A comprehensive study of multiple deductions-based algebraic trace driven cache attacks on AES

01 Nov 2013-Computers & Security (Elsevier)-Vol. 39, pp 173-189

TL;DR: A mathematical model is constructed to estimate the maximal number of leakage rounds that can be utilized and the minimal number of cache traces required for a successful MDATDCA on AES and attests that combining TDCAs with algebraic techniques is a very efficient way to improve cache attacks.

Abstract: Existing trace driven cache attacks (TDCAs) can only analyze the cache events in the first two rounds or the last round of AES, which limits the efficiency of the attacks. Recently, Zhao et al. proposed the multiple deductions-based algebraic side-channel attack (MDASCA) to cope with the errors in leakage measurements and to exploit new leakage models. Their preliminary results showed that MDASCA can improve TDCAs and attack the AES implemented with a compact lookup table of 256 bytes. This paper performs a comprehensive study of MDASCA-based TDCAs (MDATDCA) on most of the AES implementations that are widely used. First, the key recovery in TDCA is depicted by an abstract model regardless of the specific attack techniques. Then, the previous work of TDCAs on AES is classified into three types and its limitations are analyzed. How to utilize the cache events with MDATDCA is presented and the overhead is also calculated. To evaluate MDATDCA on AES, this paper constructs a mathematical model to estimate the maximal number of leakage rounds that can be utilized and the minimal number of cache traces required for a successful MDATDCA. Extensive experiments are conducted under different implementations, attack scenarios and key lengths of AES. The experimental results are consistent with the theoretical analysis. Many improvements are achieved. For the first time, we show that TDCAs on AES-192 and AES-256 become possible with the MDATDCA technique. Our work attests that combining TDCAs with algebraic techniques is a very efficient way to improve cache attacks.


Summary

1. Introduction

  • Cache attacks are a class of Side-channel attacks (SCAs) that extract the secret from the behavior of cache in the processors.
  • Under the error-free attack scenario, the number of cache traces required to attack the AES implemented with a compact lookup table of 256 bytes can be reduced to only five.
  • Section 2 describes the notations used throughout the paper.

2. Notation

  • Throughout the paper, P denotes the public variable (plaintext or ciphertext) and K denotes the targeted secret variable (the master key or equivalent key).
  • Suppose each entry in the table has $2^e$ bytes and each cache line has $2^\delta$ bytes.
  • Assume $q_t$ is the t-th targeted cache event in TDCA and $y_t$ denotes the related table lookup index.

3. The TDCA Problem

  • The goal of TDCA is to extract the value of all $k_i$ in K (the secret key) from the knowledge of the $p_i$s (known public variables) and $q_j$s (cache events).
  • Suppose the cache contains no data from the table before each encryption.
  • Otherwise, the assignment is an incorrect guess.
  • In TDCA, the adversary can analyze different table lookups and traces until the search space of K is reduced to a level where a brute-force attack is feasible.

4.1. AES implementations

  • All the AES implementations can be categorized into three types based on (1) $g_t$, the number of the lookup tables; (2) $g_s$, the size of the lookup tables; (3) $g_l$, the number of lookups in one round that access the same table; (4) $g_c$, the size of the cache line, where $g_c = 2^\delta$.
  • Note that the scope of this paper is about AES implementations that use one or more lookup tables for the sole S-Box, and not the lookup tables for the field multiplication in the MixColumns operation of AES [8].
  • Recall b is the number of bits revealed from one table lookup.

4.2. TDCA on AES of Type A

  • To further reduce the key search space and the number of plaintexts (or power traces) required, attacks in [8, 9, 10] also utilized some cache events in the second round.
  • In [8], equations are generated only from the cache hits as shown in Eq.(3).
  • To improve the attack, the work in [8] also considered the case where the first two lookups in the second round ($q_{16}$ and $q_{17}$) are cache hits.
  • The result in [8] is that 1280 chosen plaintexts are required to reduce the key search space to $2^{24}$.

4.3. TDCA on AES of Type B

  • Acıiçmez [4] presented the first TDCA on AES for such implementation, in which four lookup tables are used for each round and each is accessed four times.
  • More key bits can be derived via the analysis of the second round.
  • Acıiçmez [4] also pointed out that TDCA on the third or the deeper rounds was an open problem.

4.4. TDCA on AES of Type C

  • The work in [5, 7] showed that under Type C implementations, TDCA on the final round of AES is much more effective than in the first round.
  • While in the last round, $f_t(\cdot)$ becomes a complicated nonlinear function.

4.5. Limitation of previous TDCAs

  • Moreover, all current TDCA works are for AES-128.
  • As to AES with longer key lengths (e.g., AES-192 and AES-256), the key expansion algorithms become more complicated and the first 20 lookups only leak partial bits of the master key.
  • The manual representation of table indexes is awkward.
  • Combining algebraic techniques with TDCA seems to be interesting and promising.

5. MDASCA-based Trace Driven Cache Attacks (MDATDCAs)

  • In TDCA, the key issue is to obtain the cache events related to table lookups and to represent the possible (and/or impossible) candidates of lookup indexes with equations.
  • The work in [18] proposes a generic method to convert the multiple deductions into algebraic equations and applies it to TDCA.
  • Finally, the secret key is recovered by solving the whole equation system [21, 22].
  • More details about MDASCA can be found in [18].
  • Next, the authors will describe the core of MDATDCA, which is to represent cache hit and miss events with algebraic equations.

5.2. Representing a cache miss

  • Eji is also introduced as in Section 5.1.
  • They can be easily fed into a solver, e.g., the SAT solver CryptoMiniSAT [22], to recover the key.

6. Evaluation of MDATDCAs on AES

  • For simplicity, this section only estimates the number of rounds that can be exploited, and the number of cache traces required in MDATDCAs on AES-128 under the error-free attack scenario, where the cache does not contain any AES data prior to each encryption.
  • Extending these estimations to AES-192/256 is straightforward.

6.1. The Number of rounds that can be exploited

  • For convenience, D is used to denote the set of cache lines that will be filled up with data from lookup tables.
  • As long as D is not filled up, there may exist some cache misses (before qt) that can be used for key recovery.
  • For Type C, all the 16 lookups in the last round can be used for key recovery.

6.2. The Number of cache traces required

  • The work in [18] presents a preliminary study of estimating the minimal number of cache traces required in TDCA.
  • The authors introduce four metrics and adopt the information-theoretic approach to optimize the estimations on the minimal number of cache traces required for a successful MDATDCA.
  • Note that there are some intersections among $K_t$ for different table lookups in practice, thus $\sigma_i$ satisfies $\sigma_i \le \sum_{z=16i}^{16i+15} \pi_z$ (12).
  • (4) $\tau_i$: the maximal number of key bits recovered in the i-th round. Let $\tau_0$, $\tau_1$, and $\tau_9$ denote the maximal number of the key bits recovered in the first, second and last round.
  • As $\tau_0$ bits are recovered in the first round, the authors only need to recover the remaining $128-\tau_0$ bits in the second round.

7. Experiment Setup

  • The overall process of MDATDCA has been described in Section 5.
  • Due to the page limit, here the authors only list a few important details about the setup.
  • Each case is repeated many times; each repetition is referred to as an instance.

7.1. Build the AES equation set

  • How to represent the S-Box is the most difficult part in algebraic analysis.
  • The authors adopt the technique in [23] to derive every S-Box output bit with high-degree equations (degree 7) from the eight S-Box input bits.

7.2. Profile the cache traces

  • This paper mainly focuses on the analysis part of MDATDCAs.
  • This can be achieved by modifying the AES source code in OpenSSL and generating the sequences of cache events under different configurations.
  • To prove the feasibility of MDATDCA, in Section 9, the authors conduct concrete MDATDCA experiments against AES implemented with a 256B compact table on a 32-bit ARM microprocessor NXP LPC2124.
  • In practice, the cache hits and misses are not always distinguishable from the EM traces, which are treated as uncertain cache events or errors.

7.3. Utilize the cache traces

  • The authors build additional equations from the generated cache events.
  • In order to verify these multiple solutions, the authors append a set of new equations that describe a full AES encryption with a pair of known plaintext and ciphertext.
  • Some instances cannot be solved within a day.
  • To accelerate the solving process, the authors give the guesses to $n_k$ key bits first and run the exhaustive search for all the $2^{n_k}$ guesses.
  • If the guess is correct, the solver can output the correct key within a reasonable amount of time.

7.4. Solve the equation system

  • Many automatic tools can be used, such as Gröbner basis-based [21], or SAT-based solver [22].
  • In Sections 8, 9, and 10, three case studies are performed in MDATDCA on AES-128 considering different attack scenarios.

8. Case 1: Error-free MDATDCAs on AES

  • The authors conduct MDATDCA on AES under two assumptions.
  • The first is that the cache does not contain any AES data prior to each encryption.
  • The second is that the adversary can distinguish the cache miss event from the cache hit event precisely.

8.1. Data and time complexity

  • For each case, the authors run 100 instances (where the correct values of $n_k$ key bits are fed into the equation set first).
  • Fig. 6(a)-6(i) show the distribution of the different solving times (in seconds) for the nine cases by analyzing N cache traces.
  • Similar observations are also reported in [14, 15].
  • The time required in attacking AES for Type A and Type C is less than Type B.
  • If the adversary has more computation power, the attack may require fewer cache traces.

8.2. Overhead for the equation system

  • The original AES with r rounds can be represented with a set of equations.
  • Suppose the number of equations and variables to represent this set are $N^r_e$ and $N^r_v$ respectively.
  • For the lookup $q_t$, the overhead introduced can be calculated as in Section 5.1 and 5.2.
  • The ratios $M^r_e / N^r_e$ and $M^r_v / N^r_v$ are denoted as $EQ_r$ and $VA_r$ respectively.

8.3. Comparisons with previous work

  • The comparisons of MDATDCAs with previous work are listed in Table 3.
  • The first three columns describe the AES implementations.
  • The next three columns list the attacks, and the number of traces and rounds that are required.
  • The last column lists the reduced key search space.
  • The authors can see that MDATDCAs have better performances than all previous work in terms of both data and time complexity.

9. Case 2: Error-tolerant MDATDCAs on AES

  • Similar to [10], the authors implemented unprotected AES software implementations on a 32-bit ARM microprocessor NXP LPC2124 and profiled the cache collisions via EM probe.
  • The authors reset the cache to clear the AES data prior to each encryption.
  • The acquisition was performed with Langer RF-B 3-2 probe, Langer PA303N 30 dB preamplifier and Tektronix DPO 4104 oscilloscope.
  • For some table lookups, it is hard to tell whether they are cache miss or hit because the peak is not high enough.
  • Next, the authors describe the error-tolerant strategy and present the experimental results on AES.

9.1. Error tolerance strategy

  • In the attack, the authors set two thresholds of the amplitude peak value to deduce the cache events, the upper bound threshold $V_M$ and the lower bound threshold $V_H$.
  • The authors adopt the following strategy to analyze each cache event.
  • Then D, the possible deduction set of $d(\langle y_t\rangle_b)$, is composed of the index set related to both previous cache miss events and uncertain cache events.
  • Thus, the set size $s_p$ is much larger than the one in error-free MDATDCA.
  • Note that as some uncertain cache events might be cache hits in reality, there might exist two or more deductions which are both equal to d.

2. $q_t$ is a miss.

  • Then the impossible deduction set of $d(\langle y_t\rangle_b)$ is only composed of the index set related to previous cache miss events.
  • Note that as some cache miss events in practice may be considered as uncertain cache events, the set size $s_n$ is much smaller than the one in error-free MDATDCA.

9.2. Experimental results and comparisons

  • The extensions to other cases are straightforward.
  • In practice, the error rate is about 40%.
  • Only 12 cache traces are required to break AES.
  • The authors can see that their error-tolerant MDATDCA can analyze the cache events of the first three rounds and requires fewer cache traces than [10].

10. Case 3: MDATDCAs on AES with Preloaded Cache

  • The MDATDCAs in Sections 8 and 9 are all conducted assuming the cache is cleaned before the attack.
  • In practice, the cache might be partially filled with some lines of the lookup table; this is also referred to as TDCA in the partially preloaded cache scenario and has been widely studied in previous work [7, 9, 10].
  • This section presents the cache analysis strategy and experimental results of MDATDCAs on AES with partially preloaded cache.

10.1. Cache analysis strategy

  • Under this scenario, since some data of AES lookup table are already filled in the cache, more cache hit events can be observed for a single cache trace in practice.
  • Then, the cache hits that occur may correspond to preloaded lines, and no valuable information can be provided to the attack.
  • The authors utilized the cache miss events in their MDATDCA on AES.

10.2. Experimental results and comparisons

  • The comparisons of their results with previous work are depicted in Table 5.
  • The authors can see that, under the partially preloaded cache scenario, fewer cache traces are required to break AES by MDATDCA than in [10].
  • Even when ten of sixteen cache lines are preloaded into the cache before the AES encryption, MDATDCA can still succeed within 120 cache traces, which is better than the eight preloaded cache lines reported in [10].

11.1. Different difficulties in TDCAs on AES-128/192/256

  • All previous TDCA work targets AES-128 and can at most analyze 16 lookups in the first round and first 4 lookups in the second round.
  • Let P denote the plaintext, $K_0, K_1, K_2$ be the round keys of the first three rounds, and $X_1, X_2$ be the output of the first two rounds ($f(\cdot)$ being the round function).
  • The key leakages in TDCA on AES-128 are depicted in Fig.9.
  • Such preponderance does not exist when attacking AES-192 and AES-256, in which the key expansion algorithm is much more complicated and the second round key has little (e.g., AES-192) or no relation (e.g., AES-256) with the first round key.
  • Next, the authors show why and how MDATDCA can be used to attack AES-192 and AES-256.

11.2. MDATDCA on AES-192

  • In total 144 key bits can be retrieved, which reduces the search space of the master key to $2^{48}$.
  • The authors can see that, in order to recover the full 192 bits of the master key, three rounds of cache leakages have to be analyzed, which can be done with MDATDCA.
  • The authors show that 10 cache traces can recover AES key successfully within minutes on average under known plaintext and error-free scenario for the full attack.

11.3. MDATDCA on AES-256

  • In total 144 key bits can be retrieved, which reduces the search space of the master key to $2^{112}$.
  • According to the key schedule of AES-256, the master key is just the concatenation of K0 and K1.
  • To break AES-256, analyzing at least the cache events of the first 3 rounds has to be considered and MDATDCA works well for this.
  • The authors show that 15 cache traces can recover the AES key within 30 minutes on average under known plaintext and error-free scenario for the full attack.


A Comprehensive Study of Multiple Deductions-based Algebraic Trace Driven Cache Attacks on AES

Xinjie Zhao a,∗, Shize Guo b, Fan Zhang c,∗∗, Tao Wang a, Zhijie Shi c, Zhe Liu d, Jean-François Gallais d

a Department of Computer Engineering, Ordnance Engineering College, Shijiazhuang 050003, China
b The Institute of North Electronic Equipment, Beijing 100083, China
c Department of Computer Science and Engineering, University of Connecticut, Storrs 06269, USA
d Laboratory of Algorithmics, Cryptology and Security (LACS), University of Luxembourg, L-1359, Luxembourg.
Abstract

Existing trace driven cache attacks (TDCAs) can only analyze the cache events in the first two rounds or the last round of AES, which limits the efficiency of the attacks. Recently, Zhao et al. proposed the multiple deductions-based algebraic side-channel attack (MDASCA) to cope with the errors in leakage measurements and to exploit new leakage models. Their preliminary results showed that MDASCA can improve TDCAs and attack the AES implemented with a compact lookup table of 256 bytes. This paper performs a comprehensive study of MDASCA-based TDCAs (MDATDCA) on most of the AES implementations that are widely used. First, the key recovery in TDCA is depicted by an abstract model regardless of the specific attack techniques. Then, the previous work of TDCAs on AES is classified into three types and its limitations are analyzed. How to utilize the cache events with MDATDCA is presented and the overhead is also calculated. To evaluate MDATDCA on AES, this paper constructs a mathematical model to estimate the maximal number of leakage rounds that can be utilized and the minimal number of cache traces required for a successful MDATDCA. Extensive experiments are conducted under different implementations, attack scenarios and key lengths of AES. The experimental results are consistent with the theoretical analysis. Many improvements are achieved. For the first time, we show that TDCAs on AES-192 and AES-256 become possible with the MDATDCA technique. Our work attests that combining TDCAs with algebraic techniques is a very efficient way to improve cache attacks.

Keywords: Multiple deductions, Algebraic side-channel attack, Trace driven, Cache attack, Error-tolerant, AES-128/192/256.
1. Introduction

Cache attacks are a class of Side-channel attacks (SCAs) that extract the secret from the behavior of cache in the processors. These attacks utilize the fact that a cache miss has a different profile of leakages from a cache hit. Cache attacks demonstrated fall into three categories, depending on the channels used to collect the leakages. These channels are spy processes [1], timing information [2, 3] and power/electromagnetic (EM) traces [4, 5, 6, 7, 8, 9, 10, 11]. The focus of this paper is trace driven cache attack (TDCA), which exploits the power or electromagnetic traces.

With direct access to the cryptographic device, the adversaries can monitor the power/EM traces, which minimizes the invasion to the device. As the name suggests, TDCAs monitor cache hits and misses from power/EM traces, and recover the secret key used in the computation. The number of traces required in TDCAs is much less than in the conventional differential power attacks (DPAs) [12], correlation power attacks (CPAs) [13] or other types of cache attacks [1, 2, 3]. Considering AES for example, only 30 cache traces are required in TDCAs [9, 10] instead of hundreds (or thousands) of power traces in DPAs, CPAs [13], hundreds of cache traces in access driven cache attacks [1], and millions of cache traces in timing driven cache attacks [2, 3].

∗ Corresponding author. Email: zhaoxinjieem@163.com.
∗∗ Corresponding author. Email: fan.zhang@engineer.uconn.edu.
Preprint submitted to Computers & Security August 27, 2013
AES was targeted in many TDCAs [4, 5, 6, 7, 8, 9, 10, 11]. Throughout this paper, AES refers to AES-128 by default. Bertoni et al. [6] showed that the cache traces manifested in the power profiles can be used to reveal the secret key. The cache events in the first round of AES S-Box lookups¹ implemented with a table of 256 bytes were estimated from power simulations and analyzed in [6]. Further research in TDCAs on AES splits into two directions. One is about exploiting new and real leakages in TDCAs, where cache traces were collected from real power consumptions in [8, 9] and from EM in [10]. The other is improving the efficiency of TDCAs on different AES implementations. In attacks on AES with large lookup tables (e.g., 1K bytes), TDCAs can exploit cache events in the first round [11], the first two rounds [4] or the last round [5, 7]. For AES implemented with a compact table (256 bytes), TDCAs can exploit the cache events in the first round [6], or the first two rounds [8, 9, 10]. This paper is under the latter direction and tries to improve TDCA on AES.

In the aforementioned TDCAs on AES, the cache events utilized are limited to the first 20 table lookups in the first two rounds because of the avalanche effect. Since the traces are captured for entire encryptions, exploiting the cache events in the third and later rounds can improve the efficiency of TDCA. Combining TDCAs with algebraic techniques and conducting algebraic side-channel attacks (ASCA) [14, 15, 16, 17] is a very promising way to improve TDCA. Previous ASCA mainly focused on power based Hamming weight leakage model [14, 15, 17] or Hamming distance leakage model [16]. The original ASCA [14, 15] can only work when the deduction on the targeted states is single and correct. The error tolerant ASCA in [16, 17] can only work with limited deductions where the variance of the error is small and fixed. Previous ASCA cannot be directly and easily combined with TDCA because in practice, there are multiple deductions and the variance of the errors are large and uncertain.

¹ S-Box is usually implemented with a lookup table, and S-Box lookup is identical with table lookup throughout the paper.

In COSADE 2012, Zhao et al. proposed the multiple deductions-based ASCA (MDASCA) [18]. The work in [18] showed that, due to the inaccurate measurements or the interferences from other components in the cryptosystem, the deduction on the targeted intermediate state from SCA is not always correct. As a result, attacks have to deal with the fact that the correct value is among multiple candidates obtained during the process, which are also referred to as multiple deductions. How to represent and utilize these multiple deductions is critical to improving the error tolerance and exploiting new leakage models for ASCAs [14, 15, 16, 17]. They showed that MDASCA can utilize the leakages in the first three rounds of AES in TDCAs. Under the error-free attack scenario², the number of cache traces required to attack the AES implemented with a compact lookup table of 256 bytes can be reduced to only five. However, there remain some questions to be answered. For different AES implementations (e.g., AES implemented with 1KB, 2KB tables in OpenSSL cryptography library [19]), different attack scenarios (e.g., error-tolerant scenario [10], partial preloaded cache scenario [7, 9, 10]), different AES key lengths (e.g., AES-192/256), how many rounds of leakages can MDASCA exploit, how much can MDASCA improve TDCAs in terms of the data complexity, and what are the new scenarios where we can apply MDASCA in cache attacks?

This paper aims to answer these questions and gives a systemic and comprehensive study of the multiple deductions-based algebraic TDCAs (MDATDCAs). The rest of this paper is organized as follows. Section 2 describes the notations used throughout the paper. In Section 3, we formalize the key recovery problem in TDCA with an abstract model, which is independent of specific TDCA techniques [4, 5, 6, 7, 8, 9, 10, 11, 18]. Then we categorize previous TDCAs on AES into three types and study their limitations in Section 4. In Section 5, we describe the detailed procedure of MDATDCA and analyze the overhead. To evaluate the efficiency of MDATDCA on AES, we build a mathematical model in Section 6 to estimate the maximal number of leakage rounds that can be exploited and the minimal number of cache traces required in a successful MDATDCA. Unlike previous work that can only analyze the cache events in the first round, this paper can analyze any cache events. The attack setup is described in Section 7. The preliminary results under an error-free scenario are presented in Section 8 to verify the theoretical analysis results. The results with different error rates are shown in Section 9. MDATDCAs on AES with partially preloaded cache are described in Section 10. To demonstrate the power of MDATDCA, we extend the attack to AES-192/256 in Section 11. Finally, we conclude the paper in Section 12.

² In TDCA, error means that the deduction for the cache events (hit or miss) from side channel leakages is incorrect. The error-free attack scenario means that the adversary can deduce all the cache events correctly in one attack. Comparatively, the error-tolerant attack scenario means that there exist errors when deducing some cache events in an attack.

2. Notation

Throughout the paper, P denotes the public variable (plaintext or ciphertext) and K denotes the targeted secret variable (the master key or equivalent key). Variables $p_i$ and $k_i$ denote the i-th ($i \ge 0$) part in P and K, respectively. Each part contains l bits. Let $q_j$ denote the j-th table lookup in the execution of block ciphers, λ denote the number of table lookups considered in the attack, $0 \le j < \lambda$. H and M denote whether $q_j$ is a cache hit or miss respectively. $y_j$ denotes the index of the lookup $q_j$. $U_j$ and $V_j$ are the sets of $p_i$ and $k_i$ that represent $y_j$, where $U_j \subseteq P$, $V_j \subseteq K$. Let $f_j(\cdot)$ be the function that computes $y_j$ from $U_j$ and $V_j$, $y_j = f_j(U_j, V_j)$. Suppose each entry in the table has $2^e$ bytes and each cache line has $2^\delta$ bytes. Let $\langle y_j \rangle_b$ be the b most significant bits (MSBs) of $y_j$ leaked in $q_j$, $b = l - (\delta - e)$. Assume $q_t$ is the t-th targeted cache event in TDCA and $y_t$ denotes the related table lookup index. Suppose among the first $t-1$ lookups, there are n cache misses in n different table lookups $q_{M_1}, \ldots, q_{M_n}$, which form a set $O^t_M = \{M_1, \ldots, M_n\}$ ($n < t$). Let $S^t_M$ be the set of the b MSBs of the indexes $y_{M_1}, \ldots, y_{M_n}$, i.e., $S^t_M = \{\langle y_{M_1}\rangle_b, \langle y_{M_2}\rangle_b, \ldots, \langle y_{M_n}\rangle_b\}$.
3. The TDCA Problem

In this section, we propose an abstract model which can be used to generalize all TDCAs.

TDCA on a block cipher is illustrated in Fig.1, where λ lookups are considered. Observing power or EM traces, one can detect whether $q_j$ is a cache hit (H) or miss (M), $0 \le j < \lambda$. From Fig.1 we can see that a cache miss has a distinct amplitude peak compared with a cache hit (note also that the number of clock cycles is distinctly different). The goal of TDCA is to extract the value of all $k_i$ in K (the secret key) from the knowledge of the $p_i$s (known public variables) and $q_j$s (cache events).
[Figure 1: S-Box (Table) Look-up structure targeted in TDCA. The figure shows the chain of lookups $q_0, \ldots, q_t, \ldots, q_{\lambda-1}$, each computing its index $y_j = f_j(U_j, V_j)$, reading the S-Box table S to produce $S(y_j)$, and each observed from the trace as a miss (M) or a hit (H).]
Suppose the cache contains no data from the table before each encryption. As to the analysis of the cache event in $q_t$, suppose $q_j$ is the only cache miss before $q_t$. A cache hit of $q_t$ means both $y_t$ and $y_j$ access the same cache line. Eq.(1) holds if $q_t$ is a cache hit.

$$\langle y_t\rangle_b = \langle y_j\rangle_b = \langle f_t(U_t, V_t)\rangle_b = \langle f_j(U_j, V_j)\rangle_b \quad (1)$$

The key technique of TDCA is to use Eq.(1) to reduce the search space of $V_t \cup V_j$, which converges to K if t is large enough. Since both $U_t$ and $U_j$ are known, the adversary can check all the assignments to those $k_i$ in $V_t \cup V_j$ with Eq.(1). If Eq.(1) is satisfied, the assignment is a possible value for $k_i$. Otherwise, the assignment is an incorrect guess. Similarly, if $q_t$ is a cache miss, Eq.(2) can be used in the key search.

$$\langle y_t\rangle_b \ne \langle y_j\rangle_b, \quad \text{i.e.,}\quad \langle f_t(U_t, V_t)\rangle_b \ne \langle f_j(U_j, V_j)\rangle_b \quad (2)$$

From Section 2, there are n cache misses $q_{M_1}, \ldots, q_{M_n}$ among the first $t-1$ lookups. The set $O^t_M = \{M_1, \ldots, M_n\}$ ($n < t$) can be used to build n additional equations (or inequations). If $q_t$ is a hit, only one of $q_{M_1}, \ldots, q_{M_n}$ accesses the same cache line as $q_t$ (because if two of them were in the same cache line as $q_t$, one of them must be a hit). In this case, Eq.(3) holds

$$\exists j \in O^t_M : \langle f_t(U_t, V_t)\rangle_b = \langle f_j(U_j, V_j)\rangle_b, \qquad \forall j' \in O^t_M\ (j' \ne j) : \langle f_t(U_t, V_t)\rangle_b \ne \langle f_{j'}(U_{j'}, V_{j'})\rangle_b \quad (3)$$

If $q_t$ is a miss, Eq.(4) holds

$$\forall j \in O^t_M : \langle f_t(U_t, V_t)\rangle_b \ne \langle f_j(U_j, V_j)\rangle_b \quad (4)$$

Using the n equations (inequations) in (3) or (4), more assignments to key bits in $V_{M_1} \cup \cdots \cup V_{M_n} \cup V_t$ can be verified. The key recovery is converted into the problem of how to converge $V_{M_1} \cup \cdots \cup V_{M_n} \cup V_t$ to the master key K with cache events. In TDCA, the adversary can analyze different table lookups and traces until the search space of K is reduced to a level where a brute-force attack is feasible.

The above abstract model can help us to understand the TDCA problem and is generic to block ciphers using the S-Box (table) lookup structure [4, 5, 6, 7, 8, 9, 10, 11, 24, 25, 26, 27, 28]. Different attack techniques can be developed to solve this problem, such as the traditional TDCA technique [4, 5, 6, 7, 8, 9, 10, 11], the MDASCA technique [18] or others to be proposed in the future.
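To make the abstract model of Eqs.(1)-(4) concrete, and to show what the two-threshold deduction of Section 9.1 changes, here is a small added simulation. It is not the paper's code. It assumes the compact 256-byte S-Box table with 16-byte cache lines (so l = 8, e = 0, δ = 4 and b = 4), an empty cache before each encryption, first-round indexes $y_j = p_j \oplus k_j$, a constructed key and constructed plaintexts; treating an uncertain target event $q_t$ as constraint-free is our own assumption, not stated by the paper. The point for a defender is visible in the numbers: even with every cache event deduced correctly, one lookup reveals only the b-bit XOR of two key nibbles, a single hit on $q_1$ pins that value while each miss excludes one candidate, and an uncertain event (Section 9.1) simply drops an inequality, which is why attacks need more traces under errors and why table-free (bitsliced or constant-time) S-Box implementations remove this leakage entirely.

```python
"""Toy model of the TDCA abstraction (Eqs.(1)-(4)) with the error-tolerant
deduction rule of Section 9.1.  Added example, not the paper's code.

Constructed setting: AES first round, S-Box as a compact 256-byte table,
16-byte cache lines, empty cache before each encryption, so l = 8, e = 0,
delta = 4 and b = l - (delta - e) = 4 MSBs of each lookup index leak.
"""

L_BITS = 8                          # l: bits in a table index (256 entries)
E_BITS = 0                          # e: each entry occupies 2^0 = 1 byte
DELTA = 4                           # delta: a cache line holds 2^4 = 16 bytes
B_BITS = L_BITS - (DELTA - E_BITS)  # b = 4 bits (the cache-line number) per lookup

# Constructed 128-bit key; only k_0 = 0x2b and k_1 = 0x7e matter for the pair search.
KEY = [0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
       0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c]


def msb(y):
    """<y>_b: the b most significant bits of index y, i.e. the cache line it falls in."""
    return y >> (L_BITS - B_BITS)


def simulate_first_round(plaintext, key):
    """Error-free cache events ('H'/'M') of the 16 first-round lookups y_j = p_j XOR k_j."""
    cached, events = set(), []
    for p, k in zip(plaintext, key):
        line = msb(p ^ k)
        events.append('H' if line in cached else 'M')
        cached.add(line)
    return events


def events_from_peaks(peaks, v_m, v_h):
    """Section 9.1 two-threshold deduction: peak >= V_M -> miss, peak <= V_H -> hit, else 'U'."""
    return ['M' if a >= v_m else 'H' if a <= v_h else 'U' for a in peaks]


def consistent(plaintext, events, t, key_guess):
    """Does the guessed key (indexable by byte position) satisfy the constraint of lookup q_t?
    Error-free: Eq.(3) for a hit (exactly one earlier miss shares the line), Eq.(4) for a
    miss (no earlier miss shares it).  With uncertain events (Section 9.1) the possible set
    of a hit also contains the uncertain lookups, so one or more of them may match, while a
    miss only excludes the lines of definite misses.  An uncertain q_t is treated as
    constraint-free here (our assumption)."""
    line_t = msb(plaintext[t] ^ key_guess[t])
    misses = [j for j in range(t) if events[j] == 'M']
    uncertain = [j for j in range(t) if events[j] == 'U']

    def same(js):
        return sum(1 for j in js if msb(plaintext[j] ^ key_guess[j]) == line_t)

    if events[t] == 'H':
        return same(misses + uncertain) >= 1 if uncertain else same(misses) == 1
    if events[t] == 'M':
        return same(misses) == 0
    return True


def pair_search_space(traces):
    """Eq.(1)/(2) key search for (k_0, k_1): q_0 is the only lookup before q_1, so count the
    (k_0, k_1) byte pairs consistent with the q_1 event of every trace (65536 before any)."""
    return sum(1 for k0 in range(256) for k1 in range(256)
               if all(consistent(pt, ev, 1, {0: k0, 1: k1}) for pt, ev in traces))


def diff_candidates(traces):
    """The same search at b-bit granularity: candidates for d = <k_1>_b XOR <k_0>_b.
    A hit on q_1 fixes d to <p_0>_b XOR <p_1>_b; a miss after a definite miss excludes it."""
    cands = set(range(1 << B_BITS))
    for plaintext, events in traces:
        c = msb(plaintext[0]) ^ msb(plaintext[1])
        if events[1] == 'H' and events[0] in ('M', 'U'):
            cands &= {c}
        elif events[1] == 'M' and events[0] == 'M':
            cands.discard(c)
    return cands


# Constructed traces.  PT_A makes q_1 hit (p_1 = 0x50 puts y_1 in line 2, like y_0);
# PT_B makes q_1 miss.  TRACE_D/TRACE_E reuse them but mark q_0 as uncertain ('U'),
# as if its EM peak had fallen between the two thresholds.
PT_A = [0x00, 0x50] + [0x00] * 14
PT_B = [0x00] * 16
TRACE_A = (PT_A, simulate_first_round(PT_A, KEY))
TRACE_B = (PT_B, simulate_first_round(PT_B, KEY))
TRACE_D = (PT_B, ['U'] + simulate_first_round(PT_B, KEY)[1:])
TRACE_E = (PT_A, ['U'] + simulate_first_round(PT_A, KEY)[1:])

if __name__ == '__main__':
    print('events of trace A:', ''.join(TRACE_A[1]))
    for name, tr in (('A (hit)', [TRACE_A]), ('B (miss)', [TRACE_B]),
                     ('A+B', [TRACE_A, TRACE_B]), ('D (uncertain q_0, miss)', [TRACE_D]),
                     ('E (uncertain q_0, hit)', [TRACE_E])):
        print(f'{name}: {pair_search_space(tr)} of 65536 (k_0,k_1) pairs remain; '
              f'd candidates {sorted(diff_candidates(tr))}')
```

The pair count always equals (number of surviving d candidates) × 2^12, because $k_0$ and the low four bits of $k_1$ are never constrained by first-round events: that residual space is exactly the "b bits revealed from one table lookup" of Section 4.1, and the reason later rounds (the paper's MDATDCA contribution) are needed to finish a key recovery.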
4. Analysis of Previous Work

4.1. AES implementations

All the AES implementations can be categorized into three types based on (1) $g_t$, the number of the lookup tables; (2) $g_s$, the size of the lookup tables; (3) $g_l$, the number of lookups in one round that access the same table; (4) $g_c$, the size of the cache line, where $g_c = 2^\delta$. Note that the scope of this paper is about AES implementations that use one or more lookup tables for the sole S-Box, and not the lookup tables for the field multiplication in the MixColumns operation of AES [8].

Citations

TL;DR: The results show that the proposed version of AES is better in withstanding attacks and compared with the original AES based upon some parameters such as nonlinearity, resiliency, balancedness, propagation characteristics, and immunity.
Abstract: Advanced Encryption Standard (AES) is a standard algorithm for block ciphers for providing security services. A number of variations of this algorithm are available in network security domain. In spite of the strong security features, this algorithm has been recently broken down by the cryptanalysis processes. Therefore, it is required to improve the security strength of this algorithm as AES is popular in commercial use. In this paper, we have shown the reasons of the loopholes in AES and also have provided a solution by using our Symmetric Random Function Generator (SRFG). The use of randomness in the key generation process in block cipher is novel in this domain. We have also compared our results with the original AES based upon some parameters such as nonlinearity, resiliency, balancedness, propagation characteristics, and immunity. The results show that our proposed version of AES is better in withstanding attacks.

18 citations


Cites background from "A comprehensive study of multiple d..."

  • ...Multiple deductions-based algebraic trace driven cache attack on AES has been shown in [22]....



Journal ArticleDOI
Ping Zhou, Tao Wang, Guang Li, Fan Zhang1, Xinjie Zhao 
TL;DR: The complete rules for choosing the monitored instructions based on a necessary and sufficient condition are proposed, and how to select the optimal threshold based on the Bayesian binary signal detection principle is also proposed.
Abstract: The FLUSH+RELOAD attack was recently proposed as a new type of cache timing attack. There are three essential factors in this attack, which are the monitored instructions, the threshold and the waiting interval. However, the existing literature seldom exploits how and why they could affect the system. This paper aims to study the impacts of these three parameters, and the method of how to choose optimal values. The complete rules for choosing the monitored instructions based on a necessary and sufficient condition are proposed. How to select the optimal threshold based on the Bayesian binary signal detection principle is also proposed. Meanwhile, the time sequence model of monitoring is constructed and the calculation of the optimal waiting interval is specified. Extensive experiments are conducted on RSA implemented with the binary square-and-multiply algorithm. The results show that the average success rate of full RSA key recovery is 89.67%.

6 citations


Proceedings ArticleDOI
01 Oct 2018
TL;DR: This paper provides support and background knowledge for new researchers in the area of side channel attacks in different environments, and discusses the strength of prevention methods as well as their drawbacks.
Abstract: Cloud Computing (CC) is famous due to shared resources technology. Cloud computing shares resources among distrusting customers and provides on-demand, cost-effective, elastic services. Due to the rapid growth of the cloud computing environment, vulnerabilities and their prevention methods are potentially increasing. We have seen that conventional prevention methods for Side Channel (SC) attacks are not suitable for the avoidance of cross-VM cache-based SC attacks. In 2016, shared technology issues was one of the top threats considered by the Cloud Security Alliance (CSA), which was published in February 2016 in The Treacherous 12 [1]. This has been among the top threats listed by CSA for the last 5 years. In this paper we discuss multiple methods for performing side channel attacks and prevention methods. We also discuss the strength of prevention methods as well as their drawbacks, so that this paper will generate more research scope and new effective ideas for the prevention of side channel attacks; this paper provides support and background knowledge for new researchers in the area of side channel attacks in different environments.

4 citations


Cites methods from "A comprehensive study of multiple d..."

  • ...Paper Title Crypto System Algorithm used Severity In [21] Asymmetric AES HIGH (Use two metrics: "expected number of traces" and "average number of operations") In [23] Asymmetric RSA HIGH In [24] Asymmetric AES HIGH (proposed the numerous deductions-based algebraic side-channel attack to cope with the error in leakage capacity and to exploit new leakage models)...





References

Book ChapterDOI
15 Aug 1999
Abstract: Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.

6,498 citations


Book ChapterDOI
11 Aug 2004
TL;DR: A classical model is used for the power consumption of cryptographic devices based on the Hamming distance of the data handled with regard to an unknown but constant reference state, which allows an optimal attack to be derived called Correlation Power Analysis.
Abstract: A classical model is used for the power consumption of cryptographic devices. It is based on the Hamming distance of the data handled with regard to an unknown but constant reference state. Once validated experimentally it allows an optimal attack to be derived called Correlation Power Analysis. It also explains the defects of former approaches such as Differential Power Analysis.

2,074 citations


"A comprehensive study of multiple d..." refers background in this paper

  • ...Considering AES for example, only 30 cache traces are required in TDCAs (Gallais et al., 2011; Gallais and Kizhvatov, 2011) instead of hundreds (or thousands) of power traces in DPAs, CPAs (Brier et al., 2004), hundreds of cache traces in access driven cache attacks (Osvik et al., 2006), and millions of cache traces in timing driven cache attacks (Bernstein, 2004; Bonneau and Mironov, 2006)....


  • ...The number of traces required in TDCAs is much less than in the conventional differential power attacks (DPAs) (Kocher et al., 1999), correlation power attacks (CPAs) (Brier et al., 2004) or other types of cache attacks (Osvik et al., 2006; Bernstein, 2004; Bonneau and Mironov, 2006)....


  • ...Considering AES for example, only 30 cache traces are required in TDCAs [9, 10] instead of hundreds (or thousands) of power traces in DPAs, CPAs [13], hundreds of cache traces in access driven cache attacks [1], and millions of cache traces in timing driven cache attacks [2, 3]....


  • ...The number of traces required in TDCAs is much less than in the conventional differential power attacks (DPAs) [12], correlation power attacks (CPAs) [13] or other types of cache attacks [1, 2, 3]....



Book ChapterDOI
13 Feb 2006
Abstract: We describe several software side-channel attacks based on inter-process leakage through the state of the CPU’s memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization. Some of our methods require only the ability to trigger services that perform encryption or MAC using the unknown key, such as encrypted disk partitions or secure network links. Moreover, we demonstrate an extremely strong type of attack, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache. We discuss in detail several such attacks on AES, and experimentally demonstrate their applicability to real systems, such as OpenSSL and Linux’s dm-crypt encrypted partitions (in the latter case, the full key can be recovered after just 800 writes to the partition, taking 65 milliseconds). Finally, we describe several countermeasures for mitigating such attacks.

991 citations


Book ChapterDOI
29 Jun 2009
TL;DR: A new approach to solving cryptographic problems by adapting both the problem description and the solver synchronously instead of tweaking just one of them is presented, which was able to solve a well-researched stream cipher 26 times faster than was previously possible.
Abstract: Cryptography ensures the confidentiality and authenticity of information but often relies on unproven assumptions. SAT solvers are a powerful tool to test the hardness of certain problems and have successfully been used to test hardness assumptions. This paper extends a SAT solver to efficiently work on cryptographic problems. The paper further illustrates how SAT solvers process cryptographic functions using automatically generated visualizations, introduces techniques for simplifying the solving process by modifying cipher representations, and demonstrates the feasibility of the approach by solving three stream ciphers. To optimize a SAT solver for cryptographic problems, we extended the solver's input language to support the XOR operation that is common in cryptography. To better understand the inner workings of the adapted solver and to identify bottlenecks, we visualize its execution. Finally, to improve the solving time significantly, we remove these bottlenecks by altering the function representation and by pre-parsing the resulting system of equations. The main contribution of this paper is a new approach to solving cryptographic problems by adapting both the problem description and the solver synchronously instead of tweaking just one of them. Using these techniques, we were able to solve a well-researched stream cipher 26 times faster than was previously possible.

392 citations


"A comprehensive study of multiple d..." refers background or methods in this paper

  • ...Solve the equation system: Many automatic tools can be used, such as Gröbner basis-based [21], or SAT-based solver [22]....


  • ...Many automatic tools can be used, such as Gröbner basis-based (Faugère, 2007), or SAT-based solver (Soos et al., 2009)....


  • ...We use a SAT-based solver, CryptoMiniSat 2.9.0 (Soos et al., 2009), on an AMD Athlon 64 Dual core 3600+ processor clocked at 2.0 GHz....


  • ..., the SAT solver CryptoMiniSAT [22], to recover the key....


  • ...Finally, the secret key is recovered by solving the whole equation system (Faugère, 2007; Soos et al., 2009)....



Frequently Asked Questions (2)
Q1. What are the contributions in "A comprehensive study of multiple deductions-based algebraic trace driven cache attacks on AES"?

This paper performs a comprehensive study of MDASCA-based TDCAs (MDATDCA) on most of the AES implementations that are widely used. How to utilize the cache events with MDATDCA is presented and the overhead is also calculated. To evaluate MDATDCA on AES, this paper constructs a mathematical model to estimate the maximal number of leakage rounds that can be utilized and the minimal number of cache traces required for a successful MDATDCA. For the first time, the authors show that TDCAs on AES-192 and AES-256 become possible with the MDATDCA technique.

The study of the trade-off between the data and time complexity in the online and offline phases of MDATDCA, how to further quantify the contribution of the key bits leaked by cache events to the recovery of the master key of AES, how to evaluate MDATDCA on AES in the error-tolerant and pre-loaded cache attack scenarios, and how to develop new attack techniques to solve the TDCA problem might also be interesting problems in the future. The authors hope this paper can bring the understanding of both ASCA and TDCA to a new level, and help to evaluate the physical security of block cipher implementations.