1. Utilizing Performance Monitors for Compromising keys of RSA on Intel Platforms Sarani Bhattacharya and Debdeep Mukhopadhyay Dept. of Computer Science and Engineering Indian Institute of Technology, Kharagpur, India 10 March 2015

2. Public-Key Cryptography

3. RSA Encryption & Decryption 3 Plaintext: M C = M e mod (n=pq) Ciphertext: C C d mod n From n, difficult to figure out p,q From (n,e), difficult to figure d. From (n,e) and C, difficult to figure out M s.t. C = M e

4. Popular variants of Modular Exponentiation Algorithm

5. SPA and Timing Side Channel Resistant Algorithm for Modular Exponentiation

6. Primitive Algorithm for Performing Multiplication and Squaring

7. Modelling Branch Miss as Side- Channel from HPC Profiling of HPCs are done using performance monitoring tools and considered as side-channel. Provides simple user interface to different hardware event counts. Branch misses rely on the ability of the branch predictor to correctly predict future branches to be taken.

8. Strong Correlation between two-bit predictor and system predictor $ perf stat -e branch-misses executable-name Direct correlation is observed for the branch misses from HPCs and from the simulated 2-bit dynamic predictor over a sample of exponent bitstream. This confirms assumption of 2-bit dynamic predictor being an approximation to the underlying system branch predictor.

9. Threat model of the Attack

10. Offline Phase of Attack

11. Separation of Random Inputs

12. Online Phase Branch misses from HPCs are monitored for execution of cipher over the entire secret key on each ciphertext for 4 separate sets. The probable next bit is decided as:

14. Experimental Validation

16. Comparison with Timing Side- channel

17. Variation in separation with increase of Ciphertexts

18. Variation in separation with increase in number of Iterations

19. RSA-OAEP Randomized Padding Scheme

20. Decryption in RSA-OAEP

21. Separation for RSA-OAEP scheme

22. Thank you.