AES Side Channel Attacks Biru Cui Sam Skalicky

Outline AES algorithm Side channel attacks Side channel attack against AES Cache-collision timing attack against AES Countermeasures

AES Algorithm Key Expansion Initial Round Rounds Add Round Key – bitwise xor Rounds Sub Bytes - Sbox Shift Rows – rows shifted cyclically Mix Columns – mixing operation on the columns AddRoundKey Final Round (no Mix Columns) Sub Bytes Shift Rows Add Round Key

Rijndel Starting Data

Rijndel AES Steps

Rijndel Sub Bytes

Rijndel Shift Rows

Rijndel Mix Columns

Rijndel Add Round Key

AES Algorithm AES Lookup Table Optimizations Transposed State by Bertoni Speedup in decryption CAM based by Li Combined Sbox& inv Sbox into single table FPGA implementations Pre-computed GF ops in LUTs

Attacks on AES Brute force Related Key Side Channel

Side Channel Attacks Attacks through some implementation deficiency Timing of computations Power Analysis Fault Injection Electromagnetic Radiation Acoustic Cryptanalysis Cache

Cache-collision timing attack against AES Hit Miss Time

Process Operation Cache observation CFS - Scheduler Victim Process Spy Process scenario underlying such attacks is a follows: Consider two concurrently running processes (a spy process S and a security sensitive victim process V ) using the same cache. After letting V run for some small amount of time and potentially letting it change the state of the cache, S observes the timings of its own memory accesses, which depend on the state of the cache. These measurements allow S to infer information about the memory locations previously accessed by V . Cache

AES Cache Side Channel Attack Key recovery after observing ~100 encryptions Implementation in Linux against OpenSSL 0.9.8n Program does not require special privileges on the host machine Linux kernel task scheduler compromised Observe every memory access (CFG) Completely Fair Scheduler

AES Cache Attack Features No heuristic info about plain/cyphertexts Works against compressed tables 2 phase operation: Observation ~100 encryptions ~2-3 seconds Analysis ~3 minutes

Process Operation Cache observation CFS - Scheduler Victim Process Spy Process scenario underlying such attacks is a follows: Consider two concurrently running processes (a spy process S and a security sensitive victim process V ) using the same cache. After letting V run for some small amount of time and potentially letting it change the state of the cache, S observes the timings of its own memory accesses, which depend on the state of the cache. These measurements allow S to infer information about the memory locations previously accessed by V . Cache

Cache-collision timing attack against AES AES: operations on each byte

Cache-collision timing attack against AES System information Pentium III 1.0 GHz L1 cache 32K (split data/instr.) L2 cache 256K “T” lookup table size 256x256=64k Implication If the table is fully loaded in the cache, then there is no cache miss. This is important for why we can do first round and final round attack.

Cache-collision timing attack against AES AES: the computation of every round

Actual Results, Pentium III What are you going to say about this slide?

Cache-collision timing attack against AES Table Key xor Plaintext … [6]

Cache-collision timing attack against AES Table Key xor Plaintext … If a plaintext byte is known, as well as a first-round table lookup, a key byte is learned [6]

Cache-collision timing attack against AES First Round Attack Spy process flush the cache The lookup table is not in the cache. In other words, the cache collision is only due to same lookup table access index.

Cache-collision timing attack against AES First Round Attack

Cache-collision timing attack against AES First Round Attack If cache hits ( access time less than average access time) Counts the average encryption time for all and pair. If there is a low average time occurs for a pair and , there is high probability that .

Cache-collision timing attack against AES Final Round Attack The final round lookup table is different from previous lookup table , so there is no in the cache. And if there is a collision, it’s due to same lookup table index.

Cache-collision timing attack against AES Final Round Attack No MixColumns operations

Cache-collision timing attack against AES Final Round Attack

Cache-collision timing attack against AES Final Round Attack If cache hits ( access time less than average access time) Counts the average encryption time for all and pair. If there is a low average time occurs for a pair and , there is high probability that .

Cache-collision timing attack against AES Result Attack Encryptions needed Sample type Bernstein Plaintext/timing Tesunoo First/Final round attack

Countermeasures AES can be performed without using lookup tables Give OS ability to partition cache between processes Put AES table into ROM, add special instructions Separate AES hardware on chip (new Intel CPUs)

References [1] Rijndel flash movie: http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf [2] G. Bertoni, et al.,"Efficient Software Implementation of AES on 32-Bit Platforms” [3] H. Li, "A New CAM Based S/S−1-Box Look-up Table in AES” [4] M. McLoone et al. "Rijndael FPGA Implementations Utilising Look-Up Tables” [5] D. Gullasch et al. "Cache Games – Bringing Access-Based Cache Attacks on AES to Practice“ [6] J. Bonneau et al. “Cache-Collision Timing Attacks Against AES” [7] Dag Arne Osvik et al. “Cache Attacks and Countermeasures: the Case of AES”

Backup slides

Original Mix Columns Equations

Revised Mix Columns Equations here the operator * denotes a set of 4 ordinary multiplications in the field GF(28), per- formed in parallel on the 4 bytes of each 32-bits word. The generator polynomial used for representing the field GF(28) is the standard one of AES.

FPGA LUT Implementation