Utilizing Performance Monitors for Compromising Keys of RSA on Intel Platforms
Sarani Bhattacharya and Debdeep Mukhopadhyay
Dept. of Computer Science and Engineering
Indian Institute of Technology, Kharagpur, India
10 March 2015
Public-Key Cryptography
RSA Encryption & Decryption
Plaintext: M
Encryption: C = M^e mod n, where n = pq
Ciphertext: C
Decryption: M = C^d mod n
From n, it is difficult to figure out p and q. From (n, e), it is difficult to figure out d. From (n, e) and C, it is difficult to figure out M such that C = M^e.
Popular variants of Modular Exponentiation Algorithm
SPA and Timing Side Channel Resistant Algorithm for Modular Exponentiation
Primitive Algorithm for Performing Multiplication and Squaring
Modelling Branch Miss as Side-Channel from HPC
Profiling of HPCs is done using performance monitoring tools, and the resulting counts are treated as a side-channel.
These tools provide a simple user interface to the different hardware event counts.
Branch misses depend on the ability of the branch predictor to correctly predict whether future branches will be taken.
Strong Correlation between two-bit predictor and system predictor
• $ perf stat -e branch-misses executable-name
A direct correlation is observed between the branch misses reported by the HPCs and those of a simulated 2-bit dynamic predictor over a sample exponent bitstream.
This confirms the assumption that a 2-bit dynamic predictor is an approximation of the underlying system branch predictor.
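As an added illustration, not code from the slides: the key-dependent branch in square-and-multiply, the 2-bit saturating predictor the slides use as a model of the hardware predictor, and a Montgomery ladder in the SPA/timing-resistant style whose control flow does not depend on the exponent bits. The base, modulus and exponents are constructed values.

```python
# Added example, not code from the slides: square-and-multiply with its
# key-dependent branch, the 2-bit saturating predictor used as a model of the
# hardware predictor, and a branch-free Montgomery ladder. Values constructed.

def int_to_bits(d):
    """Most-significant-bit-first bit list of a positive integer."""
    return [int(c) for c in bin(d)[2:]]

def modexp_square_and_multiply(base, d_bits, n):
    """Left-to-right square-and-multiply. Also records, per bit, whether the
    'multiply' branch was taken; it is taken exactly for the 1-bits of d."""
    r, taken = 1, []
    for bit in d_bits:
        r = r * r % n
        if bit:
            r = r * base % n
        taken.append(bool(bit))
    return r, taken

def modexp_ladder(base, d_bits, n):
    """Montgomery ladder: one squaring and one multiply every iteration, the
    bit used only through a mask, so no branch depends on it. (Python big-int
    arithmetic is not itself constant time; this shows the control flow.)"""
    r0, r1 = 1, base % n
    for bit in d_bits:
        mask = -bit                   # 0 for bit 0, all-ones for bit 1
        t = (r0 ^ r1) & mask          # conditional swap without a branch
        r0, r1 = r0 ^ t, r1 ^ t
        r1 = r0 * r1 % n
        r0 = r0 * r0 % n
        t = (r0 ^ r1) & mask          # swap back
        r0, r1 = r0 ^ t, r1 ^ t
    return r0

def two_bit_predictor_misses(outcomes):
    """Mispredictions of a 2-bit saturating counter (states 0..3, predicts
    'taken' when the state is 2 or 3), starting from weakly taken."""
    state, misses = 2, 0
    for taken in outcomes:
        if (state >= 2) != taken:
            misses += 1
        state = min(state + 1, 3) if taken else max(state - 1, 0)
    return misses

def leaked_misses(d):
    """Branch misses the modelled predictor attributes to exponent d."""
    _, taken = modexp_square_and_multiply(2, int_to_bits(d), 1009)
    return two_bit_predictor_misses(taken)
```

An all-ones exponent yields zero modelled misses while alternating bits miss on every 0-bit, which is the key dependence the slides correlate against the `perf` branch-misses count; the ladder computes the same result with no such branch.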
Threat model of the Attack
The attacker knows the first i bits of the private key and wants to determine the next unknown bit of the key (, , · · · , , · · · , ).
Generate a trace of branches as (, , · · · , )
Under the assumption that the bit has value j, where j ∈ {0, 1}, the appropriate value of is simulated.
Offline Phase of Attack
Separation of Random Inputs
We ensure that there are no common ciphertexts in the sets (, ) and (, ); the sets are disjoint.
Online Phase
Branch misses from the HPCs are monitored during execution of the cipher over the entire secret key on each ciphertext, for 4 separate sets.
The probable next bit is decided as:
Experimental Validation
A large input set is separated by simulations over a bimodal and a two-level adaptive predictor.
Average branch misses are observed from the HPCs for each element in set and
Each set has L = 1000 elements. The experiment is repeated over I = 1000 iterations.
Comparison with Timing Side-channel
Variation in separation with increase of Ciphertexts
Variation in separation with increase in number of Iterations
RSA-OAEP Randomized Padding Scheme
Decryption in RSA-OAEP
Separation for RSA-OAEP scheme
Thank you.