DOI: 10.1145/3274694.3274725. ACSAC conference proceedings. Research article. Open Access.

Side-Channel Analysis of SM2: A Late-Stage Featurization Case Study

Published: 03 December 2018

ABSTRACT

SM2 is a public key cryptography suite originating from Chinese standards, including digital signatures and public key encryption. Ahead of schedule, code for this functionality was recently mainlined in OpenSSL, marked for the upcoming 1.1.1 release. We perform a security review of this implementation, uncovering various deficiencies ranging from traditional software quality issues to side-channel risks. To assess the latter, we carry out a side-channel security evaluation and discover that the implementation hits every pitfall seen for OpenSSL's ECDSA code in the past decade. We carry out remote timings, cache timings, and EM analysis, with accompanying empirical data to demonstrate secret information leakage during execution of both digital signature generation and public key decryption. Finally, we propose, implement, and empirically evaluate countermeasures.
