Eliminating Timing Side-channels. A Tutorial.

ShmooCon XI - 2015

Presented by: Peter Schwabe
Date: Sunday January 18, 2015
Time: 11:00 - 11:50
Location: Build It

The traditional model of an attacker against a cryptographic primitive sees (and potentially controls) inputs and outputs of the computation. Side-channel attacks go beyond this model. The attacker now also sees some "leakage" of the internal state of the cryptographic computation. One class of leakage is timing: If the time taken by a computation depends on secret data, the attacker can measure time and obtain information about this secret data. This is not just a theoretical threat as illustrated, for example, by a 2006 attack by Osvik, Shamir, and Tromer who used a timing attack to recover the AES-256 key used in Linux hard-disk encryption in just 65 ms. A more recent example is the Lucky 13 attack against almost all implementations of AES-CBC in TLS libraries.

The timing side channel is different than other side channels (such as power consumption or electromagnetic radiation) because it can be exploited remotely and without any specialized hardware or manual interaction. It is also different because it is now well understood how to fully eliminate timing leakage. This talk is a tutorial on how to write constant-time software, i.e., software that does not leak any secret information through timing.

Peter Schwabe

Peter Schwabe is a researcher in applied cryptography working at Radboud University Nijmegen in the Netherlands. He is mainly working on secure and efficient software implementations of cryptography and occasionally cryptanalysis. Examples of what he's been working on includes speed-record-setting timing-attack protected software for AES-CTR and AES-GCM, the Ed25519 signature scheme, and recently the formal verification of a hand-optimized assembly implementation of Curve25519 Diffie-Hellman key exchange. He is in the core development team of NaCl, the only cryptographic library that systematically protects against timing attacks.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats