Cache Timing Attack on AES Sarani Bhattacharya Chester
Cache Timing Attack on AES Sarani Bhattacharya, Chester Rebeiro, and Debdeep Mukhopadhyay Dept. of Computer Science and Engineering Indian Institute of Technology, Kharagpur, India sarani. bhattacharya, chester, debdeep@cse. iitkgp. ernet. in 5 February 2014 SAG, DRDO
Proposed Work �Milestone 1 ◦ Cache Attacks on AES block cipher �Milestone 2 ◦ Differential Cache attacks on Clefia �Milestone 3 ◦ Analysis of micro-architectural components in the processor.
Cryptographic Communication plaintext Ka Kb Encrypt Decrypt ciphertext A generic use of crypto plaintext
Cryptographic Threat Model Message E Ka Communication Channel D Message Kb leaked Information Alice Bob Side Channels in the real world Mallory Through which a cryptographic module leaks information to its environment unintentionally Assumptions • Only Alice Knows Ka • Only Bob Knows Kb • Mallory has access to E, D and the Communication Channel but does not know the decryption key Kb
Side Channel Sources Threat Model & Security Goal Traditionally we have handled only Cryptographic Algorithms Protocols Software Human User Hardware E/D It is impossible to design a totally secure system with humans in it Key dependent Variations computation time K Real World System • Power consumption • EM Radiations • Test Methodologies • Behavior under faults Deployment & Usage
![What is Cache? Slow! Fast! Figure from [1]](http://slidetodoc.com/presentation_image_h2/fc6c313631e6e880275c0dcb5413cadf/image-6.jpg "What is Cache? Slow! Fast! Figure from [1]")
What is Cache? Slow! Fast! Figure from [1]
Cache Memory Leaks Information Microprocessor Cache Memory Main Memory �If there is a Cache Hit ◦ Access time is less ◦ Power Consumption is less If there is a Cache Miss ◦ Access time is more ◦ Power Consumption is more
Cache Attacks : The Principle P 0 K 0 XOR Sbox P 1 K 1 XOR Sbox Power and Time for the second access depends on the previous sbox access. ◦ If cache hit : Since we know P 0 and P 1, we can determine …but we need to differentiate between a cache hit and miss.
Classes of Cache Attacks Three ways to identify cache behavior �Cache Timing Attacks �Cache Access Attacks �Cache Trace Attacks
Cache Access Attacks : Osvik’s Attack �Uses a spy program to determine cache behavior Cache Memory Part of the cache memory occupied by tables Cache Miss Microprocessor Cache Hit AES Spy Memory
Cache Trace Attacks �The Power Profile of the system gives away cache behavior. Without Cache Miss With Cache Miss
Causes of Cache Timing Attacks Number of Cache Misses (For Large Tables) : The number of cache misses that occur during the entire encryption. 2. Micro-architecture effects (For Small Tables) : The number of cache misses that occur in each round. This is affected by the micro-architectural features in the cache. 1.
Cache Memories �Low cost solution to bridge the performance gap between processor and memory �It has been in use since 1960 s and is present in all computing platforms �More than 100 x performance gains with cache memory 14
Cache. Leaks Cache Memories Leak Information Cache Hits Cache Misses � � � Oscilloscope Waveforms Power Consumptions of 4 accesses to the S-Box But the correspondence is not so obvious for the complete cipher.
Cache Attacks : The Principle P 0 K 0 XOR Sbox P 1 K 1 XOR Sbox Power and Time for the second access depends on the previous sbox access. ◦ If cache hit : Since we know P 0 and P 1, we can determine K 0 xor K 1 Reduce the key space from 22 n to 2 n+δ 16
Differential Cache Attacks On a Cache hit Reduces the key space from 22 n to 2 n+δ In order to reduce the key space further, we take another plaintext, resulting in a hit. The corresponding cache hit equation is: 17
Differential Cache Attacks (contd. ) Combining these equations we have the following differential equation: The uncertainty of the key now depends on the differential property of the S-Box. Thus, if favg is the number of keys on an average that would satisfy the above equation, then the key space is reduced to: N=2δ favg 18
A Differential Cache Attack on CLEFIA is a block cipher used by Sony for Digital Rights Management Authorized Library of CLEFIA (with secret key) Application Software
Differential Cache Attack on CLEFIA F 1 F 0 128 bit block cipher from Sony. � Generalized Feistel Structure � Number of rounds : 18 � Whitening Keys added at the beginning and end. � Attacking Clefia requires finding any set of 4 round keys. � ◦ RK 0, RK 1, RK 2, RK 3 20
Observations in CLEFIA F 1 F 0 � Matrices M 0 and M 1 in the F functions does not attain complete diffusion (is not diffusion optimal). � If 5 MSBs of the output of each S-Box are known, then 3 bits of F 0 and 2 bits of F 1 are computable. � For a differential pair, the CLEFIA S-Boxes cause 60% in S 0 and 50% in S 1 input output differentials to be invalid. � For a valid input output differential, on an average 1. 28 actual values are possible for S 0, while it is 1. 007 for S 1. 21
Differential Cache Attack CLEFIA �The naïve cache trace attack on CLEFIA requires 240 encryptions �Using Differential Trace Attack, CLEFIA can be broken in less than 214 encryptions �This may not be the optimal attack, but it brings us closer. 22
Attack Steps �First determine RK 0 and RK 1 �Then determine (RK 0+WK 0) and (RK 1+WK 1) �Use this information to determine RK 4 and RK 5 �Finally, the key expansion algorithm to compute 57 bits of RK 2|RK 3.
Feistel Ciphers with SP round function Diffusion layer Key addition Substitution layer Is being considered as a good structure for ciphers • Adopted in CLEFIA, CAMELLIA, SMS 4, E 2 •
Complete Differential Attack on CLEFIA
Determining RK 0 and RK 1 Choose plaintexts P and Q to obtain cache hits in the first and second rounds. � This would give the difference equations � � The complexity of finding these relations is 27.
Determining WK 0+RK 2 and WK 1+RK 3 �Choose plaintexts P and Q to get cache hits in the third round. �This would give the relations �The complexity of finding these relations is 211
Experimental Setup �Test Platform: ◦ Xilinx XC 2 VP 30 FPGA on the SASEBO side channel attack evaluation board. ◦ 300 MHz Power. PC-405 core ◦ 16 k. B two way set associative data cache. ◦ 32 k. B of the FPGAs block RAM configured as the processor memory. ◦ CLEFIA’s reference code from SONY was run on Power. PC (http: //www. sony. net/clefia) 21/12/2010 Registration Seminar 28
Power Profiles for two first round access patterns Power Consumption (m. V) 20 MMHHHHHM MMHHHHHH 15 10 5 0 -5 -10 -15 -20 5 10 15 20 25 Time ( microseconds) 30 35 40 � The difference is not so obvious as for the single SBox seen earlier. � However correlation analysis seems to pick up the small difference. 21/12/2010 Registration Seminar 29
Classification of Hit Miss Patterns �This helps us to classify the Hit Miss patterns based on their power consumption: ◦ for example the first round has 64 Hit Miss patterns. ◦ We were able to create 64 different power profiles, corresponding to each Hit Miss pattern ◦ This classification helps to identify an unknown Hit Miss pattern from an observed power profile
Correlation Analysis with no. of measurements Correlation Value 1. 001 1 0. 999 0. 998 0. 997 0. 996 1 2 4 8 16 32 64 Number of Measurements 128 256 �The power profiles for the same Hit Miss patterns show a strong correlation: ◦ It increases from 0. 997 to 1 with the number of measurements (as shown above) ◦ For two different patterns it is around 0. 8 21/12/2010 Registration Seminar 31
Differential Cache Attack with Timing as Side-Channel
Differential Trace Attack On a Cache hit � Reduces then+δ key space from to 2 � In order to reduce the key space further, we change x 0 by a small displacement dx 0 � This small displacement gets converted to a random change due to the s-boxes in the F function. � We then restore cache hits by changing y 22 n
Differential Trace Attack contd. � � � So we now have the input difference (dx 0 ) and the output difference of the F function (dy = y – y’) From the input difference dx 0 we can determine all possible output differences of the s-box : (d 0, 0, 0 …. . , 0). Apply the transformation : (d 0, 0, 0 …. . , 0). M to get (dz 0, dz 1, …, dzn). For the correct differential ‹dz 0 = dy 0›, ‹dz 1 = dy 1› …. We thus can obtain the input and output differential for the s-box to get key candidates. dy 0 dy 1 dy 2 dx 0 S 1 d 0 dz 0 0 S 2 0 dz 1 0 S 3 0 M dz 2
Obtaining the key from here dx dy We know dx and the corresponding dy
Differential Cache Attacks (Step 1 : the collision setup) Keep x constant and vary y until all s-box accesses in the second round are cache hits The following equation holds
Differential Cache Attacks (Step 2 : the disturbance) Change x 0 to (x 0 ^ dx 0) where dx 0 is a small displacement Some of the cache hits in the second round get lost
Differential Cache Attacks (Step 3 : the restoration) Change y again to restore cache hits in the second round (All bytes of y may need to be changed in order to restore cache hits) We can obtain the differences in y : dy 0, dy 1, dy 2, dy 3
Assuming Collision is Set, We Can find the Keys
�To determine the values of these intermediate rounds we need to distinguish a desirable and an undesirable Cache Hit. �We proposed two Methods to distinguish, that Elimination method and Probabilistic Method. �Elimination is deterministic but cannot be used always.
Current Countermeasures are Adhoc! Software � Hardware �Cache Adding Noise ◦ Random Skews ◦ Dummy operations ◦ Permutation � Controlling Cache Misses ◦ Cache Warming ◦ Small Tables ◦ Without sboxes � Constant Time ◦ Compensation loop Intel AES-NI Memory ◦ Remove Cache Memory ◦ Non deterministic access ordering ◦ Randomized cache policies ◦ Increase cache line size ◦ Dynamic Partitioning cache �Processor ◦ Enforce fixed time/instruction ◦ Disable cache sharing ◦ New instructions to lock table into cache �Dedicated crypto-processor
References Daniel J. Bernstein , “Cache-timing attacks on AES”, Department of Mathematics, Statistics, and Computer Science, The University of Illinois at Chicago. � C. Rebeiro, D. Mukhopadhyay, J. Takahashi and T. Fukunaga, ''Cache Timing Attacks on CLEFIA'', INDOCRYPT 2009 � Chester Rebeiro, Mainack Mandal, Debdeep Mukhopadhyay, “Pinpointing Cache Timing Attacks on AES“ , VLSID 2010. � C. Rebeiro and D. Mukhopadhyay, ''Cryptanalysis of CLEFIA using Differential Methods with Cache Trace Patterns'', CTRSA 2011 � C. Rebeiro, R. Poddar, A. Datta, and D. Mukhopadhyay, ''An Enhanced Differential Cache Attack on CLEFIA for Large Cache Lines'', INDOCRYPT 2011 �
Thank you.
- Slides: 47