Slide 1: Cache-timing Attack on AES
Computer Security Seminar
Sukesh Jain – 276904, Media Informatics, jainsukesh@hotmail.com
4/16/2017
Slide 2: Agenda
- What is AES?
- Development Process of AES
- AES Algorithm
- Efficient Implementation Technique
- Cache-timing Attack on AES
- Prevention of Attack
- Summary
Slide 3: What is AES?
- AES stands for Advanced Encryption Standard.
- NIST selected Rijndael as the AES algorithm.
- Pronunciation alternatives of Rijndael: "Reign Dahl", "Rain Doll" and "Rhine Dahl".
- Rijndael was proposed by Dr. Vincent Rijmen and Dr. Joan Daemen from Belgium as a replacement for DES.
- Symmetric block cipher with a 128-bit block and key sizes of 128, 192 and 256 bits.
- Resistant to known attacks.
Slide 4: Development Process of AES
- The development process was known for its openness and transparency: for the first time the general public was involved in the development process.
- January 2, 1997: NIST decided to develop AES.
- Goal: to develop a Federal Information Processing Standard (FIPS) to be used by the U.S. Government to protect its sensitive unclassified information.
- Should be available to the public on a royalty-free basis.
Slide 5: Development Process of AES – Acceptability Criteria
- September 12, 1997: NIST made a formal call for algorithms.
- Acceptability criteria:
  - Symmetric-key encryption
  - Block cipher
  - Key-block combinations of 128, 192 and 256 bits (scalability)
  - Should be available to the public on a royalty-free basis
Slide 6: Development Process of AES – Evaluation Criteria I
- 21 algorithms were received.
- NIST evaluated these algorithms against the following criteria, ranked according to their relative importance:
  1. Security
  2. Cost
  3. Algorithm & implementation characteristics
Slide 7: Development Process of AES – Evaluation Criteria II
- Security: effort required for cryptanalysis; mathematical basis of the algorithm; security issues raised by the public.
- Cost: licensing requirements; computational efficiency; memory requirements.
- Algorithm & implementation characteristics: flexibility; hardware & software suitability; simplicity.
Slide 8: Development Process of AES – Important Milestones I
- January 2, 1997: NIST decides on AES development.
- April 2, 1997: Deadline for comments on the AES proposal.
- April 15, 1997: Workshop on evaluation criteria.
- September 12, 1997: Formal call for algorithms.
- April 15, 1998: Deadline for completeness review by NIST.
- May 15, 1998: Deadline for any changes.
- June 15, 1998: Deadline for submission of the final algorithm. 21 submissions were received.
- August 20-22, 1998: NIST announces the 15 candidate algorithms from 12 different countries at the First AES Candidate Conference, held in Ventura, California.
- March 22-23, 1999: Second AES Candidate Conference, held in Rome, Italy; for the first time the conference was held outside the U.S.
- April 15, 1999: Deadline for the initial public review of the algorithms.
Slide 9: Development Process of AES – Important Milestones II
- August 9, 1999: NIST announces the five finalists for the AES: MARS, RC6, Rijndael, Serpent and Twofish.
- April 13-14, 2000: Third AES Candidate Conference, held at the Hilton New York and Towers in New York, USA.
- October 2, 2000: Rijndael (but only with key lengths of 128, 192 & 256 bits) was chosen for AES by NIST after a very long and complex evaluation process.
- February 28, 2001: The Federal Information Processing Standard (FIPS) for AES was made available for public review.
- November 26, 2001: AES was adopted as a standard.
- December 4, 2001: FIPS 197 was published in the Federal Register.
Slide 10: AES Algorithm
- Mathematical Preliminaries: Field; Finite Field; Finite Field Operations; Polynomials with Coefficients in GF(2^8)
- Algorithm Specification: Encryption Process; Decryption Process
Slide 11: Mathematical Preliminaries - Field
- A set M with two binary operators '+' and '*': M × M → M, i.e. the result of '+' and '*' must itself be an element of M (closure).
- Satisfies the field axioms for both '+' and '*': commutativity, associativity, identity (so M must contain '0' and '1') and inverses (except that '0' has no multiplicative inverse).
- Also satisfies the distributive property.
Slide 12: Mathematical Preliminaries - Finite Field
- A field of finite order (a finite number of elements); also known as a Galois field.
- The field order is always a prime or a power of a prime.
- Various notations: F_{p^n}, GF(p^n) or GF(q), where q = p^n and p is prime.
- If q is prime, the elements 0, 1, ..., q-1 form the field GF(q) under addition and multiplication modulo q.
- Example of a Galois field: GF(2^2) with irreducible polynomial f(x) = x^2 + x + 1. This field has four elements {0, 1, x, x+1}; each coefficient of x is either 0 or 1.
Slide 13: Mathematical Preliminaries - Finite Field Operations
Finite field operations in GF(2^8) (bytes viewed as polynomials with coefficients in GF(2)):
- Addition: XOR, denoted by ⊕; modulo-2 addition of the coefficients of the corresponding powers of the polynomials.
- Subtraction: identical to addition.
- Multiplication: denoted by •. Multiplication is done modulo an irreducible polynomial of degree 8, which reduces the degree of the result back below 8 so that it can be represented in a byte. The irreducible polynomial used in AES is m(x) = x^8 + x^4 + x^3 + x + 1.
- The multiplicative inverse of any non-zero binary polynomial b(x) of degree less than 8 can be found using the extended Euclidean algorithm.
Slide 14: Mathematical Preliminaries - Polynomials with Coefficients in GF(2^8)
- Consider a 32-bit word as a polynomial whose coefficients are finite field elements, i.e. each coefficient is one byte: a(x) = a3 x^3 + a2 x^2 + a1 x + a0. a(x) can also be denoted as [a0, a1, a2, a3].
- Addition of two such polynomials is given by a(x) + b(x) = (a3 ⊕ b3) x^3 + (a2 ⊕ b2) x^2 + (a1 ⊕ b1) x + (a0 ⊕ b0).
- Multiplication of two 32-bit word polynomials is the ordinary product of the two polynomials. This may produce a polynomial of degree 4 or more, so the result is reduced modulo a polynomial of degree 4 to bring it back to a 32-bit word. In AES the modulus is x^4 + 1.
- x^4 + 1 is a reducible polynomial, so multiplication by an arbitrary polynomial need not be invertible. For this reason AES uses a fixed four-term polynomial that does have an inverse:
  a(x) = {0x03} x^3 + {0x01} x^2 + {0x01} x + {0x02}
  a^-1(x) = {0x0b} x^3 + {0x0d} x^2 + {0x09} x + {0x0e}
Slide 15: Algorithm Specification - I
The State:
- The intermediate two-dimensional array of bytes on which all operations are performed. It has 4 rows and Nb columns.
- Nb depends on the block length and is given by the block length divided by the word length (32 bits). For AES-128, Nb = 128/32 = 4.
- At the beginning of encryption and decryption the input is copied into the State array, and at the end the State is copied back to the output array:
  s[r, c] = in[r + 4c] for 0 ≤ r < 4 and 0 ≤ c < Nb
  out[r + 4c] = s[r, c] for 0 ≤ r < 4 and 0 ≤ c < Nb
Slide 16: Algorithm Specification - II
The number of rounds Nr depends on the cipher key size, as given in the table below.

  AES Version | Key Length (Nk words) | Block Size (Nb words) | Number of Rounds (Nr)
  AES-128     | 4                     | 4                     | 10
  AES-192     | 6                     | 4                     | 12
  AES-256     | 8                     | 4                     | 14
Slide 17: Encryption Process - I
[Figure: round structure of the encryption process, taken from the original Rijndael proposal; source link not preserved]
Speaker note: the pictures are of the original Rijndael, whose transformation names have since changed, e.g. ByteSub to SubBytes and ShiftRow to ShiftRows.
Slide 18: Encryption Process – SubBytes - I
- S-box lookup (a 16×16 byte table containing a permutation of all 256 8-bit values). Non-linear.
- The S-box is built in two steps:
  1. Multiplicative inverse in the finite field GF(2^8) (zero is mapped to itself).
  2. An affine transformation over GF(2):
     b'_i = b_i ⊕ b_(i+4) mod 8 ⊕ b_(i+5) mod 8 ⊕ b_(i+6) mod 8 ⊕ b_(i+7) mod 8 ⊕ c_i, for 0 ≤ i < 8,
     where b_i is the i-th bit of the State byte and c_i is the i-th bit of the byte c = {0x63} = {01100011}.
- Each byte of the State is replaced by the S-box entry at row (left 4 bits) and column (right 4 bits). E.g. byte {95} is replaced by the entry at row 9, column 5, which is {2A}; we write S-box({95}) = {2A}.
- Designed to be resistant to all known attacks because of its non-linear nature.
- It is not self-inverse: S-box({95}) = {2A} but inverse S-box({95}) = {AD}, because decryption uses a different (inverse) S-box.
Slide 19: Encryption Process – SubBytes - II
[Figure: matrix form of the affine transformation]
Speaker note: the last entry of the added constant vector being zero indicates a vector; if it were '1' it would be a point.
Slide 20: Encryption Process – ShiftRows - I
- Cyclically left-shifts the last three rows of the State array.
- The number of bytes shifted depends on: the row number in the State array; the version of the AES algorithm.
Slide 21: Encryption Process – ShiftRows - II
- The ShiftRows transformation is given by s'_r,c = s_r,(c + shift(r, Nb)) mod Nb for 0 < r < 4 and 0 ≤ c < Nb.
- The value of shift(r, Nb) depends on the row number r, as mentioned earlier.
Slide 22: Encryption Process – MixColumns - I
- Each column of the State array is treated as a four-term polynomial over the finite field GF(2^8).
- This polynomial is multiplied modulo x^4 + 1 with a fixed polynomial a(x):
  a(x) = {0x03} x^3 + {0x01} x^2 + {0x01} x + {0x02}
Slide 23: Encryption Process – MixColumns - II
- x^4 + 1 is not irreducible, hence multiplication modulo it is not invertible in general. Therefore a fixed polynomial whose inverse exists is selected.
[Figure: matrix form of multiplication modulo x^4 + 1]
Slide 24: Encryption Process – AddRoundKey
- Bitwise XOR of the round key, obtained through the key schedule, with the State array:
  [s'_0,c, s'_1,c, s'_2,c, s'_3,c] = [s_0,c, s_1,c, s_2,c, s_3,c] ⊕ [w_(round*Nb + c)] for 0 ≤ c < Nb and 0 ≤ round ≤ Nr
- The initial secret key is XORed with the State array before the round function starts.
Slide 25: Decryption Process
[Figure: round structure of the decryption process; source link not preserved]
Slide 26: Decryption Process - InvShiftRows
- Inverse of ShiftRows: cyclically right-shifts the last three rows of the State array.
- The number of bytes shifted depends on: the row number in the State array; the version of the AES algorithm.
- The InvShiftRows transformation is given by s'_r,(c + shift(r, Nb)) mod Nb = s_r,c for 0 < r < 4 and 0 ≤ c < Nb.
- The value of shift(r, Nb) depends on the row number r, as mentioned earlier.
Slide 27: Decryption Process - InvSubBytes
- Inverse S-box lookup for each byte of the State array.
- Construction of the inverse S-box involves two steps:
  1. The inverse affine transformation is applied to each byte of the State array.
  2. The multiplicative inverse is looked up in the finite field GF(2^8).
Slide 28: Decryption Process - InvMixColumns
- Each column of the State array is treated as a four-term polynomial over the finite field GF(2^8).
- The polynomial is multiplied modulo x^4 + 1 with the inverse of the fixed polynomial a(x), i.e. a^-1(x):
  a^-1(x) = {0x0b} x^3 + {0x0d} x^2 + {0x09} x + {0x0e}
  s'(x) = a^-1(x) • s(x) (mod x^4 + 1)
Slide 29: Decryption Process – Inverse AddRoundKey
- The AddRoundKey transformation uses a simple XOR operation, hence it is its own inverse.
- A good visualization of AES exists (link not preserved): it uses a different colour for each byte and shows how the bytes move through the transformations during the AES process.
Slide 30: Efficient Implementation Technique - I
- Consider the output e_i,j of the round function for one byte of the State array a_i,j, where i denotes the row number and j the column number.
- AddRoundKey transformation: [equation not preserved in this extraction]
- MixColumns transformation: [equation not preserved in this extraction]
Slide 31: Efficient Implementation Technique - II
- ShiftRows transformation: [equation not preserved in this extraction]. In (j - C1), C1 denotes the number of bytes to be shifted, as shown by the table in the Encryption Process – ShiftRows - II section.
- SubBytes transformation: b_i,j = S[a_i,j]
- By substitution the above equations can be combined into a single equation: [equation not preserved in this extraction]
Slide 32: Efficient Implementation Technique - III
- The previous equation can be rewritten as: [equation not preserved in this extraction]
- Now we can define 4 tables: [T-table definitions not preserved in this extraction]
Slide 33: Efficient Implementation Technique - IV
- Each table occupies 1 KB (256 entries × 4 bytes); in total the 4 tables occupy 4 KB.
- Finally, the output of a round function can be expressed as lookups of these 4 tables.
- Since there is no MixColumns transformation in the last round, the last round looks up the S-box S instead of the T tables.
- Hence a table-lookup implementation with 4 KB of tables takes only 4 table lookups and 4 XORs per column per round.
- It can be seen that T_i[a] = RotByte(T_(i-1)[a]). At the cost of 3 additional rotations per round per column, the table-lookup implementation can be realised with only one table, i.e. with a total table size of 1 KB.
- Most operations in the key expansion can be implemented by 32-bit word XORs. The additional transformations are the application of the S-box and a cyclic shift over 8 bits, which can be implemented very efficiently.
Slide 34: Efficient Implementation Technique - V
- These 4 table lookups can be further reduced to a single table lookup with 3 additional rotations per round per column. In this case the total table size is reduced from 4 KB to 1 KB.
- Moreover, the key expansion consists of 32-bit word XORs, S-box lookups and a cyclic shift of 8 bits, which can be implemented very efficiently.
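The field arithmetic of slides 13 and 14, the S-box construction of slide 18 and the T-table reduction of slides 30 to 34 can all be checked in a few dozen lines. The C below is an added example written for this page; it is not code from the slides, from the Rijndael authors or from any AES library, and every function and table name in it (gf_mul, gf_inv, affine, build_tables, round_stepwise, round_ttable, rounds_agree) is the example's own. It derives the S-box from the GF(2^8) inverse and the affine map, builds T_0 to T_3 as RotByte rotations of a single table, and confirms that one round computed as 4 lookups and 4 XORs per column equals the round computed transformation by transformation. The sample State and round key are constructed values.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example for this page, not code from the slides or from any AES library.
 * GF(2^8) arithmetic, S-box construction and the T-table round; all names are the example's own. */

/* Multiplication in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11b). */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)); /* multiply by x and reduce */
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse as a^254 (a^255 = 1 for a != 0); 0 maps to 0 as SubBytes requires.
 * The slides mention the extended Euclidean algorithm; exponentiation is an equivalent route. */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1;
    for (int i = 0; i < 254; i++) r = gf_mul(r, a);
    return r;
}

/* Affine transformation of slide 18: b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i,
 * indices mod 8, c = {0x63}. */
static uint8_t affine(uint8_t b) {
    uint8_t out = 0;
    for (int i = 0; i < 8; i++) {
        int bit = (b >> i) ^ (b >> ((i + 4) & 7)) ^ (b >> ((i + 5) & 7))
                ^ (b >> ((i + 6) & 7)) ^ (b >> ((i + 7) & 7)) ^ (0x63 >> i);
        out |= (uint8_t)((bit & 1) << i);
    }
    return out;
}

static uint8_t SBOX[256], INV_SBOX[256];
static uint8_t T[4][256][4];   /* T[j][a][r]: row r of the 4-byte entry T_j[a] */
static int tables_ready = 0;

static void build_tables(void) {
    if (tables_ready) return;
    for (int a = 0; a < 256; a++) {
        SBOX[a] = affine(gf_inv((uint8_t)a));
        INV_SBOX[SBOX[a]] = (uint8_t)a;
    }
    for (int a = 0; a < 256; a++) {
        uint8_t s = SBOX[a];
        /* T_0[a] = (02*S[a], S[a], S[a], 03*S[a]); T_j is RotByte applied j times to T_0 */
        uint8_t t0[4] = { gf_mul(s, 2), s, s, gf_mul(s, 3) };
        for (int j = 0; j < 4; j++)
            for (int r = 0; r < 4; r++)
                T[j][a][r] = t0[(r - j + 4) & 3];
    }
    tables_ready = 1;
}

uint8_t sbox_at(uint8_t x)     { build_tables(); return SBOX[x]; }
uint8_t inv_sbox_at(uint8_t x) { build_tables(); return INV_SBOX[x]; }

/* One round written out transformation by transformation: SubBytes, ShiftRows
 * (row r shifts left by r, Nb = 4), MixColumns (times a(x) mod x^4 + 1), AddRoundKey. */
static void round_stepwise(const uint8_t in[4][4], const uint8_t rk[4][4], uint8_t out[4][4]) {
    uint8_t t[4][4];
    for (int r = 0; r < 4; r++)
        for (int c = 0; c < 4; c++)
            t[r][c] = SBOX[in[r][(c + r) & 3]];
    for (int c = 0; c < 4; c++) {
        uint8_t a0 = t[0][c], a1 = t[1][c], a2 = t[2][c], a3 = t[3][c];
        out[0][c] = gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3 ^ rk[0][c];
        out[1][c] = a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3 ^ rk[1][c];
        out[2][c] = a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3) ^ rk[2][c];
        out[3][c] = gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2) ^ rk[3][c];
    }
}

/* The same round as 4 table lookups and 4 XORs per column (slide 33). Each lookup is
 * indexed by a State byte: that input-dependent memory access is what the cache-timing
 * attack measures, because the cache line touched depends on the byte's value. */
static void round_ttable(const uint8_t in[4][4], const uint8_t rk[4][4], uint8_t out[4][4]) {
    for (int c = 0; c < 4; c++) {
        for (int r = 0; r < 4; r++) out[r][c] = rk[r][c];
        for (int j = 0; j < 4; j++) {
            const uint8_t *e = T[j][in[j][(c + j) & 3]];
            for (int r = 0; r < 4; r++) out[r][c] ^= e[r];   /* one 32-bit XOR in practice */
        }
    }
}

/* Returns 1 if both round implementations agree on a constructed State and round key. */
int rounds_agree(void) {
    uint8_t st[4][4], rk[4][4], a[4][4], b[4][4];
    build_tables();
    for (int r = 0; r < 4; r++)
        for (int c = 0; c < 4; c++) {
            st[r][c] = (uint8_t)(0x1f * (r + 4 * c) + 0x3d);   /* constructed sample input */
            rk[r][c] = (uint8_t)(0x5a ^ (r * 16 + c));         /* constructed sample round key */
        }
    round_stepwise(st, rk, a);
    round_ttable(st, rk, b);
    for (int r = 0; r < 4; r++)
        for (int c = 0; c < 4; c++)
            if (a[r][c] != b[r][c]) return 0;
    return 1;
}
```

sbox_at(0x95) returns 0x2a and inv_sbox_at(0x95) returns 0xad, the two values slide 18 quotes, and rounds_agree() returns 1. The point to take from round_ttable for the rest of the deck is the index expression T[j][in[j][...]]: the address read depends on a State byte, which after the initial AddRoundKey is plaintext XOR key, so the cache line that lookup touches is a function of the key.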
Slide 35: Cache-timing Attack on AES - I
- A cache-timing attack is one form of "side-channel attack".
- Side-channel attacks recover the secret key from the "side-channel information" of the physical device on which the algorithm is implemented, rather than from a weakness of the algorithm or from the plaintext (input) or ciphertext.
- Side-channel information includes:
  - Power consumption
  - Time (time taken by the process, or by the movement of data into the CPU or memory)
  - Noise, etc.
Slide 36: Cache-timing Attack on AES - II
- Takes into account the time taken to perform an encryption, which varies with the secret data being encrypted.
- According to Daniel J. Bernstein, it is a weakness of AES that it reveals this timing information.
- The AES algorithm relies heavily on table lookups. The table lookup depends on the input k[i] ⊕ n[i] and hence does not run in constant time. Thus the attacker can use this table lookup to deduce the key k[i] as a timing function of n[i].
Slide 37: Cache-timing Attack on AES - Overview
The steps involved in the attack:
1. Measure the timing for different values of n[i] over a large set of data on the target server, and total the time for each value of n[i]. Find the value of n[i] with the maximum time, say 147.
2. Simulate the target server, i.e. make an exact copy (same AES software, same CPU, etc.) of the server on which step 1 was carried out.
3. Measure the maximum time for the combination of known key and plaintext k[i] ⊕ n[i], say 8.
4. From this one can calculate the key offset, revealing the key k[i]: 147 ⊕ 8 = 155.
Slide 38: Cache-timing Attack on AES - Server Program
- Uses the OpenSSL AES implementation.
- Returns the scrambled zero, to reduce the amount of noise in the timing information. The noise does not prevent the attack itself; it only means that a larger number of packets is required to average out the effect of the noise.
Slide 39: Cache-timing Attack on AES - Preparation of Attack - I
- Runs the server program with a known key of all zeros.
- Collects the reference timing information by sending a random number of 400- (600-, 800-) byte packets to the simulated server using the study program from another x86 system.
- The study program finds the average number of cycles required to process those 400-byte packets for each possible value of n[i], and also the difference between the average for each value of n[i] and the overall average number of cycles over all packets.
- The value of n[i] with the maximum difference reveals the key k[i] immediately. For example, for i = 13, if n[13] = 8 takes the maximum time, then for any key value k[13] the input k[13] ⊕ 8 should take the maximum time, which reveals k[13] immediately.
- The author repeats the measurement with different packet sizes (600, 800 bytes, etc.) to narrow down the result if no single value of n[i] with the maximum time can be found.
Slide 40: Cache-timing Attack on AES - Preparation of Attack - II
[Figure: reference timing data from the study program; not preserved in this extraction]
Slide 41: Cache-timing Attack on AES - Carrying out the attack - I
- Runs the server program with a secret key (from /dev/urandom).
- Collects the timing information using the study program by sending a random number of 400- (600-, 800-) byte packets.
- Correlates the two sets of timing information to find the offset of the possible keys k[i], thereby revealing the key k[i].
Slide 42: Cache-timing Attack on AES - Carrying out the attack - II
[Table: correlation of reference and target timing data for i = 3; not preserved in this extraction]
- The table clearly reveals the key for i = 3: k[3] = 169 (hexadecimal a9).
- Similarly, for other values of i we get a number of possible values for the key k[i], but this number can be reduced by studying the timing information for a greater number of packets and for packets of different sizes (say 600, 400 bytes, etc.). For example, the author repeated the measurement with 2^27 random 400-byte packets, which revealed the key bytes k[1], k[4], k[8], k[9], k[12] and k[13].
- After this the author found the rest of the key with a crude search using the search program (for the exact code refer to [9]), which took just one minute to reveal the key; the key was found to be correct on inspecting the secret key.
Slide 43: Cache-timing Attack on AES - Sukesh Jain
[Figure: reference timing data for each x_i, and timing data from the target machine for the plaintext byte p_i]
- The target machine's timing data is exactly an offset of k_i apart from the reference timing data, thereby revealing the secret key.
Slide 44: Prevention of Attack
- Constant-time AES software:
  - Table lookups should be independent of the input and the key.
  - Table lookups should be replaced by short bitwise operations such as XOR. This results in constant time but takes longer than the table-lookup implementation.
- How to find out whether a given AES implementation takes constant time: collect timing information for different inputs and check whether they all take the same time. Even this cannot guarantee that the AES software takes constant time.
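One way to make a lookup independent of its input, as this slide asks for, is to read the whole table on every call and select the wanted entry with a branch-free mask, so that the sequence of addresses touched is the same for every index. The C below is an added example for this page, not code from the slides or from OpenSSL; plain_lookup, ct_lookup and the constructed 256-entry table are the example's own, and the table is a stand-in for an S-box or T-table rather than the real one.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

/* Added example for this page (not from the slides or any AES library): an
 * input-independent table lookup. All names are the example's own. */

/* Conventional lookup: the address read depends on idx, so which cache line is
 * loaded, and how long the load takes, carries information about idx. */
uint8_t plain_lookup(const uint8_t *table, size_t n, size_t idx) {
    return idx < n ? table[idx] : 0;
}

/* Constant-time lookup: reads every entry of the table on every call and keeps
 * the wanted one with a mask, so the memory-access pattern does not depend on
 * idx. The price is n loads instead of one. */
uint8_t ct_lookup(const uint8_t *table, size_t n, size_t idx) {
    uint8_t result = 0;
    for (size_t i = 0; i < n; i++) {
        size_t diff = i ^ idx;                       /* zero only when i == idx */
        /* 1 if diff != 0, 0 if diff == 0, computed without a data-dependent branch */
        size_t is_other = (diff | ((size_t)0 - diff)) >> (sizeof(size_t) * CHAR_BIT - 1);
        uint8_t mask = (uint8_t)(is_other - 1);      /* 0xff when i == idx, else 0x00 */
        result |= table[i] & mask;
    }
    return result;
}

/* Constructed 256-entry table (not the AES S-box) used to check that both
 * lookups return identical values for every index. Returns 1 on success. */
int ct_lookup_matches_plain(void) {
    uint8_t table[256];
    for (int i = 0; i < 256; i++) table[i] = (uint8_t)(i * 7 + 3);
    for (size_t idx = 0; idx < 256; idx++)
        if (ct_lookup(table, 256, idx) != plain_lookup(table, 256, idx)) return 0;
    return 1;
}
```

This removes the index-dependent address from the source, which is the property the slide asks for, but it is not a proof of constant time: an optimising compiler may rewrite the mask back into a conditional, and slides 45 to 48 describe how cache eviction, interrupts and hyper-threading can still perturb the measurement. A constant-time claim should therefore be checked on the compiled binary and under the deployment's real conditions, which is exactly the caveat the slide ends with.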
Slide 45: Problem: Cache is faster than DRAM
- Accessing the cache takes fewer cycles than accessing DRAM, so it is faster. Recently used data will be in the cache and is therefore returned faster than data that has to come from DRAM. For example, if T0[0] is in the cache and T0[64] is not, the two lookups take different times, which reveals the key immediately.
- Advice for AES implementers: the AES S-boxes should be in the cache throughout the AES computation. S-boxes can be evicted from the cache by the AES computation itself or by other processes running on the system.
- Advice for CPU designers: provide a constant-time S-box lookup instruction, solving the problem not only for AES but for all code that uses table lookups.
Slide 46: Problem: L1 cache is faster than L2 cache
- Advice for AES implementers: the AES S-boxes should be in the L1 cache throughout the AES computation. S-boxes can be evicted from the L1 cache to make room for data of the AES computation itself, of other processes, of interrupts, etc.
- Advice for CPU designers: provide an L1 table-lookup instruction that ensures the entire table is in the L1 cache and loads a selected table entry in constant time.
Slide 47: Problem: Cache associativity is limited
- Most CPUs have a 2-way associative L1 cache: each memory line can be placed in one of 2 locations in the cache. If more than two memory lines map to the same cache set (the same address modulo the set index), one of them has to be evicted from the L1 cache, and this may leak timing information.
- Advice for AES implementers: place all the variables, the input, the key and the table in the cache so that they do not evict each other.
Slide 48: Problem: Code can be interrupted
- Assume that all the S-boxes are already in the L1 cache and no other AES computation evicts them. Even then constant time cannot be guaranteed, because of interrupts such as the CPU timer, hyper-threading, etc.
- Advice for AES implementers: disable hyper-threading, since it can interrupt the AES computation. System interrupts can still affect the AES computation; for this the best solution would be to implement AES as part of the operating system kernel, but that may lead to serious security issues because kernel-level code has total control of the system.
- Advice for CPU designers: if AES is not implemented in the kernel, the unprivileged code cannot disable all interrupts. In that case the CPU should provide a facility for loading the original table back into the cache after the interrupt is processed and before AES processing resumes.
Slide 49: Summary
- The input-dependent table lookups of AES result in a timing attack that reveals the secret key.
- It is difficult to simulate an exact copy of the target server.
- The method also requires knowledge of the plaintext and its timing information.
- There should be sufficient randomness in the plaintext.
Slide 50: References - I
[1] AES Page (URL not preserved).
[2] Federal Register: January 2, 1997 (Volume 62, Number 93), available at [1].
[3] Federal Register: September 12, 1997 (Volume 62, Number 177), available at [1].
[4] James Nechvatal, Elaine Barker, Lawrence Bassham, William Burr, Morris Dworkin, James Foti, Edward Roback, "Report on the Development of the Advanced Encryption Standard (AES)", October 2, 2000.
[5] Journal of Research of the National Institute of Standards and Technology, "Report on the Development of the Advanced Encryption Standard (AES)", Volume 106, Number 3, May-June 2001.
[6] Advanced Encryption Standard, Federal Information Processing Standards (FIPS) Publication 197, Computer Security Resource Center, National Institute of Standards and Technology (NIST), November 2001.
Slide 51: References - II
[7] Wolfram MathWorld, "Field".
[8] J. Daemen and V. Rijmen, "AES Proposal: Rijndael", AES algorithm submission, September 3, 1999, available at [1].
[9] Daniel J. Bernstein, "Cache-timing attacks on AES".
[10] Definition of side-channel attacks: "Introduction to Side Channel Attacks".
[11] Definition of side-channel attacks from Wikipedia.
[12] D.A. Osvik, A. Shamir and E. Tromer, "Cache Attacks and Countermeasures: the Case of AES", Cryptology ePrint Archive, Report 2005/271.
[13] Joseph Bonneau and Ilya Mironov, "Cache-Collision Timing Attacks Against AES" (extended version, revised).