Campus Event Calendar

Event Entry

What and Who

Rational Protection Against Timing Attacks

Boris Köpf
IMDEA Software Institute Madrid
Talk

I joined the IMDEA Software Institute after completing my Ph.D. in the Information Security group of ETH Zurich and working as a postdoc in the Information Security and Cryptography Group of the Max Planck Institute for Software Systems. Before that, I studied mathematics at the Universidad de Chile, the Universidade Federal de Campinas, and the University of Konstanz, from which I received an M.Sc.
AG 1, AG 2, AG 3, AG 4, AG 5, SWS, RG1, MMCI  
Public Audience
English

Date, Time and Location

Thursday, 30 April 2015
14:00
60 Minutes
E1 5
002
Saarbrücken

Abstract

Timing attacks can effectively recover keys from cryptosystems. While they can be defeated using constant-time implementations, this defensive approach comes at the price of a performance penalty. One is hence faced with the problem of striking a balance between performance and security against timing attacks.

This talk presents a game-theoretic approach to the problem, for the case of cryptosystems based on discrete logarithms. Namely, we identify the optimal countermeasure configuration as an equilibrium in a game between a resource-bounded timing adversary who strives to maximize the probability of key recovery, and a defender who strives to reduce the cost while maintaining a certain degree of security. The key novelty in our approach lies in bounds for the probability of key recovery, which are expressed as a function of the countermeasure configuration and the attack strategy of the adversary.

We put our techniques to work for a library implementation of ElGamal. A highlight of our results is that we can formally justify the use of an aggressively tuned but (slightly) leaky implementation over a defensive constant-time implementation, for some parameter ranges. The talk concludes with an outlook on how similar analyses can be performed automatically and for more general classes of systems.

Contact

Sabine Nermerich
0681-3023585

Sabine Nermerich, 04/23/2015 12:25 -- Created document.