Skip to main content
SpringerLink
Log in

Predicting Secret Keys Via Branch Prediction

  • Conference paper
Book cover Topics in Cryptology – CT-RSA 2007 (CT-RSA 2007)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4377))

Included in the following conference series:

Abstract

This paper announces a new software side-channel attack — enabled by the branch prediction capability common to all modern high-performance CPUs. The penalty paid (extra clock cycles) for a mispredicted branch can be used for cryptanalysis of cryptographic primitives that employ a data-dependent program flow. Analogous to the recently described cache-based side-channel attacks our attacks also allow an unprivileged process to attack other processes running in parallel on the same processor, despite sophisticated partitioning methods such as memory protection, sandboxing or even virtualization. In this paper, we will discuss several such attacks for the example of RSA, and experimentally show their applicability to real systems, such as OpenSSL and Linux. Moreover, we will also demonstrate the strength of the branch prediction side-channel attack by rendering the obvious countermeasure in this context (Montgomery Multiplication with dummy-reduction) as useless. Although the deeper consequences of the latter result make the task of writing an efficient and secure modular exponentiation (or scalar multiplication on an elliptic curve) a challenging task, we will eventually suggest some countermeasures to mitigate branch prediction side-channel attacks.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Acıiçmez, O., Schindler, W., Koç, Ç.K.: Cache Based Remote Timing Attack on the AES. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377. Springer, Heidelberg (2006)

    Google Scholar 

  2. Bernstein, D.J.: Cache-timing attacks on AES. Technical Report, 37 pages (April 2005), Available at: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

  3. Brumley, D., Boneh, D.: Remote Timing Attacks are Practical. In: Proceedings of the 12th Usenix Security Symposium, pp. 1–14 (2003)

    Google Scholar 

  4. Chen, Y., England, P., Peinado, M., Willman, B.: High Assurance Computing on Open Hardware Architectures. Technical Report, MSR-TR-2003-20, 17 pages, Microsoft Corporation (March 2003), Available at: ftp://ftp.research.microsoft.com/pub/tr/tr-2003-20.ps

  5. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Transactions on Computers 53(6), 760–768 (2004)

    Article  Google Scholar 

  6. Coron, J.-S., Naccache, D., Kocher, P.: Statistics and Secret Leakage. ACM Transactions on Embedded Computing Systems 3(3), 492–508 (2004)

    Article  Google Scholar 

  7. Dhem, J.F., Koeune, F., Leroux, P.A., Mestre, P., Quisquater, J.-J., Willems, J.L.: A Practical Implementation of the Timing Attack. In: Schneier, B., Quisquater, J.-J. (eds.) CARDIS 1998. LNCS, vol. 1820. Springer, Heidelberg (2000)

    Google Scholar 

  8. England, P., Lampson, B., Manferdelli, J., Peinado, M., Willman, B.: A Trusted Open Platform. IEEE Computer 36(7), 55–62 (2003)

    Google Scholar 

  9. Gochman, S., Ronen, R., Anati, I., Berkovits, A., Kurts, T., Naveh, A., Saeed, A., Sperber, Z., Valentine, R.: The Intel Pentium M Processor: Microarchitecture and performance. Intel Technology Journal 7(2) (May 2003)

    Google Scholar 

  10. Grawrock, D.: The Intel Safer Computing Initiative: Building Blocks for Trusted Computing. Intel Press, Hillsboro (2006)

    Google Scholar 

  11. Hevia, A., Kiwi, M.: Strength of Two Data Encryption Standard Implementations under Timing Attacks. ACM Transactions on Information and System Security 2(4), 416–437 (1999)

    Article  Google Scholar 

  12. Hu, W.M.: Lattice scheduling and covert channels. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 52–61. IEEE Press, Los Alamitos (1992)

    Chapter  Google Scholar 

  13. Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  14. Kocher, P.C.: Timing Attacks on Implementations of Diffie–Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)

    Google Scholar 

  15. Menezes, A.J., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, New York (1997)

    MATH  Google Scholar 

  16. Milenkovic, M., Milenkovic, A., Kulick, J.: Microbenchmarks for Determining Branch Predictor Organization. Software Practice & Experience 34(5), 465–487 (2004)

    Article  Google Scholar 

  17. Openssl: the open-source toolkit for ssl/tls, Available online at: http://www.openssl.org/

  18. Neve, M., Seifert, J.-P.: Advances on Access-driven Cache Attacks on AES. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  19. Osvik, D.A., Shamir, A., Tromer, E.: Other People’s Cache: Hyper Attacks on HyperThreaded Processors, Presentation available at: http://www.wisdom.weizmann.ac.il/~tromer/

  20. Osvik, D.A., Shamir, A., Tromer, E.: Cache Attacks and Countermeasures: The Case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  21. Patterson, D., Hennessy, J.: Computer Architecture: A Quantitative Approach, 3rd edn. Morgan Kaufmann, San Francisco (2005)

    Google Scholar 

  22. Pearson, S.: Trusted Computing Platforms: TCPA Technology in Context. Prentice Hall PTR, Englewood Cliffs (2002)

    Google Scholar 

  23. Percival, C.: Cache missing for fun and profit. In: BSDCan 2005, Ottawa (2005), Available at: http://www.daemonology.net/hyperthreading-considered-harmful/

  24. Pfleeger, C.P., Pfleeger, S.L.: Security in Computing, 3rd edn. Prentice Hall PTR, Englewood Cliffs (2002)

    Google Scholar 

  25. Schindler, W.: A Timing Attack against RSA with the Chinese Remainder Theorem. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 109–124. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  26. Shanley, T.: The Unabridged Pentium 4: IA32 Processor Genealogy. Addison-Wesley Professional, Reading (2004)

    Google Scholar 

  27. Shen, J., Lipasti, M.: Modern Processor Design: Fundamentals of Superscalar Processors. McGraw-Hill, New York (2005)

    Google Scholar 

  28. Sibert, O., Porras, P.A., Lindell, R.: The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems. In: IEEE Symposium on Security and Privacy, pp. 211–223 (1995)

    Google Scholar 

  29. Smith, S.W.: Trusted Computing Platforms: Design and Applications. Springer, Heidelberg (2004)

    Google Scholar 

  30. Trusted Computing Group, http://www.trustedcomputinggroup.org

  31. Uhlig, R., Neiger, G., Rodgers, D., Santoni, A.L., Martins, F.C.M., Anderson, A.V., Bennett, S.M., Kagi, A., Leung, F.H., Smith, L.: Intel Virtualization Technology. IEEE Computer 38(5), 48–56 (2005)

    Google Scholar 

  32. Walter, C.D.: Montgomery Exponentiation Needs No Final Subtractions. IEE Electronics Letters 35(21), 1831–1832 (1999)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Electrical Engineering and Computer Science, Oregon State University, Corvallis, OR, 97331, USA

    Onur Acıiçmez & Çetin Kaya Koç

  2. Information Security Research Center, Istanbul Commerce University, Eminönü, Istanbul, 34112, Turkey

    Çetin Kaya Koç

  3. Applied Security Research Group, The Center for Computational Mathematics and Scientific Computation Faculty of Science and Science Education University of Haifa, Haifa, 31905, Israel

    Jean-Pierre Seifert

  4. Institute for Computer Science University of Innsbruck, 6020, Innsbruck, Austria

    Jean-Pierre Seifert

Authors
  1. Onur Acıiçmez
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Çetin Kaya Koç
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jean-Pierre Seifert
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Information Sharing Platform Laboratories, NTT Corporation, Japan

    Masayuki Abe

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Acıiçmez, O., Koç, Ç.K., Seifert, JP. (2006). Predicting Secret Keys Via Branch Prediction. In: Abe, M. (eds) Topics in Cryptology – CT-RSA 2007. CT-RSA 2007. Lecture Notes in Computer Science, vol 4377. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11967668_15

Download citation

  • DOI: https://doi.org/10.1007/11967668_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-69327-7

  • Online ISBN: 978-3-540-69328-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation