Cryptography Watch

Aciicmez, et. al. have just published a paper[1] defining a modified type of Branch Prediction Analysis (BPA) attack. The new attack which they have demonstrated against RSA Encryption in able to determine significant key material by monitoring a CPU’s Branch Predictor with a spy process during a single encryption process when running on the same physical hardware. The use of technologies such as sand boxing and virtulization do not significantly reduce the effectiveness of the attack. They have termed the new attack, Simple Branch Prediction Analysis (SBPA).

[1] O. Aciicmez, C. Koc and J. Seifert. On the Power of Simple Branch Prediction Analysis. Cryptology ePrint Archive, Report 2006/351, October 2006.

Abstract:

Very recently, a new software side-channel attack, called Branch Prediction Analysis (BPA)
attack, has been discovered and also demonstrated to be practically feasible on popular
commodity PC platforms. While the above recent attack still had the flavor of a classical timing
attack against RSA, where one uses many execution-time measurements under the same key
in order to statistically amplify some small but key-dependent timing differences, we
dramatically improve upon the former result. We prove that a carefully written spy-process
running simultaneously with an RSA-process, is able to collect during one \emph{single} RSA
signing execution almost all of the secret key bits. We call such an attack, analyzing the CPU's
Branch Predictor states through spying on a single quasi-parallel computation process, a
\emph{Simple Branch Prediction Analysis (SBPA)} attack --- sharply differentiating it from those
one relying on statistical methods and requiring many computation measurements under the
same key. The successful extraction of almost all secret key bits by our SBPA attack against an
openSSL RSA implementation proves that the often recommended blinding or so called
randomization techniques to protect RSA against side-channel attacks are, in the context of
SBPA attacks, totally useless. Additional to that very crucial security implication, targeted at
such implementations which are assumed to be at least statistically secure, our successful
SBPA attack also bears another equally critical security implication. Namely, in the context
of simple side-channel attacks, it is widely believed that equally balancing the operations
after branches is a secure countermeasure against such simple attacks. Unfortunately, this
is not true, as even such ``balanced branch'' implementations can be completely broken by
our SBPA attacks. Moreover, despite sophisticated hardware-assisted partitioning methods
such as memory protection, sandboxing or even virtualization, SBPA attacks empower an
unprivileged process to successfully attack other processes running in parallel on the same
processor. Thus, we conclude that SBPA attacks are much more dangerous than previously
anticipated, as they obviously do not belong to the same category as pure timing attacks.

The number RSA-640 of the RSA Factoring Challenge has been factored by Bahr, F.; Boehm, M.; Franke, J. and Kleinjung, T. of the German Federal Agency for Information Technology Security (BSI). The factorization took five months on 80 2.2 GHz AMD Opteron CPUs using the General Number Field Sieve.

The result was:

RSA-640 = 16347336458092538484431338838650908598417836700330923121
81110852389333100104508151212118167511579
* 19008712816648221131268515739354139754718967899685154936
66638539088027103802104498957191261465571

RSA-576 (174 decimal digits) has been factored using the General Number Field Sieve by Franke, J. et. al.

The result was:

RSA-576 = 3980750864240649373971255005503864911990643623
42526708406385189575946388957261768583317
* 4727721461074353025362230719730482246329146953020971164
59852171130520711256363590397527

Distributed.net, a grid computing project has successfully completed the partial known plaintext attack RSA Labs RC5 64bit Challenge. The attack took 1,757 days (4 years, 333 days). Additional detials are given in the official announcement:

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

distributed.net completes rc5-64 project (list announcement)
september 25, 2002

RC5-64 HAS BEEN SOLVED!

On 14-Jul-2002, a relatively characterless PIII-450 in Tokyo returned
the winning key to the distributed.net keyservers. The key
0×63DE7DC154F4D039 produces the plaintext output:

The unknown message is: some things are better left unread

Unfortunately, due to breakage in scripts (dbaker’s fault, naturally)
on the keymaster, this successful submission was not automatically
detected. It sat undiscovered until 12-Aug-2002. The key was
immediately submitted to RSA Labs and was verified as the winning key.

So, after 1,757 days and 58,747,597,657 work units tested the winning
key was found! While it’s debatable that the duration of this project
does much to devalue the security of a 64-bit RC5 key by much, we can
say with confidence that RC5-64 is not an appropriate algorithm to use
for data that will still be sensitive in more than several years’
time. On the distributed computing front, however, the RC5-64 project
clearly demonstrates the viability of long-term, volunteer-driven,
internet-based collaborative efforts. The next time someone bemoans
the public’s short attention span or need for instant gratification
you should remind them what 331,252 people were able to accomplish by
joining together and working for nearly five years. distributed.net’s
RC5-64 project clearly shows that even the most ambitious projects can
be completed by volunteers thanks to the combined power of the
internet and distributed computing.

Ignoring artificially high numbers resulting from network
difficulties, we completed 86,950,894 workunits on our best day. This
is 0.12% of the total keyspace meaning that at our peak rate we could
expect to exhaust the keyspace in 790 days. Our peak rate of
270,147,024 kkeys/sec is equivalent to 32,504 800MHz Apple PowerBook
G4 laptops or 45,998 2GHz AMD Athlon XP machines or (to use some
rc5-56 numbers) nearly a half million Pentium Pro 200s.

Over the course of the RC5-64 project, 331,252 individuals
participated. We tested 15,769,938,165,961,326,592 keys.

We apologize for the latency in the announcement, but scheduling
conflicts with RSA Laboratories and difficulties in reaching the
winning participant (who has asked to remain anonymous) introduced the
additional delay to the process.

Also, please consider joining us on SlashNET IRC on Saturday
28-Sep-2002 @ 21:00 UTC (5:00PM EDT) for an online Q+A session on the
RC5-64 project and the future plans for the distributed.net network.
Not only are we looking forward to moving on to RC5-72 but we’re
currently reshaping the framework of the dnetc architecture to better
accommodate additional projects. We’re hoping to attract some new and
motivated partners with good ideas and a need for cycles.

Thanks to RSA Labs for continuing to offer challenges that reward
distributed efforts!

For more information, contact:
* David McNett +1-512-350-5038

References

http://www.slashnet.org/
http://www.rsasecurity.com/news/releases/pr.asp?doc_id=1400
http://www.distributed.net/rc5/

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9lKZcgAekZNFUBFURAkYcAKCOTk63Bpi/8beOA/6GxOGi4/VqLwCeMeXB
M1zR4DccCqJ26YxUUrKyXOg=
=DP11
—–END PGP SIGNATURE—–

The number RSA-140 of the RSA Factoring Challenge {W} has been factored by Herman J. J. te Riele {W}, et. al.

The factorization is:

RSA-140 = 3398717423028438554530123627613875835633986495969597423490929302771479
* 6264200187401285096151654948264442219302037178623509019111660653946049

The 56bit RSA Labs RC5 partial known plaintext attack challenge has been completed successfully in 265 days by Distributed.net a grid computing project. The active search time is 212 days. At its averaged rate the project tested 5.3 Gk/s (giga keys a second).

The official Dnet announcement includes more information.

The 48bit RSA Labs RC5 partial known plaintext attack challenge has been completed successfully in 313 hours.

The 40bit RSA Labs RC5 partial known plaintext attack challenge has been completed successfully in 3 1/2 hours on a graphics work station by a university student.

US companies are restricted to using no greater than 40bit cryptography in products they plan to export. One of the most common applications for such cryptographic code is the 40bit SSL capable web browser. This break shows that 40bit encryption is trivial to crack and in no way sufficient for protecting electronic commerce transactions or corporate trade secrets.

The RSA-130 Number of the RSA Factoring Challenge has been factored by Lenstra, et. al.

RSA-130 has the factorization:

RSA-130 = 39685999459597454290161126162883786067576449112810064832555157243
* 45534498646735972188403686897274408864356301263205069600999044599

The semi-prime RSA-129, of the RSA Factoring Challenge, has been factored by Lenstra, A., et. al. using a distributed computing approach involving roughly 600 computers.  The factorization was done using the Multiple Polynomial Quadratic Sieve (MPQS).

The result was:

RSA-129 = 3490529510847650949147849619903898133417764638493387843990820577
* 32769132993266709549961988190834461413177642967992942539798288533