2. Intro
Source paper
RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
Daniel Genkin, Technion and Tel Aviv University;
Adi Shamir, Weizmann Institute of Science;
Eran Tromer, Tel Aviv University
Dušan Klinec (FI MUNI) Ph4r05 13. 3. 2014 2 / 36
3. Source of the sound
What is it about
Extracts the RSA private key by observing the acoustic side-channel leak
during decryption.
4. Source of the sound
Acoustic, really?
Why does a modern PC emit audible noise?
5. Source of the sound
Capacitor noise
High-pitched audible noise - capacitor is culprit #1.
6. Source of the sound
Capacitor noise - why?
Piezoelectric effect.
The internal generation of a mechanical strain resulting from an applied electric field.
Note: reversible; the inverse effect is not of interest right now.
7. Source of the sound
Capacitor noise - why?
(Figure: perovskite unit cell of the capacitor ceramic, with Pb, Ti/Zr and O ions, shown below and above the Curie temperature T_C.)
8. Source of the sound
Capacitor noise - how exactly?
(Figure: capacitor dimensions L-T and L-W before and after applying voltage, and L-W with metal terminal; most of the deformation goes into the free dimension.)
10. Source of the sound
Coil - culprit #2
12. Source of the sound
Sound source
Dynamics of the pulse-width-modulation-based voltage regulator
circuitry.
Regulates the amount of energy delivered to the CPU.
Best mic mounting points: fan exhaust, Ethernet port.
13. Experiment setup
Lab grade setup
1.25M samples per second, professional HW.
14. Experiment setup
Portable setup
200k samples per second, 100 kHz resolution.
Attack works up to 1 m (4 m with a parabolic mic).
15. Experiment setup
Mobile setup
48k samples per second, low sensitivity, noisy, pushing the attack to its limits.
Attack works up to a distance of 30 cm.
16. Experiment setup
Acoustic noise – multiple devices tested
(a) Asus N55SF (b) Dell Inspiron 7720 (c) HP ProBook 4530s
(d) HP Pavilion Sleek book 15-b005ej (e) Samsung NP300V5A (f) Lenovo ThinkPad W530
17. Experiment setup
Attack scenario
Attacking several GnuPG implementations.
Goal: recovery of a 4096 bit private key.
Adaptive chosen cipher text attack.
Recovers the private key bit by bit. Requires observing at least 2048
decryptions (n = pq).
Attack vector: Enigmail, the Thunderbird GPG plugin, which automatically
decrypts incoming messages.
24. Experiment setup
RSA implementation in GPG
$n = pq$, where n is the public modulus and p, q are the private primes.
e is the public exponent, d the secret private exponent, with $ed \equiv 1 \pmod{\varphi(n)}$.
Normal RSA decryption: $m = c^d \bmod n$.
Optimization (by a factor of 4):
$d_p = d \bmod (p - 1)$
$d_q = d \bmod (q - 1)$
$m_1 = c^{d_p} \bmod p$
$m_2 = c^{d_q} \bmod q$
$m$ = combine $m_1$ and $m_2$ using the CRT.
Thus 2 modular exponentiations; the attack targets the 2nd prime.
The signal is somewhat stabilized after the first exponentiation, giving a better SNR.
26. Experiment setup
Attack 1 - Key distinguishability
5 GnuPG RSA signatures executed on a Lenovo ThinkPad T61.
The transitions between p and q are marked with yellow arrows.
27. Experiment setup
Attack 2 - Key extraction
Determines the secret factor q one bit at a time, from MSB to LSB.
Notation: $q_i$ is the i-th bit of q, counted from the MSB ($i = 2048$ for the MSB).
Incremental: assumes the key bits $q_{2048} \ldots q_{i+1}$ are already recovered.
Tests hypotheses about $q_i$.
Attacks the different control flow that occurs for different ciphertexts.
Targets multiplication optimizations (multiplication by zero vs.
multiplication by a random number).
Notation: $A = (\underbrace{00\ldots0}_{32\,\text{bit}}, \underbrace{00\ldots0}_{32\,\text{bit}}, \ldots, \underbrace{00\ldots0}_{32\,\text{bit}})$, an array of limbs.
50. Experiment setup
Karatsuba
Recursive algorithm for fast integer multiplication in $\Theta(n^{\log_2 3})$.
Faster than the schoolbook algorithm (for suitably large integers).
Based on the following identity:
$u = u_H \,|\, u_L$, concatenation of high and low part, i.e. $u = u_H 2^n + u_L$
$v = v_H \,|\, v_L$, i.e. $v = v_H 2^n + v_L$
$uv = \underbrace{(2^{2n} + 2^n)\, u_H v_H}_{\text{1. mult}} - \underbrace{2^n (u_H - u_L) \underbrace{(v_H - v_L)}_{\text{will be almost zero}}}_{\text{2. mult}} + \underbrace{(2^n + 1)\, v_L u_L}_{\text{3. mult}}$
Ciphertext c is passed to Karatsuba as the second parameter.
The special form of the ciphertext causes the marked part to be zero.
The recursion will invoke Karatsuba($u_H - u_L$, $v_H - v_L$), which leads to a
multiplication by zero.
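As an added example (not from the slides or the source paper), the following Python checks the Karatsuba identity above with the sign made explicit, and shows why the middle product is the data-dependent one: it is a multiplication by zero whenever the two halves of the second operand are equal. The split width n and the sample operands are assumptions chosen for the check.

```python
# Added example: one level of Karatsuba multiplication.
# With u = u_H*2^n + u_L and v = v_H*2^n + v_L the identity is
#   u*v = (2^2n + 2^n)*u_H*v_H - 2^n*(u_H - u_L)*(v_H - v_L) + (2^n + 1)*u_L*v_L
# so three half-size products replace four.  The middle product depends on the
# operand values: if v_H == v_L it degenerates into a multiplication by zero,
# which is the data-dependent behaviour the slides describe as the leak source.

def split(x: int, n: int) -> tuple[int, int]:
    """Split x into its high part (bits >= n) and low part (bits < n)."""
    return x >> n, x & ((1 << n) - 1)

def karatsuba_terms(u: int, v: int, n: int) -> tuple[int, int, int]:
    """Return the three sub-products (h, t, l) of one Karatsuba step."""
    u_h, u_l = split(u, n)
    v_h, v_l = split(v, n)
    h = u_h * v_h                  # 1. mult (high parts)
    t = (u_h - u_l) * (v_h - v_l)  # 2. mult, zero whenever v_h == v_l
    l = u_l * v_l                  # 3. mult (low parts)
    return h, t, l

def karatsuba(u: int, v: int, n: int) -> int:
    """Recombine the three sub-products; must equal u * v for any split n."""
    h, t, l = karatsuba_terms(u, v, n)
    return ((1 << (2 * n)) + (1 << n)) * h - (1 << n) * t + ((1 << n) + 1) * l

def middle_term_is_zero(u: int, v: int, n: int) -> bool:
    """True when the second sub-product is a multiplication by zero."""
    return karatsuba_terms(u, v, n)[1] == 0

if __name__ == "__main__":
    u, v = 0xDEADBEEF, 0xCAFEBABE            # constructed sample operands
    print(karatsuba(u, v, 16) == u * v)       # identity holds
    # constructed operand whose halves are equal: middle product vanishes
    print(middle_term_is_zero(u, 0xABCDABCD, 16))
```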
52. Experiment setup
Karatsuba
$uv = \underbrace{(2^{2n} + 2^n)\, u_H v_H}_{\text{1. mult},\, h} - \underbrace{2^n (u_H - u_L) \underbrace{(v_H - v_L)}_{\text{will be almost zero}}}_{\text{2. mult},\, t} + \underbrace{(2^n + 1)\, v_L u_L}_{\text{3. mult},\, l}$
(Figure: Karatsuba recursive expansion.)
If $q_i = 1 \Rightarrow c = q_{2048}, q_{2047}, \ldots, q_{i+1}, 0, 1, 1, \ldots, 1 \Rightarrow$ many zero
limbs in the 2nd mult. argument.
If $q_i = 0 \Rightarrow c$ is a random-looking number.
54. Experiment setup
Source of side-channel leakage
Computation is very fast (GHz), while the acoustic channel is narrow (kHz).
The leak would not be observable without amplification.
The leaking multiplication routine is called many times during one
decryption: 7 × 12 × 2048 = 172032 invocations.
Such a number of invocations creates a detectable pattern (random vs.
zero bits) in the acoustic spectrum.
(Figure: Karatsuba recursive expansion.)
55. Experiment setup
Source of side-channel leakage
(Figure: (a) attacking a 0 bit, (b) attacking a 1 bit; (c) frequency spectra of the second modular exponentiation, power (nanovolts, 0 to 4.5) vs. frequency (kHz, 34 to 39), with one curve for "attacked bit is 1" and one for "attacked bit is 0".)
56. Experiment setup
Attack technicalities
The more bits are recovered, the closer together the frequency peaks in the
spectrum become.
The analysis gets complicated, but the core idea still holds.
Frequency spectrum for ciphertexts of size 2048 bits with various
numbers of zero words:
(Figure: spectrum plot of frequency (kHz, 35 to 39) against the number of zero limbs in the second operand of MUL_BASECASE.)
58. Experiment setup
Attack scheme
1. Obtain the acoustic trace of the second modular exponentiation.
Obtain templates $T_0$, $T_1$.
2. Compute the frequency spectrum s of the trace (sliding-window FFT,
median binning).
3. Peak smoothing (noise removal).
4. Normalization (remove the microphone pattern).
5. Compute the distance of s from the templates $T_0$ and $T_1$, allowing some
shift (frequency left/right).
6. Classification.
7. Template update: create new templates $T_0$, $T_1$ for the next bit.
65. Experiment setup
Attack scheme
If the attack misclassifies some $q_i$, backtracking is used.
The error is detectable because the bits recovered afterwards all come out the same (e.g., all ones).
66. Experiment setup
Countermeasures
Artificial CPU load on another core. Does not work. It shifts the
leakage frequency from 35 - 38 kHz to 32 - 35 kHz, actually helping
the attack.
Another side-channel fix (CPU cache, multiplication): the
multiplication is performed regardless of $d_i$, doubling the number of
multiplications and helping the attack.
Ciphertext randomization. Works. Let r be a random 4096-bit
number: $(r^e \cdot c)^d \cdot r^{-1} \equiv r^{ed} c^d r^{-1} \equiv c^d \pmod n$.
Modulus randomization. Works. Let t be a random medium-sized
integer. Compute $m_q' = c^{d_q} \bmod (tq)$, then $m_q = m_q' \bmod q$.
70. Experiment setup
Conclusions
Attack is realistic.
Within one hour recovers 4096-bit private key.
Attack: Mobile phone near laptop, performing attack, generating
ciphertexts on the fly.
Attack: hidden microphone in docking station, in table.
Attack: self-spying (malware on the PC).
72. Experiment setup
References & sources
https://www.cs.tau.ac.il/~tromer/acoustic/
https://68kmla.org/forums/viewtopic.php?f=10&t=13101
https://eeepitnl.tksc.jaxa.jp/mews/jp/26th/data/2_12_4.pdf
http://www.bjorn3d.com/2013/09/asus-gtx-780-directcu-ii-oc/
http://img.techpowerup.org/120520/vrm.jpg
https://en.wikipedia.org/wiki/Piezoelectricity
Disclaimer: Images are not my own; some of them may be from an unknown
source. Apologies for not referencing them correctly.