
A Formal Analysis of Prefetching in Profiled Cache-Timing Attacks on Block Ciphers

Journal of Cryptology

Abstract

Formally bounding side-channel leakage is important to bridge the gap between theory and practice in cryptography. However, bounding side-channel leakages is difficult because leakage in a cryptosystem could be from several sources. Moreover, the amount of leakage from a source may vary depending on the implementation of the cipher and the form of attack. To formally analyze the security of a cryptosystem, it is therefore essential to consider each source of leakage independently. This paper considers data prefetching, which is used in most modern day cache memories to reduce miss penalty. We build a framework that would help computer architects theoretically gauge the impact of a data prefetcher in time-driven cache attacks early in the design phase. The framework computes leakage due to the prefetcher using a metric that is based on the Kullback–Leibler transformation. We use the framework to analyze two commonly used prefetching algorithms, namely sequential and arbitrary-stride prefetching. These form the basis of several other prefetching algorithms. We also demonstrate its use by designing a new prefetching algorithm called even–odd prefetcher that does not have leakage in time-driven cache attacks.
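A toy model, added here and not part of the paper (whose framework details are not on this preview page): it counts cold-cache misses for a sequence of plaintext-XOR-key table lookups under three prefetch policies and scores each with a KL-based metric, the mean KL divergence of the per-key miss distribution against the key-averaged mixture, which here equals the mutual information between key byte and miss count. The line geometry and the pair-aligned policy (a stand-in for an even–odd style design) are my assumptions, and the plaintexts are constructed at random.

```python
import math
import random
from collections import Counter

LINE_ENTRIES = 16   # table entries per cache line (assumed: 64-byte lines, 4-byte entries)
NUM_LINES = 16      # a 256-entry lookup table then spans 16 lines

def misses(indices, prefetch):
    """Cold-cache miss count for a sequence of table indices.
    prefetch(line) yields the extra lines the hardware pulls in on a miss."""
    cached, count = set(), 0
    for x in indices:
        line = x // LINE_ENTRIES
        if line not in cached:
            count += 1
            cached.add(line)
            cached.update(l for l in prefetch(line) if 0 <= l < NUM_LINES)
    return count

NO_PREFETCH = lambda line: ()
SEQUENTIAL = lambda line: (line + 1,)     # next-line (sequential) prefetcher
PAIR_ALIGNED = lambda line: (line ^ 1,)   # completes the aligned even/odd pair (assumed design)

def leakage_bits(prefetch, plaintexts, keys=range(256)):
    """Mean KL divergence D(P(M | k, p) || P(M | p)) over keys k and plaintext vectors p.
    M (misses) is deterministic given (k, p), so this is I(K; M | P) in bits."""
    total = 0.0
    for p in plaintexts:
        per_key = [misses([b ^ k for b in p], prefetch) for k in keys]
        mixture, n = Counter(per_key), len(per_key)
        # point mass at m(k) against the key-averaged mixture: KL = log2(1 / Q(m))
        total += sum(math.log2(n / mixture[m]) for m in per_key) / n
    return total / len(plaintexts)

def compare(trials=200, lookups=4, seed=1):
    """Leakage of each prefetcher over random first-round plaintext bytes (constructed input)."""
    rng = random.Random(seed)
    pts = [[rng.randrange(256) for _ in range(lookups)] for _ in range(trials)]
    return {name: leakage_bits(pf, pts) for name, pf in
            (("none", NO_PREFETCH), ("sequential", SEQUENTIAL), ("pair-aligned", PAIR_ALIGNED))}

if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:13s} {bits:.3f} bits of key leakage per encryption")
```

Without a prefetcher the miss count depends only on which lines are distinct, which is invariant under XOR with the key, so the metric is exactly zero; the next-line prefetcher makes it depend on line adjacency, which is not XOR-invariant, and the leakage appears.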



Notes

  1. It may be noted that Fig. 1 is not a universal model for all known block cipher implementations. However, it does include a significant number of them. Ciphers may vary in the way key addition is done, for instance by the use of modular integer addition instead of XOR. These changes do not alter the information leaked from an implementation, since leakage through time is mainly a factor of the cache memory and the memory accesses.

  2. The experiments were done on a 2.8 GHz Intel Core 2 Duo machine with 32 KByte L1 data cache. The measurements were made using Intel’s performance monitoring events and Linux’s perfmon library. Since the figures show actual hardware measurements, the number of cache misses is higher than what would otherwise be expected. This is because of the noisy cache miss events that get counted during the measurements. The noisy events are due to other applications running on the system.

  3. http://valgrind.org/docs/manual/cg-manual.html.

  4. http://valgrind.org/docs/manual/cg-manual.html.


Author information

Corresponding author: Debdeep Mukhopadhyay.

Additional information

Communicated by Bart Preneel.


Cite this article

Rebeiro, C., Mukhopadhyay, D. A Formal Analysis of Prefetching in Profiled Cache-Timing Attacks on Block Ciphers. J Cryptol 34, 21 (2021). https://doi.org/10.1007/s00145-021-09394-z
