doi:10.1016/j.comnet.2005.01.010
Copyright © 2005 Elsevier B.V. All rights reserved.
Remote timing attacks are practical
(a) Carnegie Mellon University, 5000 Forbes Ave, Wean Hall # 8116, Pittsburgh, PA 15213, USA
(b) Computer Science Department, Stanford University, Gates 475, Stanford, CA 94305, USA
Available online 26 February 2005.
Abstract
Timing attacks are usually used to attack weak computing devices such as smartcards. We show that timing attacks apply to general software systems. Specifically, we devise a timing attack against OpenSSL. Our experiments show that we can extract private keys from an OpenSSL-based web server running on a machine in the local network. Our results demonstrate that timing attacks against network servers are practical and therefore security systems should defend against them.
Keywords: Timing attack; RSA; Chinese remainder; Montgomery reductions; SSL
Fig. 1. Number of extra reductions in a Montgomery reduction as a function (equation 1) of the input g.
Fig. 2. Parameters that affect the number of decryption queries of g needed to guess a bit of the RSA factor. (a) The time variance for decrypting a particular ciphertext decreases as we increase the number of samples taken. (b) By increasing the neighborhood size we increase the zero-one gap between a bit of q that is 0 and a bit of q that is 1.
Fig. 3. Breaking 3 RSA keys by looking at the zero-one gap time difference. (a) The zero-one gap $T_g - T_{g_{hi}}$ indicates that we can distinguish between bits that are 0 and 1 of the RSA factor q for 3 different randomly-generated keys. For clarity, bits of q that are 1 are omitted, as the x-axis can be used for reference for this case. (b) When the neighborhood is 400, the zero-one gap is small for some bits in key 3, making it difficult to distinguish between the 0 and 1 bits of q. By increasing the neighborhood size to 800, the zero-one gap is increased and we can launch a successful attack.
Fig. 4. Different compile-time flags can shift the zero-one gap by changing the resulting code and how efficiently it can be executed.
Fig. 5. Minor source-based optimizations change the zero-one gap as well. As a consequence, code that doesn’t appear initially vulnerable may become so as the source is patched.
Fig. 6. The timing attack succeeds over a local network. We contrast our results with the attack inter-process.
Fig. 7. Applications using OpenSSL 0.9.7 are vulnerable, even on a large network. (a) The zero-one gaps when attacking Apache + mod_SSL and stunnel separated by one switch. (b) The zero-one gap when attacking Apache + mod_SSL separated by several routers and a network backbone.
Fig. 8. Our attack against Apache + mod_SSL using OpenSSL 0.9.7b is defeated because blinding is enabled by default.
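To make the leak behind Fig. 1 concrete, here is an added Python example (written for this page; it is not the paper's code and not OpenSSL's) that implements Montgomery multiplication with the extra reduction counted, and measures how often that extra reduction fires when a fixed operand g is multiplied by uniformly random co-operands, which is the situation an exponentiation with base g creates. The modulus q and Montgomery constant R are small constructed values, not keys from the paper.

```python
import random

# Constructed toy parameters (not from the paper): a 32-bit prime modulus q
# standing in for an RSA factor, and Montgomery constant R = 2^32 > q.
Q = 4294967291                    # largest prime below 2^32 (constructed)
R_BITS = 32
R = 1 << R_BITS
Q_NEG_INV = (-pow(Q, -1, R)) % R  # -q^-1 mod R, as Montgomery reduction needs


def mont_mul(a, b):
    """Montgomery product a*b*R^-1 mod q for 0 <= a, b < q.

    Returns (result, extra_reduction). The final conditional subtraction
    is the data-dependent "extra reduction" whose frequency is what the
    timing attack in the paper observes."""
    t = a * b
    m = ((t & (R - 1)) * Q_NEG_INV) & (R - 1)   # t + m*q is divisible by R
    t = (t + m * Q) >> R_BITS                    # t < 2q at this point
    extra = t >= Q
    if extra:
        t -= Q
    return t, extra


def extra_reduction_rate(g, trials=20000, seed=1):
    """Estimate Pr[extra reduction] when the fixed operand g (reduced mod q)
    is Montgomery-multiplied by uniformly random co-operands, which happens
    over and over during an exponentiation with base g. The rate is about
    (g mod q) / (2R): it climbs as g approaches a multiple of q and drops
    back to ~0 just past it, which is the dependence Fig. 1 plots."""
    rng = random.Random(seed)
    b = g % Q
    hits = 0
    for _ in range(trials):
        a = rng.randrange(Q)
        hits += mont_mul(a, b)[1]
    return hits / trials


def predicted_rate(g):
    """First-order estimate of the same probability (Schindler's analysis
    of Montgomery reduction, on which the paper's attack builds)."""
    return (g % Q) / (2 * R)


if __name__ == "__main__":
    for g in (Q // 4, Q // 2, Q - 1, Q + 1):
        print(f"g={g}: measured {extra_reduction_rate(g):.3f}, "
              f"predicted {predicted_rate(g):.3f}")
```

The measured rate tracks g mod q and collapses just past a multiple of q, which is the structure the zero-one gap in the later figures is built from. RSA blinding, the default in OpenSSL 0.9.7b per Fig. 8, multiplies the ciphertext by r^e for a fresh random r before this code path, so the operand the Montgomery code sees no longer correlates with the value an attacker submitted.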
Table 1.
Timing attack with programs “regular” and “extra-inst” for bits 30 and 32 of q

Bit 30 of q for both “regular” and “extra-inst” (which has a few additional nop’s) has a positive instructions-retired difference due to Montgomery reductions. Similarly, bit 32 has a negative instruction difference due to normal vs. Karatsuba multiplication. However, the addition of a few nop instructions in the “extra-inst” program changes the timing profile, most notably for bit 32. The percentages given are the difference divided by the total instructions retired or total cycles, as appropriate.
Table 2.
Decryption time using a sample size of 7 (Panel A) and 2800 (Panel B)

We decrypt a single value and return the median value for the sample size. We iterate this 16 times, and report the average, range of values (maximum–minimum), and standard deviation of the returned decryption times. Any variance in decryption time is due to noise.
a. Corresponds to the time measurement for a single g value in our attack. The results from the WAN and wireless indicate that a sample size of 7 is insufficient to counteract the effects of noise. However, the attack on a loaded server should still work.
b. Corresponds to calculating $T_g$ or $T_{g_{hi}}$. The results indicate that repeated sampling will eventually eliminate noise on a WAN or a loaded server, but not on a wireless network.