Skip to content

Constant time arithmetics

Mamy Ratsimbazafy edited this page Jan 26, 2021 · 33 revisions

Context

Recent high-profile vulnerabilities in RSA (Cache-bleed), AES, ECDSA involved side-channel attacks. Most often those attacks were carried by timing the difference of execution time depending on user supplied input to restrict private keys to a subset of a large theoretical range.

Attacks can also allow decoding of a private encrypted message.

Other examples

Attacks and counter-defences

Concrete non-crypto example

You can read Twitter blogpost of Silhouette, an innovative side-channel attack that uses timing differences between private and public profile on Twitter to determine your Twitter identity bypassing all Twitter and browsers cookies and cross-site mitigations.

And another one exploiting the hardware Spectre vulnerability to read each bit at an arbitrary memory location in 5 lines of C.

Prevention

It is key that execution time does not depend at all on user supplied input. As cryptography rely in big integers computation, a constant time big int implementation is needed.

Challenges

Implementation

Even Openssl does not have full constant time implementation..

Fighting the compiler

We need boolean to implement logic, unfortunately there is no way to prevent compilers to use branches as soon as boolean are involved. So the library cannot use booleans at all and an alternative boolean type must be created.

Compilers may even used "optimized" routines like multiplication that have shortcuts for special operands (all ones or all zeros). This has been exploited to retrieve serve secrets (https://research.kudelskisecurity.com/2017/01/16/when-constant-time-source-may-not-save-you/)

Examples of fighting Clang/LLVM:

Hardware

On some hardware, some primitive operations like multiplication are not constant-time. Given the resources we have, we should do constant-time as a best effort.

Guidelines

The following resources gives much more information on challenges, guidelines and implementations of constant time arithmetics:

Testing/implementing constant-time

https://arxiv.org/abs/1808.05575 https://github.com/UzL-ITS/Microwalk

Side-note on OS, heap, debuggers

Heap allocation is also very tricky and should be avoided