Welcome back to our monthly review of some of the most interesting security research publications. This month, let's do a bit of crypto...
Rowhammer is an attack on DRAM, which consists in repeatedly accessing given rows of the DRAM to cause random bit flips in adjacent rows.
Until now, the attack hadn't been demonstrated on ARM's TrustZone: but that's what the author implemented. He demonstrated that, using Rowhammer, it is possible to leak a private RSA key stored in TrustZone's secure side.
His attack is implemented as follows:
This illustration is taken from P. Carru's presentation.
The slides show an interesting implementation of Rowhammer over TrustZone, and demonstrate that it can break an RSA key in practice. There are, however, conditions to this, which need to be highlighted: (a) the attack will only work over RSA implementations that are based on CRT (true, those are frequent, but nevertheless, not in every case), and (b) the attack only works correctly if the fault occurs on one of the pre-computed integers. If the attack occurs on two of the pre-computed integers, or elsewhere (e.g. modulus), it won't work.
This paper proposes RSA parameters and a prime generation algorithm so that an attack, even if implemented on a theoretical quantum computer, would be of .
The settings consist in a 1-terabyte key, which is huge. However, the authors managed to demonstrate that generating such a key was feasible: they generated one on a (big) computer with terabytes of RAM and swap. They also managed to compute RSA encryption / decryption; however, with slightly smaller keys (256GB instead of 1T).
So what? This paper looks far ahead of our time. It does not focus on whether quantum computers are feasible or not, but simply assumes they will be. What’s interesting is that the authors debunk the claims which say quantum computers would kill RSA. And this is interesting.
There’s been a lot of speculation about quantum crypto (personally, I doubt it will ever work out - or not exactly the way we initially thought). The hype that quantum crypto will be capable of anything is, I believe, a misunderstanding of cryptography. Of course, it is true that the implementation described by the authors has a high cost (they do mention it themselves: $1 per encryption / decryption), but we're defending against something that does not even exist yet...
-- the Crypto Girl
"If you think research is expensive, try disease!" - Mary Lasker (1900-1994)