Abstract
Formally bounding side-channel leakage is important for bridging the gap between theory and practice in cryptography. It is difficult, however, because a cryptosystem can leak through several sources, and the amount leaked by each source varies with the implementation of the cipher and the form of attack. A formal security analysis therefore has to consider each source of leakage independently. This paper considers data prefetching, which most modern cache memories use to reduce the miss penalty. We build a framework that lets computer architects gauge, early in the design phase, the impact of a data prefetcher on time-driven cache attacks. The framework computes the leakage due to the prefetcher using a metric based on the Kullback–Leibler divergence. We use it to analyze two commonly used prefetching algorithms, sequential and arbitrary-stride prefetching, which form the basis of several other prefetchers. We also demonstrate its use by designing a new prefetching algorithm, the even–odd prefetcher, that has no leakage in time-driven cache attacks.
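The following is an added illustration, not code from the paper or its authors: a toy model of the profiled time-driven attack setting in which a next-line (sequential) prefetcher makes the per-byte miss profile depend on the key, while a cache without prefetching, or with a prefetcher that always fetches the partner line of an aligned line pair (my reading of the even–odd prefetcher, which the abstract does not define), leaves the profile flat. The cache model, the key bytes and the leakage metric (the mutual information between the miss count and one plaintext byte, i.e. the average Kullback–Leibler divergence of the conditional miss distribution from its marginal) are all assumptions of the example, not the paper's framework or its metric.

```python
"""Toy model of a profiled (Bernstein-style) time-driven cache attack.

This is an added illustration, not code from the paper. Assumptions (mine):
  * one 256-entry lookup table, 16 entries per 64-byte line -> 16 lines;
  * the cache starts cold for every encryption and is large enough that
    nothing is evicted, so the miss count is the number of demand fetches;
  * two table lookups per encryption, at indices p0 ^ k0 and p1 ^ k1;
  * "even_odd" is my reading of the even-odd prefetcher: every fetch of a
    line also brings in the other line of its aligned pair;
  * the leakage metric is the mutual information I(M; P0), i.e. the average
    Kullback-Leibler divergence of P(M | p0) from P(M); the paper's own
    KL-based metric is not defined on this page.
"""
from collections import Counter, defaultdict
from fractions import Fraction
from math import log2

LINES = 16                      # 256 entries / 16 entries per line


def line_of(index: int) -> int:
    """Cache line holding table entry `index` (8-bit index, 16 entries per line)."""
    return (index >> 4) & 0xF


# Prefetch policies: map the demanded line to the set of lines actually fetched.
def no_prefetch(line: int) -> set:
    return {line}


def sequential(line: int) -> set:
    """Next-line prefetcher; there is nothing to prefetch past the end of the table."""
    return {line, line + 1} if line + 1 < LINES else {line}


def even_odd(line: int) -> set:
    """Assumed even-odd prefetcher: always fetch the partner line of the aligned pair."""
    return {line, line ^ 1}


POLICIES = {"none": no_prefetch, "sequential": sequential, "even_odd": even_odd}


def miss_count(p0: int, p1: int, k0: int, k1: int, policy) -> int:
    """Misses for one encryption: lookups T[p0 ^ k0] then T[p1 ^ k1] from a cold cache."""
    cache, misses = set(), 0
    for index in (p0 ^ k0, p1 ^ k1):
        line = line_of(index)
        if line not in cache:
            misses += 1
            cache |= policy(line)
    return misses


def profile(k0: int, k1: int, policy) -> dict:
    """Timing profile: for each p0, the exact distribution of M over all 256 values of p1."""
    prof = {}
    for p0 in range(256):
        counts = Counter(miss_count(p0, p1, k0, k1, policy) for p1 in range(256))
        prof[p0] = {m: Fraction(n, 256) for m, n in counts.items()}
    return prof


def profile_leakage_bits(prof: dict) -> float:
    """I(M; P0) in bits: sum over p0 of P(p0) * KL(P(M|p0) || P(M)), with P(p0) = 1/256."""
    marginal = defaultdict(Fraction)
    for dist in prof.values():
        for m, pr in dist.items():
            marginal[m] += pr / 256
    return sum(float(pr) * log2(float(pr / marginal[m])) / 256
               for dist in prof.values() for m, pr in dist.items())


def recover_k0_high_nibble(prof: dict):
    """Read the line bits of k0 off a non-flat profile.

    With the next-line prefetcher the only p0 values with a distinct miss
    distribution are those whose first lookup lands on the last line, where
    no successor line exists; for them (p0 >> 4) ^ (k0 >> 4) == LINES - 1.
    Returns None when the profile is flat (nothing is learned from this byte).
    """
    groups = defaultdict(list)
    for p0, dist in prof.items():
        groups[tuple(sorted(dist.items()))].append(p0)
    if len(groups) < 2:
        return None
    outliers = min(groups.values(), key=len)
    return (outliers[0] >> 4) ^ (LINES - 1)


if __name__ == "__main__":
    k0, k1 = 0x3A, 0xC7          # constructed key bytes for the demo
    for name, policy in POLICIES.items():
        prof = profile(k0, k1, policy)
        print(f"{name:10s} leakage = {profile_leakage_bits(prof):.5f} bits, "
              f"k0 high nibble recovered = {recover_k0_high_nibble(prof)}")
```

Running it prints a positive leakage for the next-line prefetcher and exactly zero for the other two policies, and recovers the high nibble of k0 (0x3) from the sequential profile alone: the table's last line has no successor to prefetch, so the plaintext bytes whose first lookup lands there show a different miss distribution from all the others. Exact arithmetic with Fraction keeps the flat profiles at zero leakage rather than at floating-point noise, which matters when the quantity being compared is this small.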
Notes
It may be noted that Fig. 1 is not a universal model for all known block cipher implementations, but it does cover a significant number of them. Ciphers may vary in how key addition is done, for instance by using modular integer addition instead of XOR. Such changes do not alter the information leaked from an implementation, since leakage through time is mainly a function of the cache memory and of the memory accesses made.
The experiments were done on a 2.8 GHz Intel Core 2 Duo machine with a 32 KByte L1 data cache. The measurements were made using Intel's performance monitoring events and Linux's perfmon library. Since the figures show actual hardware measurements, the number of cache misses is higher than would otherwise be expected: cache-miss events caused by other applications running on the system are counted as noise alongside those of the cipher.
Communicated by Bart Preneel.
Cite this article
Rebeiro, C., Mukhopadhyay, D. A Formal Analysis of Prefetching in Profiled Cache-Timing Attacks on Block Ciphers. J Cryptol 34, 21 (2021). https://doi.org/10.1007/s00145-021-09394-z