Cryptographers’ Track at the RSA Conference

CT-RSA 2007: Topics in Cryptology – CT-RSA 2007 pp 225-242

Predicting Secret Keys Via Branch Prediction

  • Onur Acıiçmez
  • Çetin Kaya Koç
  • Jean-Pierre Seifert
Conference paper

DOI: 10.1007/11967668_15

Volume 4377 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Acıiçmez O., Koç Ç.K., Seifert JP. (2006) Predicting Secret Keys Via Branch Prediction. In: Abe M. (eds) Topics in Cryptology – CT-RSA 2007. CT-RSA 2007. Lecture Notes in Computer Science, vol 4377. Springer, Berlin, Heidelberg

Abstract

This paper announces a new software side-channel attack — enabled by the branch prediction capability common to all modern high-performance CPUs. The penalty paid (extra clock cycles) for a mispredicted branch can be used for cryptanalysis of cryptographic primitives that employ a data-dependent program flow. Analogous to the recently described cache-based side-channel attacks, our attacks also allow an unprivileged process to attack other processes running in parallel on the same processor, despite sophisticated partitioning methods such as memory protection, sandboxing or even virtualization. In this paper, we will discuss several such attacks for the example of RSA, and experimentally show their applicability to real systems, such as OpenSSL and Linux. Moreover, we will also demonstrate the strength of the branch prediction side-channel attack by rendering the obvious countermeasure in this context (Montgomery Multiplication with dummy-reduction) useless. Although the deeper consequences of the latter result make writing an efficient and secure modular exponentiation (or scalar multiplication on an elliptic curve) a challenging task, we will eventually suggest some countermeasures to mitigate branch prediction side-channel attacks.
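To make concrete what "data-dependent program flow" means for RSA, here is an added illustration (not code from the paper or from OpenSSL) of the exponent-dependent branch in textbook square-and-multiply, placed beside a Montgomery-ladder variant that performs the same instruction sequence for every exponent bit and selects results with a mask instead of a branch. The modulus, base and exponent are constructed toy values; a real implementation would also have to make the multiplication itself free of secret-dependent branches, which is exactly the point the abstract makes about dummy-reduction Montgomery multiplication.

```c
#include <stdint.h>
#include <stdio.h>

/* Modular product for 32-bit operands; the 64-bit product cannot overflow. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m)
{
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Textbook left-to-right square-and-multiply. The "if (bit)" is the
 * key-dependent branch: whether the multiply executes depends on an
 * exponent bit, so the branch predictor's hit/miss pattern, and the
 * resulting timing, follow the private exponent. */
uint32_t modexp_branchy(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint32_t r = 1 % mod;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, mod);
        if ((exp >> i) & 1u)
            r = mulmod(r, base, mod);
    }
    return r;
}

/* Branch-free conditional swap: exchanges *a and *b iff bit == 1.
 * The mask is all-ones or all-zeros, so the same instructions run
 * for both values of the bit. */
static void ct_swap(uint32_t *a, uint32_t *b, uint32_t bit)
{
    uint32_t mask = 0u - (bit & 1u);
    uint32_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder: every iteration does exactly one squaring and one
 * multiplication regardless of the exponent bit; the bit only decides
 * which register receives which result, via ct_swap. Invariant kept
 * between iterations: r1 == r0 * base (mod mod). */
uint32_t modexp_ladder(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint32_t r0 = 1 % mod;
    uint32_t r1 = base % mod;
    for (int i = 31; i >= 0; i--) {
        uint32_t bit = (exp >> i) & 1u;
        ct_swap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, mod);
        r0 = mulmod(r0, r0, mod);
        ct_swap(&r0, &r1, bit);
    }
    return r0;
}

int main(void)
{
    /* Constructed toy parameters, not real RSA values. */
    uint32_t base = 4, exp = 13, mod = 497;
    printf("branchy: %u\n", modexp_branchy(base, exp, mod));
    printf("ladder:  %u\n", modexp_ladder(base, exp, mod));
    return 0;
}
```

Both functions return the same value; the difference is only in which instructions execute per bit. Removing the exponent-dependent branch is necessary but, as the abstract notes, not sufficient: the multiplication routine underneath must also avoid conditional reductions keyed on the operands.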

Keywords

Branch Prediction, Modular Exponentiation, Montgomery Multiplication, RSA, Side Channel Analysis, Simultaneous Multi-threading

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Onur Acıiçmez (1)
  • Çetin Kaya Koç (1, 2)
  • Jean-Pierre Seifert (3, 4)
  1. School of Electrical Engineering and Computer Science, Oregon State University, Corvallis, USA
  2. Information Security Research Center, Istanbul Commerce University, Istanbul, Turkey
  3. Applied Security Research Group, The Center for Computational Mathematics and Scientific Computation, Faculty of Science and Science Education, University of Haifa, Haifa, Israel
  4. Institute for Computer Science, University of Innsbruck, Innsbruck, Austria