Cryptology ePrint Archive: Report 2017/968

Template Attack on Blinded Scalar Multiplication with Asynchronous perf-ioctl Calls

Sarani Bhattacharya and Clementine Maurice and Shivam Bhasin and Debdeep Mukhopadhyay

Abstract: In recent years, performance counters have been used as a side channel source for the branch mispredictions which has been used to attack ciphers with user privileges. However, existing research considers blinding techniques, like scalar blinding, scalar splitting as a mechanism of thwarting such attacks. In this endeavour, we reverse engineer the undisclosed model of Intelís Broadwell and Sandybridge branch predictor and further utilize the largely unexplored perf ioctl calls in sampling mode to granularly monitor the branch prediction events asynchronously when a victim cipher is executing. With these artifacts in place, we target scalar blinding and splitting countermeasures to develop a key retrieval process using what is called as Deduce & Remove. The Deduce step uses template based on the number of branch misses as expected from the 3-bit model of the BPU to infer the matched candidate values. In the Remove step, we correct any erroneous conclusions that are made, by using the properties of the blinding technique under attack. It may be emphasized that as in iterated attacks the cost of a mistaken deduction could be significant, the blinding techniques actually aids in removing wrong guesses and in a way auto-corrects the key retrieval process. Finally, detailed experimental results have been provided to illustrate all the above steps for point blinding, scalar blinding, and scalar splitting to show that the secret scalar can be correctly recovered with high confidence. The paper concludes with recommendation on some suitable countermeasure at the algorithm level to thwart such attacks.

Category / Keywords: Scalar Multiplication, Scalar Splitting, Scalar Blinding, 3-bit predictor

Date: received 18 Sep 2017, last revised 1 Oct 2017

Contact author: tinni1989 at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20171003:172406 (All versions of this report)

Short URL: ia.cr/2017/968

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]