Publications

2026

1. IEEE S&P

   KeyTAR: Practical Keystroke Timing Attacks and Input Reconstruction

   Mufan Qiu^*, Lihsuan Chuang^*, Dohhyun Kim, and 3 more authors

   In 2026 IEEE Symposium on Security and Privacy (SP), May 2026

   Abs DOI Bib PDF

   Keystroke timing attacks have long been recognized as a serious security concern. Researchers have conjectured that an attacker who learns the amount of time that elapses between keystrokes on a computer keyboard can reconstruct the keys pressed by a victim typist. Given the severe implications of a successful keystroke timing attack, numerous published side-channel works have utilized keystroke timing extraction as a case study to illustrate the impact of various types of side-channel attacks. However, despite an abundance of works demonstrating extraction of inter-keystroke timings, it remains to be proven that input recovery is actually possible. This paper bridges this long-standing gap in the literature and performs a comprehensive study on the feasibility of reconstructing typed input from inter-keystroke timings. We model input reconstruction as a machine translation task and fine-tune open-source Large Language Models (LLMs) with a curriculum learning strategy, leveraging their ability to utilize contextual information and incorporate semantic understanding into the reconstruction process. With this approach, we reconstruct typed input with a high degree of fidelity. Using the best reconstruction among the Top-5 predictions and a normalized edit distance threshold of 0.1 as the criterion for successful reconstruction, we achieve a success rate of 34.9%. We also demonstrate input reconstruction under practical, real-world circumstances, where additional noise is introduced to the inter-keystroke timing traces. We conduct end-to-end cache attacks, both from native environments and from the Chrome browser, and quantify how the additional noise inherent to cache attacks affects the input recovery process. To obtain a sufficiently large dataset for training and fine-tuning the LLM for noisy traces extracted via cache-attacks, we replayed over 1.5 million typing samples from real human typists while performing cache attacks. We release and open-source this dataset, along with our code and checkpoint for reconstructing input, so that future works on keystroke-timing attacks can rigorously and empirically evaluate their effectiveness.

   @inproceedings{qiu2026keytar,
     title = {KeyTAR: Practical Keystroke Timing Attacks and Input Reconstruction},
     author = {Qiu, Mufan and Chuang, Lihsuan and Kim, Dohhyun and Qu, Huaizhi and Chen, Tianlong and Kwong, Andrew},
     booktitle = {2026 IEEE Symposium on Security and Privacy (SP)},
     year = {2026},
     organization = {IEEE},
     issn = {2375-1207},
     pages = {1986-2005},
     keywords = {ai-for-security;keystroke-timing;side-channels;hardware security},
     doi = {10.1109/SP63933.2026.00106},
     url = {https://doi.ieeecomputersociety.org/10.1109/SP63933.2026.00106},
     publisher = {IEEE Computer Society},
     address = {Los Alamitos, CA, USA},
     month = may
   }