analysis using differ-ent types of side-channel leakage. The primary goal is to explain the basic princi-ples of side-channel analysis through concrete examples. Simple countermeasures to prevent side-channel leakage are also discussed. More sophisticated methods and advanced techniques are presented in the next chapters. 13.2 Timing Analysis The concept of using side-channel information as a means to attack cryptographic schemes first appeared in a seminal paper by Kocher [8]. In this paper, Kocher ex-ploits differences in computation times to break certain implementations of RSA and of discrete-logarithm based cryptosystems. In this section, we describe two timing attacks. We show how an attacker able to make timing measurements with some accuracy can recover secret data. The first attack applies to a password verification routine. Following [5], the second attack is against an implementation of an RSA signature scheme [2, 13].