TY - JOUR
T1 - Hertzbleed
T2 - Turning Power Side-Channel Attacks into Remote Timing Attacks on x86
AU - Wang, Yingchen
AU - Paccagnella, Riccardo
AU - He, Elizabeth Tang
AU - Shacham, Hovav
AU - Fletcher, Christopher W.
AU - Kohlbrenner, David
N1 - Publisher Copyright:
© 1981-2012 IEEE.
PY - 2023/7/1
Y1 - 2023/7/1
N2 - Power side-channel attacks exploit data-dependent variations in a CPU's power consumption to leak secrets. In this article, we show that on modern CPUs, power side-channel attacks can be turned into timing attacks that can be mounted without access to any power measurement interface. This discovery exploits how, under certain circumstances, the dynamic frequency scaling of modern x86 CPUs depends on the current power consumption (and hence, data). We demonstrate that this "frequency side channel" is a real threat to the security of cryptographic software. First, we reverse engineer the dependency between data, power, and frequency on a modern x86 CPU, finding, among other things, that differences as small as a set bit's position in a word can be distinguished through frequency changes. Second, we describe a novel chosen-ciphertext attack against (constant-time implementations of) supersingular isogeny key encapsulation that allows full key extraction via remote timing.
AB - Power side-channel attacks exploit data-dependent variations in a CPU's power consumption to leak secrets. In this article, we show that on modern CPUs, power side-channel attacks can be turned into timing attacks that can be mounted without access to any power measurement interface. This discovery exploits how, under certain circumstances, the dynamic frequency scaling of modern x86 CPUs depends on the current power consumption (and hence, data). We demonstrate that this "frequency side channel" is a real threat to the security of cryptographic software. First, we reverse engineer the dependency between data, power, and frequency on a modern x86 CPU, finding, among other things, that differences as small as a set bit's position in a word can be distinguished through frequency changes. Second, we describe a novel chosen-ciphertext attack against (constant-time implementations of) supersingular isogeny key encapsulation that allows full key extraction via remote timing.
UR - http://www.scopus.com/inward/record.url?scp=85159809204&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85159809204&partnerID=8YFLogxK
U2 - 10.1109/MM.2023.3274619
DO - 10.1109/MM.2023.3274619
M3 - Article
AN - SCOPUS:85159809204
SN - 0272-1732
VL - 43
SP - 19
EP - 27
JO - IEEE Micro
JF - IEEE Micro
IS - 4
ER -
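The abstract's core claim is that code whose instruction stream and cycle count are data-independent can still take a data-dependent amount of wall-clock time, because the data's Hamming weight changes power draw and the CPU's frequency scaling responds to power. The following harness, added here as an illustration and not code from the Hertzbleed paper or its authors, checks for exactly that observable on the machine it runs on: it executes the same branch-free, memory-oblivious loop over words of Hamming weight 1 and words of Hamming weight 63, interleaved in long batches so that frequency has time to settle and slow drift hits both classes equally, and reports the median batch time of each. The batch length, sample count, word classes and the multiply-xor mixer are my own choices, not the paper's measurement setup; the effect size (if any) depends on the CPU, on whether turbo/DVFS is enabled, and on power limits, so a gap is evidence of a frequency channel, while no gap on one machine is not evidence of safety on another.

```c
// Added example (not from the Hertzbleed paper): does wall-clock time of a
// cycle-invariant loop depend on the Hamming weight of its data on this machine?
// Batch size, sample count, word classes and mixer constants are assumptions of
// this harness, not the paper's experimental parameters.
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define N_WORDS 1024
#define BATCH_ITERS 2000000ULL   // assumption: long enough for frequency to settle
#define N_SAMPLES 21             // odd, so the median is a real sample

uint64_t hamming_weight(uint64_t x) { return (uint64_t)__builtin_popcountll(x); }

// Identical instruction stream and identical (sequential) memory accesses for
// every input: no branch, no table lookup, so a cycle counter would not
// distinguish the input classes. Only operand values differ.
uint64_t oblivious_work(const uint64_t *in, size_t n, uint64_t iters) {
    uint64_t acc = 0x243F6A8885A308D3ULL;
    for (uint64_t it = 0; it < iters; it++) {
        uint64_t x = in[it % n];
        acc = (acc ^ x) * 0x9E3779B97F4A7C15ULL;
        acc ^= acc >> 29;
    }
    return acc;
}

// Fill an array with one Hamming-weight class: high = 0 gives words with a
// single set bit (weight 1, rotating position), high = 1 gives their
// complements (weight 63).
void fill_class(uint64_t *out, size_t n, int high) {
    for (size_t i = 0; i < n; i++) {
        uint64_t one_bit = 1ULL << (i % 64);
        out[i] = high ? ~one_bit : one_bit;
    }
}

static double now_seconds(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec * 1e-9;
}

// Median of up to N_SAMPLES values (sorted copy via insertion sort); returns
// 0.0 for an empty or oversized input.
double median(const double *v, size_t n) {
    double tmp[N_SAMPLES];
    if (n == 0 || n > N_SAMPLES) return 0.0;
    memcpy(tmp, v, n * sizeof(double));
    for (size_t i = 1; i < n; i++) {
        double key = tmp[i];
        size_t j = i;
        while (j > 0 && tmp[j - 1] > key) { tmp[j] = tmp[j - 1]; j--; }
        tmp[j] = key;
    }
    return (n % 2) ? tmp[n / 2] : 0.5 * (tmp[n / 2 - 1] + tmp[n / 2]);
}

int main(void) {
    static uint64_t low[N_WORDS], high[N_WORDS];
    double t_low[N_SAMPLES], t_high[N_SAMPLES];
    volatile uint64_t sink = 0;   // keeps the work from being optimised away
    fill_class(low, N_WORDS, 0);
    fill_class(high, N_WORDS, 1);
    // Interleave the classes so thermal drift and background load hit both.
    for (int s = 0; s < N_SAMPLES; s++) {
        double t0 = now_seconds();
        sink += oblivious_work(low, N_WORDS, BATCH_ITERS);
        double t1 = now_seconds();
        sink += oblivious_work(high, N_WORDS, BATCH_ITERS);
        double t2 = now_seconds();
        t_low[s] = t1 - t0;
        t_high[s] = t2 - t1;
    }
    double ml = median(t_low, N_SAMPLES), mh = median(t_high, N_SAMPLES);
    printf("median batch time, weight-1 words : %.6f s\n", ml);
    printf("median batch time, weight-63 words: %.6f s\n", mh);
    printf("ratio high/low: %.5f (same instructions; a gap is power/frequency)\n", mh / ml);
    return (int)(sink & 1);
}
```

Build with `gcc -O2 -o freqcheck freqcheck.c` and run it on an otherwise idle core; repeat with turbo/boost disabled or the frequency pinned through the governor to see the gap close, which is also the blunt mitigation the frequency channel admits. A ratio near 1.0 on one machine says nothing about another CPU model or power limit, and this harness only compares two extreme weight classes; the paper reports that far finer differences, down to which single bit is set, are distinguishable.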