Paper 2018/1002

"S-Box" Implementation of AES is NOT side-channel resistant

C Ashokkumar, Bholanath Roy, M Bhargav Sri Venkatesh, and Bernard L Menezes

Abstract

Several successful cache-based attacks have provided strong impetus for developing side channel resistant software implementations of AES. One of the best-known countermeasures - use of a "minimalist" 256-byte look-up table - has been employed in the latest (assembly language) versions. Software and hardware prefetching and out-of-order execution in modern processors have served to further shrink the attack surface. Despite these odds, we devise and implement two strategies to retrieve the complete AES key. The first uses adaptively chosen plaintext and random plaintext in a 2-round attack. The second strategy employs only about 50 blocks of random plaintext in a novel single round attack. The attack can be extended to spying on table accesses during decryption in a ciphertext-only attack. We also present an analytical model to explain the effect of false positives and false negatives and capture various practical tradeoffs involving number of blocks of plaintext, offline computation time for key retrieval and success probability.
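The countermeasure the abstract says is defeated is a 256-byte look-up table: even that small a table leaves the S-box index recoverable from cache state. The example below (added here; it is not code from the paper or its authors) shows the usual alternative a defender reaches for, computing the S-box algebraically as the GF(2^8) inverse followed by the affine map, so no memory access depends on the secret byte. The function names `gf_mul`, `gf_inv`, `rotl8`, `aes_sbox_ct` and `aes_sbox_is_permutation` are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: a table-free AES S-box. The look-up-table S-box discussed
 * in the abstract leaks its index through cache state; computing the S-box
 * algebraically removes the data-dependent memory access entirely.
 * All helper names below are this example's own, not the paper's. */

/* Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b), using masks
 * instead of branches so the instruction stream does not depend on a or b. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t lsb_mask = (uint8_t)(-(b & 1));   /* 0xff if low bit of b set */
        p ^= a & lsb_mask;
        uint8_t hi_mask = (uint8_t)(-(a >> 7));   /* 0xff if a will overflow */
        a = (uint8_t)((a << 1) ^ (hi_mask & 0x1b));
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse as a^254 (a^255 = 1 for a != 0; 0 maps to 0).
 * The exponent is a compile-time constant, so the branch below depends on
 * the loop counter only, never on the secret byte. */
static uint8_t gf_inv(uint8_t a)
{
    uint8_t result = 1, power = a;
    for (int i = 0; i < 8; i++) {
        if ((254 >> i) & 1)
            result = gf_mul(result, power);
        power = gf_mul(power, power);
    }
    return result;
}

static uint8_t rotl8(uint8_t x, int n)
{
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* AES S-box: affine transform of the field inverse (FIPS-197, section 5.1.1). */
uint8_t aes_sbox_ct(uint8_t x)
{
    uint8_t inv = gf_inv(x);
    return (uint8_t)(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2)
                     ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63);
}

/* Sanity check: the map must be a permutation of the 256 byte values. */
int aes_sbox_is_permutation(void)
{
    uint8_t seen[256] = {0};
    for (int i = 0; i < 256; i++) {
        uint8_t y = aes_sbox_ct((uint8_t)i);
        if (seen[y])
            return 0;
        seen[y] = 1;
    }
    return 1;
}

int main(void)
{
    /* Known-answer values from FIPS-197: S(0x00)=0x63, S(0x01)=0x7c, S(0x53)=0xed */
    printf("S(0x00)=0x%02x S(0x01)=0x%02x S(0x53)=0x%02x\n",
           aes_sbox_ct(0x00), aes_sbox_ct(0x01), aes_sbox_ct(0x53));
    printf("permutation: %s\n", aes_sbox_is_permutation() ? "yes" : "no");
    return 0;
}
```

This form is far slower than a table lookup, which is why production code uses bitsliced implementations or hardware instructions such as AES-NI instead; the point here is only that the cache-visible index of the 256-byte table is not inherent to AES. Masked arithmetic is also only as constant-time as the compiled output, so the generated code should be inspected for branches the compiler may reintroduce.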

Metadata

Available format(s): PDF
Category: Implementation
Publication info: Preprint. MINOR revision.
Keywords: AES, Side-channel, Cache, Lookup table, 2-round attack
Contact author(s): ashokkumar @ cse iitb ac in
History: 2018-10-22: received
Short URL: https://ia.cr/2018/1002
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2018/1002,
      author = {C Ashokkumar and Bholanath Roy and M Bhargav Sri Venkatesh and Bernard L Menezes},
      title = {"S-Box" Implementation of {AES} is {NOT} side-channel resistant},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/1002},
      year = {2018},
      url = {https://eprint.iacr.org/2018/1002}
}