Publications
2026
- IEEE S&PKeyTAR: Practical Keystroke Timing Attacks and Input ReconstructionMufan Qiu*, Lihsuan Chuang*, Dohhyun Kim, and 3 more authorsIn 2026 IEEE Symposium on Security and Privacy (SP), May 2026
Keystroke timing attacks have long been recognized as a serious security concern. Researchers have conjectured that an attacker who learns the amount of time that elapses between keystrokes on a computer keyboard can reconstruct the keys pressed by a victim typist. Given the severe implications of a successful keystroke timing attack, numerous published side-channel works have utilized keystroke timing extraction as a case study to illustrate the impact of various types of side-channel attacks. However, despite an abundance of works demonstrating extraction of inter-keystroke timings, it remains to be proven that input recovery is actually possible. This paper bridges this long-standing gap in the literature and performs a comprehensive study on the feasibility of reconstructing typed input from inter-keystroke timings. We model input reconstruction as a machine translation task and fine-tune open-source Large Language Models (LLMs) with a curriculum learning strategy, leveraging their ability to utilize contextual information and incorporate semantic understanding into the reconstruction process. With this approach, we reconstruct typed input with a high degree of fidelity. Using the best reconstruction among the Top-5 predictions and a normalized edit distance threshold of 0.1 as the criterion for successful reconstruction, we achieve a success rate of 34.9%. We also demonstrate input reconstruction under practical, real-world circumstances, where additional noise is introduced to the inter-keystroke timing traces. We conduct end-to-end cache attacks, both from native environments and from the Chrome browser, and quantify how the additional noise inherent to cache attacks affects the input recovery process. To obtain a sufficiently large dataset for training and fine-tuning the LLM for noisy traces extracted via cache-attacks, we replayed over 1.5 million typing samples from real human typists while performing cache attacks. We release and open-source this dataset, along with our code and checkpoint for reconstructing input, so that future works on keystroke-timing attacks can rigorously and empirically evaluate their effectiveness.
@inproceedings{qiu2026keytar, title = {KeyTAR: Practical Keystroke Timing Attacks and Input Reconstruction}, author = {Qiu, Mufan and Chuang, Lihsuan and Kim, Dohhyun and Qu, Huaizhi and Chen, Tianlong and Kwong, Andrew}, booktitle = {2026 IEEE Symposium on Security and Privacy (SP)}, year = {2026}, organization = {IEEE}, issn = {2375-1207}, pages = {1986-2005}, keywords = {ai-for-security;keystroke-timing;side-channels;hardware security}, doi = {10.1109/SP63933.2026.00106}, url = {https://doi.ieeecomputersociety.org/10.1109/SP63933.2026.00106}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, month = may }