Cryptology ePrint Archive: Report 2015/621

Who watches the watchmen? : Utilizing Performance Monitors for Compromising keys of RSA on Intel Platforms

Sarani Bhattacharya, Debdeep Mukhopadhyay

Abstract: Asymmetric-key cryptographic algorithms, when implemented on systems with branch predictors, are subject to side-channel attacks that exploit the deterministic behaviour of the branch predictor on their key-dependent input sequences. We show that branch predictors can also leak information through the hardware performance monitors, which are accessible to an adversary at user privilege level. This paper presents an iterative attack that targets the key bits of 1024-bit RSA. In the offline phase, the system's underlying branch predictor is approximated by a theoretical predictor from the literature, and simulations classify the message space into distinct partitions according to the branch-misprediction event and the target key-bit value. In the online phase, we ascertain the secret key bit from the branch mispredictions obtained from the hardware performance monitors, which reflect the branch misses caused by the underlying predictor hardware. We theoretically prove that the probability of success of the attack is equivalent to how accurately the theoretical predictor models the underlying system predictor. Experiments reveal that the success rate increases with the message count and reaches a level significant enough that side channels from the performance counters must be considered a real threat to RSA-like ciphers on hardware with branch predictors, and must be taken into account when developing secure systems.
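As an added illustration (not code from the paper) of why the key-dependent branch in square-and-multiply is what a branch-misprediction counter can observe, here is a toy exponentiation whose branch trace reproduces the exponent bits, beside a Montgomery-ladder form whose operation sequence is identical for every key bit; the modulus, base and exponent are constructed values.

```python
# Added example, not from the paper: key-dependent branching in
# square-and-multiply versus a branch-free Montgomery ladder.
# Toy parameters are constructed; "trace" records the control-flow pattern.

def square_and_multiply(base, exp, mod, trace):
    """Left-to-right binary exponentiation with a key-dependent branch.
    Appends 1 to trace when the multiply branch is taken, else 0."""
    result = 1
    for bit in bin(exp)[2:]:            # MSB first
        result = (result * result) % mod
        if bit == '1':                  # branch depends on the secret bit
            result = (result * base) % mod
            trace.append(1)
        else:
            trace.append(0)
    return result


def exponent_from_trace(trace):
    """Reconstruct the exponent from the recorded branch pattern: for
    square-and-multiply the taken/not-taken sequence *is* the key."""
    return int(''.join(str(t) for t in trace), 2)


def montgomery_ladder(base, exp, mod, trace):
    """Every iteration performs one multiply and one square; the result
    kept is chosen arithmetically (mask 0/1), not by a branch on the bit.
    Python big-int arithmetic is not itself constant-time; the point here
    is the key-independent control flow."""
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        b = int(bit)
        prod = (r0 * r1) % mod
        sq0 = (r0 * r0) % mod
        sq1 = (r1 * r1) % mod
        # bit 0: r0 <- r0^2, r1 <- r0*r1 ; bit 1: r0 <- r0*r1, r1 <- r1^2
        r0 = (1 - b) * sq0 + b * prod
        r1 = (1 - b) * prod + b * sq1
        trace.append("mul+sq")          # same pattern regardless of b
    return r0
```

The ladder removes the secret-dependent control flow that the performance-counter channel exploits; it does not by itself address other channels such as data-dependent memory access patterns.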

Category / Keywords: public-key cryptography / Branch misprediction, HPC, public-key cipher, side-channel.

Original Publication (with minor differences): IACR-CHES-2015

Date: received 23 Jun 2015

Contact author: tinni1989 at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20150630:183311
