Questions tagged [timing-attack]

Timing attacks are a class of side-channel attack: differences in the time taken by certain operations in an implementation of a cryptographic scheme let an adversary learn information that the theoretical specification of the scheme does not give them.

Timing attacks analyze the execution time of implemented algorithms.

At the hardware and software layers, complex operations take more time than simple ones. Furthermore, the data flow can be analyzed because accesses to CPU registers, cache, and memory have different timing characteristics.

Timing attacks are related to power analysis.

114 questions
55 votes, 2 answers

Timing attack and good coding practices

How would a timing attack occur on a particular piece of code but not on another (because of good coding practice)? Could anyone give an example? I am having trouble figuring out how timing attacks would occur based on the way the code is written.
asdfasd
27 votes, 5 answers

Timing-Safety in JVM-Languages

How is it possible to write timing-safe code in JVM-languages (Java, Scala, Clojure...)? Is it possible to make libraries like BouncyCastle safe against timing-attacks? I know that even in C it is very hard to get those things right – and in C you…
K. Biermann
23 votes, 8 answers

How can I understand whether my C implementation is constant-time or not (i.e. resistant to timing attacks)

I have code for polynomial multiplication and it is written in C. I heard that whether a particular instruction is "constant time" can vary by architecture and by processor model and there isn't any official documentation for this behavior. How…
esra
23 votes, 3 answers

Known methods for constant time (table-free) AES implementation using 'standard' operations?

There are several known methods for implementing AES in constant time using SIMD operations, mostly based around fast byte shuffling (for instance Hamburg and Kasper/Schwabe). Are there any similar approaches that allow a constant-time AES to be…
Jack Lloyd
16 votes, 1 answer

Why not use `<`, `>` or `==` in constant time comparison?

I am comparing secret data stored in arrays a and b to see which holds a greater value. My current (pseudo)code looks like this: unsigned char smaller = 0, bigger = 0; for (i = 0; i < size; ++i) { smaller |= (!bigger) & (a[i] < b[i]); bigger…
Sebastian
14 votes, 1 answer

Why do crypto libs use table lookups when they're vulnerable to timing attacks?

AESEngine.java, from BouncyCastle, uses table lookups, as does aes_x86core.c in OpenSSL. But per Cache-timing attacks on AES, table lookups like the ones OpenSSL and BouncyCastle do are vulnerable to timing attacks. So why would they use them?
13 votes, 1 answer

Safely sorting secret data

Suppose you have a secret list of n distinct integers. How would you sort this list in a way that is not vulnerable to timing attacks? I tried looking up "constant time sorting" and other related queries but that expectedly led nowhere.
Kai Arakawa
13 votes, 1 answer

Is it possible to test implementation for side-channel attacks?

When it comes to implementing cryptographic algorithms, there seems to be a big focus on the difficulty of doing so without introducing the potential for side channel attacks and the knowledge required. Along with that seems to go the assumption…
DasIch
12 votes, 4 answers

Do I need to worry about timing attacks in Base64 encoding/decoding of private keys?

Do I need to worry about timing attacks in Base64 encoding/decoding of private keys? This is a common operation (ex. PEM keys) and is variable time in typical implementations.
Demi
11 votes, 1 answer

AES timing attacks

I'm just interested in cryptography, so please don't expect me to be an expert. ;) I recently read about AES cache timing attacks and found it very interesting. I read the article Cache-timing attacks on AES by Daniel Bernstein, but I don't seem to…
cooky451
11 votes, 3 answers

Is if/else vulnerable to timing side-channel attacks?

I have a branch in C++: if (x & 1) { x = function_1(x); } else { x = function_2(x); } If function_1 and function_2 are constant time and it takes the same time to compute them, is such branching still vulnerable to side-channel attacks?…
Tom
10 votes, 1 answer

AES cache-timing attacks and nonce-based operation modes

As I understand it, AES cache-timing attacks exploit the execution time variations due to cache hits/misses, especially the ones depending on the SBox look-up tables which are key-related. To mount such an attack, does an attacker need to have…
Raoul722
10 votes, 3 answers

Stopping timing attacks on AES: Why is it important to prevent the OS from interrupting the AES computation?

I read the paper Cache-timing attacks on AES (by Daniel J. Bernstein), but I don't seem to understand everything. The author dedicates a long section to how to prevent the OS from interrupting an AES computation. But how does this leak any information?…
cooky451
10 votes, 1 answer

Are more complex algorithms easier to break with timing attacks?

Is there a point where increasing the complexity of an encryption algorithm will make it easier to break using a timing attack? Or is there no connection here at all?
9 votes, 1 answer

How to confirm my implementation is constant time

I'm implementing Schnorr signatures following a variant used in Bitcoin Cash (BCH) of this algorithm: GitHub - Schnorr Signatures for secp256k1. A notable difference is that the BCH schnorr algorithm uses this variant: IETF - Variant for k…
user79780