Timing attack definition
A timing attack is an attack in cryptography when an attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time, so computation time often varies depending on the input.
An attacker can try out different keys and measure the time it takes for a cryptographic operation to complete. If the system takes notably less time to respond, it might indicate that the guessed part of the key was correct. By repeating this process, the attacker can uncover the entire key.
To mitigate these attacks, developers design systems that take a consistent amount of time to process data, regardless of inputs.
History of timing attacks
The concept of timing attacks has been around for several decades and has gained even more relevance with the rise of digital cryptography.
One of the earliest and most notable references to timing attacks was in a 1996 paper titled “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems” by Paul C. Kocher. In this paper, Kocher detailed how variances in the time taken to perform private key operations could leak information about the key, thereby posing a potential security vulnerability.
Kocher’s work was a major contribution to cryptography, highlighting a new attack vector that hadn’t been thoroughly considered before: the side channel. Prior to this, much of the focus had been on protecting against direct attacks on the algorithm or system rather than considering these more subtle channels of potential information leakage.
Since then, many other timing attacks have been discovered and published. They have been applied not just to cryptographic systems, but also to other types of software and systems that handle sensitive data. Examples include timing attacks on web browsers (like the “Pixel Perfect” attack) and other software vulnerabilities.