[Cryptography] Attackers will always win, and it's getting worse!

Henry Baker hbaker1 at pipeline.com
Sun Jul 9 15:17:24 EDT 2017


Here's the problem:

User crypto software (the "attacked") has to run in such a way that:
a.  It produces the correct answer; and
b.  It does NOT LEAK SECRET INFORMATION through side-channels -- e.g., timing/power/etc.

Let's assume as given that the crypto math itself is good & strong.

Now, attacker systems don't have to worry about side-channel leakage, assuming that they're running in some Tempested datacenter in the wilds of Utah or Maryland.

So the problem is: the ratio of the cost ($ & latency) of user crypto software to the cost of attacking software is getting worse, so that the attacker's cost/performance advantage is improving over time.

More to worry about: suppose the NSA wants to create a "backdoorless backdoor", which allows NOBUS to efficiently attack a system.  What better way to do this, than to increase the advantage of "side-channel-careless" code over "side-channel-secure" code?  A little NSL leaning on the chip vendor (Intel/nVidia/AMD/ARM) and the deed is done.

For example, many (most?) arithmetic "optimizations" (both HW & SW) open up timing and/or power side-channels.  Putting such "optimizations" into chips provides an easy cover story for the inclusion of these side-channels, but each such "optimization" requires far more code complexity and latency from the attacked to defeat the side-channel than the profit on the original "optimization".  Thus, all of the advantage of these "optimizations" goes to the attacker rather than the attacked.

Any thoughts on how to better engineer side-channel-secure systems?



More information about the cryptography mailing list
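The following is an added illustration of the asymmetry the post describes; it is not code from Henry Baker's message or from the mailing list.  It pairs two classic data-dependent "optimizations" with their constant-time counterparts: square-and-multiply that skips the multiply on a zero exponent bit, and a tag comparison that exits on the first mismatching byte.  Rather than measuring wall-clock time, each routine reports the number of basic operations it performed, which is exactly the quantity a timing side-channel exposes.  All names (`struct trace`, `powmod_leaky`, `powmod_ct`, `tag_eq_leaky`, `tag_eq_ct`) and the toy 32-bit operands are assumptions of this example, chosen so that products fit in 64 bits without a bignum library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the original post.  Each routine returns its
 * answer together with the number of basic operations it performed; that
 * count stands in for the timing an attacker would observe. */
struct trace {
    uint32_t value;   /* computed result (or 1/0 for the comparisons) */
    unsigned ops;     /* multiplications or byte compares performed */
};

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m, unsigned *ops)
{
    (*ops)++;
    /* Caveat: '%' compiles to a hardware divide whose latency is itself
     * operand-dependent on many CPUs; real constant-time code would use
     * Montgomery multiplication instead. */
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Left-to-right square-and-multiply.  Skipping the multiply when the
 * exponent bit is 0 is the "optimization": ops = 32 + popcount(exp), so
 * total time reveals the Hamming weight of the secret exponent and
 * per-iteration timing reveals each bit. */
struct trace powmod_leaky(uint32_t base, uint32_t exp, uint32_t m)
{
    struct trace t = { 1 % m, 0 };
    for (int i = 31; i >= 0; i--) {
        t.value = mulmod(t.value, t.value, m, &t.ops);
        if ((exp >> i) & 1)                       /* secret-dependent branch */
            t.value = mulmod(t.value, base, m, &t.ops);
    }
    return t;
}

/* Constant-time variant: always performs the multiply and selects the
 * result with a mask derived from the bit.  Same answer, always 64
 * multiplications, no secret-dependent branch; the price of hiding the
 * bit is doing the work the "optimization" saved. */
struct trace powmod_ct(uint32_t base, uint32_t exp, uint32_t m)
{
    struct trace t = { 1 % m, 0 };
    for (int i = 31; i >= 0; i--) {
        t.value = mulmod(t.value, t.value, m, &t.ops);
        uint32_t prod = mulmod(t.value, base, m, &t.ops);  /* always done */
        uint32_t mask = 0u - ((exp >> i) & 1u);            /* 0 or all-ones */
        t.value = (t.value & ~mask) | (prod & mask);       /* branch-free select */
    }
    return t;
}

/* Early-exit comparison: the number of bytes touched reveals how long a
 * prefix of the attacker's guess matched the secret tag. */
struct trace tag_eq_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
    struct trace t = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        t.ops++;
        if (a[i] != b[i]) return t;   /* early exit; value stays 0 */
    }
    t.value = 1;
    return t;
}

/* Constant-time comparison: OR-accumulates every byte difference, always
 * touches all n bytes, and collapses the verdict without a branch. */
struct trace tag_eq_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    struct trace t = { 0, 0 };
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) {
        t.ops++;
        d |= a[i] ^ b[i];
    }
    /* d == 0 exactly when all bytes matched; bit 31 of (d | -d) is set iff d != 0 */
    t.value = 1u - (((unsigned)d | (0u - (unsigned)d)) >> 31);
    return t;
}

int main(void)
{
    /* Constructed toy inputs, not real key material. */
    struct trace l1 = powmod_leaky(2, 10u, 1000u);
    struct trace l2 = powmod_leaky(2, 0xFFFFFFFFu, 1000u);
    struct trace c1 = powmod_ct(2, 10u, 1000u);
    struct trace c2 = powmod_ct(2, 0xFFFFFFFFu, 1000u);
    printf("leaky: exp=10 -> %u ops, exp=0xFFFFFFFF -> %u ops\n", l1.ops, l2.ops);
    printf("ct:    exp=10 -> %u ops, exp=0xFFFFFFFF -> %u ops\n", c1.ops, c2.ops);

    const uint8_t *good = (const uint8_t *)"abcdefgh";
    const uint8_t *bad  = (const uint8_t *)"abcxxxxx";
    printf("leaky compare touched %u of 8 bytes, ct compare touched %u\n",
           tag_eq_leaky(good, bad, 8).ops, tag_eq_ct(good, bad, 8).ops);
    return 0;
}
```

Two things a practitioner should check before trusting the "ct" versions in production: the compiler may turn the masked select back into a branch, so the emitted assembly has to be inspected, and the `%` in `mulmod` is itself a variable-latency hardware divide, which is the same kind of chip-level "optimization" the post is complaining about.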