CryptoDB
Hertzbleed: Claims of Constant-Time Execution Are Frequently Wrong
| Authors: | Yingchen Wang, Riccardo Paccagnella, Alan Wandke, Zhao Gang, Grant Garrett-Grossman, Christopher W. Fletcher, David Kohlbrenner, Hovav Shacham |
|---|---|
| Download: | |
| Presentation: | Slides |
| Abstract: | The recent Hertzbleed disclosure demonstrates how remote timing analysis can reveal secret information previously accessible only to local power analysis. At worst, this constitutes a fundamental break of the constant-time programming principles and of the many deployed programs that rely on them. But all hope is not lost. Hertzbleed relies on a coarse-grained, noisy channel that is difficult to exploit. Indeed, the Hertzbleed paper required a bespoke cryptanalysis to attack a specific cryptosystem (SIKE). Thus, it remains unclear whether Hertzbleed represents a threat to the broader security ecosystem. In this paper, we demonstrate that Hertzbleed's effects extend to cryptosystems beyond SIKE. We demonstrate how latent gadgets in other cryptosystem implementations, specifically "constant-time" ECDSA and Classic McEliece, can be combined with existing cryptanalysis to bootstrap Hertzbleed attacks on those cryptosystems. |
| Video: | https://www.youtube.com/watch?v=bw5ts98SZIo |
BibTeX

@misc{rwc-2024-35366,
  title={Hertzbleed: Claims of Constant-Time Execution Are Frequently Wrong},
  note={Video at \url{https://www.youtube.com/watch?v=bw5ts98SZIo}},
  howpublished={Talk given at RWC 2024},
  author={Yingchen Wang and Riccardo Paccagnella and Alan Wandke and Zhao Gang and Grant Garrett-Grossman and Christopher W. Fletcher and David Kohlbrenner and Hovav Shacham},
  year=2024
}