Analysis of countermeasures against access driven cache attacks on AES


Johannes Blömer and Volker Krummel
Faculty of Computer Science, Electrical Engineering and Mathematics, University of Paderborn, Germany

Abstract. Cache attacks on implementations of cryptographic algorithms have turned out to be very powerful. Progress in processor design, e.g. hyperthreading, requires adapting the models for tampering and side-channel attacks to cover cache attacks as well. Hence, in this paper we present a rather general model for cache attacks. Our model is stronger than recently used ones. We introduce the notions of information leakage and so called resistance to analyze the security of several implementations of AES. Furthermore, we analyze how to use random permutations to protect against cache attacks. By providing a successful attack on an AES implementation protected by random permutations we show that random permutations used in a straightforward manner are not enough to protect against cache attacks. Hence, to improve upon the security provided by random permutations, we describe the property a permutation must have in order to prevent the leakage of some key bits through cache attacks. Using a permutation having this property forces an adversary to consider several rounds of the cipher. This increases the complexity of any cache attack considerably. We also describe how to implement our countermeasure efficiently. The method to do so is of independent interest, since it alone can also be used to protect against cache attacks. Moreover, combining both countermeasures allows for a trade-off between security and efficiency.

Keywords: cache attacks, AES, threat model, countermeasures, random permutations

1 Introduction

Since Kocher published his work about timing attacks [12] in 1996 it is well known that observing the temporal behavior of an encryption algorithm may reveal information about the secret key. During the selection process of AES, Koeune and Quisquater [13] showed that a careless implementation of Rijndael is susceptible to timing attacks.
They used the fact that the time for the MixColumns operation depends on the values of the intermediate results. At that time table lookups were regarded as constant time operations and hence were not considered to be susceptible to timing attacks. However, due to the hierarchical organization of memory into fast cache and slow main memory, the assumption that table lookups take constant time required revision. In 2002 Page [19] presented a theoretical attack on DES that exploited timing information to deduce information about cache hits and misses, which in turn reveal information about the secret key being used. In the sequel we call attacks that exploit information about the cache behavior cache based attacks or CBAs. Tsunoo et al. [23] published a practical cache based attack against DES¹. Further publications of Page [20], Percival [21], Bernstein [4], Osvik et al. [18] and Brickell et al. [8] disclosed the full power of cache based attacks. See [7, 5, 14, 17, 1, 2] for further improvements of cache based attacks. In particular, the fast AES implementation of Barreto [3] is susceptible to cache attacks. Note that Barreto's implementation is used in virtually all crypto libraries. It is susceptible to cache based attacks since it depends heavily on the usage of 5 large sboxes, each of size 1024 bytes. As was pointed out by Bernstein in [4], the threat model that is often implicitly used for cache attacks may not be strong enough. In particular, it is often assumed that the adversary A can only extract information from the cache before and after the encryption. This assumption is wrong from the theoretical point of view due to the process switching of the operating system. Moreover, it has also been practically disproved in [16]. Hence, several of the countermeasures proposed in the literature so far may not be effective. In this paper we present a stronger model to analyze cache attacks. We take into account powerful adversaries A that are able to obtain cache information even during the encryption.
Within this model we show that using random permutations to mitigate the leakage of information as proposed in [8] is not an effective countermeasure. On one hand, we present a CBA that shows that random permutations do not increase the complexity of CBAs as much as one might expect. On the other hand, the same attack shows that a random permutation does not prevent the leakage of the complete secret key. We also consider a modified countermeasure based on random permutations. This countermeasure is quite general even though we present it in detail only for AES. Although we use permutations, we do not use arbitrary permutations. Instead we only use permutations that hedge a certain number of bits of the last round key in AES. By this we mean that using our countermeasure a cache attack on the last round of AES, say, will only reveal about half the bits of the last round key. As one can see, this is the least amount of leaking information that can be provably protected by permutations. To determine the remaining bits, an attacker has to combine the cache attack with another attack, for example a cache attack on the next to last round. We give a mathematically precise description and analysis of the property of permutations that we need for our countermeasure. This analysis also sheds some light on the difference between the cache attack by Osvik et al. on the first two rounds of AES [18] and the attack of Brickell et al. on the tenth round of AES [8]. Furthermore, we analyze the security of several implementations of AES against cache attacks. One of these implementations is provably secure within our model. Suppose you want to compute a function like the AES sbox S : {0,1}^8 → {0,1}^8 via table look-ups. Cache attacks become a threat if the complete table for S does not fit into a single so called cache line. In this case, we simply break the function S into four functions S_1,...,S_4 : {0,1}^8 → {0,1}^2, say, such that S(x) = (S_1(x),...,S_4(x)). If the smaller tables for the functions S_i fit into a single cache line, cache attacks are impossible. Of course, this countermeasure can be used with almost all tables by choosing suitable parameters for the size of the range of the S_i. In particular, this idea can also be used to protect the applications of permutations that are realized as table lookups. How to apply permutations securely has not been considered before. The paper is organized as follows.

* This work was partially supported by grants from Intel Corporation, Portland.
¹ See [8] for a more detailed description of the evolution of cache based side channel attacks.
In Section 2 we provide the technical background. After that we introduce our threat model in Section 3. In Section 4 we give our formal outline of a cache attack. We show that our formal cache attack is quite general, i.e., it covers the cache attacks on the first round of [18] and on the last round of [8]. In Section 5 we introduce our main security measures, information leakage and resistance. We use our security measures to analyze the security of several different implementations of AES in Section 6. In Section 7, we first consider random permutations as a countermeasure and describe a cache attack on this countermeasure. Then we present and discuss an improved countermeasure using so called distinguished permutations. We finish with some extensions and remarks about future research.

2 Notation and technical preliminaries

In this section we give a short description of the technical background of cache based attacks, i.e., the memory management of modern computers. The memory of a computer should have two properties: it should be big and fast. However, with current technologies these are contradictory properties. To achieve fast data management, commonly used computers have a hierarchy of different types of memory with different sizes and different access times. They are separated into the main memory and different levels of cache memories (level 1 cache, level 2 cache etc.). The difference between these kinds of memory is their size and their speed. Generally speaking, smaller memory is faster. For a thorough treatment of computer architecture we refer to [10]. For this paper we simplify the situation by assuming that we have a slow main memory and only a single cache memory. Cache memory is a fast but small memory that is placed between the processor and the main memory. It constitutes a trade-off between speed and size. On one hand, it is much larger than the processor registers but much smaller than the main memory. On the other hand, it is much faster than main memory but slower than processor registers.
Every memory transfer from main memory to the processor is redirected through the cache. Every time data is loaded from main memory it is checked whether the data is already in the cache. If so, the data is loaded directly from the cache into the processor, avoiding access to the slow main memory. We call this a cache hit. If the data is not in the cache it is first loaded from the main memory into the cache and then transferred into the processor. We call this a cache miss. Hence, if a process wants to access the same data more than once within a short period of time, after the first access the data can be quickly reloaded from the cache. In order to keep the administration of the cache simple, it is organized in so called cache lines of fixed size CL bits, e.g., 512 bits. The main memory is partitioned into pieces of CL bits. A simple function maps each of these pieces to a certain cache line. Every time a single byte of the main memory is accessed, the piece of main memory containing this byte is transferred to the cache. That means that data is always mapped to the same cache line². Since the cache is much smaller than the main memory, data will be pushed out of the cache from time to time.

In this paper we focus on exploiting the behavior of the cache mechanism for attacking cryptographic algorithms such as AES that use sboxes for encryption. In fast implementations, applications of the sboxes are realized via table lookups. However, one of the main security problems³ of using table lookups for cryptographic purposes on common processors is that the processor's cache is much faster than the main memory. Therefore, an encryption of a plaintext that uses cached data more often should be faster than an encryption of a plaintext that requires more accesses to the main memory. Hence, time measurements may reveal cache contents which in turn may leak information about the secret key. The situation with modern processors is even worse since the cache is shared between different processes. Although a process cannot read cached data of another process, it is able to push that data out of the cache. In [18] the authors give a detailed description of how these properties of modern processors can be exploited to attack fast implementations of AES with the help of cache timings (see also below).

In this paper we deal with two different implementations of AES. The first one is the standard implementation as described in FIPS 197 [15] and [9], which only uses the so called standard sbox S having 256 entries each of size 8 bit. The other implementation is the fast implementation [9,3] that uses 5 larger sboxes: T_0,...,T_3 in rounds 1,...,9 and T_4 in round 10 of the encryption. Each T_i maps an element of {0,1}^8 to an element of {0,1}^32 and hence has size 2^13 bits. See [3] for a detailed description.

3 Threat Model

We consider computers with a single processor, fast but small cache memory and large but slow main memory. Every time a process wants to read a word from the main memory, a portion of data of the size of a cache line is transferred to the cache.
An AES encryption or decryption process (AES process) is running on that computer; it takes as input a plaintext (or ciphertext) and computes the corresponding AES ciphertext (or plaintext) with a fixed secret key k. To define our threat model we make several assumptions. We explain and justify each assumption with regard to our focus on cache based attacks. We start with a general assumption of cryptanalysis since it allows us to simplify the descriptions and analysis of attacks.

Assumption 1
1. A knows all technical details about the underlying cryptographic algorithm and its implementation.
2. A can feed the AES process with chosen plaintexts (or ciphertexts) and gets the corresponding ciphertexts (or plaintexts).

In particular, since we focus on information leakage due to table lookups, we assume that A knows the position of the sboxes in memory and the possible cache lines they can be mapped to. Since variations of implementations are rather limited, the security of the implementation should not rely on keeping implementational aspects secret. This is the natural extension of Kerckhoffs' principle to implementation attacks. In order to give simple descriptions of the attacks, we model the interaction of A with the AES process such that A can use chosen plaintexts and chosen ciphertexts. However, every attack and countermeasure presented in this paper also works if we restrict A to known plaintexts.

Assumption 2 A gets the indices of the cache lines that were accessed during the encryption (decryption) (cache information).

Since A has access to the computer we assume that he can measure the timings of encryptions (decryptions) with reasonable precision. He can use this information to determine the accessed cache lines in a similar way as described in [11]. To build a strong model we simplify the determination of accessed cache lines in the following way. We assume that A simply gets the correct partition of the set M of all cache lines into the set D_0 of cache lines that were accessed and the set D_1 of cache lines that were not accessed during the encryption.
We call this partition cache information. The plaintext/ciphertext pair together with the cache information is called a measurement.

Assumption 3 A can restrict the cache information to certain rounds of the encryption.

This restriction is justified by the property of modern multitasking operating systems to change the active process after a constant amount of running time⁴. Hence, it is possible that the encryption process is interrupted by the attacker's process, allowing A to access the cache during an encryption (decryption). In [4] Bernstein already warned that this property may be exploitable, and the authors of [8] managed to exploit it to determine arbitrary cache information on a real PC with reasonable precision.

Assumption 4 A cannot distinguish between the elements of a single cache line.

This assumption is justified because up to now it is not clear whether it is technically possible to distinguish the access times of elements within the same cache line. None of our attacks requires this somewhat difficult and unlikely ability of the adversary A. Obviously, the ability to distinguish elements within the same cache line would allow more powerful cache attacks than the attacks published so far. Distinguishing elements that reside in the same cache line implies that the adversary gets the value of an intermediate result. To counteract such powerful attacks effectively requires expensive randomization techniques like the one proposed in [6]. All efficient countermeasures that were designed to counteract cache attacks so far rely essentially on this assumption. Likewise, the countermeasures presented in this paper are effective only under this assumption.

² Modern processors are able to map data to a fixed number of different cache lines. This property is called associativity.
³ See Bernstein [4] for a thorough treatment of the technical problems.

4 Access driven CBAs on AES

Under the assumptions of our threat model we can give the formal outline of a cache based attack. An attacker A who uses cache information to derive information about the secret key performs the following two steps:

1. A gets $n \in \mathbb{N}$ measurements $m^{(1)},\ldots,m^{(n)}$ of encryptions of plaintexts $p^{(1)},\ldots,p^{(n)}$ with the secret key k.
2. For each measurement $m^{(j)}$ the attacker A computes a set of possible values of an intermediate result $x_i^{(j)}$ of the encryption that only depends on the plaintext (or ciphertext), the i-th byte $k_i$ of the key k, and the obtained cache information.
Depending on this set of values A computes a set $\hat K_i^{(j)}$ of candidates for $k_i$. Finally, A combines the information of all measurements $m^{(1)},\ldots,m^{(n)}$ by computing
$$\hat K_i := \bigcap_{j=1}^{n} \hat K_i^{(j)}.$$

Fig. 1. Formal outline of an access driven CBA

To illustrate the general structure of cache attacks let us briefly recall the CBAs on AES based on the first round of [18] and on the last round of [8]. For simplicity we assume that a cache line has size CL = 512 bits. Hence, each sbox $T_0,\ldots,T_4$ fits into 16 cache lines.

4.1 CBA on the first round of AES

We describe the CBA of [18] based on intermediate results of the first round. To be more precise, A focuses on the first application of an sbox in the first round. Since the involved sbox depends on the index i of the key byte, we consider the lookup $T_{(i \bmod 4)}[p_i \oplus k_i]$ into the sbox $T_{(i \bmod 4)}$ and denote its index by $x_i = p_i \oplus k_i$. To simplify notation we simply write $T[x_i]$. For $0 \le l \le 15$ the sbox is mapped into the cache lines $CL_l$ as follows: $CL_l = \{T[x] \mid x = 16l,\ldots,16l+15\}$. To derive information about the i-th byte $k_i$ of the secret key an attacker performs the following operations according to the general structure shown in Figure 1:

1. A chooses $n \in \mathbb{N}$ plaintexts $p^{(1)},\ldots,p^{(n)}$ that are fixed in byte $p_i^{(j)}$ and vary in the other bytes.
2. A obtains measurements $m^{(j)} = (D_0^{(j)}, D_1^{(j)}, p^{(j)})$ for $1 \le j \le n$.
3. A concludes that $x_i^{(j)} \in X^{(j)} = \bigcup_{l \in D_0^{(j)}} \{16l,\ldots,16l+15\}$.
4. A computes the sets $K^{(j)} = \{p_i^{(j)} \oplus x^{(j)} \mid x^{(j)} \in X^{(j)}\}$ for all $1 \le j \le n$.
5. A computes the set of candidates for $k_i$: $K = \bigcap_{j=1}^{n} K^{(j)}$.

⁴ For further details see [22].

In [18] the authors show that in this way A is able to compute the 4 most significant bits of every key byte. They also show that one can combine this attack with an attack on the second round to compute the complete key even if the cache information is taken over all 10 rounds.

4.2 CBA on the last round of AES

Next, we describe the CBA on the fast implementation of AES mentioned in [8] that is based on intermediate results of the last round of the encryption. Basing the attack on the last round has advantages over the attack on the first rounds of [18]. First, cache information of the last round is sufficient to determine all bits of the secret key. So A does not need to attack different rounds. Another advantage occurs if the encryption process uses the fast implementation of AES [3]. Here the sbox $T_4$ of the last round is special and is only used in that round. This helps the attacker because the cache information is never perturbed by cache accesses of other rounds. We show how an attacker can use cache information to determine bytes of the last round key $k^{10}$. Knowing all key bytes of the last round key allows one to revert the key schedule and compute the cipher key k. We denote the l-th cache line used for the table look-ups for $T_4$ by $CL_l$, $l = 0,\ldots,15$. Hence, $CL_l$ contains the tuples $\{T_4[x] \mid x = 16l,\ldots,16l+15\}$. The structure of this CBA fits into the general structure shown in Figure 1. To derive information about the i-th byte $k_i^{10}$ of the last round key an attacker performs the following operations:

1. A chooses $n \in \mathbb{N}$ plaintexts $p^{(1)},\ldots,p^{(n)}$ uniformly at random.
2. A obtains the ciphertexts and the measurements $m^{(j)} = (D_0^{(j)}, D_1^{(j)}, c^{(j)})$ for $1 \le j \le n$.
3. A concludes that $x_i^{(j)} \in X^{(j)} = \bigcup_{l \in D_0^{(j)}} \{16l,\ldots,16l+15\}$.
4. A computes the sets $K^{(j)} = \{c_i^{(j)} \oplus S[x^{(j)}] \mid x^{(j)} \in X^{(j)}\}$ for all $1 \le j \le n$.
5. A computes the set of candidates for $k_i^{10}$: $K = \bigcap_{j=1}^{n} K^{(j)}$.

If K contains a single byte, the adversary has determined $k_i^{10}$. Now it is not hard to see that the intersection of sets in step (5) eventually will contain only a single element iff for every $\delta \in \{0,1\}^8 \setminus \{0\}$ the following property holds (with a ranging over the sbox outputs $S[x]$ stored in $CL_j$):
$$\exists\, j \in \{0,\ldots,15\}\ \exists\, a \in CL_j :\ a \oplus \delta \notin CL_j. \qquad (1)$$
We verified that the cache lines $CL_j$ as defined above actually have this property. We will consider this property more closely when we consider countermeasures based on permutations in Section 7. Moreover, experiments show that on average approximately 15 pairs $(p^{(j)}, c^{(j)})$ together with the cache information $D_0^{(j)}$ suffice to determine the key byte $k_i^{10}$ uniquely.
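The last round attack of Section 4.2 and the check of property (1), as an added Python simulation that is not code from the paper. It builds the AES sbox from its definition, models the T_4 lookups of the last round as 16 accesses into a table of 16 cache lines (CL = 512 bits, 16 entries per line), and lets the simulated adversary see only the ciphertext and the set D_0 of accessed lines. The function names, the fixed seeds and the 2000-measurement cap are this example's own assumptions; the ShiftRows position permutation is ignored, i.e. ciphertext byte i is paired with the sbox input that produces it.

```python
import random

# --- AES sbox from its definition: inverse in GF(2^8), then the affine map ---
def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _gf_inv(a):
    """Multiplicative inverse a^254 in GF(2^8); INV(0) = 0 by convention."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r if a else 0

def _affine(b):
    """SubBytes affine map: b xor rotl(b,1) xor ... xor rotl(b,4) xor 0x63."""
    r = b ^ 0x63
    for i in range(1, 5):
        r ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return r

SBOX = [_affine(_gf_inv(x)) for x in range(256)]

# Cache model of Section 4: 512-bit lines, 32-bit T_4 entries -> 16 entries per line.
ENTRIES_PER_LINE = 16
NUM_LINES = 16

def line_of(index):
    return index // ENTRIES_PER_LINE

def has_property_1():
    """Property (1): for every delta != 0 some line CL_j holds an sbox output a
    such that a xor delta is not an output stored in the same line."""
    lines = [{SBOX[x] for x in range(16 * j, 16 * j + 16)} for j in range(NUM_LINES)]
    return all(any((a ^ d) not in L for L in lines for a in L) for d in range(1, 256))

def last_round_attack(k10, rng, max_measurements=2000):
    """Steps 1-5 of Section 4.2, run for all 16 key bytes on the same measurements.
    k10 is the victim's secret; the attacker part only touches c and d0."""
    cands = [set(range(256)) for _ in range(16)]
    for n in range(1, max_measurements + 1):
        # Victim: random plaintext gives a uniformly random round-9 output state.
        x = [rng.randrange(256) for _ in range(16)]
        c = [SBOX[x[i]] ^ k10[i] for i in range(16)]   # ciphertext (visible)
        d0 = {line_of(xi) for xi in x}                  # cache information (visible)
        # Attacker: steps 3-5.
        X = {v for l in d0 for v in range(16 * l, 16 * l + 16)}
        for i in range(16):
            cands[i] &= {c[i] ^ SBOX[v] for v in X}
        if all(len(s) == 1 for s in cands):
            return [next(iter(s)) for s in cands], n
    return None, max_measurements

def demo(seed=7):
    """Returns (true last round key, recovered key, measurements used)."""
    rng = random.Random(seed)
    k10 = [rng.randrange(256) for _ in range(16)]
    recovered, n = last_round_attack(k10, rng)
    return k10, recovered, n
```

demo() recovers all 16 bytes of k^10 from a few dozen measurements; a single byte typically needs about the 15 measurements reported above, and all 16 together need the maximum over the bytes. has_property_1() is the check the paper reports for the cache lines of T_4.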

5 Information leakage and resistance

CBAs are very powerful attacks. Although they seem to be unrealistic and hypothetical at first sight, they have proven to be a real threat for implementations of cryptographic algorithms on computers with cache. Hence, a strong threat model is essential for a thorough security analysis. The threat model described above is stronger than the threat models published so far. The adversary is more powerful because A can restrict the cache information to a smaller interval of encryption operations. This reduces the number of accessed cache lines per measurement and increases the efficiency of cache based attacks. The main questions when analysing the security against CBAs are information leakage and the complexity of a CBA. After giving a formal definition of information leakage we introduce the notion of the so called resistance of an implementation as a measure that allows us to estimate the complexity of a CBA.

Information leakage. The most important aspect of an implementation regarding the security against access driven CBAs is the maximal amount of information that leaks via access driven CBAs. As we will see, the amount of leaking information about the secret key varies depending on the details of the CBA and the implementation of the cryptographic algorithm. We make the following definition:

Definition 1 (information leakage). We consider an adversary who can mount a CBA using an arbitrary number of measurements as described in Assumption 2. Let K be the set of remaining key candidates for a key byte $k_i^{10}$ at the end of the attack. Then the leaking information is $8 - \log_2(|K|)$ bits.

The amount of leaking information allows us to estimate the uncertainty about the secret key that remains for an attacker after a successful access driven CBA. To quantify the maximal amount of information A can obtain about the secret key by access driven CBAs, we define CL to be the size of a cache line in bits, |S| the number of entries of the sbox and s the size of a single sbox element in bits.
Hence, the number of elements that fit into a cache line is CL/s and the cache information of a single measurement leaks at most
$$\log_2(|S|) - \log_2\left(\frac{CL}{s}\right) = \log_2\left(\frac{|S| \cdot s}{CL}\right)$$
bits. Depending on the exact nature of an attack, the sets of measurements let the attacker reduce the number of remaining key candidates after the attack. The information leakage varies between 0 and 8 bits of information per byte. For example, the attack on the first round of [18] mounted on the fast implementation can determine at most 4 bits of every key byte regardless of the number of measurements. In contrast, the attack of [8] based on the last round allows an adversary to determine all key bits. Furthermore, in Section 6 we present an implementation that does not leak any information in our model.

Complexity of a CBA. The information leakage as defined above measures the maximal amount of information a CBA can provide using an arbitrary number of measurements. Determining the expected number of measurements an attacker needs to obtain the complete leaking information depends on the details of the implementation and on details of the CBA. For simplification we introduce the notion of so called resistance. The resistance focuses on the general structure of a CBA as shown in Figure 1 and does not consider details of specific CBAs. It is a general measure to estimate the complexity of CBAs on different implementations.

Definition 2 (Resistance). The resistance of an implementation is the expected number $E_r$ of key candidates that are proven to be wrong during a single measurement that is based on r rounds of the encryption.

The larger $E_r$, the more susceptible is the implementation to access driven CBAs. In particular, if an implementation does not leak any information then an adversary cannot rule out key candidates and hence the resistance is 0. To compute $E_r$ we assume that all sbox lookups are independently and uniformly distributed. This assumption is justified because an attacker A usually does not have any information about the distribution of the sbox lookups.
Hence, the best he can do in an attack is to choose the parts of the plaintexts/ciphertexts that are not relevant for the attack uniformly at random. Let m be the number of cache lines needed to store the complete sbox. Each cache line can store v elements of an sbox. Furthermore, let w be the number of sbox lookups per round and let r be the number of rounds the attack focuses on. In an access driven CBA a key candidate is proven to be incorrect if it causes an access to a cache line that was not accessed during a measurement. Assuming that all sbox lookups are uniformly distributed, the probability that a given cache line is not accessed in any of the $r \cdot w$ sbox lookups is
$$p_{miss} := \left(\frac{m-1}{m}\right)^{r w}.$$
Hence,
$$E_r := \left(\frac{m-1}{m}\right)^{r w} \cdot m \cdot v \qquad (2)$$
is the expected number of key candidates that can be sorted out after a single measurement. However, the maximal amount of information an arbitrary number of measurements can reveal is limited by the information leakage. Further measurements will not reveal further information. We verified by experiments that the number of measurements needed to achieve the full information leakage only depends on $E_r$.

In the sequel, we focus on methods to counteract CBAs. In general, there are two approaches to counteract such a side channel. The first approach is to use some kind of randomization to ensure that the leaking information does not reveal information about the secret key. Randomization is a general strategy that protects against several kinds of side channel attacks, see for example [6]. In Section 7 we analyze a more efficient method based on random permutations. Before that, we consider the second approach, which is to reduce the bandwidth of the side channel. We present several implementations of AES and examine their information leakage and their resistance.

6 Countermeasure 1: Modify implementation

As Bernstein pointed out in [4], to thwart cache attacks it is not sufficient to load all sbox entries into the cache before accessing the sbox in order to compute an intermediate result, because A can get cache information at all times. Hence, loading the complete sbox into the cache does not suffice to hide all cache information. Therefore, he advises to avoid the usage of table lookups in cryptographic algorithms. Computing the AES SubBytes operation according to its definition $f : \{0,1\}^8 \to \{0,1\}^8,\ x \mapsto a \cdot \mathrm{INV}(x) \oplus b$ would cause virtually no cache accesses and hence seems to be secure against CBAs. However, implementing SubBytes like this would result in a very inefficient implementation on a PC. To achieve a high level of efficiency people prefer to use precomputed tables. In the sequel, we analyze the security of some well known and some novel variations of implementations of AES.
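Formula (2) together with a Monte Carlo check of it, as an added Python example that is not code from the paper. resistance() is formula (2); simulated_resistance() draws r·w uniform lookups and counts the candidates ruled out by the lines that were not touched, which is what a single measurement eliminates in the attack of Figure 1. The parameter sets are this example's reading of Sections 2 and 6 for CL = 512 bits and 16 lookups per round (standard sbox: m = 4, v = 64; a T_i table: m = 16, v = 16, with 4 of the 16 lookups of a round going to any one of T_0,...,T_3; small-4: m = 1); the function names are the example's own.

```python
import random

def resistance(m, v, w, r):
    """Formula (2): expected number of key candidates ruled out by one
    measurement that covers r rounds of w lookups into a table occupying
    m cache lines of v entries each. For m = 1 nothing can be ruled out."""
    return ((m - 1) / m) ** (r * w) * m * v

def simulated_resistance(m, v, w, r, trials=20000, seed=1):
    """Monte Carlo estimate of E_r: draw r*w uniform lookups and credit v
    eliminated candidates for every line that was not touched."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        touched = {rng.randrange(m) for _ in range(r * w)}
        total += (m - len(touched)) * v
    return total / trials

# Constructed parameter sets (CL = 512 bits, 16 sbox lookups per round).
IMPLEMENTATIONS = {
    "standard (S: 256 x 8 bit, 4 lines)":      dict(m=4,  v=64,  w=16),
    "fast, one of T_0..T_3 (4 lookups/round)": dict(m=16, v=16,  w=4),
    "fast, T_4 (last round only, r = 1)":      dict(m=16, v=16,  w=16),
    "fastv2 (T_0 in every round)":             dict(m=16, v=16,  w=16),
    "small-4 (each S_i in one line)":          dict(m=1,  v=256, w=16),
}

def resistance_table(rounds=(1, 2, 3)):
    """E_r per implementation for each number of rounds the attack covers."""
    return {name: [resistance(p["m"], p["v"], p["w"], r) for r in rounds]
            for name, p in IMPLEMENTATIONS.items()}
```

For the T_4 attack of Section 4.2 the formula gives E_1 = 256·(15/16)^16 ≈ 91 candidates per measurement, which is why about 15 measurements suffice there; for the standard sbox over 3 rounds, E_3 = 256·(3/4)^48 is far below one candidate per measurement, which is the "small probability p_miss" that makes experiments on more rounds impractical.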
First, we explain the different implementations and after that examine their information leakage and their resistance as defined in (2) against CBAs:

- standard: the standard implementation as described in [9].
- fast: the fast implementation of Barreto as described in [3,9].
- fastv1 is based on the fast implementation. The only difference is that the sbox $T_4$ of round 10 is replaced by the standard sbox, as proposed in [8].
- fastv2 is also based on the fast implementation but uses only sbox $T_0$. The description of the fast implementation of AES shows that the i-th entry of the sboxes $T_1,\ldots,T_3$ is equal to the i-th entry of the sbox $T_0$ cyclically shifted by 1, 2 and 3 bytes to the right respectively (see [9,3]). Hence, we propose to use only sbox $T_0$ in the encryption and shift the result as needed to compute the correct AES encryption. E.g., to compute the sbox lookup $T_1[i]$ using the sbox $T_0$ we simply cyclically shift the value $T_0[i]$ by 1 byte to the right.
- small-n: A simple but effective countermeasure to counteract cache attacks is to split the sbox S into n smaller sboxes $S_0,\ldots,S_{n-1}$ such that every small sbox $S_i$ fits completely into a single cache line⁵. An application $S_i[x]$ of sbox $S_i$ yields $d_i$ bits of the desired result $S[x]$. Hence, the correct result can be calculated by computing all bits separately and shifting them into the correct position. We construct the small sboxes $S_i$ for $0 \le i \le n-1$ as the mappings
$$S_i : \{0,1\}^8 \to \{0,1\}^{d_i},\qquad x \mapsto S[x]_{\left(\sum_{j=0}^{i-1} d_j,\ \left(\sum_{j=0}^{i} d_j\right) - 1\right)}$$
where $y_{(b,e)}$ denotes the bits $y_b \ldots y_e$ of the binary representation $y = (y_0,\ldots,y_7)$ of y. Instead of applying the sbox S to x directly, each $S_i$ is applied. The result is computed as
$$S[x] = \sum_{i=0}^{n-1} S_i[x] \cdot 2^{\sum_{j=0}^{i-1} d_j}.$$

⁵ Each sbox should fit into a single cache line at every cache level.

In the sequel, we assume that the size of the sbox is a multiple of the size of a cache line and that all $d_j$ are equal. Depending on the number n of required sboxes we call this implementation small-n. E.g., let CL = 512 and for $0 \le i \le 3$ let each $S_i$ store the bits $S[x]_{(2i,\,2i+1)}$. The result $S[x]$ is then computed as
$$S[x] = S_0[x] + S_1[x] \cdot 4 + S_2[x] \cdot 16 + S_3[x] \cdot 64.$$
We call this implementation small-4. Obviously, the performance depends on the number of involved sboxes and on the shifts needed to move bits into the right position. To estimate the efficiency we used the small-n variants in the last round of the fast implementation. Due to the inefficient bit manipulations on 32 bit processors, our ad hoc implementation using small-4 only in the last round shows a penalty of about 60%. We expect that a more sophisticated implementation reduces this penalty significantly. However, we stress that access driven CBAs are very powerful attacks. Hence, it is not astonishing that secure implementations are not that efficient. Table 1 in the appendix shows a summary of timing measurements of the implementations described above. The measurements were done on a Pentium M (1400 MHz) running Linux, compiled with gcc.

Next, we consider CBAs based on the different sboxes and examine the information leakage and the resistance of each of the implementations described above. The standard implementation uses only a single sbox. Hence, a CBA as described above is based on that sbox. We verified by experiments that measurements taken over 3 rounds of the standard implementation leak all key bits. Although the small probability $p_{miss}$ prevents performing further experiments, we assume that even more rounds will leak all key bits. The resistance for all numbers of rounds is listed in column 1 of Table 2 in the appendix. The second implementation is the fast implementation. The CBA on the first round of [18] on one of the sboxes $T_0,\ldots,T_3$ shows that in this case the fast implementation reveals half of the key bits, even with an arbitrary number of measurements.
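The small-n construction of Section 6, as an added Python example (not code from the paper). split_table() packs the d-bit slices of a 256-entry table into n small tables so that each occupies exactly CL bits (for n = 4 and CL = 512: 64 bytes, one line), lookup_small() reassembles S[x] with the shifts of the formula above, and lines_touched() records which cache line each lookup reads under the model of Section 2. The table is a constructed stand-in permutation rather than the AES sbox, since the construction does not depend on the table's contents; the function names are the example's own.

```python
CL_BITS = 512
CL_BYTES = CL_BITS // 8

# Constructed 256-entry, 8-bit table standing in for the sbox S (167 is odd, so a permutation).
TABLE = [(167 * x + 99) & 0xFF for x in range(256)]

def split_table(table, n):
    """Split an 8-bit table into n tables of d = 8/n bits each. Entries are
    packed, so table S_i occupies 256*d bits (one 512-bit line for n = 4)."""
    assert 8 % n == 0
    d = 8 // n
    per_byte = 8 // d                       # entries packed into one byte
    small = []
    for i in range(n):
        buf = bytearray(256 // per_byte)
        for x, y in enumerate(table):
            slice_ = (y >> (d * i)) & ((1 << d) - 1)          # bits (d*i .. d*i+d-1) of S[x]
            buf[x // per_byte] |= slice_ << (d * (x % per_byte))
        small.append(bytes(buf))
    return small

def lookup_small(small, x, trace=None):
    """S[x] = sum_i S_i[x] * 2^(d*i): one byte is read from every S_i.
    If trace is given, the (table, cache line) pair of each read is appended."""
    n = len(small)
    d = 8 // n
    per_byte = 8 // d
    result = 0
    for i, tbl in enumerate(small):
        offset = x // per_byte
        if trace is not None:
            trace.append((i, offset // CL_BYTES))
        slice_ = (tbl[offset] >> (d * (x % per_byte))) & ((1 << d) - 1)
        result |= slice_ << (d * i)
    return result

def lines_touched(n, x):
    """Set of (table, line) pairs that looking up x touches in variant small-n
    (n = 1 is the unsplit 256-byte table spread over 4 lines)."""
    trace = []
    lookup_small(split_table(TABLE, n), x, trace)
    return frozenset(trace)

def leaks_line_information(n):
    """True if the cache information depends on the input x."""
    return len({lines_touched(n, x) for x in range(256)}) > 1
```

leaks_line_information(n) is the two-point argument of Section 6 made executable: for n = 1 and n = 2 the line touched depends on x, while for n = 4 and n = 8 every lookup reads line 0 of every S_i, so the cache information is the same for all inputs and only Assumption 4 separates the accesses.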
The resistance of the fast implementation against such an attack is shown in column 2 of Table 2. The CBA of [8] as described in Section 4.2, based on the sbox $T_4$, shows that in this case the fast implementation leaks all key bits. Since this sbox is only used in the last round, the resistance as shown in column 3 of Table 2 does not change for a different number of rounds. The implementation called fastv1 also leaks all key bits. The resistance against CBAs based on sboxes $T_0,\ldots,T_3$ remains the same as listed in column 2 of Table 2. The resistance against CBAs based on the standard sbox is shown in column 4 of Table 2. It remains constant over the number of rounds because the standard sbox is only used in the last round. Like the fast implementation, the variation called fastv2 also leaks all key bits. It uses only the large sbox $T_0$ in every round. The resistance for all possible numbers of rounds is listed in column 5 of Table 2. Last, we consider the variants small-2, small-4 and small-8 that use smaller sboxes than the standard sboxes. Computing $S[x]$ using variant small-4 or small-8 leaks 0 bits of information with cache lines of size 512 bits, for two reasons:
1. Every $S_i$ fits completely into a single cache line.
2. For every x each $S_i$ is used exactly once to compute $S[x]$.
Hence, the cache information remains constant for all inputs. The only assumption involved is that A cannot distinguish between the accesses to different elements within the same cache line (Assumption 4). The variant small-2 presumably leaks all key bits in our setting. As we have shown above, the variants small-4 and small-8 leak no key bit and hence have resistance 0 (see columns 7 and 8 of Table 2). The resistance of small-2 is listed in column 6 of Table 2.

Comparison of implementations. As Table 2 shows, the standard implementation provides rather good resistance against CBAs but only has low efficiency. The fast implementation provides the lowest resistance against CBAs but is very efficient.
Its variants fastv1 and fastv2 are almost as efficient on 32 bit platforms but provide better resistance against CBAs. The variants using small sboxes provide the best resistance. In particular, small-4 and small-8 prevent the leakage of information. For high security applications we propose to use one of the variants using small sboxes and to adapt the number of sboxes to the actual size of the cache lines of the system.

7 Countermeasure 2: Random Permutation

Another class of countermeasure that was already proposed but not analyzed in [8] is to use secret random permutations to randomize the accesses to the sbox. In this section we present a CBA against an implementation of AES secured by a random permutation that needs roughly 2300 measurements to reveal the complete key. This shows that the increase in the complexity of CBAs induced by random permutations is not as high as one would expect. In particular, the uncertainty of the permutation is not a good measure to estimate the gain in security. A random permutation has uncertainty $\log_2(256!) \approx 1684$ bits and the uncertainty of the induced partition into cache lines is $\log_2\!\left(256!/(16!)^{16}\right) \approx 976$ bits. On the other hand, we present a subset of permutations, so called distinguished permutations, that reduce the information leakage from 8 bits to 4 bits per key byte. Hence, the remaining bits must be determined by an additional attack, thereby increasing the complexity. In our standard scenario this is the best one can achieve. We focus only on the protection of the last round of AES and we assume that the output x of the 9th round is randomized using some secret random permutation π. To be more precise, each byte $x_i$ of the state $x = x_0,\ldots,x_{15}$ is substituted by $\pi(x_i)$. To execute the last round of AES a modified sbox $T'_4$ that depends on π and fulfills $T'_4[\pi(x_i)] = T_4[x_i]$ is applied to every byte $x_i$. This ensures that the resulting ciphertext $c = c_0,\ldots,c_{15}$ is correct. We denote the l-th cache line used for the table look-ups for $T'_4$ by $CL_l$, $l = 0,\ldots,15$. Hence, $CL_l$ contains the values $\{S[\pi^{-1}(x)] \mid x = 16l,\ldots,16l+15\}$. Using a permutation π, the information leaking through accessed cache lines does not depend directly on $x_i$ but only on the permuted value $\pi(x_i)$. Since π is unknown to A, the application of π prevents him from deducing information about the secret key $k^{10} = k_0^{10},\ldots,k_{15}^{10}$ directly. However, in the sequel we will show how to bypass random permutations by using CBAs.

7.1 An access driven CBA on a permuted sbox

We assume that we have a fast implementation of AES that is protected by a random permutation π as described above. We also assume that the adversary A has access to the AES decryption algorithm. This assumption can be avoided. However, the exposition becomes easier if we allow A access to the decryption.
We show how an adversary A can compute the bytes $k^{10}_0, \ldots, k^{10}_{15}$ of the last round key. Let $\hat{k}_0$ denote a candidate for byte $k^{10}_0$ of the last round key. In a first step, for each possible value $\hat{k}_0$ the adversary A determines the assignment $P_{\hat{k}_0}$ of bytes to cache lines induced by $\pi$ under the assumption that $\hat{k}_0 = k^{10}_0$. To be more precise, A computes a function
$$P_{\hat{k}_0} : \{0,1\}^8 \to \{0, \ldots, 15\}$$
such that if $\hat{k}_0$ is correct then for all $x$:
$$\pi(x) \in \{16 P_{\hat{k}_0}(x), \ldots, 16 P_{\hat{k}_0}(x) + 15\}.$$
I.e., if $\hat{k}_0$ is correct then $P_{\hat{k}_0}$ is the correct partition of the values $\pi(x)$ into cache lines. Let us fix some $x$ and a candidate $\hat{k}_0$ for $k^{10}_0$. We set $c_0 = S[x] \oplus \hat{k}_0$ and $M_0 = \{0, \ldots, 15\}$. The adversary repeats the following steps for $j = 1, 2, \ldots$, until $M_0$ contains a single element.

1. A chooses a ciphertext $c^j$ whose first byte is $c_0$, while the remaining bytes of $c^j$ are chosen independently and uniformly at random.
2. Using his access to the decryption algorithm, A computes the plaintext $p^j$ corresponding to $c^j$.
3. By encrypting $p^j$, the adversary A determines the set $D_0^j$ of indices of cache lines accessed for the table look-ups for $T_4'$ during the encryption of $p^j$.
4. A sets $M_0 := M_0 \cap D_0^j$. If $M_0 = \{y\}$, then A sets $P_{\hat{k}_0}(x) = y$.

Repeating this process for all $x$ yields the function $P_{\hat{k}_0}$, which has the desired property. Under the assumption that the guess $\hat{k}_0$ was correct, the function $P_{\hat{k}_0}$ is the correct partition of the values $\pi(x)$ into cache lines. Moreover, it is not difficult to see that the information provided by $P_{\hat{k}_0}$ enables the adversary to mount an attack similar to the one described in Section 4.2. This attack can be used to determine for each possible $\hat{k}_0$ a set of vectors $\hat{k}_1, \ldots, \hat{k}_{15}$ of hypotheses for the other key bytes. For the time being, we assume that $\pi$ has the property that for each $\hat{k}_0$ there remains only a single vector of hypotheses for the other key bytes. Hence, in the end there are only 256 AES keys left and a simple brute force attack reveals the correct one. In general, a random permutation has this property. For a mathematically precise definition and analysis of that property see Section 7.2.
Cost Analysis
Experiments show that in the first step of the attack A needs on average 9 measurements, each consisting of a pair $(p^j, c^j)$ and the corresponding cache information $D_0^j$, such that the intersection $M_0 := \bigcap_j D_0^j$ contains only a single element $y = P_{\hat{k}_0}(x)$. We need to determine the mapping $P_{\hat{k}_0}(x)$ for every key candidate $\hat{k}_0$ and every argument $x \in \{0,1\}^8$. Hence, a straightforward implementation of the attack needs roughly measurements to determine the function $P_{\hat{k}_0}(x)$ for all arguments $x \in \{0,1\}^8$ and all key candidates $\hat{k}_0 \in \{0,1\}^8$. However, one can reuse measurements for different key candidates $\hat{k}_0, \hat{k}_0'$ to reduce the number of measurements to roughly. To determine the vector of hypotheses based on the candidate $\hat{k}_0$ we can reuse the measurements obtained when determining the function $P_{\hat{k}_0}$. Hence, the expected number of measurements of this attack is

7.2 Separability and distinguished permutations

From a security point of view, it is desirable to reduce the information leakage. E.g., a cache attack alone should reveal as little information as possible; in particular it should not reveal the complete key. Then the adversary is forced to either mount a refined and more complex CBA based on other intermediate results or combine the cache attack with some other method to determine the key bytes uniquely. In this case, the situation is similar to the attack of [18], where a cache attack on the first round only reveals 4 bits of each key byte. Hence Osvik et al. combine cache attacks on the first and second round of AES.

First, we present the property a permutation applied to the result of the 9-th round should have such that A cannot determine the key bytes uniquely using only a cache attack on the last round. We denote the $l$-th cache line by $CL_l$ and the elements of $CL_l$ by $a^{(l)}_0, \ldots, a^{(l)}_{15}$. Hence, the underlying permutation used to define this cache line is given by
$$\pi^{-1}(16l + j) = S^{-1}[a^{(l)}_j]. \qquad (3)$$
We say that a key candidate $\hat{k}_0$ is separable from the first key byte $k_0$ of the last round if there exists a measurement that proves $\hat{k}_0$ to be wrong.
Conversely, a key candidate $\hat{k}_0$ is inseparable from the key byte $k_0$ if there does not exist a measurement that proves $\hat{k}_0$ to be wrong. More precisely, writing $\hat{k}_0 = k_0 \oplus \delta$, the bytes $k_0$ and $\hat{k}_0$ are inseparable if and only if
$$\forall\, l \in \{0, \ldots, 15\}\ \forall\, a \in CL_l :\ a \oplus \delta \in CL_l. \qquad (4)$$
Notice that this property only depends on the difference $\delta$ and not on the value of $k_0$. Since there are 16 elements of the sbox in every cache line, property (4) can only be satisfied by at most 16 differences. It turns out that for $|\Delta| = 16$ the set
$$\Delta := \{\delta \mid \text{for all } k_0 \in \{0,1\}^8 \text{ the bytes } k_0 \text{ and } k_0 \oplus \delta \text{ are inseparable}\}$$
forms a 4 dimensional subspace of $\mathbb{F}_{2^8}$ viewed as an 8 dimensional vector space over $\mathbb{F}_2$. It is obvious that the neutral element 0 is an element of $\Delta$ and that every $\delta \in \Delta$ is its own inverse. It remains to show that $\Delta$ is closed with respect to addition. Consider $\delta, \delta' \in \Delta$ and an arbitrary $a \in CL_l$. Then $a' = a \oplus \delta \in CL_l$ implies that $a \oplus \delta \oplus \delta' = a' \oplus \delta' \in CL_l$ because of (4), and hence $\delta \oplus \delta' \in \Delta$ holds. Hence, any partition that has the maximal number of inseparable key candidates must generate a subspace of dimension 4. Using this observation we describe how to efficiently construct permutations such that the set $\Delta$ of inseparable differences has size 16. In the sequel, we will call any such permutation a distinguished permutation.

Construction of the subspace
We first construct a set $\Delta$ of 16 differences that is closed with respect to addition over $\mathbb{F}_{256}$. We can do this in the following way:

1. set $\Delta := \{\delta_0 := 0\}$, choose $\delta_1$ uniformly at random from the set $\{1, \ldots, 255\}$, set $\Delta := \Delta \cup \{\delta_1\}$
2. choose $\delta_2$ uniformly at random from $\{1, \ldots, 255\} \setminus \Delta$, set $\Delta := \Delta \cup \{\delta_2, \delta_3 := \delta_1 \oplus \delta_2\}$
3. choose $\delta_4$ uniformly at random from $\{1, \ldots, 255\} \setminus \Delta$, set $\Delta := \Delta \cup \{\delta_4, \delta_5 := \delta_4 \oplus \delta_1, \delta_6 := \delta_4 \oplus \delta_2, \delta_7 := \delta_4 \oplus \delta_3\}$
4. choose $\delta_8$ uniformly at random from $\{1, \ldots, 255\} \setminus \Delta$, set $\Delta := \Delta \cup \{\delta_8, \delta_9 := \delta_8 \oplus \delta_1, \delta_{10} := \delta_8 \oplus \delta_2, \delta_{11} := \delta_8 \oplus \delta_3, \delta_{12} := \delta_8 \oplus \delta_4, \delta_{13} := \delta_8 \oplus \delta_5, \delta_{14} := \delta_8 \oplus \delta_6, \delta_{15} := \delta_8 \oplus \delta_7\}$

This construction ensures that $\Delta$ is closed with respect to addition and hence forms a subspace as desired.
Construction of the permutation
Now we can compute the function $P$ that maps $S[x] \in \mathbb{F}_2^8$ to a cache line. We use the fact that the 16 proper translations of a 4 dimensional subspace form a partition of the 8 dimensional vector space $\mathbb{F}_2^8$. A basis $\{b_0, \ldots, b_3\}$ of the subspace $\Delta$ can be expanded by 4 vectors $b_4, \ldots, b_7$ to a basis of $\mathbb{F}_2^8$. The 16 translations of $\Delta$ generated by linear combinations of $b_4, \ldots, b_7$ form the quotient space $\mathbb{F}_2^8 / \Delta$, which is a partition of $\mathbb{F}_2^8$. To construct the function $P$ we do the following:

1. for every cache line $CL_l$ do
2. choose $a^{(l)}$ uniformly at random from $\mathbb{F}_{256} \setminus \{a^{(j)} \oplus \delta \mid j < l, \delta \in \Delta\}$
3. fill $CL_l$ with the values of the set $\{a^{(l)} \oplus \delta \mid \delta \in \Delta\}$

Using (3), this partition into cache lines defines the corresponding permutation.

Analysis of the countermeasure
The security of using a distinguished permutation as defined above rests on two facts.

1. Using a distinguished permutation where the set of inseparable differences has size 16, a cache attack on the last round of AES will reveal only four bits of each key byte $k^{10}_i$. Overall, 64 of the 128 bits of the last round key remain unknown. Therefore, the adversary has to combine his cache attack on the last round with some other method to determine the remaining 64 unknown bits. For example, he could try a modified cache attack on the 9-th round exploiting his partial knowledge of the last round key. Or he could use a brute force search to determine the last round key completely.
2. There are several distinguished permutations and each of these permutations leads to $16!$ different functions mapping elements to 16 lines. If we choose one of these functions at random, then before an adversary can mount a cache attack on the last round as described in Section 4.2, he first has to use some method like the one described in Section 7.1 to determine the function $P$ that is actually used.

We stress that we consider the first fact to be the more important security feature. We saw already in Section 7.1 that determining a random permutation used for mapping elements to cache lines is not as secure as one might expect.
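The construction above (steps 1 to 4 for the subspace, then the coset filling of the cache lines), the inseparability condition (4), and the count $D_{n,k}$ of subspaces derived in the following paragraph, run through as an added Python example that is not part of the paper. It assumes 512-bit cache lines holding 16 byte-valued sbox outputs each and works on the partition of sbox outputs directly, so the AES sbox table itself is not needed.

```python
import random
from itertools import product

# Added example (not the paper's code). Assumes 512-bit cache lines, so each
# line holds 16 of the 256 byte-valued sbox outputs. We work directly with the
# partition of sbox outputs into lines (the a^(l)_j of Section 7.2), so no AES
# sbox table is needed to study separability.

NUM_LINES = 16   # cache lines CL_0, ..., CL_15
LINE_SIZE = 16   # sbox outputs per line

def span(vectors):
    """F_2-span of a set of bytes: closure under XOR, always contains 0."""
    s = {0}
    for v in vectors:
        s |= {v ^ x for x in s}
    return frozenset(s)

def build_subspace(rng):
    """Steps 1 to 4 of 'Construction of the subspace': four times, draw a byte
    outside the current span and double the span with it, giving a
    4-dimensional subspace Delta of F_2^8 with exactly 16 elements."""
    delta = {0}
    for _ in range(4):
        g = rng.choice([d for d in range(1, 256) if d not in delta])
        delta |= {g ^ d for d in delta}
    return frozenset(delta)

def fill_cache_lines(subspace, rng):
    """'Construction of the permutation': CL_l is the coset a^(l) + Delta, with
    a^(l) drawn from the bytes no earlier coset covers. Cosets of a subspace
    partition F_2^8, so the 16 lines hold every sbox output exactly once."""
    lines, covered = [], set()
    for _ in range(NUM_LINES):
        a = rng.choice([v for v in range(256) if v not in covered])
        coset = frozenset(a ^ d for d in subspace)
        lines.append(coset)
        covered |= coset
    return lines

def random_cache_lines(rng):
    """Comparison case of Section 7.1: an arbitrary random permutation, i.e. a
    uniformly random split of the 256 sbox outputs into 16 lines of 16."""
    values = list(range(256))
    rng.shuffle(values)
    return [frozenset(values[LINE_SIZE * l:LINE_SIZE * (l + 1)])
            for l in range(NUM_LINES)]

def inseparable_differences(lines):
    """Condition (4): delta is inseparable iff every line is closed under XOR
    with delta; key candidates k and k ^ delta then produce the same accessed
    line for every ciphertext byte, so no measurement tells them apart."""
    return frozenset(d for d in range(256)
                     if all((a ^ d) in cl for cl in lines for a in cl))

def leaked_key_bits(lines):
    """Bits of one last-round key byte a last-round CBA can recover: 8 minus
    log2 of the number of inseparable candidates (a power of two, because the
    inseparable differences form a subspace)."""
    return 8 - (len(inseparable_differences(lines)).bit_length() - 1)

def distinguished_partition(seed):
    """Deterministic run of the whole construction from a seed."""
    rng = random.Random(seed)
    subspace = build_subspace(rng)
    return subspace, fill_cache_lines(subspace, rng)

def random_partition(seed):
    return random_cache_lines(random.Random(seed))

def num_independent_tuples(m, k):
    """N_{m,k}: ordered k-tuples of linearly independent vectors in an
    m-dimensional F_2 space, prod_{j<k} (2^m - 2^j)."""
    n = 1
    for j in range(k):
        n *= 2 ** m - 2 ** j
    return n

def num_subspaces(n, k):
    """D_{n,k} = N_{n,k} / N_{k,k}: number of k-dimensional subspaces of F_2^n."""
    return num_independent_tuples(n, k) // num_independent_tuples(k, k)

def count_subspaces_brute_force(n, k):
    """Cross-check of D_{n,k} for small n: collect the distinct spans of
    dimension k over all k-tuples of non-zero vectors."""
    spans = (span(vs) for vs in product(range(1, 2 ** n), repeat=k))
    return len({s for s in spans if len(s) == 2 ** k})

if __name__ == "__main__":
    subspace, lines = distinguished_partition(seed=2007)
    print("Delta =", sorted(subspace))
    print("inseparable == Delta:", inseparable_differences(lines) == subspace)
    print("leaked bits per key byte, distinguished:", leaked_key_bits(lines))
    print("leaked bits per key byte, random:",
          leaked_key_bits(random_partition(seed=2007)))
    print("D_{8,4} =", num_subspaces(8, 4),
          "| brute-force D_{4,2} =", count_subspaces_brute_force(4, 2))
```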
Since we are using permutations of a special form, the attack described in Section 7.1 can be improved somewhat. In the remainder of this section we briefly describe this improvement. To do so, first we have to determine the number of subspaces leading to distinguished permutations. As before, view $\mathbb{F}_2^n := \{0,1\}^n$ as an $n$-dimensional $\mathbb{F}_2$ vector space. For $0 \le k \le n$ we define $D_{n,k}$ to be the number of $k$-dimensional subspaces of $\mathbb{F}_2^n$. To determine $D_{n,k}$, for $V$ an arbitrary $m$-dimensional subspace of $\mathbb{F}_2^n$ we define
$$N_{m,k} := |\{(v_1, \ldots, v_k) \mid v_i \in V,\ v_1, \ldots, v_k \text{ are linearly independent}\}|.$$
The number $N_{m,k}$ is independent of the particular $m$-dimensional subspace $V$; it only depends on the two parameters $m$ and $k$. Then
$$D_{n,k} = \frac{N_{n,k}}{N_{k,k}}.$$
Next we observe that
$$N_{m,k} = \prod_{j=0}^{k-1} (2^m - 2^j) = 2^{k(k-1)/2} \prod_{j=0}^{k-1} (2^{m-j} - 1).$$
Hence, we obtain that
$$D_{n,k} = \frac{\prod_{j=0}^{k-1} (2^{n-j} - 1)}{\prod_{j=0}^{k-1} (2^{k-j} - 1)}.$$
In our special case we have $n = 8$ and $k = 4$, and hence the number of 4 dimensional subspaces is $D_{8,4} = \frac{255 \cdot 127 \cdot 63 \cdot 31}{15 \cdot 7 \cdot 3 \cdot 1}$. As mentioned above, each subspace leads to $16!$ different distinguished permutations. Hence, overall we have $D_{8,4} \cdot 16! \approx 2^{60}$ distinguished permutations. On the other hand, because of the special structure of our permutations, determining the function $P$ by cache attacks can be done more efficiently than determining an arbitrary function mapping elements to cache lines (see Section 7.1). In particular, A only needs to observe about 7 accesses of a single but arbitrary cache line. With high probability this will be enough to determine a basis of the subspace being used. In addition, A needs at least one access for every other cache line in order to determine the function $P$. The corresponding probability experiment follows the multinomial distribution. We did not calculate the expected number of tries exactly. Experiments show that if we can determine the accessed cache line exactly, on average 62 measurements suffice to compute the function $P$ exactly. However, a single measurement only yields a set of accessed cache lines. But arguments similar to the ones used for the first part of the attack in Section 7.1 show that we need on average 9 measurements to uniquely determine an accessed cache line. Therefore, on average we need $62 \cdot 9 = 558$ experiments to determine the function $P$. Hence, compared to the results of Section 7.1 we have reduced the number of measurements used to determine the function $P$ by a factor of 3. However, we want to stress again that the main security enhancement of using distinguished permutations instead of arbitrary permutations is the fact that distinguished permutations have a lower information leakage. To improve the security, one can choose larger key sizes such as 192 bits or 256 bits. Since distinguished permutations protect half of the key bits, the remaining uncertainty about the secret key after cache attacks can be provably increased from 64 bits to 96 bits or 128 bits, respectively.

Separability and random permutations
In our CBA on an implementation protected by a random permutation (Section 7.1) we assumed that fixing a candidate $\hat{k}_0$ determines the candidates for all other key bytes. With sufficiently many measurements for a fixed $\hat{k}_0$ we can determine the function $P_{\hat{k}_0}$ as defined in Section 7.1. Furthermore, we saw that the separability of candidates $\hat{k}_i, \hat{k}_i'$ depends only on their difference $\delta = \hat{k}_i \oplus \hat{k}_i'$. Hence, to be able to rule out all but one candidate $\hat{k}_i$ at position $i$ for a fixed $\hat{k}_0$, the permutation $\pi$ must have the following property:
$$\forall\, \delta \neq 0\ \exists\, j \in \{0, \ldots, 15\}\ \exists\, a \in CL_j :\ a \oplus \delta \notin CL_j.$$
There are less than of the $256!$ permutations that do not have this property. Hence, a random permutation satisfies this condition with probability

8 Summary of countermeasures and open problems

In this paper we presented and analyzed the security of several different implementations of AES. Moreover, we analyzed countermeasures based on permutations: random permutations and distinguished permutations.
We give a short overview of the advantages and disadvantages of the countermeasures:

countermeasure              # measurements   information in bits / security   efficiency
small-4                                      0 / high                         slow
random permutation          2300             128 / low                        fast
distinguished permutations                   64 / medium                      fast

The second column shows the expected number of measurements an attacker has to perform in order to get the amount of information shown in the third column. Small-4 (see Section 6) prevents information leakage in a cache attack. However, its efficiency depends on the size of a cache line and is rather low. In contrast, random permutations (see Section 7) provide only low security. About 2300 measurements are enough to reveal the complete 128 bit AES key. If realized via table lookups, random permutations are fast. But to increase the security offered by random permutations they have to be changed frequently. Changing a permutation may cause problems with respect to efficiency and security. So far, we have no precise analysis of these issues. Distinguished permutations (see Section 7.2) protect half of the key bits and hence provide a medium level of security. Using distinguished permutations, no frequent changes of permutations are required to achieve a medium level of security. Hence, they do not suffer from the above mentioned problems of random permutations. Therefore, distinguished permutations provide a better ratio of efficiency and security than random permutations, but still leak half of the key bits.

Random permutations and distinguished permutations have to be realized as tables for efficiency reasons. Hence, a straightforward implementation of the application of a permutation would render the whole implementation susceptible to cache attacks. A possible solution to this problem is to realize permutations via small sboxes that completely fit into a cache line. Following the description of the small variant of Section 6, $\pi$ is split into smaller tables $\pi_0, \ldots, \pi_3$, each of which is applied to the input $x$. Obviously, this does not make sense if the standard sbox $S$ is used, because both $\pi$ and $S$ map from $\{0,1\}^8$ to $\{0,1\}^8$.
Hence, it takes as many table lookups to apply $\pi$ realized with small sboxes as it takes to apply $S$ realized with small sboxes directly. Moreover, realizing $S$ via small tables has the advantage of not leaking information via the cache behavior. The situation is different if the large sboxes of the fast implementation are used. Again $\pi$ maps from $\{0,1\}^8$ to $\{0,1\}^8$, but a large sbox maps from $\{0,1\}^8$ to $\{0,1\}^{32}$. Therefore, it takes 4 times as many table lookups to realize the large sbox via small sboxes as to realize $\pi$ via small tables. Hence, first applying $\pi$ to an input via small tables and then applying a large permuted sbox, as shown in Figure 2, makes sense if this technique is faster than realizing the standard sbox $S$ via small sboxes. Here, one has to take into account the technical problem that on 32-bit platforms the byte oriented structure of the standard sbox $S$ leads to a time consuming post processing to incorporate the output of the sbox into the encryption state. Note that realizing $\pi$ via small tables does not leak any information in cache attacks. Only the application of the permuted sbox leaks information about intermediate states. Hence, this scenario is exactly the scenario of our attack in Section 7.1, where we assumed that only the application of the sbox leaks information. As mentioned in Section 6, one can scale the sizes of the smaller tables to improve efficiency. But it is essential to determine whether the amount of information that leaks with this method is acceptable or not.

Summing up, the analysis given above shows that permutations as a countermeasure to thwart cache based attacks do not provide as much security as one would expect. However, we have shown that using distinguished permutations one can reduce the information leakage via CBAs. That means that even with an arbitrary number of measurements a CBA based on the last round cannot determine certain bits of the secret key. Since we consider the reduction of information leakage a preferred goal, distinguished permutations constitute an interesting way to improve the security gain of permutations.

References

1. Onur Acıiçmez and Çetin Kaya Koç. Trace-driven cache attacks on AES (short paper). In Peng Ning, Sihan Qing, and Ninghui Li, editors, ICICS, volume 4307 of Lecture Notes in Computer Science. Springer.
2. Onur Acıiçmez, Werner Schindler, and Çetin Kaya Koç. Cache based remote timing attack on the AES. In Masayuki Abe, editor, CT-RSA, volume 4377 of Lecture Notes in Computer Science. Springer.
3. Paulo Barreto.
The AES block cipher in C++, paulobarreto/eax++.zip.
4. D. J. Bernstein. Cache-timing attacks on AES, Document ID: cd9faae9bd5308c440df50fc26a517b4.
5. Guido Bertoni, Vittorio Zaccaria, Luca Breveglieri, Matteo Monchiero, and Gianluca Palermo. AES power attack based on induced cache miss and countermeasure. In ITCC (1). IEEE Computer Society.
6. Johannes Blömer, Jorge Guajardo, and Volker Krummel. Provably secure masking of AES. In Helena Handschuh and M. Anwar Hasan, editors, Selected Areas in Cryptography, volume 3357 of Lecture Notes in Computer Science. Springer.
7. Joseph Bonneau and Ilya Mironov. Cache-collision timing attacks against AES. In Louis Goubin and Mitsuru Matsui, editors, CHES, volume 4249 of Lecture Notes in Computer Science. Springer.
8. Ernie Brickell, Gary Graunke, Michael Neve, and Jean-Pierre Seifert. Software mitigations to hedge AES against cache-based software side channel vulnerabilities. Cryptology ePrint Archive, Report 2006/052.
9. Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer Verlag.
10. John Hennessy and David Patterson. Computer Architecture: A Quantitative Approach. Morgan Kaufmann Publishers, 3rd edition.
11. Wei-Ming Hu. Lattice scheduling and covert channels. In IEEE Symposium on Security and Privacy. IEEE Press.
12. Paul C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Neal Koblitz, editor, CRYPTO, volume 1109 of Lecture Notes in Computer Science. Springer.
13. François Koeune and Jean-Jacques Quisquater. A timing attack against Rijndael. Technical Report CG-1999/1, Université Catholique de Louvain.
14. Cédric Lauradoux. Collision attacks on processors with cache and countermeasures. In Christopher Wolf, Stefan Lucks, and Po-Wah Yau, editors, WEWoRC, volume 74 of LNI. GI.
15. National Institute of Standards and Technology. Advanced Encryption Standard (AES) (FIPS PUB 197).
16. Michael Neve and Jean-Pierre Seifert. Advances on access-driven cache attacks on AES. In Proceedings of Selected Areas in Cryptography 2006.
17. Michael Neve, Jean-Pierre Seifert, and Zhenghong Wang. A refined look at Bernstein's AES side-channel analysis. In Ferng-Ching Lin, Der-Tsai Lee, Bao-Shuh Lin, Shiuhpyng Shieh, and Sushil Jajodia, editors, ASIACCS, page 369. ACM.
18. Dag Arne Osvik, Adi Shamir, and Eran Tromer. Cache attacks and countermeasures: The case of AES. In David Pointcheval, editor, CT-RSA, volume 3860 of Lecture Notes in Computer Science. Springer.
19. D. Page. Theoretical use of cache memory as a cryptanalytic side-channel. Cryptology ePrint Archive, Report 2002/169.

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to

More information

/ n ) are compared. The logic is: if the two

/ n ) are compared. The logic is: if the two STAT C141, Sprng 2005 Lecture 13 Two sample tests One sample tests: examples of goodness of ft tests, where we are testng whether our data supports predctons. Two sample tests: called as tests of ndependence

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness. 20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed

More information

a b a In case b 0, a being divisible by b is the same as to say that

a b a In case b 0, a being divisible by b is the same as to say that Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :

More information

G /G Advanced Cryptography 12/9/2009. Lecture 14

G /G Advanced Cryptography 12/9/2009. Lecture 14 G22.3220-001/G63.2180 Advanced Cryptography 12/9/2009 Lecturer: Yevgeny Dods Lecture 14 Scrbe: Arsteds Tentes In ths lecture we covered the Ideal/Real paradgm and the noton of UC securty. Moreover, we

More information

Lecture 3. Ax x i a i. i i

Lecture 3. Ax x i a i. i i 18.409 The Behavor of Algorthms n Practce 2/14/2 Lecturer: Dan Spelman Lecture 3 Scrbe: Arvnd Sankar 1 Largest sngular value In order to bound the condton number, we need an upper bound on the largest

More information

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U) Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of

More information

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009 College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:

More information

Foundations of Arithmetic

Foundations of Arithmetic Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an

More information

Chapter 11: Simple Linear Regression and Correlation

Chapter 11: Simple Linear Regression and Correlation Chapter 11: Smple Lnear Regresson and Correlaton 11-1 Emprcal Models 11-2 Smple Lnear Regresson 11-3 Propertes of the Least Squares Estmators 11-4 Hypothess Test n Smple Lnear Regresson 11-4.1 Use of t-tests

More information

Lecture Notes on Linear Regression

Lecture Notes on Linear Regression Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

Improved Integral Cryptanalysis of FOX Block Cipher 1

Improved Integral Cryptanalysis of FOX Block Cipher 1 Improved Integral Cryptanalyss of FOX Block Cpher 1 Wu Wenlng, Zhang Wentao, and Feng Dengguo State Key Laboratory of Informaton Securty, Insttute of Software, Chnese Academy of Scences, Bejng 100080,

More information

18.1 Introduction and Recap

18.1 Introduction and Recap CS787: Advanced Algorthms Scrbe: Pryananda Shenoy and Shjn Kong Lecturer: Shuch Chawla Topc: Streamng Algorthmscontnued) Date: 0/26/2007 We contnue talng about streamng algorthms n ths lecture, ncludng

More information

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE Analytcal soluton s usually not possble when exctaton vares arbtrarly wth tme or f the system s nonlnear. Such problems can be solved by numercal tmesteppng

More information

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal Inner Product Defnton 1 () A Eucldean space s a fnte-dmensonal vector space over the reals R, wth an nner product,. Defnton 2 (Inner Product) An nner product, on a real vector space X s a symmetrc, blnear,

More information

The optimal delay of the second test is therefore approximately 210 hours earlier than =2.

The optimal delay of the second test is therefore approximately 210 hours earlier than =2. THE IEC 61508 FORMULAS 223 The optmal delay of the second test s therefore approxmately 210 hours earler than =2. 8.4 The IEC 61508 Formulas IEC 61508-6 provdes approxmaton formulas for the PF for smple

More information

Homework Assignment 3 Due in class, Thursday October 15

Homework Assignment 3 Due in class, Thursday October 15 Homework Assgnment 3 Due n class, Thursday October 15 SDS 383C Statstcal Modelng I 1 Rdge regresson and Lasso 1. Get the Prostrate cancer data from http://statweb.stanford.edu/~tbs/elemstatlearn/ datasets/prostate.data.

More information

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials MA 323 Geometrc Modellng Course Notes: Day 13 Bezer Curves & Bernsten Polynomals Davd L. Fnn Over the past few days, we have looked at de Casteljau s algorthm for generatng a polynomal curve, and we have

More information

Société de Calcul Mathématique SA

Société de Calcul Mathématique SA Socété de Calcul Mathématque SA Outls d'ade à la décson Tools for decson help Probablstc Studes: Normalzng the Hstograms Bernard Beauzamy December, 202 I. General constructon of the hstogram Any probablstc

More information

Economics 130. Lecture 4 Simple Linear Regression Continued

Economics 130. Lecture 4 Simple Linear Regression Continued Economcs 130 Lecture 4 Contnued Readngs for Week 4 Text, Chapter and 3. We contnue wth addressng our second ssue + add n how we evaluate these relatonshps: Where do we get data to do ths analyss? How do

More information

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information

Recover plaintext attack to block ciphers

Recover plaintext attack to block ciphers Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh

More information

Solving Nonlinear Differential Equations by a Neural Network Method

Solving Nonlinear Differential Equations by a Neural Network Method Solvng Nonlnear Dfferental Equatons by a Neural Network Method Luce P. Aarts and Peter Van der Veer Delft Unversty of Technology, Faculty of Cvlengneerng and Geoscences, Secton of Cvlengneerng Informatcs,

More information

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0 MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector

More information

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results. Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson

More information

1 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations

1 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations Physcs 171/271 -Davd Klenfeld - Fall 2005 (revsed Wnter 2011) 1 Dervaton of Rate Equatons from Sngle-Cell Conductance (Hodgkn-Huxley-lke) Equatons We consder a network of many neurons, each of whch obeys

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

2.3 Nilpotent endomorphisms

2.3 Nilpotent endomorphisms s a block dagonal matrx, wth A Mat dm U (C) In fact, we can assume that B = B 1 B k, wth B an ordered bass of U, and that A = [f U ] B, where f U : U U s the restrcton of f to U 40 23 Nlpotent endomorphsms

More information

Linear Regression Analysis: Terminology and Notation

Linear Regression Analysis: Terminology and Notation ECON 35* -- Secton : Basc Concepts of Regresson Analyss (Page ) Lnear Regresson Analyss: Termnology and Notaton Consder the generc verson of the smple (two-varable) lnear regresson model. It s represented

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

VQ widely used in coding speech, image, and video

VQ widely used in coding speech, image, and video at Scalar quantzers are specal cases of vector quantzers (VQ): they are constraned to look at one sample at a tme (memoryless) VQ does not have such constrant better RD perfomance expected Source codng

More information

COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS

COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS Avalable onlne at http://sck.org J. Math. Comput. Sc. 3 (3), No., 6-3 ISSN: 97-537 COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS

More information

Learning Theory: Lecture Notes

Learning Theory: Lecture Notes Learnng Theory: Lecture Notes Lecturer: Kamalka Chaudhur Scrbe: Qush Wang October 27, 2012 1 The Agnostc PAC Model Recall that one of the constrants of the PAC model s that the data dstrbuton has to be

More information

Lecture 12: Discrete Laplacian

Lecture 12: Discrete Laplacian Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly

More information

ELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM

ELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM ELASTIC WAVE PROPAGATION IN A CONTINUOUS MEDIUM An elastc wave s a deformaton of the body that travels throughout the body n all drectons. We can examne the deformaton over a perod of tme by fxng our look

More information

Complete subgraphs in multipartite graphs

Complete subgraphs in multipartite graphs Complete subgraphs n multpartte graphs FLORIAN PFENDER Unverstät Rostock, Insttut für Mathematk D-18057 Rostock, Germany Floran.Pfender@un-rostock.de Abstract Turán s Theorem states that every graph G

More information

1 The Mistake Bound Model

1 The Mistake Bound Model 5-850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there

More information

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution

Department of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution Department of Statstcs Unversty of Toronto STA35HS / HS Desgn and Analyss of Experments Term Test - Wnter - Soluton February, Last Name: Frst Name: Student Number: Instructons: Tme: hours. Ads: a non-programmable

More information

EEE 241: Linear Systems

EEE 241: Linear Systems EEE : Lnear Systems Summary #: Backpropagaton BACKPROPAGATION The perceptron rule as well as the Wdrow Hoff learnng were desgned to tran sngle layer networks. They suffer from the same dsadvantage: they

More information

Provable Security Signatures

Provable Security Signatures Provable Securty Sgnatures UCL - Louvan-la-Neuve Wednesday, July 10th, 2002 LIENS-CNRS Ecole normale supéreure Summary Introducton Sgnature FD PSS Forkng Lemma Generc Model Concluson Provable Securty -

More information

DUE: WEDS FEB 21ST 2018

DUE: WEDS FEB 21ST 2018 HOMEWORK # 1: FINITE DIFFERENCES IN ONE DIMENSION DUE: WEDS FEB 21ST 2018 1. Theory Beam bendng s a classcal engneerng analyss. The tradtonal soluton technque makes smplfyng assumptons such as a constant

More information

Vapnik-Chervonenkis theory

Vapnik-Chervonenkis theory Vapnk-Chervonenks theory Rs Kondor June 13, 2008 For the purposes of ths lecture, we restrct ourselves to the bnary supervsed batch learnng settng. We assume that we have an nput space X, and an unknown

More information

Topic 23 - Randomized Complete Block Designs (RCBD)

Topic 23 - Randomized Complete Block Designs (RCBD) Topc 3 ANOVA (III) 3-1 Topc 3 - Randomzed Complete Block Desgns (RCBD) Defn: A Randomzed Complete Block Desgn s a varant of the completely randomzed desgn (CRD) that we recently learned. In ths desgn,

More information

9 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations

9 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations Physcs 171/271 - Chapter 9R -Davd Klenfeld - Fall 2005 9 Dervaton of Rate Equatons from Sngle-Cell Conductance (Hodgkn-Huxley-lke) Equatons We consder a network of many neurons, each of whch obeys a set

More information

Exercises of Chapter 2

Exercises of Chapter 2 Exercses of Chapter Chuang-Cheh Ln Department of Computer Scence and Informaton Engneerng, Natonal Chung Cheng Unversty, Mng-Hsung, Chay 61, Tawan. Exercse.6. Suppose that we ndependently roll two standard

More information

On the Multicriteria Integer Network Flow Problem

On the Multicriteria Integer Network Flow Problem BULGARIAN ACADEMY OF SCIENCES CYBERNETICS AND INFORMATION TECHNOLOGIES Volume 5, No 2 Sofa 2005 On the Multcrtera Integer Network Flow Problem Vassl Vasslev, Marana Nkolova, Maryana Vassleva Insttute of

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

Real-Time Systems. Multiprocessor scheduling. Multiprocessor scheduling. Multiprocessor scheduling

Real-Time Systems. Multiprocessor scheduling. Multiprocessor scheduling. Multiprocessor scheduling Real-Tme Systems Multprocessor schedulng Specfcaton Implementaton Verfcaton Multprocessor schedulng -- -- Global schedulng How are tasks assgned to processors? Statc assgnment The processor(s) used for

More information

BOOTSTRAP METHOD FOR TESTING OF EQUALITY OF SEVERAL MEANS. M. Krishna Reddy, B. Naveen Kumar and Y. Ramu

BOOTSTRAP METHOD FOR TESTING OF EQUALITY OF SEVERAL MEANS. M. Krishna Reddy, B. Naveen Kumar and Y. Ramu BOOTSTRAP METHOD FOR TESTING OF EQUALITY OF SEVERAL MEANS M. Krshna Reddy, B. Naveen Kumar and Y. Ramu Department of Statstcs, Osmana Unversty, Hyderabad -500 007, Inda. nanbyrozu@gmal.com, ramu0@gmal.com

More information

Simultaneous Optimization of Berth Allocation, Quay Crane Assignment and Quay Crane Scheduling Problems in Container Terminals

Simultaneous Optimization of Berth Allocation, Quay Crane Assignment and Quay Crane Scheduling Problems in Container Terminals Smultaneous Optmzaton of Berth Allocaton, Quay Crane Assgnment and Quay Crane Schedulng Problems n Contaner Termnals Necat Aras, Yavuz Türkoğulları, Z. Caner Taşkın, Kuban Altınel Abstract In ths work,

More information

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers Psychology 282 Lecture #24 Outlne Regresson Dagnostcs: Outlers In an earler lecture we studed the statstcal assumptons underlyng the regresson model, ncludng the followng ponts: Formal statement of assumptons.

More information

FACTORIZATION IN KRULL MONOIDS WITH INFINITE CLASS GROUP

FACTORIZATION IN KRULL MONOIDS WITH INFINITE CLASS GROUP C O L L O Q U I U M M A T H E M A T I C U M VOL. 80 1999 NO. 1 FACTORIZATION IN KRULL MONOIDS WITH INFINITE CLASS GROUP BY FLORIAN K A I N R A T H (GRAZ) Abstract. Let H be a Krull monod wth nfnte class

More information

CHAPTER 17 Amortized Analysis

CHAPTER 17 Amortized Analysis CHAPTER 7 Amortzed Analyss In an amortzed analyss, the tme requred to perform a sequence of data structure operatons s averaged over all the operatons performed. It can be used to show that the average

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

A new construction of 3-separable matrices via an improved decoding of Macula s construction

A new construction of 3-separable matrices via an improved decoding of Macula s construction Dscrete Optmzaton 5 008 700 704 Contents lsts avalable at ScenceDrect Dscrete Optmzaton journal homepage: wwwelsevercom/locate/dsopt A new constructon of 3-separable matrces va an mproved decodng of Macula

More information

Global Sensitivity. Tuesday 20 th February, 2018

Global Sensitivity. Tuesday 20 th February, 2018 Global Senstvty Tuesday 2 th February, 28 ) Local Senstvty Most senstvty analyses [] are based on local estmates of senstvty, typcally by expandng the response n a Taylor seres about some specfc values

More information

Feature Selection: Part 1

Feature Selection: Part 1 CSE 546: Machne Learnng Lecture 5 Feature Selecton: Part 1 Instructor: Sham Kakade 1 Regresson n the hgh dmensonal settng How do we learn when the number of features d s greater than the sample sze n?

More information