How to calculate bit error rate on RSA? #70
Description
I am learning to utilize flush+reload method to get private key of RSA.
I read related papers
flush+reload .
I am very grateful for these open source codes.
But with these open source codes, I always have a very confusing question. It's just that they don't introduce what the correct result looks like (if I know the correct result, I can reproduce them faster, and better observe the impact of the paper's idea on the experiment). Can someone explain how to get the bit error rate on RSA?
By reading the paper and source code, I found that it always checks whether the following three cache lines are used when decrypting.
probe 0x080f7607 S #mpih-mul.c:270 (First cache line in mpih_sqr_n())
probe 0x080f6c45 r #mpih-div.c:329 (Loop in default case in mpihelp_divrem())
probe 0x080f6fa8 M #mpih-mul.c:121 (First cache line of mul_n())
The paper also states:
Square-Reduce-Multiply-Reduce indicate a set bit. Sequences of
Square-Reduce which are not followed by Multiply indicate a clear bit.
But according to the previous description this seems to restore dp and dq. Because the above code is calculating mp = c^dp mod p and mq = c^dq mod q.
The paper also states:
Hence, knowing dp (and, symmetrically, dq) is sufficient for factoring
n and breaking the encryption
After that, the author directly gave the bit error rate.
This feels suspicious. I measured the access latency of the three cache lines above during decryption. And restore them to 01 bits according to the following introduction.
Square-Reduce-Multiply-Reduce indicate a set bit. Sequences of
Square-Reduce which are not followed by Multiply indicate a clear bit.
How can I calculate the bit error rate? Does this restore dp or dq? or something else?
How to get the correct dp and dq for comparison?
Thanks!