We systematically characterize side-channel vulnerabilities from past works based on different operations in different cryptographic algorithms and protocols. Table 2 summarizes the vulnerabilities covered in this article. For each vulnerability, we present the vulnerable operations, causes, and the corresponding attack techniques.
Modular multiplication. Given three integers x, y, and m, this operation calculates x ∗ y mod m. Both OpenSSL and GnuPG implement two multiplication routines: naive multiplication and Karatsuba multiplication [110]. The routine is selected based on the operand size: the naive routine is taken for small multiplicands, while the Karatsuba routine is adopted for large ones. Such an implementation introduces a control-flow side channel that leaks information about the operands: the Karatsuba routine is typically faster than the naive routine. An adversary can measure the execution time to infer the sizes of the operands and then recover the secret key [38].
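The size-based routine selection described above, as a Python model added here (not code from OpenSSL, GnuPG, or the article). The threshold, limb width and operands are constructed, and limb products are counted in place of wall-clock time so the operand-size dependence is deterministic.

```python
LIMB_BITS = 32
MASK = (1 << LIMB_BITS) - 1
KARATSUBA_THRESHOLD = 8  # in limbs; constructed value, not OpenSSL's or GnuPG's


def n_limbs(v):
    """Number of LIMB_BITS-wide limbs needed to hold v (at least one)."""
    return max(1, (v.bit_length() + LIMB_BITS - 1) // LIMB_BITS)


def mul_naive(x, y, stats):
    """Schoolbook multiplication: one limb product per pair of limbs."""
    result = 0
    for i in range(n_limbs(x)):
        xi = (x >> (i * LIMB_BITS)) & MASK
        for j in range(n_limbs(y)):
            yj = (y >> (j * LIMB_BITS)) & MASK
            result += (xi * yj) << ((i + j) * LIMB_BITS)
            stats["limb_mults"] += 1
    return result


def mul_dispatch(x, y, stats):
    """Pick the routine from the operand size: this branch is the leak."""
    if min(n_limbs(x), n_limbs(y)) < KARATSUBA_THRESHOLD:
        return mul_naive(x, y, stats)
    # Karatsuba step: three half-size products instead of four.
    half = max(n_limbs(x), n_limbs(y)) // 2 * LIMB_BITS
    x1, x0 = x >> half, x & ((1 << half) - 1)
    y1, y0 = y >> half, y & ((1 << half) - 1)
    z0 = mul_dispatch(x0, y0, stats)
    z2 = mul_dispatch(x1, y1, stats)
    z1 = mul_dispatch(x0 + x1, y0 + y1, stats) - z0 - z2
    return (z2 << (2 * half)) + (z1 << half) + z0


def modmul(x, y, m):
    """Return (x * y mod m, routine taken, limb products performed)."""
    stats = {"limb_mults": 0}
    small = min(n_limbs(x), n_limbs(y)) < KARATSUBA_THRESHOLD
    product = mul_dispatch(x, y, stats)
    return product % m, "naive" if small else "karatsuba", stats["limb_mults"]


# Constructed operands: same x and m, y differs only in size.
M = (1 << 521) - 1
X = int("9f" * 64, 16)        # 16 limbs
Y_SMALL = int("c3" * 8, 16)   # 2 limbs
Y_LARGE = int("c3" * 64, 16)  # 16 limbs
```

Calling `modmul(X, Y_SMALL, M)` and `modmul(X, Y_LARGE, M)` returns a different routine and a different amount of work for the same x and m, which is the operand-size signal that a timing measurement observes.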