Cache-collision timing attacks against AES

Joseph Bonneau, Ilya Mironov

Research output: Chapter in Book/Report/Conference proceedingConference contribution


This paper describes several novel timing attacks against the common table-driven software implementation of the AES cipher. We define a general attack strategy using a simplified model of the cache to predict timing variation due to cache-collisions in the sequence of lookups performed by the encryption. The attacks presented should be applicable to most high-speed software AES implementations and computing platforms, we have implemented them against OpenSSL v. 0.9.8.(a) running on Pentium III, Pentium IV Xeon, and UltraSPARC III+ machines. The most powerful attack has been shown under optimal conditions to reliably recover a full 128-bit AES key with 213 timing samples, an improvement of almost four orders of magnitude over the best previously published attacks of this type [Ber05]. While the task of defending AES against all timing attacks is challenging, a small patch can significantly reduce the vulnerability to these specific attacks with no performance penalty.

Original languageEnglish (US)
Title of host publicationCryptographic Hardware and Embedded Systems, CHES 2006 - 8th International Workshop, Proceedings
PublisherSpringer Verlag
Number of pages15
ISBN (Print)3540465596, 9783540465591
StatePublished - 2006
Event8th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2006 - Yokohama, Japan
Duration: Oct 10 2006Oct 13 2006

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume4249 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other8th International Workshop on Cryptographic Hardware and Embedded Systems, CHES 2006


  • AES
  • Cache
  • Cryptanalysis
  • Side-channel attack
  • Timing attack

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'Cache-collision timing attacks against AES'. Together they form a unique fingerprint.

Cite this