A method for constructing sliding windows leak from noisy cache timing information

This paper presents a method for constructing an operation sequence of sliding window exponentiation from the noisy cache information of RSA, which can be used for a cache attack using sliding windows leak (SWL). An SWL attack can retrieve the secret keys of RSA with non-negligible probability if the SWL is correctly captured. However, in practice, it is not always possible for an attacker to acquire a complete and correct operation sequence from cache information observation. In this paper, we first show that the capture errors in an operation sequence can be evaluated based on the Levenshtein distance between correct and estimated sequences. The dynamic time warping algorithm is employed for quantitative evaluation. Then, we present a method of accurately estimating a complete and correct operation sequence from noisy sequences obtained through multiple observations. Furthermore, we show the effectiveness of the proposed method through a set of experiments performed using RSA software in Libgcrypt. As a result, we can identify the correct operation sequence from approximately 100 observations of cache traces.