
contributed articles

DOI:10.1145/2851486

Computers broadcast their secrets via inadvertent physical emanations that are easily measured and exploited.

BY DANIEL GENKIN, LEV PACHMANOV, ITAMAR PIPMAN, ADI SHAMIR, AND ERAN TROMER

Physical Key Extraction Attacks on PCs

CRYPTOGRAPHY IS UBIQUITOUS. Secure websites and financial, personal communication, corporate, and national secrets all depend on cryptographic algorithms operating correctly. Builders of cryptographic systems have learned (often the hard way) to devise algorithms and protocols with sound theoretical analysis, write software that implements them correctly, and robustly integrate them with the surrounding applications. Consequentially, direct attacks against state-of-the-art cryptographic software are getting increasingly difficult.

For attackers, ramming the gates of cryptography is not the only option. They can instead undermine the fortification by violating basic assumptions made by the cryptographic software. One such assumption is software can control its outputs. Our programming courses explain that programs produce their outputs through designated interfaces (whether print, write, send, or mmap); so, to keep a secret, the software just needs to never output it or anything that may reveal it. (The operating system may be misused to allow someone else's process to peek into the program's memory or files, though we are getting better at avoiding such attacks, too.)

Yet programs' control over their own outputs is a convenient fiction, for a deeper reason. The hardware running the program is a physical object and, as such, interacts with its environment in complex ways, including electric currents, electromagnetic fields, sound, vibrations, and light emissions. All these "side channels" may depend on the computation performed, along with the secrets within it. "Side-channel attacks," which exploit such information leakage, have been used to break the security of numerous cryptographic implementations; see Anderson,2 Kocher et al.,19 and Mangard et al.23 and references therein.

Side channels on small devices. Many past works addressed leakage from small devices (such as smartcards, RFID tags, FPGAs, and simple embedded devices); for such devices, physical key extraction attacks have been demonstrated with devastating effectiveness and across multiple physical channels. For example, a device's power consumption is often correlated with the computation it is currently executing. Over the past two decades, this physical phenomenon has been used extensively for key extraction from small devices,19,23 often using powerful techniques, including differential power analysis.18

key insights

• Small differences in a program's data can cause large differences in acoustic, electric, and electromagnetic emanations as the program runs.

• These emanations can be measured through inexpensive equipment and used to extract secret data, even from fast and complex devices like laptop computers and mobile phones.

• Common hardware and software are vulnerable, and practical mitigation of these risks requires careful application-specific engineering and evaluation.

70 COMMUNICATIONS OF THE ACM | JUNE 2016 | VOL. 59 | NO. 6


The electromagnetic emanations from a device are likewise affected by the computation-correlated currents inside it. Starting with Agrawal et al.,1 Gandolfi et al.,11 and Quisquater and Samyde,28 such attacks have been demonstrated on numerous small devices involving various cryptographic implementations. Optical and thermal imaging of circuits provides layout information and coarse activity maps that are useful for reverse engineering. Miniature probes can be used to access individual internal wires in a chip, though such techniques require invasive disassembly of the chip package, as well as considerable technical expertise. Optical emanations from transistors, as they switch state, are exploitable as a side channel for reading internal registers and extracting keys.29 See Anderson2 for an extensive survey of such attacks.

Vulnerability of PCs. Little was known, however, about the possibility of cryptographic attacks through physical side channels on modern commodity laptop, desktop, and server computers. Such "PC-class" computers (or "PCs," as we call them here) are indeed very different from the aforementioned small devices, for several reasons. First, a PC is a very complex environment: a CPU with perhaps one billion transistors, on a motherboard with other circuitry and peripherals, running an operating system and handling various asynchronous events. All these introduce complexity, unpredictability, and noise into the physical emanations as the cryptographic code executes.

Second is speed. Typical side-channel techniques require the analog leakage signal be acquired at a bandwidth greater than the target's clock rate. For PCs running GHz-scale CPUs, this means recording analog signals at multi-GHz bandwidths requiring expensive and delicate lab equipment, in addition to a lot of storage space and processing power.

Figure 1. An acoustic attack using a parabolic microphone (left) on a target laptop (right); keys can be extracted from a distance of 10 meters.

Figure 2. Measuring the chassis potential by touching a conductive part of the laptop; the wristband is connected to signal-acquisition equipment.

A third difference involves attack scenarios. Traditional techniques for side-channel attacks require long, uninterrupted physical access to the target device. Moreover, some such attacks involve destructive mechanical intrusion into the device (such as decapsulating chips). For small devices, these scenarios make sense; such devices are often easily stolen and sometimes even handed out to the attacker (such as in the form of cable TV subscription cards). However, when attacking other people's PCs, the attacker's physical access is often brief, constrained, and must proceed unobserved.

Note numerous side channels in PCs are known at the software level; timing,8 cache contention,6,26,27 and many other effects can be used to glean sensitive information across the boundaries between processes or even virtual machines. Here, we focus on physical attacks that do not require deployment of malicious software on the target PC.

Our research thus focuses on two main questions: Can physical side-channel attacks be used to nonintrusively extract secret keys from PCs, despite their complexity and operating speed? And what is the cost of such attacks in time, equipment, expertise, and physical access?

Results. We have identified multiple side channels for mounting physical key-extraction attacks on PCs, applicable in various scenarios and offering various trade-offs among attack range, speed, and equipment cost. The following sections explore our findings, as published in several recent articles.12,15,16

Acoustic. The power consumption of a CPU and related chips changes drastically (by many Watts) depending on the computation being performed at each moment. Electronic components in a PC's internal power supply, struggling to provide constant voltage to the chips, are subject to mechanical forces due to fluctuations of voltages and currents. The resulting vibrations, as transmitted to the ambient air, create high-pitched acoustic noise, known as "coil whine," even though it often originates from capacitors. Because this noise is correlated with the ongoing computation, it leaks information about what applications are running and what data they process. Most dramatically, it can acoustically leak secret keys during cryptographic operations.

By recording such noise while a target is using the RSA algorithm to decrypt ciphertexts (sent to it by the attacker), the RSA secret key can be extracted within one hour for a high-grade 4,096-bit RSA key. We experimentally demonstrated this attack from as far as 10 meters away using a parabolic microphone (see Figure 1) or from 30cm away through a plain mobile phone placed next to the computer.

Electric. While PCs are typically grounded to the mains earth (through their power supply "brick," or grounded peripherals), these connections are, in practice, not ideal, so the electric potential of the laptop's chassis fluctuates. These fluctuations depend on internal currents, and thus on the ongoing computation. An attacker can measure the fluctuations directly through a plain wire connected to a conductive part of the laptop, or indirectly through any cable with a conductive shield attached to an I/O port on the laptop (such as USB, Ethernet, display, or audio). Perhaps most surprising, the chassis potential can be measured, with sufficient fidelity, even through a human body; human attackers need to touch only the target computer with a bare hand while their body potential is measured (see Figure 2).

This channel offers a higher bandwidth than the acoustic one, allowing


observation of the effect of individual key bits on the computation. RSA and ElGamal keys can thus be extracted from a signal obtained from just a few seconds of measurement, by touching a conductive part of the laptop's chassis, or by measuring the chassis potential from the far side of a 10-meter-long cable connected to the target's I/O port.

Electromagnetic. The computation performed by a PC also affects the electromagnetic field it radiates. By monitoring the computation-dependent electromagnetic fluctuations through an antenna for just a few seconds, it is possible to extract RSA and ElGamal secret keys. For this channel, the measurement setup is notably unintrusive and simple. A suitable electromagnetic probe antenna can be made from a simple loop of wire and recorded through an inexpensive software-defined radio USB dongle. Alternatively, an attacker can sometimes use a plain consumer-grade AM radio receiver, tuned close to the target's signal frequency, with its headphone output connected to a phone's audio jack for digital recording (see Figure 3).

Figure 3. An electromagnetic attack using a consumer AM radio receiver placed near the target and recorded by a smartphone.

Applicability. A surprising result of our research is how practical and easy are physical key-extraction side-channel attacks on PC-class devices, despite the devices' apparent complexity and high speed. Moreover, unlike previous attacks, our attacks require very little analog bandwidth, as low as 50kHz, even when attacking multi-GHz CPUs, thus allowing us to utilize new channels, as well as inexpensive and readily available hardware.

We have demonstrated the feasibility of our attacks using GnuPG (also known as GPG), a popular open source cryptographic software that implements both RSA and ElGamal. Our attacks are effective against various versions of GnuPG that use different implementations of the targeted cryptographic algorithm. We tested various laptop computers of different models from different manufacturers and running various operating systems, all "as is," with no modification or case intrusions.

Figure 4. A spectrogram of an acoustic signal. The vertical axis is time (3.7 seconds), and the horizontal axis is frequency (0kHz–310kHz). Intensity represents instantaneous energy in the frequency band. The target is performing one-second loops of several x86 instructions: CPU sleep (HLT), integer multiplication (MUL), floating-point multiplication (FMUL), main memory access, and short-term idle (REP NOP).

[Figure 4 image: the time axis (0–1.75 sec) is labelled, in order, HLT, MUL, FMUL, ADD, MEM, NOP.]

History. Physical side-channel attacks have been studied for decades in military and espionage contexts in the U.S. and NATO under the codename TEMPEST. Most of this work remains classified. What little is declassified confirms the existence and risk of physical information leakage but says nothing about the feasibility of the key extraction scenarios discussed in this article. Acoustic leakage, in particular, has been used against electromechanical ciphers (Wright31 recounts how the British security agencies tapped a phone to eavesdrop on the rotors of a Hagelin electromechanical cipher machine); but there is strong evidence it was not recognized by the security services as effective against modern electronic computers.16

Non-Cryptographic Leakage

Peripheral devices attached to PCs are prone to side-channel leakage due to their physical nature and lower operating speed; for example, acoustic noise from keyboards can reveal keystrokes,3 printer noise printed content,4 and status LEDs data on a communication line.22 Computer screens inadvertently broadcast their content as "van Eck" electromagnetic radiation that can be picked up from a distance;21,30 see Anderson2 for a survey.

Some observations have also been made about physical leakage from PCs, though at a coarse level. The general activity level is easily gleaned from temperature,7 fan speed, and mechanical hard-disk movement. By tapping the computer's electric AC power, it is possible to identify the webpages

loaded by the target's browser9 and even some malware.10 Tapping USB power lines makes it possible to identify when cryptographic applications are running.25

The acoustic, electric, and electromagnetic channels can also be used to gather coarse information about a target's computations; Figure 4 shows a microphone recording of a PC, demonstrating loops of different operations have distinct acoustic signatures.

Cryptanalytic Approach

Coarse leakage is ubiquitous and easily demonstrated once the existence of the physical channel is recognized. However, there remains the question of whether the physical channels can be used to steal finer and more devastating information. The crown jewels, in this respect, are cryptographic keys, for three reasons. First, direct impact, as compromising cryptographic keys endangers all data and authorizations that depend on them. Second, difficulty, as cryptographic keys tend to be well protected and used in carefully crafted algorithms designed to resist attacks; so if even these keys can be extracted, it is a strong indication more pedestrian data can be also extracted. And third, commonality, as there is only a small number of popular cryptographic algorithms and implementations, so compromising any of them has a direct effect on many deployed systems. Consequently, our research focused on key extraction from the most common public-key encryption schemes, RSA and ElGamal, as implemented by the popular GnuPG software.

When analyzing implementations of public-key cryptographic algorithms, an attacker faces the difficulties described earlier of complexity, noise, speed, and nonintrusiveness. Moreover, engineers implementing cryptographic algorithms try to make the sequence of executed operations very regular and similar for all secret keys. This is done to foil past attacks that exploit significant changes in control flow to deduce secrets, including timing attacks,8 cache contention attacks6,26,27 (such as a recent application to GnuPG32,33), and many other types of attacks on small devices.

We now show how to overcome these difficulties, using a careful selection of the ciphertext to be decrypted by the algorithm. By combining the following two techniques for ciphertext selection, we obtain a key-dependent leakage that is robustly observable, even through low-bandwidth measurements.

Internal value poisoning. While the sequence of performed operations is often decoupled from the secret key, the operands to these operations are often key-dependent. Moreover, operand values with atypical properties (such as operands containing many zero bits or that are unusually short) may trigger implementation-dependent corner cases. We thus craft special inputs (ciphertexts to be decrypted) that "poison" internal values occurring inside the cryptographic algorithm, so atypically structured operands occur at key-dependent times. Measuring leakage during such a poisoned execution can reveal at which operations these operands occurred, and thus leak key information.

Leakage self-amplification. In order to overcome a device's complexity and execution speed, an attacker can exploit the algorithm's own code to amplify its own leakage. By asking for decryption of a carefully chosen ciphertext, we create a minute change (compared to the decryption of a random-looking ciphertext) during execution of the innermost loop of the attacked algorithm. Since the code inside the innermost loop is executed many times throughout the algorithm, this yields an easily observable global change affecting the algorithm's entire execution.

GnuPG's RSA Implementation

For concreteness in describing our basic attack method, we outline GnuPG's implementation of RSA decryption, as of version 1.4.14 from 2013. Later GnuPG versions revised their implementations to defend against the adaptive attack described here; we discuss these variants and corresponding attacks later in the article.

Algorithm 1. Modular exponentiation using square-and-always-multiply.
Input: Three integers c, d, q in binary representation such that d = d_1 ... d_m.
Output: a = c^d mod q.
1: procedure MOD_EXP(c, d, q)
2:   c ← c mod q
3:   a ← 1
4:   for i ← 1 to m do
5:     a ← a^2
6:     t ← a · c
7:     if d_i = 1 then
8:       a ← t
9:   return a

Algorithm 2. GnuPG's basic multiplication code.
Input: Two integers a = a_s ... a_1 and b = b_t ... b_1 of size s and t limbs respectively.
Output: a · b.
1: procedure MUL_BASECASE(a, b)
2:   p ← a · b_1
3:   for i ← 2 to t do
4:     if b_i ≠ 0 then          (and if b_i = 0 do nothing)
5:       p ← p + a · b_i · 2^(32·(i−1))
6:   return p

Notation. RSA key generation is done by choosing two large primes p, q, a public exponent e and a secret exponent d, such that ed ≡ 1 (mod Φ(n)) where n = pq and Φ(n) = (p − 1)(q − 1). The public key is (n, e) and the private key is (p, q, d). RSA encryption of a message m is done by computing m^e mod n, and RSA decryption of a ciphertext c is done by computing c^d mod n. GnuPG uses a common optimization for RSA decryption; instead of directly computing m = c^d mod n, it first computes m_p = c^(d_p) mod p, m_q = c^(d_q) mod q (where d_p and d_q are derived from the secret key), then combines m_p and m_q

into m using the Chinese Remainder Theorem. To fully recover the secret key, it suffices to learn any of its components (p, q, d, d_p, or d_q); the rest can be deduced.

Square-and-always-multiply exponentiation. Algorithm 1 is pseudocode of the square-and-always-multiply exponentiation used by GnuPG 1.4.14 to compute m_p and m_q. As a countermeasure to the attack of Yarom and Falkner,32 the sequence of squarings and multiplications performed by Algorithm 1 is independent of the secret key. Note the modular reduction in line 2 and the multiplication in line 6. Both these lines are used by our attack on RSA: line 2 for poisoning internal values and line 6 for leakage self-amplification.

Since our attack uses GnuPG's multiplication routine for leakage self-amplification, we now analyze the code of GnuPG's multiplication routines.

Multiplication. For multiplying large integers (line 6), GnuPG uses a variant of the Karatsuba multiplication algorithm. It computes the product of two k-numbers a and b recursively, using the identity ab = (2^(2k) + 2^k) a_H b_H + 2^k (a_H − a_L)(b_L − b_H) + (2^k + 1) a_L b_L, where a_H, b_H are the most significant halves of a and b, respectively, and, similarly, a_L, b_L are the least significant halves of a and b.

The recursion's base case is a simple grade-school "long multiplication" algorithm, shown (in simplified form) in Algorithm 2. GnuPG stores large integers in arrays of 32-bit words, called limbs. Note how Algorithm 2 handles the case of zero limbs of b. Whenever a zero limb of b is encountered, the operation in line 5 is not executed, and the loop in line 3 proceeds to handle the next limb of b. This optimization is exploited by the leakage self-amplification component of our attack. Specifically, each of our chosen ciphertexts will cause a targeted bit of q to affect the number of zero limbs of b given to Algorithm 2 and thus the control flow in line 4 and thereby the side-channel leakage.

Adaptive Chosen Ciphertext Attack

We now describe our first attack on RSA, extracting the bits of the secret prime q, one by one. For each bit of q, denoted q_i, the attack chooses a ciphertext c^(i) such that when c^(i) is decrypted by the target the side-channel leakage reveals the value of q_i. Eventually the entire q is revealed. The choice of each ciphertext depends on the key bits learned thus far, making it an adaptive chosen ciphertext attack.

This attack requires the target to decrypt ciphertexts chosen by the attacker, which is realistic since GnuPG is invoked by numerous applications to decrypt ciphertexts arriving via email messages, files, webpages, and chat messages. For example, Enigmail and GpgOL are popular plugins that add PGP/MIME encrypted-email capabilities to Mozilla Thunderbird and Outlook, respectively. They decrypt incoming email messages by passing them to GnuPG. If the target uses them, an attacker can remotely inject a chosen ciphertext into GnuPG by encoding the ciphertext as a PGP/MIME email (following RFC 3156) and sending it to the target.

Cryptanalysis. We can now describe the adaptive chosen ciphertext attack on GnuPG's RSA implementation.

Internal value poisoning. We begin by choosing appropriate ciphertexts that will poison some of the internal values inside Algorithm 1. Let p, q be two random k-bit primes comprising an RSA secret key; in the case of high-security 4,096-bit RSA, k = 2,048. GnuPG always generates RSA keys such that the most significant bit of p and q is set, thus q_1 = 1. Assume we have already recovered the topmost i − 1 bits of q and define the ciphertext c^(i) to be the k-bit ciphertext whose topmost i − 1 bits are the same as q, its i-th bit is 0 and whose remaining bits are set to 1. Consider the effects of decrypting c^(i) on the intermediate values of Algorithm 1, depending on the secret key bit q_i.

Suppose q_i = 1. Then c^(i) ≤ q, and this c^(i) is passed as the argument c to Algorithm 1, where the modular reduction in line 2 returns c = c^(i) (since c^(i) ≤ q), so the lowest k − i bits of c remain 1. Conversely, if q_i = 0, then c^(i) > q, so when c^(i) is passed to Algorithm 1, the modular reduction in line 2 modifies the value of c. Since c^(i) agrees with q on its topmost i − 1 bits, it holds that q < c^(i) < 2q, so in this case the modular reduction computes c ← c − q, which is a random-looking number of length k − i bits.

We have thus obtained a connection between the i-th bit of q and the resulting structure of c after the modular reduction, either long and repetitive or short and random looking, thereby poisoning internal values in Algorithm 1.

Leakage self-amplification. To learn the i-th bit of q, we need to amplify the leakage resulting from this connection so it becomes physically distinguishable. Note the value c is used during the main loop of Algorithm 1 in line 6. Moreover, since the multiplication in line 6 is executed once per bit of d, we obtain that Algorithm 1 performs k multiplications by c, whose structure depends on q_i. We now analyze the effects of repetitive vs. random-looking second operand on the multiplication routine of GnuPG.

Suppose q_i = 1. Then c has its lowest k − i bits set to 1. Next, c is passed to the Karatsuba-based multiplication routine as the second operand b. The result of (b_L − b_H), as computed in the Karatsuba-based multiplication, will thus contain many zero limbs. This invariant, of having the second operand containing many zero limbs, is preserved by the Karatsuba-based multiplication all the way until the recursion reaches the base-case multiplication routine (Algorithm 2), where it affects the control flow in line 4, forcing the loop in line 3 to perform almost no multiplications.

Conversely, if q_i = 0, then c is random-looking, containing few (if any) zero limbs. When the Karatsuba-based multiplication routine gets c as its second operand b, the derived values stay random-looking throughout the recursion until the base case, where these random-looking values affect the control flow in line 4 inside the main loop of Algorithm 2, making it almost always perform a multiplication.

Our attack thus creates a situation where, during the entire decryption operation, the branch in line 4 of Algorithm 2 is either always taken or is never taken, depending on the current bit of q. During the decryption process, the branch in line 4 is evaluated numerous times (approximately 129,000 times for 4,096-bit RSA). This yields the desired self-amplification effect. Once q_i is extracted, we can compute the next chosen ciphertext c^(i+1) and proceed to ex-
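The chain just described (chosen ciphertext, modular reduction in line 2 of Algorithm 1, the Karatsuba operand (b_L − b_H), and the zero-limb skips in line 4 of Algorithm 2) can be followed in software on toy parameters. The block below is an added example, not code from the article or from GnuPG: it counts the skipped limb multiplications as a software proxy for the physical leakage and runs the same operand through a hardened base case whose control flow does not depend on limb values, for which the proxy vanishes. The 8-bit limbs, the 64-bit toy prime generated from a fixed seed, the Miller-Rabin helper and the restriction to the top half of q's bits (where the top-level Karatsuba split alone shows the effect) are all assumptions of the example.

```python
"""Model of the zero-limb leakage behind the adaptive attack (added example,
not the article's or GnuPG's code). Assumptions: 8-bit limbs, a 64-bit toy
prime q, and only the top k/2 bits of q are examined."""
import random

LIMB_BITS = 8   # assumption; GnuPG uses 32-bit limbs
K = 64          # assumption: toy prime size in bits


def limbs(x, n_limbs):
    """Little-endian limb array of x, zero-padded to n_limbs limbs."""
    mask = (1 << LIMB_BITS) - 1
    return [(x >> (LIMB_BITS * j)) & mask for j in range(n_limbs)]


def mul_basecase(a, b_limbs, skip_zero=True):
    """Algorithm 2 with a counter: returns (a * b, skipped), where skipped is
    how often line 4 skipped a limb multiplication. skip_zero=False models a
    hardened routine whose control flow does not depend on the limb values."""
    p = a * b_limbs[0]
    skipped = 0
    for i in range(1, len(b_limbs)):
        if skip_zero and b_limbs[i] == 0:
            skipped += 1          # data-dependent branch: the leak
            continue
        p += (a * b_limbs[i]) << (LIMB_BITS * i)
    return p, skipped


def karatsuba_operand(b, k):
    """Top-level Karatsuba split of a k-bit second operand b: the magnitude
    of (b_L - b_H), which the recursion feeds toward the base case."""
    half = k // 2
    b_h, b_l = b >> half, b & ((1 << half) - 1)
    return abs(b_l - b_h)


def chosen_ciphertext(q, i, k):
    """c^(i): topmost i-1 bits equal q's, bit i is 0, remaining k-i bits are 1
    (bits numbered from the most significant, as in the text)."""
    known = q >> (k - i + 1)
    return (known << (k - i + 1)) | ((1 << (k - i)) - 1)


def bit_from_top(x, i, k):
    return (x >> (k - i)) & 1


def is_probable_prime(n):
    """Deterministic Miller-Rabin; these bases are sufficient below 2^64."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_prime(k, seed=2016):
    """Random k-bit prime with the top bit set (as GnuPG's primes have)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(k) | (1 << (k - 1)) | 1
        if is_probable_prime(q):
            return q


def poisoning_profile(q, k=K):
    """For i = 1..k/2: (q_i, zero limbs of the Karatsuba operand after the
    reduction, skips in the vulnerable base case, skips in the hardened one)."""
    n_limbs = (k // 2) // LIMB_BITS
    a = random.Random(1).getrandbits(k // 2)       # arbitrary first operand
    rows = []
    for i in range(1, k // 2 + 1):
        c = chosen_ciphertext(q, i, k) % q         # Algorithm 1, line 2
        bl = limbs(karatsuba_operand(c, k), n_limbs)
        _, vuln = mul_basecase(a, bl, skip_zero=True)
        _, hard = mul_basecase(a, bl, skip_zero=False)
        rows.append((bit_from_top(q, i, k), bl.count(0), vuln, hard))
    return rows


if __name__ == "__main__":
    for i, (qi, zero, vuln, hard) in enumerate(poisoning_profile(toy_prime(K)), 1):
        print(f"i={i:2d} q_i={qi} zero_limbs={zero} skips: vulnerable={vuln} hardened={hard}")
```

Rows with q_i = 1 show the complement structure the text predicts (for i ≤ 8 the operand has exactly three zero limbs and the vulnerable base case skips two of its three multiplications), rows with q_i = 0 show a random-looking operand with essentially no zero limbs, and the hardened column is zero throughout: once the loop body no longer branches on limb values, the self-amplifying difference between the two hypotheses disappears at this level of the computation.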

tract the next secret bit, q_(i+1), through the same method.

The full attack requires additional components (such as error detection and recovery16).

Acoustic cryptanalysis of RSA. The basic experimental setup for measuring acoustic leakage consists of a microphone for converting mechanical air vibrations to electronic signals, an amplifier for amplifying the microphone's signals, a digitizer for converting the analog signal to a digital form, and software to perform signal processing and cryptanalytic deduction. Figure 1 and Figure 5 show examples of such setups using sensitive ultrasound microphones. In some cases, it even suffices to record the target through the built-in microphone of a mobile phone placed in proximity to the target and running the attacker's mobile app.16

Figure 5. Measuring acoustic leakage: (a) is the attacked target; (b) is a microphone picking up the acoustic emanations; (c) is the microphone power supply and amplifier; (d) is the digitizer; and the acquired signal is processed and displayed by the attacker's laptop (e).

Figure 6 shows the results of applying the acoustic attack for different values (0 or 1) of the attacked bit of q. Several effects are discernible. First, the transition between the two modular exponentiations (using the modulus p and q) is clearly visible. Second, note the acoustic signatures of the second exponentiation is different between Figure 6a and Figure 6b. This is exactly the effect created by our attack, which can be utilized to extract the bits of q.

Figure 6. Acoustic emanations (0kHz–20kHz, 0.5 seconds) of RSA decryption during an adaptive chosen-ciphertext attack.

[Figure 6 image: two spectrogram panels, (a) and (b), frequency 0–20 kHz across, time 0–0.5 sec down, with the p and q exponentiations marked on each.]

By applying the iterative attack algorithm described earlier, attacking each key bit at a time by sending the chosen ciphertext for decryption and learning the key bit from the measured acoustic signal, the attacker can fully extract the secret key. For 4,096-bit RSA keys (which, according to NIST recommendations, should remain secure for decades), key extraction takes approximately one hour.

Parallel load. This attack assumes decryption is triggered on an otherwise-idle target machine. If additional software is running concurrently, then the signal will be affected, but the attack may still be feasible. In particular, if other software is executed through timeslicing, then the irrelevant timeslices can be identified and discarded. If other, sufficiently homogenous software is executed on a different core, then (empirically) the signal of interest is merely shifted. Characterizing the general case is an open question, but we conjecture that exploitable correlations will persist.

Non-Adaptive Chosen Ciphertext Attacks

The attack described thus far requires decryption of a new adaptively chosen ciphertext for every bit of the secret key, forcing the attacker to interact with the target computer for a long time (approximately one hour). To reduce the attack time, we turn to the electrical and electromagnetic channels, which offer greater analog bandwidth, though still orders of magnitude less than the target's CPU frequency. This increase in bandwidth allows the attacker to observe finer details about the operations performed by the target algorithm, thus requiring less leakage amplification.

Utilizing the increased bandwidth, our next attack trades away some of the leakage amplification in favor of reducing the number of ciphertexts. This reduction shortens the key-extraction time to seconds and, moreover, makes the attack non-adaptive, meaning the chosen ciphertexts can be sent to the target all at once (such as on a CD with a few encrypted files).

Cryptanalysis. The non-adaptive chosen ciphertext attack against square-and-always-multiply exponentiation (Algorithm 1) follows the approach of Yen et al.,34 extracting the bits of d instead of q.

Internal value poisoning. Consider the RSA decryption of c = n − 1. As in the previous acoustic attack, c is passed to Algorithm 1, except this time, after the modular reduction in line 2, it holds that c ≡ −1 (mod q). We now examine the effect of c on the squaring operation performed during the main loop of Algorithm 1.

First note the value of a during the execution of Algorithm 1 is always either 1 or −1 modulo q. Next, since (−1)^2 ≡ 1^2 ≡ 1 (mod q), we have that the value of a in line 6 is always 1 modulo q. We thus obtain the following connection between the secret key bit d_(i−1) and the value of a at the start of the i-th iteration of Algorithm 1's main loop.

Suppose d_(i−1) = 0, so the branch in line 7 is not taken, making the value of a at the start of the i-th iteration be 1 mod q = 1. Since GnuPG's internal representation does not truncate

leading zeros, a contains many leading zero limbs that are then passed to the squaring routine during the i-th iteration. Conversely, if d_{i-1} = 1, then the branch in line 7 is taken, making the value of a at the start of the i-th iteration be –1 modulo q, represented as p – 1. Since q is a randomly generated prime, the value of a, and therefore the value sent to the squaring routine during the i-th iteration, is unlikely to contain any zero limbs.

We have thus poisoned some of the internal values of Algorithm 1, creating a connection between the bits of d and the intermediate values of a during the exponentiation.

Amplification. GnuPG's squaring routines are implemented in ways similar to the multiplication routines, including the optimizations for handling zero limbs, yielding leakage self-amplification, as in an adaptive attack. Since each iteration of the exponentiation's main loop leaks one bit of the secret d, all the bits of d can be extracted from (ideally) a single decryption of a single ciphertext. In practice, a few measurements are needed to cope with noise, as discussed here.

Windowed exponentiation. Many RSA implementations, including GnuPG version 1.4.16 and newer, use an exponentiation algorithm that is faster than Algorithm 1. In such an implementation, the exponent d is split into blocks of m bits (typically m = 5), either contiguous blocks (in "fixed window" or "m-ary" exponentiation) or blocks separated by runs of zero bits (in "sliding-window" exponentiation). The main loop, instead of handling the exponent one bit at a time, handles a whole block at every iteration, by multiplying a by c^x, where x is the block's value. The values c^x are pre-computed and stored in a lookup table (for all m-bit values x).

An adaptation of these techniques also allows attacking windowed exponentiation.12 In a nutshell, we focus on each possible m-bit value x, one at a time, and identify which blocks in the exponent d, that is, which iterations of the main loop, contain x. This is done by crafting a ciphertext c such that c^x mod q contains many zero limbs. Leakage amplification and measurement then work similarly to the acoustic and electric attacks described earlier. Once we identify where each x occurred, we aggregate these locations to deduce the full key d.

Electric attacks. As discussed earlier, the electrical potential on the chassis of laptop computers often fluctuates (in reference to the mains earth ground) in a computation-dependent way. In addition to measuring this potential directly using a plain wire connected to the laptop chassis, it is possible to measure the chassis potential from afar using the conductive shielding of any cable attached to one of the laptop's I/O ports (see Figure 7) or from nearby by touching an exposed metal part of the laptop's chassis, as in Figure 2.

To cope with noise, we measured the electric potential during a few (typically 10) decryption operations. Each recording was filtered and demodulated. We used frequency demodulation since it produced the best results compared to amplitude and phase demodulation. We then combined the recordings using correlation-based averaging, yielding a combined signal (see Figure 8). The successive bits of d can be deduced from this combined signal. Full key extraction, using non-adaptive electric measurements, requires only a few seconds of measurements, as opposed to an hour using the adaptive attack. We obtained similar results for ElGamal encryption; Genkin et al.15 offer a complete discussion.

Electromagnetic attacks. The electromagnetic channel, which exploits computation-dependent fluctuations in the electromagnetic field surrounding the target, can also be used for key extraction. While this channel was previously used for attacks on small devices at very close proximity,1,11,28 the PC class of devices was only recently considered by Zajic and Prvulovic35 (without cryptographic applications).

Measuring the target's electromagnetic emanations requires an antenna, electronics for filtering and amplification, analog-to-digital conversion, and software for signal processing and cryptanalytic deduction. Prior works (on small devices) typically used cumbersome and expensive lab-grade

Figure 7. Measuring the chassis potential from the far side of an Ethernet cable (blue) plugged into the target laptop (10 meters away) through an alligator clip leading to measurement equipment (green wire).

Figure 8. A signal segment from an electric attack, after demodulating and combining measurements of several decryptions. Note the correlation between the signal (blue) and the correct key bits (red). [Plot of the demodulated signal annotated with the key bits 1 and 0; the bit labels were the only text recovered from the figure.]


equipment. In our attacks,12 we used highly integrated solutions that are small and inexpensive (such as a software-defined radio dongle, as in Figure 9, or a consumer-grade radio receiver recorded by a smartphone, as in Figure 3). Demonstrating how an untethered probe may be constructed from readily available electronics, we also built the Portable Instrument for Trace Acquisition (PITA), which is compact enough to be concealed, as in pita bread (see Figure 10).

Experimental results. Attacking RSA and ElGamal (in both square-and-always-multiply and windowed implementations) over the electromagnetic channel (sampling at 200 kSample/sec around a center frequency of 1.7 MHz), using the non-adaptive attack described earlier, we have extracted secret keys in a few seconds from a distance of half a meter.

Attacking other schemes and other devices. So far, we have discussed attacks on the RSA and ElGamal cryptosystems based on exponentiation in large prime fields. Similar attacks also target elliptic-curve cryptography. For example, we demonstrated key extraction from GnuPG's implementation of the Elliptic-Curve Diffie-Hellman scheme running on a PC;13 the attacker, in this case, can measure the target's electromagnetic leakage from an adjacent room through a wall. Turning to mobile phones and tablets, as well as to other cryptographic libraries (such as OpenSSL and iOS CommonCrypto), electromagnetic key extraction from implementations of the Elliptic Curve Digital Signature Algorithm has also been demonstrated, including attacks that are non-invasive,17 low-bandwidth,5,24 or both.14

Conclusion

Extraction of secret cryptographic keys from PCs using physical side channels is feasible, despite their complexity and execution speed. We have demonstrated such attacks on many public-key encryption schemes and digital-signature schemes, as implemented by popular cryptographic libraries, using inexpensive and readily available equipment, by various attack vectors and in multiple scenarios.

Figure 9. Measuring electromagnetic emanations from a target laptop (left) through a loop of coax cable (handheld) recorded by a software-defined radio (right).
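The internal-value poisoning argued earlier under Amplification, and the ciphertext randomization credited below under Software countermeasures, as an added simulation that is neither the article's nor GnuPG's code: it models a fixed-width limb representation that keeps leading zero limbs, runs a square-and-always-multiply loop of Algorithm 1's shape, records how many zero limbs enter each squaring, reads the exponent bits off that trace for the chosen ciphertext c = q – 1, and then shows that a blinded ciphertext leaves the trace uninformative. The 64-bit limb size, the prime q = 2^521 – 1, the public exponent 65537 and the derived private exponent are constructed assumptions.

```python
import secrets

# Constructed assumptions (not from the article): 64-bit limbs, the Mersenne
# prime 2^521 - 1 as q, public exponent 65537, and d = e^-1 mod (q - 1).
LIMB_BITS = 64
LIMB_MASK = (1 << LIMB_BITS) - 1
Q = (1 << 521) - 1
E = 65537
D = pow(E, -1, Q - 1)
N_LIMBS = (Q.bit_length() + LIMB_BITS - 1) // LIMB_BITS   # 9 limbs

def zero_limbs(x, n_limbs):
    """Count zero limbs of x in a fixed-width, little-endian limb vector.
    The fixed width models a representation that keeps leading zero limbs."""
    return sum(1 for i in range(n_limbs) if (x >> (LIMB_BITS * i)) & LIMB_MASK == 0)

def modexp_trace(c, d, q):
    """a = c^d mod q by square-and-always-multiply (Algorithm 1's shape).
    Returns a and, per iteration, the zero-limb count of a as it enters the
    squaring, the quantity the article identifies as the leakage source."""
    n_limbs = (q.bit_length() + LIMB_BITS - 1) // LIMB_BITS
    a, trace = 1, []
    for bit in bin(d)[2:]:                 # d_n ... d_1, most significant first
        trace.append(zero_limbs(a, n_limbs))
        a = a * a                          # squaring (zero-limb shortcuts leak)
        if bit == "1":                     # the conditional branch
            a = a * c
        a %= q
    return a, trace

def bits_from_trace(trace, n_limbs=N_LIMBS):
    """Read d_n .. d_2 off the trace. With c = q - 1, a enters iteration k as 1
    (n_limbs - 1 zero limbs) if the previous bit was 0 and as q - 1 (no zero
    limbs) if it was 1. The last bit is never squared again, so it is not seen."""
    return "".join("0" if z >= n_limbs - 1 else "1" for z in trace[1:])

def recovered_bits(c=Q - 1):
    """Bits of D read from the simulated trace of one decryption of c."""
    return bits_from_trace(modexp_trace(c, D, Q)[1])

def blinded_modexp_trace(c, d, e, q):
    """Ciphertext randomization: exponentiate c * r^e for a fresh random r,
    then remove r from the result (r^(e*d) = r mod q since e*d = 1 mod q-1).
    The intermediate values are now unrelated to the submitted c."""
    r = secrets.randbelow(q - 2) + 2
    a, trace = modexp_trace(c * pow(r, e, q) % q, d, q)
    return a * pow(r, -1, q) % q, trace

if __name__ == "__main__":
    print("poisoned trace recovers all but the last bit:",
          recovered_bits() == bin(D)[2:-1])
    _, blind = blinded_modexp_trace(Q - 1, D, E, Q)
    print("max zero limbs entering a squaring with blinding:", max(blind[1:]))
```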
Hardware countermeasures. Side-channel leakage can be attenuated through such physical means as sound-absorbing enclosures against acoustic attacks, Faraday cages against electromagnetic attacks, insulating enclosures against chassis and touch attacks, and photoelectric decoupling or fiber-optic connections against "far end of cable" attacks. However, these countermeasures are expensive and cumbersome. Devising inexpensive physical leakage protection for consumer-grade PCs is an open problem.

Figure 10. Extracting keys by measuring a laptop's electromagnetic emanations through a PITA device.

Software countermeasures. Given a characterization of a side channel, algorithms and their software implementations may be designed so the leakage through the given channel will not convey useful information. One such approach is "blinding," or ensuring long operations (such as modular exponentiation) that involve sensitive values are, instead, performed on random dummy values and later corrected using an operation that includes the sensitive value but is much shorter and thus more difficult to measure (such as modular multiplication). A popular example of this approach is ciphertext randomization,20 which was added to GnuPG following our observations and indeed prevents both the internal value poisoning and the leakage self-amplification components of our attacks. However, such countermeasures require careful design and adaptation


for every cryptographic scheme and leakage channel; moreover, they often involve significant cost in performance. There are emerging generic protection methods at the algorithmic level, using fully homomorphic encryption and cryptographic leakage resilience; however, their overhead is currently so great as to render them impractical.

Future work. To fully understand the ramifications and potential of physical side-channel attacks on PCs and other fast and complex devices, many questions remain open. What other implementations are vulnerable, and what other algorithms tend to have vulnerable implementations? In particular, can symmetric encryption algorithms (which are faster and more regular) be attacked? What other physical channels exist, and what signal processing and cryptanalytic techniques can exploit them? Can the attacks' range be extended (such as in acoustic attacks via laser vibrometers)? What level of threat do such channels pose in various real-world scenarios? Ongoing research indicates the risk extends well beyond the particular algorithms, software, and platforms we have covered here.

On the defensive side, we also raise three complementary questions: How can we formally model the feasible side-channel attacks on PCs? What engineering methods will ensure devices comply with the model? And what algorithms, when running on compliant devices, will provably protect their secrets, even in the presence of side-channel attacks?

Acknowledgments

This article is based on our previous research,12,13,15,16 which was supported by the Check Point Institute for Information Security, the European Union's 10th Framework Programme (FP10/2010-2016) under grant agreement no. 259426 ERC-CaC, a Google Faculty Research Award, the Leona M. & Harry B. Helmsley Charitable Trust, the Israeli Ministry of Science, Technology and Space, the Israeli Centers of Research Excellence I-CORE program (center 4/11), NATO's Public Diplomacy Division in the Framework of "Science for Peace," and the Simons Foundation and DIMACS/Simons Collaboration in Cryptography through National Science Foundation grant #CNS-1523467.

References

1. Agrawal, D., Archambeault, B., Rao, J.R., and Rohatgi, P. The EM side-channel(s). In Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES 2002). Springer, 2002, 29–45.
2. Anderson, R.J. Security Engineering: A Guide to Building Dependable Distributed Systems, Second Edition. Wiley, 2008.
3. Asonov, D. and Agrawal, R. Keyboard acoustic emanations. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 2004, 3–11.
4. Backes, M., Dürmuth, M., Gerling, S., Pinkal, M., and Sporleder, C. Acoustic side-channel attacks on printers. In Proceedings of the USENIX Security Symposium 2010. USENIX Association, 2010, 307–322.
5. Belgarric, P., Fouque, P.-A., Macario-Rat, G., and Tibouchi, M. Side-channel analysis of Weierstrass and Koblitz curve ECDSA on Android smartphones. In Proceedings of the Cryptographers' Track of the RSA Conference (CT-RSA 2016). Springer, 2016, 236–252.
6. Bernstein, D.J. Cache-timing attacks on AES. 2005; http://cr.yp.to/papers.html#cachetiming
7. Brouchier, J., Dabbous, N., Kean, T., Marsh, C., and Naccache, D. Thermocommunication. Cryptology ePrint Archive, Report 2009/002, 2009; https://eprint.iacr.org/2009/002
8. Brumley, D. and Boneh, D. Remote timing attacks are practical. Computer Networks 48, 5 (Aug. 2005), 701–716.
9. Clark, S.S., Mustafa, H.A., Ransford, B., Sorber, J., Fu, K., and Xu, W. Current events: Identifying webpages by tapping the electrical outlet. In Proceedings of the 18th European Symposium on Research in Computer Security (ESORICS 2013). Springer, Berlin, Heidelberg, 2013, 700–717.
10. Clark, S.S., Ransford, B., Rahmati, A., Guineau, S., Sorber, J., Xu, W., and Fu, K. WattsUpDoc: Power side channels to nonintrusively discover untargeted malware on embedded medical devices. In Proceedings of the USENIX Workshop on Health Information Technologies (HealthTech 2013). USENIX Association, 2013.
11. Gandolfi, K., Mourtel, C., and Olivier, F. Electromagnetic analysis: Concrete results. In Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES 2001). Springer, Berlin, Heidelberg, 2001, 251–261.
12. Genkin, D., Pachmanov, L., Pipman, I., and Tromer, E. Stealing keys from PCs using a radio: Cheap electromagnetic attacks on windowed exponentiation. In Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES 2015). Springer, 2015, 207–228.
13. Genkin, D., Pachmanov, L., Pipman, I., and Tromer, E. ECDH key-extraction via low-bandwidth electromagnetic attacks on PCs. In Proceedings of the Cryptographers' Track of the RSA Conference (CT-RSA 2016). Springer, 2016, 219–235.
14. Genkin, D., Pachmanov, L., Pipman, I., Tromer, E., and Yarom, Y. ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels. Cryptology ePrint Archive, Report 2016/230, 2016; http://eprint.iacr.org/2016/230
15. Genkin, D., Pipman, I., and Tromer, E. Get your hands off my laptop: Physical side-channel key-extraction attacks on PCs. In Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES 2014). Springer, 2014, 242–260.
16. Genkin, D., Shamir, A., and Tromer, E. RSA key extraction via low-bandwidth acoustic cryptanalysis. In Proceedings of the Annual Cryptology Conference (CRYPTO 2014). Springer, 2014, 444–461.
17. Kenworthy, G. and Rohatgi, P. Mobile device security: The case for side-channel resistance. In Proceedings of the Mobile Security Technologies Conference (MoST), 2012; http://mostconf.org/2012/papers/21.pdf
18. Kocher, P., Jaffe, J., and Jun, B. Differential power analysis. In Proceedings of the Annual Cryptology Conference (CRYPTO 1999). Springer, 1999, 388–397.
19. Kocher, P., Jaffe, J., Jun, B., and Rohatgi, P. Introduction to differential power analysis. Journal of Cryptographic Engineering 1, 1 (2011), 5–27.
20. Kocher, P.C. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Proceedings of the Annual Cryptology Conference (CRYPTO 1996). Springer, 1996, 104–113.
21. Kuhn, M.G. Compromising Emanations: Eavesdropping Risks of Computer Displays. Ph.D. Thesis and Technical Report UCAM-CL-TR-577. University of Cambridge Computer Laboratory, Cambridge, U.K., Dec. 2003; https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-577.pdf
22. Loughry, J. and Umphress, D.A. Information leakage from optical emanations. ACM Transactions on Information Systems Security 5, 3 (Aug. 2002), 262–289.
23. Mangard, S., Oswald, E., and Popp, T. Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, Berlin, Heidelberg, 2007.
24. Nakano, Y., Souissi, Y., Nguyen, R., Sauvage, L., Danger, J., Guilley, S., Kiyomoto, S., and Miyake, Y. A pre-processing composition for secret key recovery on Android smartphones. In Proceedings of the International Workshop on Information Security Theory and Practice (WISTP 2014). Springer, Berlin, Heidelberg, 2014.
25. Oren, Y. and Shamir, A. How not to protect PCs from power analysis. Presented at the Annual Cryptology Conference (CRYPTO 2006) rump session. 2006; http://iss.oy.ne.ro/HowNotToProtectPCsFromPowerAnalysis
26. Osvik, D.A., Shamir, A., and Tromer, E. Cache attacks and countermeasures: The case of AES. In Proceedings of the Cryptographers' Track of the RSA Conference (CT-RSA 2006). Springer, 2006, 1–20.
27. Percival, C. Cache missing for fun and profit. In Proceedings of the BSDCan Conference, 2005; http://www.daemonology.net/hyperthreading-considered-harmful
28. Quisquater, J.-J. and Samyde, D. Electromagnetic analysis (EMA): Measures and countermeasures for smartcards. In Proceedings of the Smart Card Programming and Security: International Conference on Research in Smart Cards (E-smart 2001). Springer, 2001, 200–210.
29. Skorobogatov, S. Optical Surveillance on Silicon Chips. University of Cambridge, Cambridge, U.K., 2009; http://www.cl.cam.ac.uk/~sps32/SG_talk_OSSC_a.pdf
30. van Eck, W. Electromagnetic radiation from video display units: An eavesdropping risk? Computers and Security 4, 4 (Dec. 1985), 269–286.
31. Wright, P. Spycatcher. Viking Penguin, New York, 1987.
32. Yarom, Y. and Falkner, K. FLUSH+RELOAD: A high-resolution, low-noise, L3 cache side-channel attack. In Proceedings of the USENIX Security Symposium 2014. USENIX Association, 2014, 719–732.
33. Yarom, Y., Liu, F., Ge, Q., Heiser, G., and Lee, R.B. Last-level cache side-channel attacks are practical. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 2015, 606–622.
34. Yen, S.-M., Lien, W.-C., Moon, S.-J., and Ha, J. Power analysis by exploiting chosen message and internal collisions: Vulnerability of checking mechanism for RSA decryption. In Proceedings of the International Conference on Cryptology in Malaysia (Mycrypt 2005). Springer, 2005, 183–195.
35. Zajic, A. and Prvulovic, M. Experimental demonstration of electromagnetic information leakage from modern processor-memory systems. IEEE Transactions on Electromagnetic Compatibility 56, 4 (Aug. 2014), 885–893.

Daniel Genkin (danielg3@cs.technion.ac.il) is a Ph.D. candidate in the Computer Science Department at Technion-Israel Institute of Technology, Haifa, Israel, and a research assistant in the Blavatnik School of Computer Science at Tel Aviv University, Israel.

Lev Pachmanov (levp@tau.ac.il) is a master's candidate in the Blavatnik School of Computer Science at Tel Aviv University, Israel.

Itamar Pipman (itamarpi@tau.ac.il) is a master's candidate in the Blavatnik School of Computer Science at Tel Aviv University, Israel.

Adi Shamir (adi.shamir@weizmann.ac.il) is a professor in the faculty of Mathematics and Computer Science at the Weizmann Institute of Science, Rehovot, Israel.

Eran Tromer (tromer@cs.tau.ac.il) is a senior lecturer in the Blavatnik School of Computer Science at Tel Aviv University, Israel.

Copyright held by authors.
