{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,17]],"date-time":"2025-10-17T19:57:03Z","timestamp":1760731023351,"version":"3.41.0"},"reference-count":31,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2018,1,2]],"date-time":"2018-01-02T00:00:00Z","timestamp":1514851200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2018,2,28]]},"abstract":"<jats:p>\n            Hardware performance counters (HPCs) are useful artifacts for evaluating the performance of software implementations. Recently, HPCs have been made more convenient to use without requiring explicit kernel patches or superuser privileges. However, in this article, we highlight that the information revealed by HPCs can be also exploited to attack standard implementations of public key algorithms. In particular, we analyze the vulnerability due to the event branch miss leaked via the HPCs during execution of the target ciphers. We present an iterative attack that targets the key bits of 1,024-bit RSA and 256-bit ECC, whereas in the offline phase, the system\u2019s underlying branch predictor is approximated by a theoretical predictor in the literature. Subsimulations are performed corresponding to each bit guess to classify the message space into distinct partitions based on the event branch misprediction and the target key bit value. In the online phase, branch mispredictions obtained from the hardware performance monitors on the target system reveal the secret key bits. We also theoretically prove that the probability of success of the attack is equivalent to the accurate modeling of the theoretical predictor to the underlying system predictor. In addition, we propose an improved version of the attack that requires fewer branch misprediction traces from the HPCs to recover the secret. Experimentations using both attack strategies have been provided on Intel Core 2 Duo, Core i3, and Core i5 platforms for 1,024-bit implementation of RSA and 256-bit scalar multiplication over the\n            <jats:italic>secp<\/jats:italic>\n            256\n            <jats:italic>r<\/jats:italic>\n            1 curve followed by results on the effect of change of parameters on the success rate. The attack can successfully reveal the exponent bits and thus seeks attention to model secure branch predictors such that it inherently prevents information leakage.\n          <\/jats:p>","DOI":"10.1145\/3156015","type":"journal-article","created":{"date-parts":[[2018,1,3]],"date-time":"2018-01-03T13:19:43Z","timestamp":1514985583000},"page":"1-31","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":7,"title":["Utilizing Performance Counters for Compromising Public Key Ciphers"],"prefix":"10.1145","volume":"21","author":[{"given":"Sarani","family":"Bhattacharya","sequence":"first","affiliation":[{"name":"Indian Institute of Technology Kharagpur, India"}]},{"given":"Debdeep","family":"Mukhopadhyay","sequence":"additional","affiliation":[{"name":"Indian Institute of Technology Kharagpur, Kharagpur, India"}]}],"member":"320","published-online":{"date-parts":[[2018,1,2]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Topics in Cryptology\u2014CT-RSA","author":"Acii\u00e7mez Onur","year":"2007","unstructured":"Onur Acii\u00e7mez , \u00c7etin Kaya Ko\u00e7 , and Jean-Pierre Seifert . 2007a. Predicting secret keys via branch prediction . In Topics in Cryptology\u2014CT-RSA 2007 . Lecture Notes in Computer Science, Vol. 4377 . Springer , 225--242. Onur Acii\u00e7mez, \u00c7etin Kaya Ko\u00e7, and Jean-Pierre Seifert. 2007a. Predicting secret keys via branch prediction. In Topics in Cryptology\u2014CT-RSA 2007. Lecture Notes in Computer Science, Vol. 4377. Springer, 225--242."},{"key":"e_1_2_1_2_1","series-title":"Lecture Notes in Computer Science","volume-title":"Cryptography and Coding","author":"Acii\u00e7mez Onur","unstructured":"Onur Acii\u00e7mez , Shay Gueron , and Jean-Pierre Seifert . 2007b. New branch prediction vulnerabilities in OpenSSL and necessary software countermeasures . In Cryptography and Coding . Lecture Notes in Computer Science , Vol. 4887 . Springer , 185--203. Onur Acii\u00e7mez, Shay Gueron, and Jean-Pierre Seifert. 2007b. New branch prediction vulnerabilities in OpenSSL and necessary software countermeasures. In Cryptography and Coding. Lecture Notes in Computer Science, Vol. 4887. Springer, 185--203."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2007.91"},{"key":"e_1_2_1_4_1","volume-title":"Topics in Cryptology\u2014CT-RSA","author":"Acii\u00e7mez Onur","year":"2008","unstructured":"Onur Acii\u00e7mez and Werner Schindler . 2008. A vulnerability in RSA implementations due to instruction cache analysis and its demonstration on OpenSSL . In Topics in Cryptology\u2014CT-RSA 2008 . Lecture Notes in Computer Science, Vol. 4964 . Springer , 256--273. Onur Acii\u00e7mez and Werner Schindler. 2008. A vulnerability in RSA implementations due to instruction cache analysis and its demonstration on OpenSSL. In Topics in Cryptology\u2014CT-RSA 2008. Lecture Notes in Computer Science, Vol. 4964. Springer, 256--273."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1007\/s13389-017-0165-6"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1007\/11894063_16"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-10366-7_39"},{"key":"e_1_2_1_8_1","volume-title":"Proceedings of the 12th USENIX Security Symposium. https:\/\/www.usenix.org\/conference\/12th-usenix-security-symposium\/remote-timing-attacks-are-practical.","author":"Brumley David","year":"2003","unstructured":"David Brumley and Dan Boneh . 2003 . Remote timing attacks are practical . In Proceedings of the 12th USENIX Security Symposium. https:\/\/www.usenix.org\/conference\/12th-usenix-security-symposium\/remote-timing-attacks-are-practical. David Brumley and Dan Boneh. 2003. Remote timing attacks are practical. In Proceedings of the 12th USENIX Security Symposium. https:\/\/www.usenix.org\/conference\/12th-usenix-security-symposium\/remote-timing-attacks-are-practical."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1049\/iet-ifs.2015.0399"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-53140-2_1"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2768566.2768571"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2870636"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/MICRO.2016.7783743"},{"key":"e_1_2_1_14_1","unstructured":"Agner Fog. 2009. The Microarchitecture of Intel and AMD CPU\u2019s: An Optimization Guide for Assembly Programmers and Compiler Makers.  Agner Fog. 2009. The Microarchitecture of Intel and AMD CPU\u2019s: An Optimization Guide for Assembly Programmers and Compiler Makers."},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-45238-6_22"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-44499-8_23"},{"key":"e_1_2_1_17_1","volume-title":"Patterson","author":"Hennessy John L.","year":"2006","unstructured":"John L. Hennessy and David A . Patterson . 2006 . Computer Architecture : A Quantitative Approach (4th ed.). Morgan Kaufmann . John L. Hennessy and David A. Patterson. 2006. Computer Architecture: A Quantitative Approach (4th ed.). Morgan Kaufmann."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-36400-5_22"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-68697-5_9"},{"volume-title":"Power Analysis Attacks: Revealing the Secrets of Smart Cards","author":"Mangard Stefan","key":"e_1_2_1_20_1","unstructured":"Stefan Mangard , Elisabeth Oswald , and Thomas Popp . 2007. Power Analysis Attacks: Revealing the Secrets of Smart Cards . Springer . Stefan Mangard, Elisabeth Oswald, and Thomas Popp. 2007. Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-44647-8_14"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2366231.2337173"},{"key":"e_1_2_1_23_1","volume-title":"Vanstone","author":"Menezes Alfred J.","year":"2001","unstructured":"Alfred J. Menezes , Paul C. van Oorschot , and Scott A . Vanstone . 2001 . Handbook of Applied Cryptography. CRC Press , Boca Raton, FL. Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. 2001. Handbook of Applied Cryptography. CRC Press, Boca Raton, FL."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1007\/11734727_14"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1090\/S0025-5718-1985-0777282-X"},{"key":"e_1_2_1_26_1","unstructured":"Nippon Telegraph and Telephone. 2010. Standards for Efficient Cryptography. SEC 2: Recommended Elliptic Curve Domain Parameters (Version 2.0). Certicom Research.  Nippon Telegraph and Telephone. 2010. Standards for Efficient Cryptography. SEC 2: Recommended Elliptic Curve Domain Parameters (Version 2.0). Certicom Research."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/FDTC.2008.19"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1049\/el:19991230"},{"volume-title":"Proceedings of the 2013 FastPath Workshop.","author":"Vincent","key":"e_1_2_1_29_1","unstructured":"Vincent M. Weaver and University of Maine. 2013. Linux perf_event features and overhead . In Proceedings of the 2013 FastPath Workshop. Vincent M. Weaver and University of Maine. 2013. Linux perf_event features and overhead. In Proceedings of the 2013 FastPath Workshop."},{"key":"e_1_2_1_30_1","volume-title":"Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-Channel Attack. Retrieved","author":"Yarom Yuval","year":"2017","unstructured":"Yuval Yarom and Naomi Benger . 2014. Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-Channel Attack. Retrieved November 7, 2017 , from https:\/\/eprint.iacr.org\/2014\/140.pdf Yuval Yarom and Naomi Benger. 2014. Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-Channel Attack. Retrieved November 7, 2017, from https:\/\/eprint.iacr.org\/2014\/140.pdf"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/123465.123475"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3156015","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3156015","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:38:44Z","timestamp":1750221524000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3156015"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,1,2]]},"references-count":31,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2018,2,28]]}},"alternative-id":["10.1145\/3156015"],"URL":"https:\/\/doi.org\/10.1145\/3156015","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"type":"print","value":"2471-2566"},{"type":"electronic","value":"2471-2574"}],"subject":[],"published":{"date-parts":[[2018,1,2]]},"assertion":[{"value":"2016-08-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-09-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2018-01-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}