Editing RSA cryptosystem (section)

===Side-channel analysis attacks===
A side-channel attack using branch-prediction analysis (BPA) has been described. Many processors use a [[branch predictor]] to determine whether a conditional branch in the instruction flow of a program is likely to be taken or not. Often these processors also implement [[simultaneous multithreading]] (SMT). Branch-prediction analysis attacks use a spy process to discover (statistically) the private key when processed with these processors.

Simple Branch Prediction Analysis (SBPA) claims to improve BPA in a non-statistical way. In their paper, "On the Power of Simple Branch Prediction Analysis",<ref>{{Cite conference |citeseerx = 10.1.1.80.1438 |title = On the power of simple branch prediction analysis |first1=Onur |last1=Acıiçmez |first2=Çetin Kaya |last2=Koç |first3=Jean-Pierre |last3=Seifert |pages = 312–320 |year = 2007 |book-title=Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security |series=ASIACCS '07 |doi=10.1145/1229285.1266999 }}</ref> the authors of SBPA (Onur Aciicmez and Cetin Kaya Koc) claim to have discovered 508 out of 512&nbsp;bits of an RSA key in 10 iterations.

A power-fault attack on RSA implementations was described in 2010.<ref>{{cite book |last1=Pellegrini |first1=Andrea |last2=Bertacco |first2=Valeria |last3=Austin |first3=Todd |chapter=Fault-based attack of RSA authentication |title=2010 Design, Automation & Test in Europe Conference & Exhibition (DATE 2010) |date=March 2010 |pages=855–860 |doi=10.1109/DATE.2010.5456933 |isbn=978-3-9810801-6-2 |access-date=21 November 2024 |chapter-url=https://ieeexplore.ieee.org/document/5456933}}</ref> The author recovered the key by varying the CPU power voltage outside limits; this caused multiple power faults on the server.