Cache-collision timing attacks against AES

Joseph Bonneau; Ilya Mironov

doi:10.1007/11894063_16

Cache-collision timing attacks against AES

Joseph Bonneau, Ilya Mironov

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

This paper describes several novel timing attacks against the common table-driven software implementation of the AES cipher. We define a general attack strategy using a simplified model of the cache to predict timing variation due to cache-collisions in the sequence of lookups performed by the encryption. The attacks presented should be applicable to most high-speed software AES implementations and computing platforms, we have implemented them against OpenSSL v. 0.9.8.(a) running on Pentium III, Pentium IV Xeon, and UltraSPARC III+ machines. The most powerful attack has been shown under optimal conditions to reliably recover a full 128-bit AES key with 2¹³ timing samples, an improvement of almost four orders of magnitude over the best previously published attacks of this type [Ber05]. While the task of defending AES against all timing attacks is challenging, a small patch can significantly reduce the vulnerability to these specific attacks with no performance penalty.

Original language	English (US)
Title of host publication	Cryptographic Hardware and Embedded Systems, CHES 2006 - 8th International Workshop, Proceedings
Publisher	Springer Verlag
Pages	201-215
Number of pages	15
ISBN (Print)	3540465596, 9783540465591
DOIs	https://doi.org/10.1007/11894063_16
State	Published - 2006
Event	8th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2006 - Yokohama, Japan Duration: Oct 10 2006 → Oct 13 2006

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	4249 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	8th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2006
Country/Territory	Japan
City	Yokohama
Period	10/10/06 → 10/13/06

Keywords

AES
Cache
Cryptanalysis
Side-channel attack
Timing attack

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/11894063_16

Cite this

Bonneau, J., & Mironov, I. (2006). Cache-collision timing attacks against AES. In Cryptographic Hardware and Embedded Systems, CHES 2006 - 8th International Workshop, Proceedings (pp. 201-215). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4249 LNCS). Springer Verlag. https://doi.org/10.1007/11894063_16

Cache-collision timing attacks against AES. / Bonneau, Joseph; Mironov, Ilya.
Cryptographic Hardware and Embedded Systems, CHES 2006 - 8th International Workshop, Proceedings. Springer Verlag, 2006. p. 201-215 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4249 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Bonneau, J & Mironov, I 2006, Cache-collision timing attacks against AES. in Cryptographic Hardware and Embedded Systems, CHES 2006 - 8th International Workshop, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4249 LNCS, Springer Verlag, pp. 201-215, 8th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2006, Yokohama, Japan, 10/10/06. https://doi.org/10.1007/11894063_16

@inproceedings{f5fe00df5d6c4046942f825679e2852b,

title = "Cache-collision timing attacks against AES",

abstract = "This paper describes several novel timing attacks against the common table-driven software implementation of the AES cipher. We define a general attack strategy using a simplified model of the cache to predict timing variation due to cache-collisions in the sequence of lookups performed by the encryption. The attacks presented should be applicable to most high-speed software AES implementations and computing platforms, we have implemented them against OpenSSL v. 0.9.8.(a) running on Pentium III, Pentium IV Xeon, and UltraSPARC III+ machines. The most powerful attack has been shown under optimal conditions to reliably recover a full 128-bit AES key with 213 timing samples, an improvement of almost four orders of magnitude over the best previously published attacks of this type [Ber05]. While the task of defending AES against all timing attacks is challenging, a small patch can significantly reduce the vulnerability to these specific attacks with no performance penalty.",

keywords = "AES, Cache, Cryptanalysis, Side-channel attack, Timing attack",

author = "Joseph Bonneau and Ilya Mironov",

note = "Funding Information: ACKNOWLEDGMENTS We thank Katie McFadden, Danielle DiIullo, Lindsay Glass, and Ethan Tate for help with fish collection and laboratory observations. Comments from the Fisheries Ecology and Aquatic Sciences Lab Group at North Carolina State University, Nick Haddad, and Joseph Kawatski improved earlier versions of this manuscript. This project was funded by a State Wildlife Grant through the North Carolina Wildlife Resources Commission. Any use of trade, product, or firm names is for descriptive purposes only and does not imply endorsement by the U.S. Government. The North Carolina Cooperative Fish and Wildlife Research Unit is jointly supported by North Carolina State University, North Carolina Wildlife Resources Commission, U.S. Geological Survey, U.S. Fish and Wildlife Service, and Wildlife Management Institute.; 8th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2006 ; Conference date: 10-10-2006 Through 13-10-2006",

year = "2006",

doi = "10.1007/11894063_16",

language = "English (US)",

isbn = "3540465596",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "201--215",

booktitle = "Cryptographic Hardware and Embedded Systems, CHES 2006 - 8th International Workshop, Proceedings",

}

TY - GEN

T1 - Cache-collision timing attacks against AES

AU - Bonneau, Joseph

AU - Mironov, Ilya

N1 - Funding Information: ACKNOWLEDGMENTS We thank Katie McFadden, Danielle DiIullo, Lindsay Glass, and Ethan Tate for help with fish collection and laboratory observations. Comments from the Fisheries Ecology and Aquatic Sciences Lab Group at North Carolina State University, Nick Haddad, and Joseph Kawatski improved earlier versions of this manuscript. This project was funded by a State Wildlife Grant through the North Carolina Wildlife Resources Commission. Any use of trade, product, or firm names is for descriptive purposes only and does not imply endorsement by the U.S. Government. The North Carolina Cooperative Fish and Wildlife Research Unit is jointly supported by North Carolina State University, North Carolina Wildlife Resources Commission, U.S. Geological Survey, U.S. Fish and Wildlife Service, and Wildlife Management Institute.

PY - 2006

Y1 - 2006

N2 - This paper describes several novel timing attacks against the common table-driven software implementation of the AES cipher. We define a general attack strategy using a simplified model of the cache to predict timing variation due to cache-collisions in the sequence of lookups performed by the encryption. The attacks presented should be applicable to most high-speed software AES implementations and computing platforms, we have implemented them against OpenSSL v. 0.9.8.(a) running on Pentium III, Pentium IV Xeon, and UltraSPARC III+ machines. The most powerful attack has been shown under optimal conditions to reliably recover a full 128-bit AES key with 213 timing samples, an improvement of almost four orders of magnitude over the best previously published attacks of this type [Ber05]. While the task of defending AES against all timing attacks is challenging, a small patch can significantly reduce the vulnerability to these specific attacks with no performance penalty.

AB - This paper describes several novel timing attacks against the common table-driven software implementation of the AES cipher. We define a general attack strategy using a simplified model of the cache to predict timing variation due to cache-collisions in the sequence of lookups performed by the encryption. The attacks presented should be applicable to most high-speed software AES implementations and computing platforms, we have implemented them against OpenSSL v. 0.9.8.(a) running on Pentium III, Pentium IV Xeon, and UltraSPARC III+ machines. The most powerful attack has been shown under optimal conditions to reliably recover a full 128-bit AES key with 213 timing samples, an improvement of almost four orders of magnitude over the best previously published attacks of this type [Ber05]. While the task of defending AES against all timing attacks is challenging, a small patch can significantly reduce the vulnerability to these specific attacks with no performance penalty.

KW - AES

KW - Cache

KW - Cryptanalysis

KW - Side-channel attack

KW - Timing attack

UR - http://www.scopus.com/inward/record.url?scp=33750814106&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33750814106&partnerID=8YFLogxK

U2 - 10.1007/11894063_16

DO - 10.1007/11894063_16

M3 - Conference contribution

AN - SCOPUS:33750814106

SN - 3540465596

SN - 9783540465591

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 201

EP - 215

BT - Cryptographic Hardware and Embedded Systems, CHES 2006 - 8th International Workshop, Proceedings

PB - Springer Verlag

T2 - 8th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2006

Y2 - 10 October 2006 through 13 October 2006

ER -

Cache-collision timing attacks against AES

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this