Theoretical Use of Cache Memory as a Cryptanalytic Side-Channel
2002
Cited by 44
We expand on the idea, proposed by Kelsey et al. [14], of cache memory being used as a side-channel which leaks information during the run of a cryptographic algorithm. By using this side-channel, an attacker may be able to reveal or narrow the possible values of secret information held on the target device. We describe an attack which encrypts 2 chosen plaintexts on the target processor in order to collect cache profiles and then performs around 2 computational steps to recover the key. As well as describing and simulating the theoretical attack, we discuss how hardware and algorithmic alterations can be used to defend against such techniques.
Cache-collision timing attacks against AES
In Proc. Cryptographic Hardware and Embedded Systems (CHES) 2006, Lecture Notes in Computer Science
2006
Cited by 21
This paper describes several novel timing attacks against the common table-driven software implementation of the AES cipher. We define a general attack strategy using a simplified model of the cache to predict timing variation due to cache collisions in the sequence of lookups performed by the encryption. The attacks presented should be applicable to most high-speed software AES implementations and computing platforms; we have implemented them against OpenSSL 0.9.8a running on Pentium III, Pentium IV Xeon, and UltraSPARC III+ machines. The most powerful attack has been shown under optimal conditions to reliably recover a full 128-bit AES key with 2^13 timing samples, an improvement of almost four orders of magnitude over the best previously published attacks of this type [Ber05]. While the task of defending AES against all timing attacks is challenging, a small patch can significantly reduce the vulnerability to these specific attacks with no performance penalty.
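The first-round cache-collision attack described in this abstract, as an added simulation (this is not code from the paper). Each first-round lookup reads T[p_i ^ k_i]; under the assumed 64-byte cache lines and 4-byte table entries, two lookups collide when the high nibbles of their indices agree, i.e. high(p_i ^ p_j) == high(k_i ^ k_j). A collision means one line fewer to fetch and so a shorter encryption, so averaging timings per candidate value of high(p_0 ^ p_j) exposes high(k_0 ^ k_j) as the bin with the smallest mean. The cache geometry, the miss cost and the noise level are assumptions of this example.

```python
"""Simulated first-round cache-collision timing attack on table-driven AES.

Added example, not code from the CHES 2006 paper. Assumptions (hypothetical):
one T-table of 256 four-byte entries, 64-byte cache lines (16 entries per line,
so the high nibble of the index selects the line), a cache that holds none of the
table before each encryption, and a timing model in which every cache miss costs
a fixed penalty plus Gaussian noise. Only the 16 first-round lookups are modelled.
"""
import random

LINE_SHIFT = 4          # 16 entries per line -> the high nibble selects the line
MISS_COST = 40.0        # hypothetical cycles per cache miss
NOISE_SD = 25.0         # hypothetical measurement noise (cycles)


def line_of(index: int) -> int:
    return index >> LINE_SHIFT


def simulated_time(plaintext: bytes, key: bytes, rng: random.Random) -> float:
    """Time of one encryption under the model: misses = distinct lines touched."""
    lines = {line_of(p ^ k) for p, k in zip(plaintext, key)}
    return len(lines) * MISS_COST + rng.gauss(0.0, NOISE_SD)


def collect_samples(key: bytes, n: int, rng: random.Random):
    """(plaintext, time) pairs for n random plaintexts encrypted under key."""
    samples = []
    for _ in range(n):
        pt = bytes(rng.randrange(256) for _ in range(16))
        samples.append((pt, simulated_time(pt, key, rng)))
    return samples


def recover_nibble_differences(samples):
    """For each byte j = 1..15, recover the high nibble of k_0 ^ k_j.

    Lookups 0 and j collide iff high(p_0 ^ k_0) == high(p_j ^ k_j), which is
    equivalent to high(p_0 ^ p_j) == high(k_0 ^ k_j). Bucketing the timings by
    high(p_0 ^ p_j), the bucket holding the true key difference is the only one
    that always contains a collision, so it has the smallest mean time.
    """
    result = []
    for j in range(1, 16):
        sums = [0.0] * 16
        counts = [0] * 16
        for pt, t in samples:
            d = (pt[0] ^ pt[j]) >> LINE_SHIFT
            sums[d] += t
            counts[d] += 1
        means = [sums[d] / counts[d] if counts[d] else float("inf") for d in range(16)]
        result.append(min(range(16), key=means.__getitem__))
    return result


def true_nibble_differences(key: bytes):
    return [((key[0] ^ key[j]) >> LINE_SHIFT) for j in range(1, 16)]


def demo(seed: int = 1, n_samples: int = 20000):
    """Run the attack on a random key; returns (all 15 nibbles correct?, guesses)."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    samples = collect_samples(key, n_samples, rng)
    guessed = recover_nibble_differences(samples)
    return guessed == true_nibble_differences(key), guessed


if __name__ == "__main__":
    ok, guessed = demo()
    print("recovered all 15 high-nibble key differences:", ok, guessed)
```

The 15 four-bit relations this recovers are 60 bits of key information; the remaining key bits are the business of the second-round and final-round attacks the abstract mentions, which this example does not implement. On real hardware the per-sample noise is far larger than in this model and the timing signal is a fraction of a miss, which is why the paper needs thousands of samples rather than the handful a noise-free model would suggest.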
Multiplicative Masking and Power Analysis of AES
2003
Cited by 12
The recently proposed multiplicative masking countermeasure against power analysis attacks on AES is interesting as it does not require the costly recomputation and RAM storage of S-boxes for every run of AES. This is important for applications where the available space is very limited, such as smart-card applications. Unfortunately, it is shown here that this method is in fact inherently vulnerable to differential power analysis. However, it is also shown that the multiplicative masking method can be modified so as to provide resistance to differential power analysis of a non-ideal but controllable security level, at the expense of increased computational complexity. Other possible random masking methods are also discussed.
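Why a multiplicative mask is inherently vulnerable, as an added example (not code from the paper): the masked S-box input x * r in GF(2^8) equals 0 for every mask r whenever x = 0, so that intermediate is not randomised at all for the zero value. The simulated device, its Hamming-weight leakage model and the noise level are assumptions of this example; the attack partitions traces by the hypothesis p ^ k = 0 and picks the key guess whose "zero" group leaks markedly less than the rest.

```python
"""Zero-value leakage of multiplicative masking, shown as a simulated DPA.

Added example, not code from the paper. Assumptions (hypothetical): the masked
intermediate is x * r in GF(2^8) with x = p ^ k (first-round S-box input) and a
uniformly random non-zero mask r per encryption; the device leaks the Hamming
weight of that masked byte plus Gaussian noise.
"""
import random


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def hamming_weight(v: int) -> int:
    return bin(v).count("1")


def simulate_traces(key_byte: int, n: int, rng: random.Random, noise_sd: float = 1.0):
    """(plaintext byte, leakage) per encryption under the assumed leakage model."""
    traces = []
    for _ in range(n):
        p = rng.randrange(256)
        r = rng.randrange(1, 256)           # non-zero multiplicative mask
        masked = gf_mul(p ^ key_byte, r)    # x * r: always 0 when x == 0
        traces.append((p, hamming_weight(masked) + rng.gauss(0.0, noise_sd)))
    return traces


def zero_value_dpa(traces):
    """Score per key guess: mean leakage of traces with p ^ guess == 0 minus the rest.

    For the right guess the 'zero' group is the x == 0 traces, whose masked value
    is 0 regardless of r, so the score is strongly negative (about -4 in HW units).
    For a wrong guess x != 0 and x * r ranges uniformly over non-zero bytes,
    so both groups leak the same on average and the score is near 0.
    """
    sums, counts = [0.0] * 256, [0] * 256
    for p, leak in traces:
        sums[p] += leak
        counts[p] += 1
    total, n = sum(sums), len(traces)
    scores = []
    for guess in range(256):
        p = guess                           # the plaintext byte giving x = p ^ guess = 0
        if counts[p] == 0 or counts[p] == n:
            scores.append(0.0)
            continue
        zero_mean = sums[p] / counts[p]
        rest_mean = (total - sums[p]) / (n - counts[p])
        scores.append(zero_mean - rest_mean)
    return scores


def recover_key_byte(traces) -> int:
    scores = zero_value_dpa(traces)
    return min(range(256), key=scores.__getitem__)


def demo(seed: int = 7, n: int = 20000) -> bool:
    """Simulate a random key byte and check that the zero-value DPA recovers it."""
    rng = random.Random(seed)
    key_byte = rng.randrange(256)
    return recover_key_byte(simulate_traces(key_byte, n, rng)) == key_byte


if __name__ == "__main__":
    print("key byte recovered:", demo())
```

The same partition gives no signal against a Boolean mask x ^ r, because x ^ r is uniformly distributed for every x including 0; the abstract's modified multiplicative scheme, which buys back resistance at a computational cost, is not implemented here.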
Techniques of Side Channel Cryptanalysis
University of Waterloo
2001
Cited by 9
The traditional model of cryptography examines the security of cryptographic primitives as mathematical functions. This approach does not account for the physical side effects of using these primitives in the real world. A more realistic model employs the concept of a side channel. A side channel is a source of information that is inherent to a physical implementation of a primitive. Research done in the last half of the 1990s has shown that the information transmitted by side channels, such as execution time, computational faults and power consumption, can be detrimental to the security of ciphers like DES and RSA. This thesis surveys the techniques of side channel cryptanalysis presented in [30], [10], and [31] and shows how side channel information can be used to break implementations of DES and RSA. Some specific techniques covered include the timing attack, differential fault analysis, simple power analysis and differential power analysis. Possible defenses against each of these side channel attacks are also discussed.
A Simple Power-Analysis (SPA) attack on implementations of the AES key expansion
ICISC 2002, LNCS 2587
2002
Cited by 8
This article presents a simple power-analysis (SPA) attack on implementations of the AES key expansion. The attack reveals the secret key of AES software implementations on smart cards by exploiting the fact that the power consumption of most smart-card processors leaks information during the AES key expansion. The presented attack efficiently utilizes this information leakage to substantially reduce the key space that needs to be considered in a brute-force search for the secret key. The details of the attack are described on the basis of smart cards that leak the Hamming weight of intermediate results occurring during the AES key expansion.
Robust Final-Round Cache-Trace Attacks against AES
Cited by 1
This paper describes an algorithm to attack AES using side-channel information from the final-round cache lookups performed by the encryption, specifically whether each access hits or misses in the cache, building on previous work by Acicmez and Koc [AK06]. It is assumed that an attacker could obtain such a trace through power-consumption analysis or electromagnetic analysis. This information has already been shown to lead to an effective attack. This paper interprets the available cache-trace data as binary constraints on pairs of key bytes and then reduces the key search to a constraint-satisfaction problem. In this way an attacker is guaranteed to perform as little search as possible given a set of cache traces, leading to a natural tradeoff between online collection and offline processing. This paper also differs from previous work in assuming a partially pre-loaded cache, proving that cache-trace attacks are still effective in this scenario, with the number of samples required being inversely related to the percentage of the cache which is pre-loaded.
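The constraint-satisfaction view of the final round, as an added example (not the paper's own code). In the last round the S-box lookup for ciphertext byte c_i is indexed by S^-1(c_i ^ k_i), so a hit/miss bit for that lookup relates the cache line of one key-byte candidate to the lines of the earlier lookups; the example keeps, for every pair (j, i), a 256 x 256 table of still-consistent (k_j, k_i) values as bitmasks and prunes it with each trace. Only misses are used, because a miss on lookup i proves that no earlier lookup touched its line whatever the cache held beforehand, whereas with a partially pre-loaded cache a hit may be an artefact of the pre-loading. The table geometry, the random pre-loading and the trace model are assumptions of this example.

```python
"""Final-round cache-trace attack on AES as pairwise key-byte constraints.

Added example (not the paper's own code). Assumptions, all hypothetical: the
last round reads a 256-entry S-box table with 16 entries per cache line, so the
lookup for ciphertext byte c_i touches line (S^-1(c_i ^ k_i)) >> 4; a random
fraction of the 16 lines is already cached before each encryption; the trace
gives one hit/miss bit per lookup. Only misses become constraints: a miss on
lookup i proves no earlier lookup j < i used its line, whatever was pre-loaded.
"""
import random

SBOX = [
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
    0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
    0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
    0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
    0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
    0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
]
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

LINE_SHIFT = 4                      # 16 S-box entries per cache line (assumed)
ALL_KEYS = (1 << 256) - 1           # bitmask: every key-byte value still possible


def line_of(c: int, k: int) -> int:
    """Cache line touched by the final-round lookup for ciphertext byte c, key byte k."""
    return INV_SBOX[c ^ k] >> LINE_SHIFT


def cache_trace(ct: bytes, k10: bytes, preloaded) -> list:
    """Hit/miss per lookup: hit if the line was pre-loaded or used by an earlier lookup."""
    seen, hits = set(preloaded), []
    for c, k in zip(ct, k10):
        line = line_of(c, k)
        hits.append(line in seen)
        seen.add(line)
    return hits


class PairConstraints:
    """cand[(j, i)][kj] is a 256-bit mask of values of k_i still consistent with k_j."""

    def __init__(self):
        self.cand = {(j, i): [ALL_KEYS] * 256 for j in range(16) for i in range(j + 1, 16)}

    def add(self, ct: bytes, hits: list) -> None:
        # masks[i][line]: key bytes k_i whose lookup would land in `line` for this ct
        masks = []
        for c in ct:
            m = [0] * 16
            for k in range(256):
                m[line_of(c, k)] |= 1 << k
            masks.append(m)
        for i, hit in enumerate(hits):
            if hit:
                continue            # a hit may come from pre-loading: ignored
            for j in range(i):      # miss: line(x_i) != line(x_j) for every earlier j
                cand = self.cand[(j, i)]
                for kj in range(256):
                    cand[kj] &= ~masks[i][line_of(ct[j], kj)]

    def remaining(self, pair) -> int:
        return sum(bin(m).count("1") for m in self.cand[pair])

    def consistent(self, pair, kj: int, ki: int) -> bool:
        return bool((self.cand[pair][kj] >> ki) & 1)


def demo(seed: int = 3, n_samples: int = 150, preload_fraction: float = 0.25):
    """Returns (do all true key-byte pairs survive?, candidates left for pair (0, 1))."""
    rng = random.Random(seed)
    k10 = bytes(rng.randrange(256) for _ in range(16))
    pc = PairConstraints()
    for _ in range(n_samples):
        ct = bytes(rng.randrange(256) for _ in range(16))
        preloaded = {l for l in range(16) if rng.random() < preload_fraction}
        pc.add(ct, cache_trace(ct, k10, preloaded))
    survive = all(pc.consistent((j, i), k10[j], k10[i]) for (j, i) in pc.cand)
    return survive, pc.remaining((0, 1))


if __name__ == "__main__":
    print("true pairs survive / candidates for (k_0, k_1):", demo())
```

Each miss on lookup i removes roughly one sixteenth of the wrong (k_j, k_i) candidates for every j < i, so the pair (0, 1), whose second lookup misses most often, shrinks from 65536 candidates to well under a hundred after 150 traces at 25 % pre-loading, while later pairs shrink more slowly; raising the pre-loaded fraction lowers the miss rate and so raises the number of traces needed. Turning the per-pair tables into the full key search is the constraint-satisfaction step the abstract describes and is not part of this example.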
A Fetch Resident Split Jump Mechanism for Non-Deterministic Processors
2001
Using non-deterministic execution of cryptographic algorithms has been proposed as an effective defence against differential power analysis (DPA) attacks.
Cryptographic Semantics for the Algebraic Models
1999
MAFTIA's Work-package 6 is pursuing the overall goal of "rigorously defining the basic concepts developed by MAFTIA, and verifying results of the work on dependable middle-ware." In the former MAFTIA deliverable D4, we presented a general rigorous model for the security of reactive systems. This model comprised various types of faults (attacks) and topology as considered in MAFTIA, but was restricted to a synchronous timing model. In this deliverable, we focus on a model variant for asynchronous reactive systems. This variant is highly important for MAFTIA, since several of the major MAFTIA middleware protocols are asynchronous. To illustrate the use of the asynchronous model, a proof of secure message transmission in the asynchronous case is included. We chose this example, which delivers a similar service to the example from D4, to illustrate the analogies as well as the differences between the two variants of the secure reactive systems model. As in the synchronous model, we prove a composition theorem for its asynchronous counterpart, which allows modular proofs in this model. Furthermore, we discuss how to model adaptive corruptions in the presented models.
December 2001 CSTR-01-007
Using non-deterministic execution of cryptographic algorithms has been proposed as an effective defence against differential power analysis (DPA) attacks.
December 2001 CSTR-01-008
Preprint
2002
Differential power analysis (DPA) has become a real-world threat to the security of cryptographic hardware devices such as smart-cards. By using cheap and readily available equipment, attacks can easily compromise algorithms running on these devices in a non-invasive manner. Adding non-determinism to the execution of cryptographic algorithms has been proposed as a defence against these attacks.

