Side Channel Attacks on AES

Highly Eﬃcient Algorithms for AES Key Retrieval in
Cache Access Attacks
Ashokkumar C. , Ravi Prakash Giri , Bernard Menezes
Indian Institute of Technology, Bombay, INDIA
IEEE European Symposium on Security and Privacy, Saarbr¨ucken, GERMANY
March 21-24, 2016

Outline
1 Preliminaries (Side Channel Attacks, AES Implementation)
2 First Round Attack
3 Second Round Attack
4 Results
5 Limitations and Extensions
6 Summary and Conclusions

Preliminaries (Side Channel Attacks, AES Implementation)
Problem Statement
Retrieve entire 128-bit AES key in a cache access attack given
Known plaintext blocks and corresponding sets of cache line numbers
of table elements accessed during AES encryption
Euro S&P ’16 Highly Eﬃcient Algorithms for AES Key Retrieval in Cache Access Attacks 3/29 3 / 29

Problem Statement
Retrieve entire 128-bit AES key in a cache access attack given
Known plaintext blocks and corresponding sets of cache line numbers
of table elements accessed during AES encryption
or
Known ciphertext blocks and corresponding sets of cache line
numbers of table elements accessed during AES decryption

Attacks on Crypto Algorithms
Traditionally, attacks on cryptographic algorithms have focused on hard
mathematical problems (such as the factorization problem or the dis-
crete logarithm) or linear/diﬀerential cryptanalysis
A diﬀerent approach is to exploit leakage of sensitive information through
various side channels – power, timing, etc. to obtain the key

Cache-based Side Channel Attacks
Exploit the fact that memory access times vary by 1–2 orders of mag-
nitude depending on which level of the memory hierarchy the required
data/instruction currently resides
Typically depend on the actual implementation of the algorithm

Cache-based Side Channel Attacks
Exploit the fact that memory access times vary by 1–2 orders of mag-
nitude depending on which level of the memory hierarchy the required
data/instruction currently resides
Typically depend on the actual implementation of the algorithm
Algorithms targeted – RSA, DSA, EC-DSA, AES, etc.

AES Basics
Secret key cipher, 128-bit block size, key size = 128/192/256
Plaintext, ciphertext and key are each represented as a 4 × 4 matrix of
bytes
P =




p0 p4 p8 p12
p1 p5 p9 p13
p2 p6 p10 p14
p3 p7 p11 p15



 K =




k0 k4 k8 k12
k1 k5 k9 k13
k2 k6 k10 k14
k3 k7 k11 k15





AES Basics
Secret key cipher, 128-bit block size, key size = 128/192/256
Plaintext, ciphertext and key are each represented as a 4 × 4 matrix of
bytes
P =




p0 p4 p8 p12
p1 p5 p9 p13
p2 p6 p10 p14
p3 p7 p11 p15



 K =




k0 k4 k8 k12
k1 k5 k9 k13
k2 k6 k10 k14
k3 k7 k11 k15




10 rounds for 128-bit AES. Round keys obtained from original AES key
via “Key Expansion Algorithm”
Plaintext is XORed with AES key before ﬁrst round

AES Operations with pictures





x
(r)
0 x
(r)
4 x
(r)
8 x
(r)
12
x
(r)
1 x
(r)
5 x
(r)
9 x
(r)
13
x
(r)
2 x
(r)
6 x
(r)
10 x
(r)
14
x
(r)
3 x
(r)
7 x
(r)
11 x
(r)
15











x
(r)
0 x
(r)
4 x
(r)
8 x
(r)
12
x
(r)
1 x
(r)
5 x
(r)
9 x
(r)
13
x
(r)
2 x
(r)
6 x
(r)
10 x
(r)
14
x
(r)
3 x
(r)
7 x
(r)
11 x
(r)
15





↓





˜x
(r)
0 ˜x
(r)
4 ˜x
(r)
8 ˜x
(r)
12
˜x
(r)
5 ˜x
(r)
9 ˜x
(r)
13 ˜x
(r)
1
˜x
(r)
10 ˜x
(r)
14 ˜x
(r)
2 ˜x
(r)
6
˜x
(r)
15 ˜x
(r)
3 ˜x
(r)
7 ˜x
(r)
11











x
(r)
0 x
(r)
4 x
(r)
8 x
(r)
12
x
(r)
1 x
(r)
5 x
(r)
9 x
(r)
13
x
(r)
2 x
(r)
6 x
(r)
10 x
(r)
14
x
(r)
3 x
(r)
7 x
(r)
11 x
(r)
15





↓





02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02





•





˜x
(r)
0 ˜x
(r)
4 ˜x
(r)
8 ˜x
(r)
12
˜x
(r)
5 ˜x
(r)
9 ˜x
(r)
13 ˜x
(r)
1
˜x
(r)
10 ˜x
(r)
14 ˜x
(r)
2 ˜x
(r)
6
˜x
(r)
15 ˜x
(r)
3 ˜x
(r)
7 ˜x
(r)
11











x
(r)
0 x
(r)
4 x
(r)
8 x
(r)
12
x
(r)
1 x
(r)
5 x
(r)
9 x
(r)
13
x
(r)
2 x
(r)
6 x
(r)
10 x
(r)
14
x
(r)
3 x
(r)
7 x
(r)
11 x
(r)
15





↓





02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02





•





˜x
(r)
0 ˜x
(r)
4 ˜x
(r)
8 ˜x
(r)
12
˜x
(r)
5 ˜x
(r)
9 ˜x
(r)
13 ˜x
(r)
1
˜x
(r)
10 ˜x
(r)
14 ˜x
(r)
2 ˜x
(r)
6
˜x
(r)
15 ˜x
(r)
3 ˜x
(r)
7 ˜x
(r)
11





⊕





k
(r)
0 k
(r)
4 k
(r)
8 k
(r)
12
k
(r)
1 k
(r)
5 k
(r)
9 k
(r)
13
k
(r)
2 k
(r)
6 k
(r)
10 k
(r)
14
k
(r)
3 k
(r)
7 k
(r)
11 k
(r)
15











x
(r)
0 x
(r)
4 x
(r)
8 x
(r)
12
x
(r)
1 x
(r)
5 x
(r)
9 x
(r)
13
x
(r)
2 x
(r)
6 x
(r)
10 x
(r)
14
x
(r)
3 x
(r)
7 x
(r)
11 x
(r)
15





↓





02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02





•





˜x
(r)
0 ˜x
(r)
4 ˜x
(r)
8 ˜x
(r)
12
˜x
(r)
5 ˜x
(r)
9 ˜x
(r)
13 ˜x
(r)
1
˜x
(r)
10 ˜x
(r)
14 ˜x
(r)
2 ˜x
(r)
6
˜x
(r)
15 ˜x
(r)
3 ˜x
(r)
7 ˜x
(r)
11





⊕





k
(r)
0 k
(r)
4 k
(r)
8 k
(r)
12
k
(r)
1 k
(r)
5 k
(r)
9 k
(r)
13
k
(r)
2 k
(r)
6 k
(r)
10 k
(r)
14
k
(r)
3 k
(r)
7 k
(r)
11 k
(r)
15





=





x
(r+1)
0 x
(r+1)
4 x
(r+1)
8 x
(r+1)
12
x
(r+1)
1 x
(r+1)
5 x
(r+1)
9 x
(r+1)
13
x
(r+1)
2 x
(r+1)
6 x
(r+1)
10 x
(r+1)
14
x
(r+1)
3 x
(r+1)
7 x
(r+1)
11 x
(r+1)
15






Software Implementation of AES
Makes extensive use of table look-ups in lieu of time-consuming ﬁeld
operations (5-table implementation targeted by us)
Each table has 256 entries, each entry is 4 bytes
Line size or block size is 64 bytes in most machines
So a single table occupies 16 lines, 16 elements per line

Round Functions implemented with table lookups
x
(r+1)
0 , x
(r+1)
1 , x
(r+1)
2 , x
(r+1)
3 ←T0 x
(r)
0 ⊕T1 x
(r)
5 ⊕T2 x
(r)
10 ⊕T3 x
(r)
15 ⊕ K
(r)
0
x
(r+1)
4 , x
(r+1)
5 , x
(r+1)
6 , x
(r+1)
7 ←T0 x
(r)
4 ⊕T1 x
(r)
9 ⊕T2 x
(r)
14 ⊕T3 x
(r)
3 ⊕ K
(r)
1
x
(r+1)
8 , x
(r+1)
9 , x
(r+1)
10 , x
(r+1)
11 ←T0 x
(r)
8 ⊕T1 x
(r)
13 ⊕T2 x
(r)
2 ⊕T3 x
(r)
7 ⊕ K
(r)
2
x
(r+1)
12 , x
(r+1)
13 , x
(r+1)
14 , x
(r+1)
15 ←T0 x
(r)
12 ⊕T1 x
(r)
1 ⊕T2 x
(r)
6 ⊕T3 x
(r)
11 ⊕ K
(r)
3
where,
x
(r)
i is the ith byte of the inputs to round r
K(r) is the rth round key and K
(r+1)
i refers to the ith
column of K(r+1).

Organization of Tables in Cache
0
0
0
0
15
0
15
15
15
15
T0
T1
T2
T3
T4
Element 255
Euro S&P ’16 Highly Eﬃcient Algorithms for AES Key Retrieval in Cache Access Attacks 10/2910 / 29

line size = 64 bytes
16 lines
Element 255
0
0
0
0
15
0
15
15
15
15
T0
T1
T2
T3
T4

Element 15
Element 0
Element 240 Element 255
0
0
0
0
15
0
15
15
15
15
T0
T1
T2
T3
T4
line size = 64 bytes
16 lines

First Round Attack
Experimental Setup
Multi-threaded spy + Victim (running AES) on one core
Spy controller on another core

First Round Attack
Run and Run size
The executions of the spy threads and victim are interleaved
Each execution instance of the victim is referred to as a run
The number of table accesses made during a run is referred to as the
run size (between 12 and 35 in our experiments)

First Round Attack
1st
Round Attack - Goal and Input
Goal:
To obtain the high-order nibble of each of the 16 bytes of the AES key

First Round Attack
1st
Round Attack - Goal and Input
Goal:
To obtain the high-order nibble of each of the 16 bytes of the AES key
Input:
Several blocks of plaintext (Scenario 1) or ciphertext (Scenario 2)
Sets of cache line numbers accessed by victim in each run during
encryption (Scenario 1) or decryption (Scenario 2) of those blocks

First Round Attack
1st
Round Attack - Example
Uses input to the ﬁrst round




p0 ⊕ k0 p4 ⊕ k4 p8 ⊕ k8 p12 ⊕ k12
p1 ⊕ k1 p5 ⊕ k5 p9 ⊕ k9 p13 ⊕ k13
p2 ⊕ k2 p6 ⊕ k6 p10 ⊕ k10 p14 ⊕ k14
p3 ⊕ k3 p7 ⊕ k7 p11 ⊕ k11 p15 ⊕ k15




Table line number of elements accessed are (p0 ⊕ k0) , (p1 ⊕ k1) , ...,
(p15 ⊕ k15)
If we know the (pi ⊕ ki ) and pi , we can deduce (ki )

First Round Attack
1st
Round Attack - Example
Uses input to the ﬁrst round




p0 ⊕ k0 p4 ⊕ k4 p8 ⊕ k8 p12 ⊕ k12
p1 ⊕ k1 p5 ⊕ k5 p9 ⊕ k9 p13 ⊕ k13
p2 ⊕ k2 p6 ⊕ k6 p10 ⊕ k10 p14 ⊕ k14
p3 ⊕ k3 p7 ⊕ k7 p11 ⊕ k11 p15 ⊕ k15




Table line number of elements accessed are (p0 ⊕ k0) , (p1 ⊕ k1) , ...,
(p15 ⊕ k15)
If we know the (pi ⊕ ki ) and pi , we can deduce (ki )
Example
Actual sequence of line numbers: 5, 19, 44, 57, 3, 30, 40, 55, 14, 26, 37, 49, 10, 20, 32,
63, 15, 30, 41, 53, 5, 23, 39, 51, 11, 23, 37, 62, 2, 28, 39,...
Run 0: 3, 5, 14, 19, 26, 30, 40, 44, 55, 57, 64, 65, 73, 75
Run 1: 2, 3, 5, 10, 11, 14, 15, 19, 20, 23, 26, 30, 32, 37, 39, 40, 41, 44, 49, 51, 53, 55,
57, 62, 63
Run 2: 2, 5, 6, 8, 11, 14, 17, 21, 23, 27, 28, 31, 33, 37, 38, 39, 40, 44, 49, 50, 51, ...

First Round Attack
Histogram of scores for each guessed value

Second Round Attack
2nd
Round Attack - Strategy
Goal
To obtain the low-order nibble of each byte of the AES key

Second Round Attack
2nd
Round Attack - Strategy
Goal
To obtain the low-order nibble of each byte of the AES key
Treat the low-order nibble of each of the 16 bytes of the key as an
attribute of a relation (table)
Each tuple in the table is a potential subkey values. Initially, any of
the 264 subkey values are possible
As in RDBMS, selection predicates are used to ﬁlter out tuples

Second Round Attack
Selection Predicate for Key Retrieval
The selection predicates we employ are the 16 equations that relate the
indices of line numbers of table elements accessed in the second round
and various bytes of the plaintext and key
Example
x
(2)
0 = 2•s(p0 ⊕k0)⊕3•s(p5 ⊕k5)⊕s(p10 ⊕k10)⊕ s(p15 ⊕k15)⊕s(k13)⊕k0 ⊕1

Second Round Attack
Applying the selection predicate
(x
(2)
0 ) = (2 • s(p0 ⊕ k0) ⊕ 3 • s(p5 ⊕ k5) ⊕ s(p10 ⊕ k10) ⊕ s(p15 ⊕ k15)
⊕ s(k13) ⊕ k0 ⊕ 1)
The LHS is the line number on which the required element resides
Actually what is provided by the spy is not a single number but a set
of line numbers
We retain a tuple only if the RHS evaluates to any element in the set

Second Round Attack
Performance and Cost considerations
The number of plaintexts (encryptions) required to retrieve the key is
ε = −4
log2 c , where c = (per table run size) /16
If c = 8/16 = 0.5, the number of encryptions required is just 4!

Second Round Attack
ε = −4
But at what cost?

Second Round Attack
ε = −4
But at what cost?
Handling 264 tuples

Second Round Attack
ε = −4
But at what cost?
Handling 264 tuples
Solution
Use relational join operations and Cartesian products in addition to
selects
Carefully choose the relational schema and which operations are per-
formed when and on which relations

Second Round Attack
Relational Join Recap
Student Dept.
Cynthia EE
Mustafa ME
Prashant CS
Tsai-Shing CS
Dept. Building
CS Niagara
EE Danube
EE Nile
ME Ganges

Second Round Attack
Student Dept.
Cynthia EE
Mustafa ME
Prashant CS
Tsai-Shing CS
Dept. Building
CS Niagara
EE Danube
EE Nile
ME Ganges
Which students visit which buildings for department-related work?

Second Round Attack
Student Dept.
Cynthia EE
Mustafa ME
Prashant CS
Tsai-Shing CS
Dept. Building
CS Niagara
EE Danube
EE Nile
ME Ganges
=
Student Dept. Building
Cynthia EE Danube
Cynthia EE Nile
Mustafa ME Ganges
Prashant CS Niagara
Tsai-Shing CS Niagara

Second Round Attack
Key Retrieval Algo in action (Round 2 Attack)
k0 , k5 , k10, k15, k13
k0 , k5 , k10, k15, k14
k0 , k5 , k10, k15
k0 , k5 , k10, k15, k12
216

Second Round Attack
k0 , k5 , k10, k15, k13
k0 , k5 , k10, k15, k14
k0 , k5 , k10, k15
k0 , k5 , k10, k15, k12
S
(σ)
216 216 * cε
212

Second Round Attack
k0 , k5 , k10, k15, k13
k0 , k5 , k10, k15, k14
k0 , k5 , k10, k15
k0 , k5 , k10, k15, k12
S
(σ)
A
216
216 * cε * 24
216
216 * cε
212
216
216

Second Round Attack
k0 , k5 , k10, k15, k13
k0 , k5 , k10, k15, k14
k0 , k5 , k10, k15
k0 , k5 , k10, k15, k12
S
(σ)
S
(σ)
A
216
216 * cε * 24
216
216 * cε
212
216
216
216 * c2ε * 24
212
212
212

Second Round Attack
k0 , k5 , k10, k15, k13
k0 , k5 , k10, k15, k14
k0 , k5 , k10, k15
k0 , k5 , k10, k15, k12
S
(σ)
J
( ⋈)
S
(σ)
A
216
216 * cε * 24
216
216 * cε
212
216
216
216 * c2ε * 24
212
212
212
224 * c3ε
212

Second Round Attack
k0 , k5 , k10, k15, k13
k0 , k5 , k10, k15, k14
k0 , k5 , k10, k15
k0 , k5 , k10, k15, k12
J
( ⋈)
228 * c4ε
212
S
(σ)
J
( ⋈)
S
(σ)
A
216
216 * cε * 24
216
216 * cε
212
216
216
216 * c2ε * 24
212
212
212
224 * c3ε
212

Second Round Attack
k0 , k5 , k10, k12, k13, k14, k15
k3 , k4 , k9 , k12, k13, k14, k15
k2 , k7 , k8 , k12, k13, k14, k15
k1 , k6 , k11, k12, k13, k14, k15
228 * c4ε
212
240 * c8ε
28
264 * c16ε
212
212
212
28
J
( ⋈)
J
( ⋈)

Results
Key Retrieval Algo in action (contd.) (Round 2 Attack)

Results
Performance of Key Retrieval Algorithms
First Round Attack:
70% → in 5–7 encryptions
16% → in 8 encryptions

Results
Performance of Key Retrieval Algorithms
First Round Attack:
70% → in 5–7 encryptions
Second Round Attack:

Results
Algorithm’s performance as a function of run size

Limitations and Extensions
Limitations
False Negatives in spy input will result in an incorrect key being de-
duced

Limitations
False Negatives in spy input will result in an incorrect key being de-
duced
Assumptions made may not always hold
1 Victim and multi-threaded spy process are located on same core
2 Hardware prefetching of cache line is turned oﬀ
3 No other processes are accessing AES table

Extensions
Design and implementation of error-tolerant key retrieval algorithm
Key retrieval algorithms with hardware prefetching turned on
Further optimizations in First Round Attack
Operationalization of the attack

Summary and Conclusions
Conclusions
Designed and implemented a suite of algorithms to deduce the 128-bit
AES key using as input sets of unordered lines captured by spy threads
Two attack scenarios where either plaintext or ciphertext is known
Algorithms expressed using simple relational algebraic operations and
run in under a minute
In practice only 6–7 blocks of plaintext or ciphertext were required
Developed analytical models to estimate number of encryptions or de-
cryptions required

Function of Spy Thread and Spy Controller
Spy Thread
1: block until cond variable is true
2: for each line of AES tables do
3: measure access time
4: flush line
5: end for
6: finished ← true
Spy Controller
1: while finished = true do
2: keep polling
3: end while
4: signal(nextThreadID)
5: finished ← false

No. of surviving tuples
(x
(2)
0 ) = (2 • s(p0 ⊕ k0) ⊕ 3 • s(p5 ⊕ k5) ⊕ s(p10 ⊕ k10) ⊕ s(p15 ⊕ k15)
⊕ s(k13) ⊕ k0 ⊕ 1)
For an incorrect/random “guess” of the key, the RHS takes a value
between 0 and F with equal probability
The probability that a tuple survives (satisﬁes the predicate) is c =
(per table run size) /16
The number of surviving tuples is hence 264 × c

No. of plaintexts required for Key Retrieval
We have a total of 16 equations and inputs from ε encryptions or a
total of 16ε predicates
The size of the output relation after being subject to 16ε select
operations is 264 × c16ε
To estimate the number of plaintexts (encryptions) required to
retrieve the key, we solve for ε from 264 × c16ε = 1 to obtain
ε = −4
log2 c , where ε is no. of plaintext(s) required

Side Channel Attacks on AES

More Related Content

What's hot

Similar to Side Channel Attacks on AES

Recently uploaded

Side Channel Attacks on AES