Highly Accurate Key Extraction Method for Access-Driven Cache Attacks Using Correlation Coefficient

  • Junko Takahashi
  • Toshinori Fukunaga
  • Kazumaro Aoki
  • Hitoshi Fuji
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7959)


This paper proposes a new, highly accurate key extraction method for access-driven cache attacks (CAs). We show that a mathematical correlation method can be used to evaluate access-driven CAs quantitatively. To the best of our knowledge, this is the first study on CAs that clarifies precisely and mathematically the key candidate space based on memory allocation, and that analyzes quantitatively how the correlation values change with the number of plaintexts. We show the empirical improvement of the proposed method on real processors. We correctly examine the correlation between the access timing data and the key within a few minutes, even in a noisy environment. Based on the proposed method, we show the key candidate space with a mathematical proof, and we find the relationship between the correlation values and the number of plaintexts, which is needed to examine the number of plaintexts required for a successful attack.


Keywords: Side-Channel Attacks, Cache Attacks, Access-Driven Cache Attacks, Block Ciphers, AES, Software Implementation





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Junko Takahashi (1)
  • Toshinori Fukunaga (2)
  • Kazumaro Aoki (1)
  • Hitoshi Fuji (1)

  1. NTT Secure Platform Laboratories, Musashino-shi, Japan
  2. NTT Technology Planning Department, Chiyoda-ku, Japan
