Consecutive S-box Lookups: A Timing Attack on SNOW 3G

  • Billy Bob Brumley
  • Risto M. Hakala
  • Kaisa Nyberg
  • Sampo Sovio
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6476)


We present a cache-timing attack on the SNOW 3G stream cipher. The attack has extremely low complexity and we show it is capable of recovering the full cipher state from empirical timing data in a matter of seconds, requiring no known keystream and only observation of a small number of cipher clocks. The attack exploits the cipher using the output from an S-box as input to another S-box: we show that the corresponding cache-timing data almost uniquely determines said S-box input. We mention other ciphers with similar structure where this attack applies, such as the K2 cipher currently under standardization consideration by ISO. Our results yield new insights into the secure design and implementation of ciphers with respect to side-channels. We also give results of a bit-slice implementation as a countermeasure.


side-channel attacks cache-timing attacks stream ciphers 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Acıiçmez, O., Koç, Ç.K.: Trace-driven cache attacks on AES (short paper). In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 112–121. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Berbain, C., Billet, O., Canteaut, A., Courtois, N., Gilbert, H., Goubin, L., Gouget, A., Granboulan, L., Lauradoux, C., Minier, M., Pornin, T., Sibert, H.: Sosemanuk, a fast software-oriented stream cipher. In: Robshaw, M.J.B., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 98–118. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Biham, E.: A fast new DES implementation in software. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 260–272. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  4. 4.
    Boyar, J., Peralta, R.: A new combinational logic minimization technique with applications to cryptology. In: Festa, P. (ed.) SEA 2010. LNCS, vol. 6049, pp. 178–189. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  5. 5.
    Ekdahl, P., Johansson, T.: A new version of the stream cipher SNOW. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 47–61. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    ETSI/SAGE: Specification of the 3GPP confidentiality and integrity algorithms UEA2 & UIA2. Document 2: SNOW 3G specification. Version 1.1. Tech. rep. (2006),
  7. 7.
    Käsper, E., Schwabe, P.: Faster and timing-attack resistant AES-GCM. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 1–17. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Koç, Ç.K. (ed.): Cryptographic Engineering. Springer, Heidelberg (2009)Google Scholar
  9. 9.
    Kiyomoto, S., Tanaka, T., Sakurai, K.: K2: A stream cipher algorithm using dynamic feedback control. In: Hernando, J., Fernández-Medina, E., Malek, M. (eds.) SECRYPT, pp. 204–213. INSTICC Press (2007)Google Scholar
  10. 10.
    Leander, G., Zenner, E., Hawkes, P.: Cache timing analysis of LFSR-based stream ciphers. In: Parker, M.G. (ed.) Cryptography and Coding. LNCS, vol. 5921, pp. 433–445. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Matsui, M., Nakajima, J.: On the power of bitslice implementation on Intel core2 processor. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 121–134. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  13. 13.
    Paar, C.: Efficient VLSI Architectures for Bit-Parallel Computation in Galois Fields. Ph.D. thesis, Institute for Experimental Mathematics, Universität Essen, Germany (1994)Google Scholar
  14. 14.
    Zenner, E.: A cache timing analysis of HC-256. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 199–213. Springer, Heidelberg (2009)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Billy Bob Brumley
    • 1
  • Risto M. Hakala
    • 1
  • Kaisa Nyberg
    • 1
    • 2
  • Sampo Sovio
    • 2
  1. 1.School of Science and TechnologyAalto UniversityFinland
  2. 2.Nokia Research CenterFinland

Personalised recommendations