Questions tagged [side-channel-attack]
Attacks using information leaked by implementations of cryptographic algorithms (timing, power, cache behaviour, faults, emissions) to obtain information about keys or (plaintext) data, instead of, or in addition to, exploiting weaknesses of the algorithms themselves.
235 questions
2 votes
1 answer
109 views
Modulus blinding in RSA?
To prevent some side-channel attacks in RSA, I've seen people use multiplicative blinding $$ a^d\bmod N=(r^{-1})^d(ra)^d\bmod N $$ or additive exponent blinding $$ a^d=a^{d+r\phi(N)}\bmod N. $$ ...
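Added example, not part of the question or of any answer: the two blinding identities the question quotes, written out in pure Python against a toy RSA key, next to a traced square-and-multiply that shows what an unblinded exponentiation hands to a simple power or timing probe. The two Mersenne primes, the exponent and the blinding factors are constructed for the example; real keys are 2048 bits or more, and Python's `pow()` is itself not constant-time.

```python
"""Added example (not from the question or any library): RSA base blinding and
exponent blinding, plus a traced square-and-multiply showing why they matter.
Toy key from two Mersenne primes so it runs instantly; Python's pow() is not
constant-time, so this illustrates the algebra, not a hardened implementation."""
import secrets
from math import gcd

P = (1 << 31) - 1            # 2^31 - 1, prime (constructed toy key)
Q = (1 << 61) - 1            # 2^61 - 1, prime
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)


def square_multiply_traced(base, exp, mod):
    """Left-to-right square-and-multiply returning (result, trace).

    The trace is what a simple power/timing probe sees: an 'M' follows an 'S'
    only for a 1 bit, so an unblinded trace spells out the exponent."""
    acc, trace = 1, []
    for bit in bin(exp)[2:]:
        acc = acc * acc % mod
        trace.append("S")
        if bit == "1":
            acc = acc * base % mod
            trace.append("M")
    return acc, "".join(trace)


def exponent_from_trace(trace):
    """What the attacker does with such a trace: each 'S' starts a bit, and an
    immediately following 'M' makes that bit 1."""
    bits = ["1" if trace[i + 1:i + 2] == "M" else "0"
            for i, op in enumerate(trace) if op == "S"]
    return int("".join(bits), 2)


def base_blinded(a, d, n, r=None):
    """a^d = (r^-1)^d (r a)^d mod n, exactly as written in the question.
    The exponentiation never operates on the attacker-chosen base a."""
    r = secrets.randbelow(n - 2) + 2 if r is None else r
    if gcd(r, n) != 1:
        raise ValueError("blinding factor must be invertible mod n")
    r_inv = pow(r, -1, n)
    return pow(r_inv, d, n) * pow(r * a % n, d, n) % n


def base_blinded_cheap(a, d, e, n, r=None):
    """The usual cheaper form: blind with r^e so that (r^e a)^d = r a^d and
    unblinding is a single multiply by r^-1 instead of a second exponentiation."""
    r = secrets.randbelow(n - 2) + 2 if r is None else r
    if gcd(r, n) != 1:
        raise ValueError("blinding factor must be invertible mod n")
    return pow(pow(r, e, n) * a % n, d, n) * pow(r, -1, n) % n


def exponent_blinded(a, d, phi, n, r=None):
    """a^(d + r phi(n)) mod n. Equal to a^d for every a (by CRT: modulo each
    prime factor a^phi is 1, unless that prime divides a, in which case both
    sides are 0), but the exponent the loop walks differs on every call."""
    r = secrets.randbits(64) if r is None else r
    return pow(a, d + r * phi, n)
```

Both blinding factors must be fresh per private-key operation; reusing `r` gives the attacker a fixed exponent to average over again. Exponent blinding only randomises which exponent a single trace reveals, so `r` needs enough bits that traces cannot simply be combined, and production code pairs it with a constant-time ladder and CRT rather than the demonstrative loop above.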
1 vote
1 answer
120 views
What does propagation of fake signatures for lattice attack mean?
I'm carrying out a research project on vulnerabilities in ECDSA implementation especially on the part of the signatures. This what got me to lattice attacks on vulnerable signatures with leaked bits ...
1 vote
0 answers
44 views
Inconsistency in TINYAES128 template attack results
I've attempted to perform a template attack on TINYAES128. Plaintext and key are both 16 bytes and my attack targets each subkey (byte) separately. The AES implementation is mostly like the one ...
3 votes
1 answer
117 views
Are there real-world applications of non-malleable codes?
I've encountered numerous theoretical works on non-malleable codes (NMCs), including constructions for various tampering classes and improvements in efficiency or security models. Some notable ...
2 votes
3 answers
321 views
Who has checked that AES-NI produces the expected results? (i.e. the exact same as software-only AES encryption)
Everybody seems to rely happily on the set of Intel instructions on > 2010 CPUs to accelerate AES256 encryption. This might be a too naive question but, being the exact algorithms an industrial ...
8 votes
0 answers
308 views
Boolean-to-arithmetic masking
In the paper "Efficient Boolean-to-Arithmetic Mask Conversion in Hardware" by Aein Rezaei Shahmirzadi and Michael Hutter of PQShield, the authors claim to have found a method for boolean-to-...
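Added example, not from the paper or the question: the classic software Boolean-to-arithmetic conversion (Goubin, CHES 2001) that a hardware design like the one asked about has to reproduce without leaking through glitches or register transitions. The word width and the exhaustive check are the example's own choices; the software sequence is secure against first-order probing in the value-leakage model, not against hardware glitches, which is exactly why dedicated hardware constructions exist.

```python
"""Added example (not from the paper or the question): Goubin's 2001 software
Boolean-to-arithmetic mask conversion, plus the masked addition that motivates
it. Word width w is a parameter so the check can be exhaustive for small w."""
import secrets


def b2a_goubin(x_bool, r, gamma, w=8):
    """Convert the Boolean sharing (x_bool = x ^ r, r) into the arithmetic
    sharing (x - r mod 2^w, r) without ever reconstructing x.
    gamma must be a fresh uniformly random w-bit word on every call.

    Correctness rests on phi(a) = (x_bool ^ a) - a being affine over GF(2):
    phi(a ^ b) = phi(a) ^ phi(b) ^ x_bool, so phi(r) = phi(g) ^ phi(g ^ r) ^ x_bool."""
    mask = (1 << w) - 1
    t = x_bool ^ gamma
    t = (t - gamma) & mask          # phi(gamma)
    t ^= x_bool                     # phi(gamma) ^ x_bool
    gamma ^= r                      # gamma ^ r
    a = x_bool ^ gamma
    a = (a - gamma) & mask          # phi(gamma ^ r)
    return a ^ t                    # phi(r) = (x_bool ^ r) - r = x - r mod 2^w


def b2a_unmasked(x_bool, r, w=8):
    """Reference that is NOT side-channel safe: it reconstructs x in the clear."""
    mask = (1 << w) - 1
    x = x_bool ^ r
    return (x - r) & mask


def b2a_exhaustive_check(w):
    """True if b2a_goubin matches the reference for every x, r, gamma of w bits."""
    for x in range(1 << w):
        for r in range(1 << w):
            x_bool = x ^ r
            want = b2a_unmasked(x_bool, r, w)
            for gamma in range(1 << w):
                if b2a_goubin(x_bool, r, gamma, w) != want:
                    return False
    return True


def masked_add_demo(x, y, w=8):
    """Why the conversion exists: Boolean shares cannot be added share-wise, so
    both operands are converted and the sum is computed on arithmetic shares.
    The final unmasking is only here so the result can be checked."""
    mask = (1 << w) - 1
    rx, ry = secrets.randbits(w), secrets.randbits(w)
    ax = b2a_goubin(x ^ rx, rx, secrets.randbits(w), w)   # x - rx
    ay = b2a_goubin(y ^ ry, ry, secrets.randbits(w), w)   # y - ry
    sum_share = (ax + ay) & mask                          # (x + y) - (rx + ry)
    sum_mask = (rx + ry) & mask
    return (sum_share + sum_mask) & mask
```

The sequence uses only XOR and subtraction on masked values, and `gamma` prevents the intermediate `(x_bool ^ a) - a` from correlating with `x`. In hardware the same data flow can still leak through glitches and transition leakage, which is the gap that the paper's hardware-specific construction addresses.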
1 vote
0 answers
55 views
How do side channel attacks on memory hard key derivation work?
Is it solely by exploiting that accessing a given memory address depends on its location? E.g. column hit? Or is it just the CPU cache pre-fetching? Or is it something else (or more)? Also, how ...
4 votes
1 answer
158 views
How does decryption failure reveal information about the secret key?
I have been studying the CRYSTALS-KYBER cryptosystem and came across the description of a Decryption Failure Attack in the paper. The specific part (Section 5.5 https://pq-crystals.org/kyber/data/...
13 votes
5 answers
4k views
Are garbage-collection programming languages inherently unsafe for use in cryptography?
In JP Aumasson's cryptocoding guidelines, he states that memory containing secret data should be cleared before it goes out of scope. This is to prevent vulnerabilities where, for example, an attacker ...
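Added example, not from the question, the guidelines or any answer: what "clear the memory before it goes out of scope" can and cannot achieve in a garbage-collected language, using CPython. The secret buffer is held in a `bytearray` that can be overwritten in place; every `bytes` copy made from it is immutable and escapes the wipe. The key and message are constructed for the example.

```python
"""Added example (not from the question or the cryptocoding guidelines): a
wipeable secret buffer in Python, showing which copies the wipe can and cannot
reach. Assumes CPython; the key and message passed in below are constructed."""
import hashlib
import hmac


class SecretBuffer:
    """Keeps key material in a bytearray we can overwrite. Anything turned into
    a `bytes` object (bytes(buf), buf.hex(), slicing into bytes) is immutable,
    cannot be cleared, and lives until the garbage collector frees it."""

    def __init__(self, data):
        self.buf = bytearray(data)          # our own copy, in mutable memory

    def __enter__(self):
        return self.buf

    def __exit__(self, *exc):
        self.wipe()
        return False

    def wipe(self):
        # In-place overwrite. CPython does no dead-store elimination, so this
        # is not optimised away the way a plain memset() can be in C.
        self.buf[:] = bytes(len(self.buf))

    def is_wiped(self):
        return not any(self.buf)


def mac_with_wipe(key_material, message):
    """Use the key inside the context, then report what survived the wipe:
    returns (tag, buffer wiped?, escaped immutable copy still holds the key?)."""
    holder = SecretBuffer(key_material)
    with holder as key:
        escaped = bytes(key)                # the mistake: an unwipeable copy
        tag = hmac.new(key, message, hashlib.sha256).digest()
    return tag, holder.is_wiped(), escaped == key_material


def verify_tag(key_material, message, tag):
    """Constant-time comparison; == on bytes stops at the first mismatch."""
    expected = hmac.new(key_material, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)
```

Even with the buffer wiped, `hmac` builds its own padded copies of the key inside the library, and the interpreter may have copied the object during allocation; in a garbage-collected runtime the wipe is best effort, which is the limitation the question is about.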
2 votes
0 answers
123 views
Why doesn't OpenSSL use Karatsuba multiplication with bit extension when the numbers are of different sizes?
In the second paragraph of section 2.5 of the paper Remote Timing Attacks are Practical the authors write: When $g$ is just below a multiple of $q$, then OpenSSL almost always uses fast Karatsuba ...
7 votes
3 answers
2k views
New causes of side channel
Until recently, my list of what can cause side channels exfiltrating secret data (including data depending on secrets) from code running in a computer was limited to: Hardware emissions: power (e.g. ...
3 votes
2 answers
1k views
How do cache-timing attacks determine the secret keys of encryption algorithms?
In cache-timing attacks like prime+probe, attacking programs are able to discover the addresses of a victim program's data in main memory. These attacks are often used to determine the secret keys ...
1 vote
0 answers
314 views
ECDSA biased nonce with biased middle bits
The paper "Biased nonce sense" (https://eprint.iacr.org/2019/023.pdf) covers key recovery for MSB and LSB, the latter case being handled by doing modular inverse of 2 to the power of the ...
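Added example, not from the paper or from either of the lattice questions on this page (this one and the earlier one on leaked nonce bits): the LSB case in working code. Each signature whose nonce has known low bits is turned into a hidden-number relation by multiplying with the inverse of 2^l, exactly the step the question refers to, and the relations are solved with a small exact-arithmetic LLL. The secp256k1 constants are reproduced from the standard; the private key, messages, nonces and the "leaked" bits are constructed inside `demo`.

```python
"""Added example (not from the paper or either question): ECDSA private-key
recovery from nonces whose low l bits are known. Dividing the known bits out
with the inverse of 2^l turns each signature into a hidden-number relation,
solved here with a small exact LLL. secp256k1 constants reproduced; the
signatures and leaks are constructed."""
from fractions import Fraction
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):                        # affine group law on y^2 = x^3 + 7
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                        # Q + (-Q) = infinity
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc


def ecdsa_sign(d, h, k):
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h + r * d) % N


def hnp_from_lsb(sigs, lows, l):
    """k = 2^l k' + a, a known: k' = 2^-l (s^-1 h - a) + 2^-l s^-1 r d (mod N) is
    the integer k >> l < N / 2^l. Returns (t_i, u_i) with k'_i = t_i d + u_i."""
    inv2l = pow(1 << l, -1, N)
    ts = [inv2l * pow(s, -1, N) * r % N for _, r, s in sigs]
    us = [inv2l * (pow(s, -1, N) * h - a) % N for (h, _, s), a in zip(sigs, lows)]
    return ts, us


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL with exact rational Gram-Schmidt; adequate at this size."""
    b, n = [[Fraction(v) for v in row] for row in basis], len(basis)
    dot = lambda u, v: sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bs, mu = [], [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bs[j]) / dot(bs[j], bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bs[j])]
            bs.append(v)
        return bs, mu

    bs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                  # size-reduce b_k
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                for i in range(j + 1):
                    mu[k][i] -= q * mu[j][i]
        if dot(bs[k], bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1]):
            k += 1                                      # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(v) for v in row] for row in b]


def recover_private_key(sigs, lows, pub, l, bits=256):
    """Eliminate d between the relations k'_i = t_i d + u_i (mod N) and embed the
    result in a lattice whose shortest vector is (k'_1..k'_m, B), B = 2^(bits-l)."""
    ts, us = hnp_from_lsb(sigs, lows, l)
    m, bound, t1_inv = len(sigs), 1 << (bits - l), pow(ts[0], -1, N)
    alphas = [t * t1_inv % N for t in ts[1:]]           # k'_i = alpha_i k'_1 + beta_i
    betas = [(u - a * us[0]) % N for a, u in zip(alphas, us[1:])]
    basis = [[N * (j == i) for j in range(m + 1)] for i in range(1, m)]
    basis += [[1] + alphas + [0], [0] + betas + [bound]]
    for row in lll(basis):
        if abs(row[-1]) == bound:                       # candidate +-(k'_1..k'_m, B)
            k1 = row[0] if row[-1] > 0 else -row[0]
            d = (k1 - us[0]) * t1_inv % N
            if ec_mul(d, G) == pub:                     # the attacker's only check
                return d
    return None


def demo(m=5, l=128):
    """Constructed scenario: m signatures whose nonces' low l bits leaked."""
    d = secrets.randbelow(N - 1) + 1
    pub = ec_mul(d, G)
    sigs, lows = [], []
    for _ in range(m):
        h, k = secrets.randbelow(N), secrets.randbelow(N - 1) + 1
        r, s = ecdsa_sign(d, h, k)
        sigs.append((h, r, s))
        lows.append(k & ((1 << l) - 1))                 # what the side channel gave us
    return recover_private_key(sigs, lows, pub, l) == d
```

Half the nonce leaked per signature is a deliberately generous setting so that five signatures and a six-dimensional lattice suffice; with only a few bits per nonce the same reduction applies but the lattice needs many more signatures and BKZ rather than plain LLL. Known middle bits do not reduce to this form with a single multiplication, which is the gap the question is about.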
3 votes
2 answers
385 views
AES vs Serpent - which is more side-channel resistant?
I learned that some AES implementations are vulnerable to side-channel attacks due to how the SBOX structure is implemented. The output has to be nonlinear, therefore having low bit inputs results in ...
1 vote
0 answers
649 views
Need help with Cryptohack's ProSign 3 ECDSA problem [closed]
I'm trying to solve the CTF challenge called ProSign 3 at Cryptohack platform which involves exploiting an ECDSA signing service that allows us to sign a fixed message being padded with the time ...