Cache-Collision Timing Attacks Against AES

  • Joseph Bonneau
  • Ilya Mironov
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4249)


This paper describes several novel timing attacks against the common table-driven software implementation of the AES cipher. We define a general attack strategy using a simplified model of the cache to predict timing variation due to cache-collisions in the sequence of lookups performed by the encryption. The attacks presented should be applicable to most high-speed software AES implementations and computing platforms, we have implemented them against OpenSSL v. 0.9.8.(a) running on Pentium III, Pentium IV Xeon, and UltraSPARC III+ machines. The most powerful attack has been shown under optimal conditions to reliably recover a full 128-bit AES key with 213 timing samples, an improvement of almost four orders of magnitude over the best previously published attacks of this type [Ber05]. While the task of defending AES against all timing attacks is challenging, a small patch can significantly reduce the vulnerability to these specific attacks with no performance penalty.


AES cryptanalysis side-channel attack timing attack cache 


  1. [ABDM00]
    Akkar, M.-L., Bévan, R., Dischamp, P., Moyart, D.: Power analysis, what is now possible.... In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 489–502. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  2. [AK06]
    Acıiçmez, O., Koç, Ç. K.: Trace driven cache attack on AES. IACR Cryptology ePrint Archive, Report 2006/138 (April 2006)Google Scholar
  3. [Acıi05]
    Acıiçmez, O.: Remote Timing Attacks. Given at Intel Corporation, Oregon, USA (December 2005), Available at:
  4. [ASK05]
    Acıiçmez, O., Schindler, W., Koç, Ç.K.: Improving Brumley and Boneh timing attack on unprotected SSL implementations. In: ACM Conference on Computer and Communications Security (2005)Google Scholar
  5. [BAK98]
    Biham, E., Anderson, R.J., Knudsen, L.R.: Serpent: A new block cipher proposal. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 222–238. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  6. [BGNS06]
    Brickell, E., Graunke, G., Neve, M., Seifert, J.-P.: Software mitigations to hedge AES against cache-based software side channel vulnerabilities. IACR ePrint Archive, Report 2006/052 (February 2006)Google Scholar
  7. [BB05]
    Brumley, D., Boneh, D.: Remote timing attacks are practical. Computer Networks 48(5), 701–716 (2005)CrossRefGoogle Scholar
  8. [BBM+06]
    Bertoni, G., Breveglieri, L., Monchiero, M., Palermo, G., Zaccaria, V.: AES power attack based on induced cache miss and countermeasure. ITCC(1) (2005)Google Scholar
  9. [Ber05]
    Bernstein, D.J.: Cache-timing attacks on AES (April 2005),
  10. [CLS06]
    Canteaut, A., Lauradoux, C., Seznec, A.: Understanding cache attacks. Technical Report (April 2006), available at:
  11. [DR99]
    Daemen, J., Rijmen, V.: Resistance against implementation attacks: A comparative study of the AES proposals. In: Second AES Candidate Conference (February 1999)Google Scholar
  12. [DR02]
    Daemen, J., Rijmen, V.: The design of Rijndael: AES—the advanced encryption standard. Springer, Heidelberg (2002)zbMATHGoogle Scholar
  13. [GMO01]
    Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: Concrete results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. [KJJ99]
    Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  15. [Koc96]
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  16. [KQ99]
    Koeune, F., Quisquater, J.-J.: A timing attack against Rijndael. Technical Report CG-1999/1 (June 1999)Google Scholar
  17. [KSWH00]
    Kelsey, J., Schneier, B., Wagner, D., Hall, C.: Side channel cryptanalysis of product ciphers. J. of Computer Security 8(2/3) (2000)Google Scholar
  18. [Lau05]
    Laradoux, C.: Collision attacks on processors with cache and countermeasures. In: Wolf, C., Lucks, S., Yau, P.-W. (eds.) Western European Workshop on Research in Cryptology—WEWoRC 2005, pp. 76–85 (2005)Google Scholar
  19. [LMV04]
    Ledig, H., Muller, F., Valette, F.: Enhancing collision attacks. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 176–190. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  20. [NBB+00]
    Nechvatal, J., Barker, E., Bassham, L., Burr, W., Dworkin, M., Foti, J., Roback, E.: Report on the development of the Advanced Encryption Standard (AES) (October 2000),
  21. [NSW06]
    Neve, M., Seifert, J.-P., Wang, Z.: A refined look at Bernstein’s AES side-channel analysis. ASIACCS, 369 (2006)Google Scholar
  22. [NS06]
    Neve, M., Seifert, J.-P.: Advances on access-driven cache attacks on AES. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 147–162. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  23. [OT05]
    O’Hanlan, M., Tonge, A.: Investigation of cache timing attacks on AES. School of Computing, Dublin City University (2005)Google Scholar
  24. [OST06]
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  25. [Pag02]
    Page, D.: Theoretical use of cache memory as a cryptanalytic side-channel. Technical Report CSTR-02-003, University of Bristol (April 2002)Google Scholar
  26. [Pag03]
    Page, D.: Defending against cache based side channel attacks. Technical Report. Department of Computer Science, University of Bristol (2003)Google Scholar
  27. [Pag05]
    Page, D.: Partitioned cache as a side-channel defense mechanism. IACR Cryptology ePrint Archive, Report 2005/280 (August 2005)Google Scholar
  28. [Per05]
    Percival, C.: Cache missing for fun and profit. In: BSDCan 2005 (2005),
  29. [SLFP04]
    Schramm, K., Leander, G., Felke, P., Paar, C.: A collision attack on AES: Combining side channel and differential attack. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 163–175. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  30. [SWP03]
    Schramm, K., Wollinger, T.J., Paar, C.: A new class of collision attacks and its application to DES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 206–222. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  31. [TSS+03]
    Tsunoo, Y., Saito, T., Suzaki, T., Shigeri, M., Miyauchi, H.: Cryptanalysis of DES implemented on computers with cache. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 62–76. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  32. [TTMM02]
    Tsunoo, Y., Tsujihara, E., Minematsu, K., Miyauchi, H.: Cryptanalysis of block ciphers implemented on computers with cache. In: International Symposium on Information Theory and Applications 2002, pp. 803–806 (2002)Google Scholar
  33. [TTS+06]
    Tsunoo, Y., Tsujihara, E., Shigeri, M., Kubo, H., Minematsu, K.: Improving cache attacks by considering cipher structure. International Journal of Information Security (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Joseph Bonneau
    • 1
  • Ilya Mironov
    • 2
  1. 1.Computer Science DepartmentStanford University 
  2. 2.Microsoft Research, Silicon Valley Campus 

Personalised recommendations