The 2022 Pwnie Winner For Best Cryptographic Attack

Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86

Researchers: [email protected], [email protected], [email protected], [email protected], [email protected]

This is a *remote timing* attack on *constant-time* implementations of SIKE, a post-quantum key encapsulation mechanism that is currently a finalist in NIST’s PQC competition. This attack is enabled by a new side channel called Hertzbleed, as well as new cryptanalysis techniques. As a result of this attack, mitigations were deployed to both Cloudflare’s and Microsoft’s implementations of SIKE, incurring performance overheads of 5% and 11%.

The Hertzbleed side channel takes advantage of the discovery that, under certain circumstances, dynamic CPU frequency adjustments on modern x86 processors depend on the data being processed, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second). The attack on SIKE shows that, using Hertzbleed, a clever attacker can perform *full key extraction* via remote timing, despite SIKE being implemented as “constant time” and despite its “well-understood” side-channel posture. An unoptimized version of the attack recovers the full key from Cloudflare’s and Microsoft’s implementations in 36 and 89 hours, respectively. The cryptanalytic details of the attack are described in the research paper.

The takeaway of this attack is that the current cryptographic engineering practices for how to write constant-time code are no longer sufficient to guarantee constant-time execution of software on modern processors. Indeed, as a result of this attack, Intel had to release new software guidance for cryptography implementations.
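
The following is an added illustration, not code from the researchers or from the implementations named above. It models an operation whose cycle count is identical for every input but whose clock frequency depends on the input class, then runs a Welch t-test of the kind used in leakage assessment on both cycle counts and wall-clock times. The cycle count, the two frequencies, the noise levels and the names `measure`, `welch_t` and `assess` are all constructed assumptions.

```python
import math
import random

CYCLES = 3_000_000   # constructed: cycles per operation, identical for every input
FREQ_HZ = {"class_a": 3.90e9, "class_b": 3.88e9}  # constructed data-dependent frequencies
THRESHOLD = 4.5      # |t| above this is commonly read as evidence of leakage


def measure(input_class, rng):
    """Return (observed cycle count, observed wall-clock seconds) for one operation."""
    # Cycle-counter jitter that does not depend on the input.
    cycles_seen = CYCLES + rng.gauss(0, 200)
    # Wall time is cycles / frequency, plus 50 microseconds of network jitter.
    wall = CYCLES / FREQ_HZ[input_class] + rng.gauss(0, 50e-6)
    return cycles_seen, wall


def welch_t(xs, ys):
    """Welch's t statistic for two samples with unequal variances."""
    def mean_var(v):
        m = sum(v) / len(v)
        return m, sum((x - m) ** 2 for x in v) / (len(v) - 1)
    (mx, vx), (my, vy) = mean_var(xs), mean_var(ys)
    return (mx - my) / math.sqrt(vx / len(xs) + vy / len(ys))


def assess(samples=50_000, seed=1):
    """Return (t for cycle counts, t for wall-clock times) between the two classes."""
    rng = random.Random(seed)
    a = [measure("class_a", rng) for _ in range(samples)]
    b = [measure("class_b", rng) for _ in range(samples)]
    t_cycles = welch_t([c for c, _ in a], [c for c, _ in b])
    t_wall = welch_t([w for _, w in a], [w for _, w in b])
    return t_cycles, t_wall


if __name__ == "__main__":
    t_cycles, t_wall = assess()
    for name, t in (("cycle count", t_cycles), ("wall clock", t_wall)):
        verdict = "LEAK" if abs(t) > THRESHOLD else "no evidence of leakage"
        print(f"{name:12s} t = {t:8.2f}  -> {verdict}")
```

A constant-time check that compares only cycle counts passes this model, while the same test on wall-clock time flags it, which is the gap the takeaway above describes.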