From: pck@netcom.com (Paul C. Kocher)
To: cypherpunks@toad.com
Message Hash: 3fd28a26c0019db5f9d3e22fdf5af8d7abc788f38625d06b6a9f3ee043110822
Message ID: <199512110548.VAA08989@netcom3.netcom.com>
Reply To: N/A
UTC Datetime: 1995-12-11 05:50:16 UTC
Raw Date: Sun, 10 Dec 95 21:50:16 PST
From: pck@netcom.com (Paul C. Kocher)
Date: Sun, 10 Dec 95 21:50:16 PST
To: cypherpunks@toad.com
Subject: Announce: Timing cryptanalysis of RSA, DH, DSS
Message-ID: <199512110548.VAA08989@netcom3.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain
I've just released details of an attack many of you will find
interesting since quite a few existing cryptography products and
systems are potentially at risk. The general idea of the attack is
that secret keys can be found by measuring the amount of time used to
to process messages. The paper describes attacks against RSA, fixed-
exponent Diffie-Hellman, and DSS, and the techniques can work with
many other systems as well.
My research on the subject is still in progress and the current paper
does not include many of my findings. I will eventually publish a full
paper, but am releasing a preliminary draft now to alert the community
as quickly as possible. A copy of the abstract is attached at the end
of this message and the full text can be downloaded in PostScript
format from:
ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps
ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps.gz
I've also made an HTML version which is accessible at:
http://www.cryptography.com
(The HTML uses subscripts and superscripts which aren't supported
in older web browsers. The PostScript version is the "official"
one and looks nicer.)
The results have already been seen by Matt Blaze, Martin Hellman, Ron
Rivest, Bruce Schneier, and many others. While the full significance
of the attack is not yet known, I think everyone who has seen it
considers it important (including Netscape who awarded me a $1000
bugs bounty prize).
ABSTRACT. Cryptosystems often take slightly different
amounts of time to process different messages. With network-
based cryptosystems, cryptographic tokens, and many other
applications, attackers can measure the amount of time used
to complete cryptographic operations. This abstract shows
that timing channels can, and often do, leak key material.
The attacks are particularly alarming because they often
require only known ciphertext, work even if timing
measurements are somewhat inaccurate, are computationally
easy, and are difficult to detect. This preliminary draft
outlines attacks that can find secret exponents in Diffie-
Hellman key exchange, factor RSA keys, and find DSS secret
parameters. Other symmetric and asymmetric cryptographic
functions are also at risk. A complete description of the
attack will be presented in a full paper, to be released
later. I conclude by noting that closing timing channels
is often more difficult than might be expected.
Cheers,
Paul Kocher
*********************************************************************
VERY IMPORTANT: If you send me e-mail, please understand that I
probably won't have time to respond to all who write. Please keep
messages SHORT and send them to pck@cryptography.com (**not** my
netcom address -- misdirected messages will be ignored). PGP when
used for e-mail is not vulnerable to the attack. Please state in
your note whether you would like a reply.
********************************************************************
__________________________________________________________________________
Paul C. Kocher Independent cryptography/data security consultant
E-mail: pck@cryptography.com (please see above before replying)
Return to December 1995
Return to “pck@netcom.com (Paul C. Kocher)”
1995-12-11 (Sun, 10 Dec 95 21:50:16 PST) - Announce: Timing cryptanalysis of RSA, DH, DSS - pck@netcom.com (Paul C. Kocher)