Formal fault analysis of branch predictors: attacking countermeasures of asymmetric key ciphers

  • Special Section on Proofs 2016
  • Journal of Cryptographic Engineering

Abstract

Implementations of asymmetric key algorithms have been threatened via timing side channels that arise from the behavior of the underlying branch predictors. However, the effect of faults on such predictors, and the consequences for the security of cryptographic algorithms, have not been studied. Motivated by the fact that the unknown branch predictors of standard processors bear a strong correlation with 2-bit dynamic predictors, this paper develops a formal analysis of such a bimodal predictor under the effect of faults. Assuming a popular bit-flip fault model, the analysis shows that differences in branch misses under such faults can be exploited to attack implementations of RSA-like asymmetric key algorithms based on square and multiply operations. Furthermore, these attacks can also threaten the Montgomery ladder of CRT-RSA (RSA implemented using the Chinese Remainder Theorem), and even fault attack countermeasures that stop or randomize the output when a fault is detected. The theoretical claims have been substantiated by detailed fault simulations, where the difference in branch misses has been observed using the “perf” tool in Linux.
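The abstract's central mechanism, as an added illustration that is not code from the paper: a 2-bit saturating-counter (bimodal) predictor driven by the key-dependent "multiply" branch of left-to-right square-and-multiply, compared on a correct exponent and on the same exponent with one bit flipped. The exponent and the single-bit-flip fault model are constructed assumptions; the real predictor of a processor is only approximated by this 2-bit model, as the abstract itself notes.

```python
# Added example: model of why a bit-flip fault in the exponent changes the
# branch-miss count of a 2-bit bimodal predictor (hypothetical inputs).

# Constructed exponent bits, most significant first (assumption, not a real key).
EXPONENT_BITS = [1, 1, 1, 0, 1, 1, 0, 0, 1, 1]


def multiply_branch_trace(exponent_bits):
    """Left-to-right square-and-multiply: the conditional multiply is
    executed (branch taken) exactly when the current exponent bit is 1."""
    return [b == 1 for b in exponent_bits]


def bimodal_misses(outcomes, state=0):
    """Count mispredictions of one 2-bit saturating counter.

    States 0 and 1 predict 'not taken', states 2 and 3 predict 'taken'.
    The counter moves toward 3 on a taken branch and toward 0 otherwise."""
    misses = 0
    for taken in outcomes:
        predicted_taken = state >= 2
        if predicted_taken != taken:
            misses += 1
        state = min(state + 1, 3) if taken else max(state - 1, 0)
    return misses


def flip_bit(bits, idx):
    """Bit-flip fault model: invert a single exponent bit (assumption)."""
    faulted = list(bits)
    faulted[idx] ^= 1
    return faulted


def miss_difference(exponent_bits, fault_idx):
    """Branch misses of the correct run, of the faulted run, and their
    difference; a nonzero difference is what the abstract says is observable."""
    correct = bimodal_misses(multiply_branch_trace(exponent_bits))
    faulted = bimodal_misses(multiply_branch_trace(flip_bit(exponent_bits, fault_idx)))
    return correct, faulted, faulted - correct


if __name__ == "__main__":
    for idx in range(len(EXPONENT_BITS)):
        c, f, d = miss_difference(EXPONENT_BITS, idx)
        print(f"flip bit {idx} ({EXPONENT_BITS[idx]}->{EXPONENT_BITS[idx] ^ 1}): "
              f"misses {c} -> {f}, difference {d:+d}")
```

The sign and size of the difference depend on the flipped bit's position and on the neighbouring bits, which is the dependence the paper's formal analysis characterises.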


Notes

  1. We explain the upper bound of 3 at the end of this section. The lower bound can be similarly established.


Author information

Corresponding author

Correspondence to Sarani Bhattacharya.


About this article


Cite this article

Bhattacharya, S., Mukhopadhyay, D. Formal fault analysis of branch predictors: attacking countermeasures of asymmetric key ciphers. J Cryptogr Eng 7, 299–310 (2017). https://doi.org/10.1007/s13389-017-0165-6
