which the system operates (because the adversary will try to manipulate the environment into "untypical" states), nor can one be content with countermeasures designed to withstand specific attacks (because the adversary will try to attack the system in ways that are different from the ones the designer envisioned). Cryptographic systems that are based on make-believe, ad hoc approaches and heuristics are typically broken sooner or later. Consequently, the design of a secure cryptographic system should be based on firm foundations. It typically consists of the following two steps:
1. In the definitional step, the problem the cryptographic system is intended to solve must be identified, precisely defined, and formally specified.
2. In the constructive step, a cryptographic system that satisfies the definition distilled in step one, possibly while relying on intractability assumptions, must be designed.
Again, it is important to note that most parts of modern cryptography rely
on intractability assumptions and that relying on such assumptions seems to be
unavoidable today (see Chapter 21). Still, there is a huge difference between relying
on an explicitly stated intractability assumption and just assuming (or rather hoping)
that an ad hoc construction satisfies some unspecified or vaguely specified goals.
1.2.3 Side Channel and Related Attacks
It is important to note (and always keep in mind) that an implementation of a secure cryptographic system is not necessarily secure itself. In fact, many attacks can be mounted against a particular implementation of a (secure) cryptographic system rather than against its mathematical properties. For example, there are attacks that take advantage of and try to exploit the side channel information that a particular implementation may leak. These attacks are called side channel attacks. Since about the middle of the 1990s, many ways to mount side channel attacks have been discovered. The following list is not comprehensive.
Timing attacks take advantage of and try to exploit the correlation between a cryptographic key and the running time of a (cryptographic) operation that employs this key [13]. Consider, for example, the square-and-multiply algorithm (i.e., Algorithm 3.3) that is frequently used in public key cryptography to decrypt data or digitally sign messages. The running time of this algorithm mainly depends on the number of ones in the argument that represents the (private) exponent and key; hence the running time of the algorithm provides some side channel information about the particular key in use. This is a very general problem, and there are basically two possibilities to protect against timing attacks. The first possibility is to make sure that a specific operation
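The key-dependent running time described above can be made concrete by counting modular operations rather than measuring wall-clock time. The following added example (not from the book or its Algorithm 3.3) implements a plain left-to-right square-and-multiply whose operation count grows with the Hamming weight of the exponent, and beside it a Montgomery-ladder variant that performs one squaring and one multiplication per exponent bit regardless of the bit's value, so its operation count depends only on the bit length. The function names and the small sample values (base 4, exponent 13, modulus 497) are constructed for illustration.

```python
# Added example: how the operation count of square-and-multiply leaks the
# Hamming weight of a secret exponent, and a ladder that does not.
# All names and values are constructed for illustration, not from the book.


def square_and_multiply(base: int, exponent: int, modulus: int):
    """Left-to-right square-and-multiply.

    Returns (base ** exponent mod modulus, number of modular operations).
    Every bit costs one squaring; every *set* bit costs one extra
    multiplication, so the count reveals the number of ones in the key.
    """
    result = 1
    ops = 0
    for bit in bin(exponent)[2:]:          # most significant bit first
        result = result * result % modulus  # squaring: always performed
        ops += 1
        if bit == "1":                      # secret-dependent branch
            result = result * base % modulus
            ops += 1
    return result, ops


def montgomery_ladder(base: int, exponent: int, modulus: int):
    """Montgomery ladder exponentiation.

    Returns (base ** exponent mod modulus, number of modular operations).
    Each bit costs exactly one squaring and one multiplication, so the
    count depends only on the bit length, not on which bits are set.
    Note: a real constant-time implementation would also replace the
    Python `if` below by a branch-free conditional swap; this version
    only removes the *operation-count* dependence on the key.
    """
    r0, r1 = 1, base % modulus
    ops = 0
    for bit in bin(exponent)[2:]:
        if bit == "0":
            r1 = r0 * r1 % modulus
            r0 = r0 * r0 % modulus
        else:
            r0 = r0 * r1 % modulus
            r1 = r1 * r1 % modulus
        ops += 2
    return r0, ops


def op_count_spread(exp_func, exponents, base=4, modulus=497):
    """Difference between the largest and smallest operation count over a
    set of exponents of equal bit length.  A spread of 0 means the count
    carries no information about which exponent was used."""
    counts = [exp_func(base, e, modulus)[1] for e in exponents]
    return max(counts) - min(counts)


if __name__ == "__main__":
    # Constructed sample: exponents 8 (0b1000) and 15 (0b1111) share a bit
    # length of 4 but differ in Hamming weight.
    sample = [0b1000, 0b1111]
    for name, fn in (("square-and-multiply", square_and_multiply),
                     ("montgomery ladder", montgomery_ladder)):
        print(f"{name:20s} result={fn(4, 13, 497)[0]} "
              f"spread over {sample} = {op_count_spread(fn, sample)}")
```

Running the block shows both routines agree with `pow(4, 13, 497)`, while only the ladder yields a spread of zero across exponents of equal length; this is the quantity a defender wants to drive to zero before worrying about finer-grained leakage such as cache or branch-predictor effects.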