# A comprehensive study of multiple deductions-based algebraic trace driven cache attacks on AES

TL;DR: A mathematical model is constructed to estimate the maximal number of leakage rounds that can be utilized and the minimal number of cache traces required for a successful MDATDCA on AES and attests that combining TDCAs with algebraic techniques is a very efficient way to improve cache attacks.

Abstract: Existing trace driven cache attacks (TDCAs) can only analyze the cache events in the first two rounds or the last round of AES, which limits the efficiency of the attacks. Recently, Zhao et al. proposed the multiple deductions-based algebraic side-channel attack (MDASCA) to cope with the errors in leakage measurements and to exploit new leakage models. Their preliminary results showed that MDASCA can improve TDCAs and attack the AES implemented with a compact lookup table of 256 bytes. This paper performs a comprehensive study of MDASCA-based TDCAs (MDATDCA) on most of the AES implementations that are widely used. First, the key recovery in TDCA is depicted by an abstract model regardless of the specific attack techniques. Then, the previous work of TDCAs on AES is classified into three types and its limitations are analyzed. How to utilize the cache events with MDATDCA is presented and the overhead is also calculated. To evaluate MDATDCA on AES, this paper constructs a mathematical model to estimate the maximal number of leakage rounds that can be utilized and the minimal number of cache traces required for a successful MDATDCA. Extensive experiments are conducted under different implementations, attack scenarios and key lengths of AES. The experimental results are consistent with the theoretical analysis. Many improvements are achieved. For the first time, we show that TDCAs on AES-192 and AES-256 become possible with the MDATDCA technique. Our work attests that combining TDCAs with algebraic techniques is a very efficient way to improve cache attacks.

## Summary

### 1. Introduction

- Cache attacks are a class of side-channel attacks (SCAs) that extract the secret from the behavior of the cache in processors.
- Under the error-free attack scenario, the number of cache traces required to attack the AES implemented with a compact lookup table of 256 bytes can be reduced to only five.
- Section 2 describes the notations used throughout the paper.

### 2. Notation

- Throughout the paper, P denotes the public variable (plaintext or ciphertext) and K denotes the targeted secret variable (the master key or equivalent key).
- Suppose each entry in the table has 2^e bytes and each cache line has 2^δ bytes.
- Assume q_t is the t-th targeted cache event in TDCA and y_t denotes the related table lookup index.

### 3. The TDCA Problem

- The goal of TDCA is to extract the value of every k_i in K (the secret key) from the knowledge of the p_i (known public variables) and the q_j (cache events).
- Suppose the cache contains no data from the table before each encryption.
- Otherwise, the assignment is an incorrect guess.
- In TDCA, the adversary can analyze different table lookups and traces until the search space of K is reduced to a level where a brute-force attack is feasible.

### 4.1. AES implementations

- All the AES implementations can be categorized into three types based on (1) g_t, the number of the lookup tables; (2) g_s, the size of the lookup tables; (3) g_l, the number of lookups in one round that access the same table; (4) g_c, the size of the cache line, where g_c = 2^δ.
- Note that the scope of this paper is about AES implementations that use one or more lookup tables for the sole S-Box, and not the lookup tables for the field multiplication in the MixColumns operation of AES [8].
- Recall b is the number of bits revealed from one table lookup.

### 4.2. TDCA on AES of Type A

- To further reduce the key search space and the number of plaintexts (or power traces) required, attacks in [8, 9, 10] also utilized some cache events in the second round.
- In [8], equations are generated only from the cache hits as shown in Eq.(3).
- To improve the attack, the work in [8] also considered the case where the first two lookups in the second round (q16 and q17) are cache hits.
- The result in [8] is that 1280 chosen plaintexts are required to reduce the key search space to 2^24.

### 4.3. TDCA on AES of Type B

- Acıiçmez [4] presented the first TDCA on AES for such implementation, in which four lookup tables are used for each round and each is accessed four times.
- More key bits can be derived via the analysis of the second round.
- Acıiçmez [4] also pointed out that TDCA on the third or the deeper rounds was an open problem.

### 4.4. TDCA on AES of Type C

- The work in [5, 7] showed that under Type C implementations, TDCA on the final round of AES is much more effective than in the first round.
- While in the last round, f_t(·) becomes a complicated nonlinear function.

### 4.5. Limitation of previous TDCAs

- Moreover, all current TDCA works are for AES-128.
- As to AES with longer key lengths (e.g., AES-192 and AES-256), the key expansion algorithms become more complicated and the first 20 lookups only leak partial bits of the master key.
- The manual representation of table indexes is awkward.
- Combining algebraic techniques with TDCA seems to be interesting and promising.

### 5. MDASCA-based Trace Driven Cache Attacks (MDATDCAs)

- In TDCA, the key issue is to obtain the cache events related to table lookups and to represent the possible (and/or impossible) candidates of lookup indexes with equations.
- The work in [18] proposes a generic method to convert the multiple deductions into algebraic equations and applies it to TDCA.
- Finally, the secret key is recovered by solving the whole equation system [21, 22].
- More details about MDASCA can be found in [18].
- Next, the authors will describe the core of MDATDCA, which is to represent cache hit and miss events with algebraic equations.
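The TDCA model of Section 3 and the hit/miss representation of Section 5, as an added example that is not the paper's code. It assumes a Type A implementation (one 256-byte S-box table, 16-byte cache lines, so b = 4) and a constructed key; key recovery uses only the miss events (a hit is a disjunction over earlier lines and is what the paper hands to a solver), and the recovered-bit count shows why the first round alone caps at 60 of the 128 key bits.

```python
"""Added example (not the paper's code): the TDCA model of Section 3 for a
Type A AES implementation. Assumed: one 256-byte S-box table and 16-byte
cache lines, so lookup index y_t = p_t ^ k_t reveals its high b = 4 bits."""
import random

B = 4  # b: bits of the lookup index revealed by the cache line it touches

def line(y):
    """Cache line of index y, i.e. its high b bits (<y_t>_b in the paper)."""
    return y >> (8 - B)

def first_round_events(key, pt):
    """Simulate the 16 first-round lookups on an empty cache. Returns the
    events ('M'/'H') and the Section 5 deduction per lookup: a miss makes
    the earlier lines impossible for <y_t>_b, a hit makes them possible."""
    filled, events, deductions = set(), [], []  # filled is D of Section 6.1
    for t in range(16):
        ln = line(key[t] ^ pt[t])
        hit = ln in filled
        events.append("H" if hit else "M")
        deductions.append(("possible" if hit else "impossible", set(filled)))
        filled.add(ln)  # a miss fills one more line; no change on a hit
    return events, deductions

def analyse(traces):
    """Recovery from plaintexts and miss events only (a hit is a disjunction
    over earlier lines, left to a solver). A miss at t means <y_t>_b !=
    <y_j>_b for all j < t, i.e. <k_t ^ k_j>_b != <p_t ^ p_j>_b, which rules
    out one candidate for that key-byte pair. Returns the determined pairs."""
    cand = {(j, t): set(range(1 << B)) for t in range(16) for j in range(t)}
    for pt, events in traces:
        for t in range(16):
            if events[t] == "M":
                for j in range(t):
                    cand[(j, t)].discard(line(pt[t] ^ pt[j]))
    return {p: next(iter(c)) for p, c in cand.items() if len(c) == 1}

def recovered_bits(known):
    """Each determined pair links two key bytes; every byte linked to another
    contributes b bits, so the first round yields at most 4 * 15 = 60 bits."""
    parent = list(range(16))  # union-find over the 16 key bytes
    def root(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for j, t in known:
        parent[root(j)] = root(t)
    return B * (16 - len({root(i) for i in range(16)}))

def demo(n_traces, seed=1):
    """Constructed key and random plaintexts; returns (key, known, bits)."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    traces = []
    for _ in range(n_traces):
        pt = bytes(rng.randrange(256) for _ in range(16))
        traces.append((pt, first_round_events(key, pt)[0]))
    known = analyse(traces)
    return key, known, recovered_bits(known)
```

With enough traces every pair is determined and `recovered_bits` returns 60, leaving 2^68 candidates; the remaining bits are exactly what the second-round (and, with MDATDCA, deeper-round) events must supply.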

### 5.2. Representing a cache miss

- Eji is also introduced as in Section 5.1.
- They can be easily fed into a solver, e.g., the SAT solver CryptoMiniSAT [22], to recover the key.

### 6. Evaluation of MDATDCAs on AES

- For simplicity, this section only estimates the number of rounds that can be exploited, and the number of cache traces required in MDATDCAs on AES-128 under the error-free attack scenario, where the cache does not contain any AES data prior to each encryption.
- Extending these estimations to AES-192/256 is straightforward.

### 6.1. The Number of rounds that can be exploited

- For convenience, D is used to denote the set of cache lines that will be filled up with data from lookup tables.
- As long as D is not filled up, there may exist some cache misses (before qt) that can be used for key recovery.
- For Type C, all the 16 lookups in the last round can be used for key recovery.

### 6.2. The Number of cache traces required

- The work in [18] presents a preliminary study of estimating the minimal number of cache traces required in TDCA.
- The authors introduce four metrics and adopt the information-theoretic approach to optimize the estimations on the minimal number of cache traces required for a successful MDATDCA.
- Note that there are some intersections among the K_t for different table lookups in practice, thus σ_i satisfies σ_i ≤ ∑_{z=16i}^{16i+15} π_z (Eq. 12).
- (4) τ_i: the maximal number of key bits recovered in the i-th round. Let τ_0, τ_1, and τ_9 denote the maximal number of key bits recovered in the first, second and last round.
- As τ_0 bits are recovered in the first round, the authors only need to recover the remaining 128 − τ_0 bits in the second round.

### 7. Experiment Setup

- The overall process of MDATDCA has been described in Section 5.
- Due to the page limit, here the authors only list a few important details about the setup.
- Each case will be repeated many times and referred to as instances.

### 7.1. Build the AES equation set

- How to represent the S-Box is the most difficult part in algebraic analysis.
- The authors adopt the technique in [23] to derive every S-Box output bit with high-degree equations (degree 7) from the eight S-Box input bits.

### 7.2. Profile the cache traces

- This paper mainly focuses on the analysis part of MDATDCAs.
- This can be achieved by modifying the AES source code in OpenSSL and generating the sequences of cache events under different configurations.
- To prove the feasibility of MDATDCA, in Section 9 the authors conduct concrete MDATDCA experiments against AES implemented with a 256-byte compact table on a 32-bit ARM microprocessor, the NXP LPC2124.
- In practice, the cache hits and misses are not always distinguishable from the EM traces, which are treated as uncertain cache events or errors.

### 7.3. Utilize the cache traces

- The authors build additional equations from the generated cache events.
- In order to verify these multiple solutions, the authors append a set of new equations which describes a full AES encryption with a pair of known plaintext and ciphertext.
- Some instances cannot be solved within a day.
- To accelerate the solving process, the authors give the guesses for n_k key bits first and run the exhaustive search over all 2^{n_k} guesses.
- If the guess is correct, the solver can output the correct key within a reasonable amount of time.

### 7.4. Solve the equation system

- Many automatic tools can be used, such as Gröbner basis-based [21], or SAT-based solver [22].
- In Section 8, 9, and 10, three case studies are performed in MDATDCA on AES-128 considering different attack scenarios.

### 8. Case 1: Error-free MDATDCAs on AES

- The authors conduct MDATDCA on AES under two assumptions.
- The first is that the cache does not contain any AES data prior to each encryption.
- The second is that the adversary can distinguish the cache miss event from the cache hit event precisely.

### 8.1. Data and time complexity

- For each case, the authors run 100 instances where the correct values of the n_k key bits are fed into the equation set first.
- Fig. 6(a)-6(i) show the distribution of the different solving times (in seconds) for the nine cases by analyzing N cache traces.
- Similar observations are also reported in [14, 15].
- The time required in attacking AES for Type A and Type C is less than Type B.
- If the adversary has more computation power, the attack may require fewer cache traces.

### 8.2. Overhead for the equation system

- The original AES with r rounds can be represented with a set of equations.
- Suppose the number of equations and variables to represent this set are N_e^r and N_v^r respectively.
- For the lookup q_t, the overhead introduced can be calculated as in Sections 5.1 and 5.2.
- The ratios M_e^r / N_e^r and M_v^r / N_v^r are denoted as EQ_r and VA_r respectively.

### 8.3. Comparisons with previous work

- The comparisons of MDATDCAs with previous work are listed in Table 3.
- The first three columns describe the AES implementations.
- The next three columns list the attacks, and the number of traces and rounds that are required.
- The last column lists the reduced key search space.
- The authors can see that MDATDCAs have better performance than all previous work in terms of both data and time complexity.

### 9. Case 2: Error-tolerant MDATDCAs on AES

- Similar to [10], the authors implemented unprotected AES software implementations on a 32-bit ARM microprocessor NXP LPC2124 and profiled the cache collisions via EM probe.
- The authors reset the cache to clear the AES data prior to each encryption.
- The acquisition was performed with Langer RF-B 3-2 probe, Langer PA303N 30 dB preamplifier and Tektronix DPO 4104 oscilloscope.
- For some table lookups, it is hard to tell whether they are cache miss or hit because the peak is not high enough.
- Next, the authors describe the error-tolerant strategy and present the experimental results on AES.

### 9.1. Error tolerance strategy

- In the attack, the authors set two thresholds of the amplitude peak value to deduce the cache events, the upper bound threshold V_M and the lower bound threshold V_H.
- The authors adopt the following strategy to analyze each cache event.
- Case 1: q_t is a hit. Then D, the possible deduction set of d(〈y_t〉_b), is composed of the index set related to both previous cache miss events and uncertain cache events.
- Thus, the set size sp is much larger than the one in error-free MDATDCA.
- Note that as some uncertain cache events might be cache hit in reality, there might exist two or more deductions which are both equal to d.

- Case 2: q_t is a miss.
- Then the impossible deduction set of d(〈y_t〉_b) is only composed of the index set related to previous cache miss events.
- Note that as some cache miss events in practice may be considered as uncertain cache events, the set size sn is much smaller than the one in error-free MDATDCA.

### 9.2. Experimental results and comparisons

- The extensions to other cases are straightforward.
- In practice, the error rate is about 40%.
- Only 12 cache traces are required to break AES.
- The authors can see that their error-tolerant MDATDCA can analyze the cache events of the first three rounds and requires fewer cache traces than [10].

### 10. Case 3: MDATDCAs on AES with Preloaded Cache

- The MDATDCAs in Section 8 and 9 are all conducted assuming the cache is cleaned before the attack.
- In practice, the cache might be partially filled with some lines of the lookup table; this is known as TDCA in the partially preloaded cache scenario and has been widely studied in previous work [7, 9, 10].
- This section presents the cache analysis strategy and experimental results of MDATDCAs on AES with partially preloaded cache.

### 10.1. Cache analysis strategy

- Under this scenario, since some data of AES lookup table are already filled in the cache, more cache hit events can be observed for a single cache trace in practice.
- Then, the cache hits that occur may correspond to preloaded lines, and no valuable information can be provided to the attack.
- The authors utilized the cache miss events in their MDATDCA on AES.

### 10.2. Experimental results and comparisons

- The comparisons of their results with previous work are depicted in Table 5.
- The authors can see that, under the partially preloaded cache scenario, fewer cache traces are required to break AES by MDATDCA than in [10].
- Even when ten of sixteen cache lines are preloaded into cache before the AES encryption, MDATDCA can still succeed within 120 cache traces, which is better than eight preloaded cache lines reported in [10].

### 11.1. Different difficulties in TDCAs on AES-128/192/256

- All previous TDCA work targets AES-128 and can at most analyze 16 lookups in the first round and first 4 lookups in the second round.
- Let P denote the plaintext, K_0, K_1, K_2 the round keys of the first three rounds, and X_1, X_2 the outputs of the first two rounds (f(·) is the round function).
- The key leakages in TDCA on AES-128 are depicted in Fig.9.
- Such preponderance does not exist when attacking AES-192 and AES-256, in which the key expansion algorithm is much more complicated and the second round key has little (e.g., AES-192) or no relation (e.g., AES-256) with the first round key.
- Next, the authors show why and how MDATDCA can be used to attack AES-192 and AES-256.

### 11.2. MDATDCA on AES-192

- In total 144 key bits can be retrieved, which reduces the search space of the master key to 2^48.
- The authors can see that, in order to recover the full 192 bits of the master key, three rounds of cache leakages have to be analyzed, which can be done with MDATDCA.
- The authors show that 10 cache traces can recover the AES key successfully within minutes on average under the known-plaintext, error-free scenario for the full attack.

### 11.3. MDATDCA on AES-256

- In total 144 key bits can be retrieved, which reduces the search space of the master key to 2^112.
- According to the key schedule of AES-256, the master key is just the concatenation of K0 and K1.
- To break AES-256, analyzing at least the cache events of the first 3 rounds has to be considered and MDATDCA works well for this.
- The authors show that 15 cache traces can recover the AES key within 30 minutes on average under known plaintext and error-free scenario for the full attack.


##### Frequently Asked Questions (2)

###### Q2. What are the future works in "A comprehensive study of multiple deductions-based algebraic trace driven cache attacks on aes" ?

The study of the trade-off between the data and time complexity in the online and offline phases of MDATDCA, how to further evaluate MDATDCA quantitatively in terms of the contributions of the key bits leaked by cache events to the recovery of the master key of AES, how to evaluate MDATDCA on AES in the error-tolerant and preloaded-cache attack scenarios, and how to develop new attack techniques to solve the TDCA problem might also be interesting problems in the future. The authors hope this paper can bring the understanding of both ASCA and TDCA to a new level, and help to evaluate the physical security of block cipher implementations.