
In computer security, a side-channel attack is any attack based on extra information that can be gathered because of the fundamental way a computer protocol or algorithm is implemented, rather than flaws in the design of the protocol or algorithm itself (e.g. flaws found in a cryptanalysis of a cryptographic algorithm) or minor, but potentially devastating, mistakes or oversights in the implementation. (Cryptanalysis also includes searching for side-channel attacks.) Timing information, power consumption, electromagnetic leaks, and sound are examples of extra information which could be exploited to facilitate side-channel attacks.

Some side-channel attacks require technical knowledge of the internal operation of the system, although others such as differential power analysis are effective as black-box attacks. The rise of Web 2.0 applications and software-as-a-service has also significantly raised the possibility of side-channel attacks on the web, even when transmissions between a web browser and server are encrypted (e.g. through HTTPS or WiFi encryption), according to researchers from Microsoft Research and Indiana University.[1] Many powerful side-channel attacks are based on statistical methods pioneered by Paul Kocher.[2]

Attempts to break a cryptosystem by deceiving or coercing people with legitimate access are not typically considered side-channel attacks: see social engineering and rubber-hose cryptanalysis.

General

General classes of side-channel attack include:

  • Cache attack — attacks based on the attacker’s ability to monitor cache accesses made by the victim in a shared physical system, as in a virtualized environment or a type of cloud service.
  • Timing attack — attacks based on measuring how much time various computations (such as, say, comparing an attacker’s given password with the victim’s unknown one) take to perform.
  • Power-monitoring attack — attacks that make use of varying power consumption by the hardware during computation.
  • Electromagnetic attack — attacks based on leaked electromagnetic radiation, which can directly provide plaintexts and other information. Such measurements can be used to infer cryptographic keys using techniques equivalent to those in power analysis, or can be used in non-cryptographic attacks, e.g. TEMPEST (aka van Eck phreaking or radiation monitoring) attacks.
  • Acoustic cryptanalysis — attacks that exploit sound produced during a computation (rather like power analysis).
  • Differential fault analysis — in which secrets are discovered by introducing faults in a computation.
  • Data remanence — in which sensitive data are read after supposedly having been deleted (e.g. cold boot attack).
  • Software-initiated fault attacks — currently a rare class of side channels; Row hammer is an example in which off-limits memory can be changed by accessing adjacent memory too often (causing state retention loss).
  • Optical – in which secrets and sensitive data can be read by visual recording using a high-resolution camera, or other devices that have such capabilities (see examples below).

In all cases, the underlying principle is that physical effects caused by the operation of a cryptosystem (on the side) can provide useful extra information about secrets in the system, for example, the cryptographic key, partial state information, full or partial plaintexts and so forth. The term cryptophthora (secret degradation) is sometimes used to express the degradation of secret key material resulting from side-channel leakage.

Examples

A cache side-channel attack works by monitoring security-critical operations such as AES T-table entry accesses[3][4][5] or modular exponentiation or multiplication or memory accesses.[6] The attacker is then able to recover the secret key depending on the accesses made (or not made) by the victim, deducing the encryption key. Also, unlike some of the other side-channel attacks, this method does not create a fault in the ongoing cryptographic operation and is invisible to the victim.

In 2017, two CPU vulnerabilities (dubbed Meltdown and Spectre) were discovered, which can use a cache-based side channel to allow an attacker to leak memory contents of other processes and the operating system itself.

A timing attack watches data movement into and out of the CPU or memory on the hardware running the cryptosystem or algorithm. Simply by observing variations in how long it takes to perform cryptographic operations, it might be possible to determine the entire secret key. Such attacks involve statistical analysis of timing measurements and have been demonstrated across networks.[7]

A power-analysis attack can provide even more detailed information by observing the power consumption of a hardware device such as a CPU or cryptographic circuit. These attacks are roughly categorized into simple power analysis (SPA) and differential power analysis (DPA). Examples of machine-learning approaches are given in [8].

Fluctuations in current also generate radio waves, enabling attacks that analyze measurements of electromagnetic (EM) emanations. These attacks typically involve similar statistical techniques as power-analysis attacks.

A deep-learning-based side-channel attack,[9][10][11] using the power and EM information across multiple devices, has been demonstrated with the potential to break the secret key of a different but identical device in as few as a single trace.

Historical analogues to modern side-channel attacks are known. A recently declassified NSA document reveals that as far back as 1943, an engineer with Bell Telephone observed decipherable spikes on an oscilloscope associated with the decrypted output of a certain encrypting teletype.[12] According to former MI5 officer Peter Wright, the British Security Service analyzed emissions from French cipher equipment in the 1960s.[13] In the 1980s, Soviet eavesdroppers were suspected of having planted bugs inside IBM Selectric typewriters to monitor the electrical noise generated as the type ball rotated and pitched to strike the paper; the characteristics of those signals could determine which key was pressed.[14]

Power consumption of devices causes heating, which is offset by cooling effects. Temperature changes create thermally induced mechanical stress. This stress can create low-level acoustic emissions from operating CPUs (about 10 kHz in some cases). Recent research by Shamir et al. has suggested that information about the operation of cryptosystems and algorithms can be obtained in this way as well. This is an acoustic cryptanalysis attack.

If the surface of the CPU chip, or in some cases the CPU package, can be observed, infrared images can also provide information about the code being executed on the CPU; this is known as a thermal-imaging attack.

Examples of optical side-channel attacks range from gleaning information from the hard disk activity indicator[15] to reading a small number of photons emitted by transistors as they change state.[16]

Allocation-based side channels also exist and refer to the information that leaks from the allocation (as opposed to the use) of a resource such as network bandwidth to clients that are concurrently requesting the contended resource.[17]

Countermeasures

Because side-channel attacks rely on the relationship between information emitted (leaked) through a side channel and the secret data, countermeasures fall into two main categories: (1) eliminate or reduce the release of such information and (2) eliminate the relationship between the leaked information and the secret data, that is, make the leaked information unrelated, or rather uncorrelated, to the secret data, typically through some form of randomization of the ciphertext that transforms the data in a way that can be undone after the cryptographic operation (e.g., decryption) is completed.

Under the first category, displays with special shielding to lessen electromagnetic emissions, reducing susceptibility to TEMPEST attacks, are now commercially available. Power line conditioning and filtering can help deter power-monitoring attacks, although such measures must be used cautiously, since even very small correlations can remain and compromise security. Physical enclosures can reduce the risk of surreptitious installation of microphones (to counter acoustic attacks) and other micro-monitoring devices (against CPU power-draw or thermal-imaging attacks).

Another countermeasure (still in the first category) is to jam the emitted channel with noise. For instance, a random delay can be added to deter timing attacks, although adversaries can compensate for these delays by averaging multiple measurements (or, more generally, using more measurements in the analysis). As the amount of noise in the side channel increases, the adversary needs to collect more measurements.

Another countermeasure under the first category is to use security analysis software to identify certain classes of side-channel attacks that can be found during the design stages of the underlying hardware itself. Timing attacks and cache attacks are both identifiable through certain commercially available security analysis software platforms, which allow for testing to identify the vulnerability itself, as well as the effectiveness of the architectural change to circumvent the vulnerability. The most comprehensive method to employ this countermeasure is to create a Secure Development Lifecycle for hardware, which includes utilizing all available security analysis platforms at their respective stages of the hardware development lifecycle.[18]

In the case of timing attacks against targets whose computation times are quantized into discrete clock cycle counts, an effective countermeasure is to design the software to be isochronous, that is, to run in an exactly constant amount of time, independently of secret values. This makes timing attacks impossible.[19] Such countermeasures can be difficult to implement in practice, since even individual instructions can have variable timing on some CPUs.

One partial countermeasure against simple power attacks, but not differential power-analysis attacks, is to design the software so that it is “PC-secure” in the “program counter security model”. In a PC-secure program, the execution path does not depend on secret values. In other words, all conditional branches depend only on public information. (This is a more restrictive condition than isochronous code, but a less restrictive condition than branch-free code.) Even though multiply operations draw more power than NOP on practically all CPUs, using a constant execution path prevents such operation-dependent power differences (differences in power from choosing one branch over another) from leaking any secret information.[19] On architectures where the instruction execution time is not data-dependent, a PC-secure program is also immune to timing attacks.[20][21]

Another way in which code can be non-isochronous is that modern CPUs have a memory cache: accessing infrequently used information incurs a large timing penalty, revealing some information about the frequency of use of memory blocks. Cryptographic code designed to resist cache attacks attempts to use memory in only a predictable fashion (such as accessing only the inputs, outputs and program data, and doing so according to a fixed pattern). For example, data-dependent table lookups must be avoided because the cache could reveal which part of the lookup table was accessed.
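As an added example (not part of the original article), the following Python models the isochronous and PC-secure properties described above together with the fixed-access-pattern lookup: an early-exit comparison whose step count depends on the length of the matching secret prefix beside a constant-time one, and a data-dependent table lookup beside a scan-and-select lookup that touches every entry. Step counts stand in for measured time; the function names and the table are constructed.

```python
# Added example (not from the original article). Python itself gives no
# constant-time guarantees; the point is the code pattern, which is what
# production constant-time C or assembly follows.

def early_exit_compare(secret, guess):
    """Returns (equal, steps). Stops at the first mismatch, so the step count
    (and hence the running time) reveals how long the matching prefix is."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:              # secret-dependent branch: leaks via timing
            return False, steps
    return True, steps

def constant_time_compare(secret, guess):
    """Returns (equal, steps). Touches every byte and branches only on the
    public lengths; mismatches are accumulated and checked once at the end."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    steps = 0
    for a, b in zip(secret, guess):
        diff |= a ^ b           # no early exit, no secret-dependent branch
        steps += 1
    return diff == 0, steps

def lookup_leaky(table, idx):
    """Data-dependent lookup: the address touched depends on the secret index,
    so the cache line brought in reveals which part of the table was used."""
    return table[idx]

def lookup_constant_time(table, idx):
    """Reads every entry in a fixed order and selects the wanted one with an
    arithmetic mask, so the access pattern is independent of idx (8-bit entries)."""
    result = 0
    for i, entry in enumerate(table):
        mask = -(i == idx) & 0xFF   # 0xFF when i == idx, else 0x00
        result |= entry & mask
    return result
```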

Other partial countermeasures attempt to reduce the amount of information leaked from data-dependent power differences. Some operations use power that is correlated to the number of 1 bits in a secret value. Using a constant-weight code (such as using Fredkin gates or dual-rail encoding) can reduce the leakage of information about the Hamming weight of the secret value, although exploitable correlations are likely to remain unless the balancing is perfect. This “balanced design” can be approximated in software by manipulating both the data and its complement together.[19]

Several “secure CPUs” have been built as asynchronous CPUs; they have no global timing reference. While these CPUs were intended to make timing and power attacks more difficult,[19] subsequent research found that timing variations in asynchronous circuits are harder to remove.[22]

A typical example of the second category (decorrelation) is a technique known as blinding. In the case of RSA decryption with secret exponent $d$ and corresponding encryption exponent $e$ and modulus $m$, the technique applies as follows (for simplicity, the modular reduction by $m$ is omitted in the formulas): before decrypting, that is, before computing the result of $y^d$ for a given ciphertext $y$, the system picks a random number $r$ and encrypts it with public exponent $e$ to obtain $r^e$. Then, the decryption is done on $y \cdot r^e$ to obtain $(y \cdot r^e)^d = y^d \cdot r^{e \cdot d} = y^d \cdot r$. Since the decrypting system chose $r$, it can compute its inverse modulo $m$ to cancel out the factor $r$ in the result and obtain $y^d$, the actual result of the decryption. For attacks that require collecting side-channel information from operations with data controlled by the attacker, blinding is an effective countermeasure, since the actual operation is executed on a randomized version of the data, over which the attacker has no control or even knowledge.
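The blinding steps above carried through in code, as an added example that is not from the original article: it uses a constructed toy key (p = 61, q = 53, e = 17), names the modulus N rather than m, and writes out the modular reductions the text omits. Needs Python 3.8+ for the modular inverse via pow(x, -1, N).

```python
# Added example (not from the original article). Toy RSA key, constructed
# for illustration only; real keys are thousands of bits.
import secrets
from math import gcd

P, Q = 61, 53
N = P * Q                            # 3233: the modulus m in the text
E = 17                               # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))    # 2753: private exponent d

def decrypt_unblinded(y):
    """Plain decryption: the secret exponentiation runs directly on the
    attacker-chosen ciphertext y, so its side channel is correlated with y."""
    return pow(y, D, N)

def random_blinding_factor():
    """Fresh r in [2, N-1] with gcd(r, N) = 1 so that r is invertible mod N."""
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return r

def blinded_input(y, r):
    """y * r^e mod N: the value the secret exponentiation actually sees."""
    return (y * pow(r, E, N)) % N

def decrypt_blinded(y, r=None):
    """Blinded decryption: exponentiate y * r^e, then strip the factor r."""
    if r is None:
        r = random_blinding_factor()
    blinded_out = pow(blinded_input(y, r), D, N)   # (y * r^e)^d = y^d * r
    r_inv = pow(r, -1, N)                          # r^{-1} mod N
    return (blinded_out * r_inv) % N               # y^d mod N
```

The side channel observes blinded_input(y, r), which differs for every r, while the caller still receives pow(y, D, N).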

A more general countermeasure (in that it is effective against all side-channel attacks) is the masking countermeasure. The principle of masking is to avoid manipulating any sensitive value $y$ directly, but rather manipulate a sharing of it: a set of variables (called “shares”) $y_1, \ldots, y_d$ such that $y = y_1 \oplus \ldots \oplus y_d$ (where $\oplus$ is the XOR operation). An attacker must recover all the values of the shares to get any meaningful information.[23]
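An added example of masking (not from the original article): an 8-bit secret split into d XOR shares, two linear operations carried out share by share so the secret is never reassembled, and an exhaustive check that the shares an attacker sees when one share is missing are uniformly distributed whatever the secret. The byte values, share count and function names are constructed.

```python
# Added example (not from the original article). Boolean masking of a byte.
import secrets
from itertools import product
from collections import Counter

def recombine(shares):
    """y = y_1 ^ ... ^ y_d. Only ever called where the plain value is needed."""
    y = 0
    for s in shares:
        y ^= s
    return y

def split(y, d, masks=None):
    """Shares y_1..y_d of y. The first d-1 shares are random masks (fresh from
    secrets unless supplied); the last share absorbs y so the XOR is y."""
    if masks is None:
        masks = [secrets.randbelow(256) for _ in range(d - 1)]
    return list(masks) + [y ^ recombine(masks)]

def add_round_key_masked(shares, k):
    """XOR with a public key k is linear, so it is applied to one share only;
    the sensitive value y ^ k never exists in a single variable."""
    return [shares[0] ^ k] + shares[1:]

def rotl_masked(shares, n):
    """An 8-bit left rotation is a bit permutation, so it commutes with XOR and
    is applied to every share independently."""
    return [((s << n) | (s >> (8 - n))) & 0xFF for s in shares]

def visible_share_histogram(y, d):
    """Over every choice of the d-1 masks, count each tuple of shares seen by
    an attacker who recovers all shares except y_1. A flat histogram that does
    not depend on y means those d-1 shares carry no information about y."""
    hist = Counter()
    for masks in product(range(256), repeat=d - 1):
        hist[tuple(split(y, d, masks)[1:])] += 1
    return hist
```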

Recently, white-box modeling was utilized to develop a low-overhead generic circuit-level countermeasure[24] against both EM and power side-channel attacks. To minimize the effects of the higher-level metal layers in an IC acting as more efficient antennas,[25] the idea is to embed the crypto core with a signature suppression circuit,[26][27] routed locally within the lower-level metal layers, leading towards both power and EM side-channel attack immunity.
