Cache Attacks and Countermeasures: the Case of AES
- Topics in Cryptology - CT-RSA 2006, The Cryptographers’ Track at the RSA Conference 2006, 2005
Cited by 55 (5 self)
We describe several software side-channel attacks based on inter-process leakage through the state of the CPU's memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization. Some of our methods require only the ability to trigger services that perform encryption or MAC using the unknown key, such as encrypted disk partitions or secure network links. Moreover, we demonstrate an extremely strong type of attack, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache.
Cache-collision timing attacks against AES
- in Proc. Cryptographic Hardware and Embedded Systems (CHES) 2006, Lecture Notes in Computer Science, 2006
Cited by 21 (0 self)
This paper describes several novel timing attacks against the common table-driven software implementation of the AES cipher. We define a general attack strategy using a simplified model of the cache to predict timing variation due to cache-collisions in the sequence of lookups performed by the encryption. The attacks presented should be applicable to most high-speed software AES implementations and computing platforms; we have implemented them against OpenSSL v. 0.9.8(a) running on Pentium III, Pentium IV Xeon, and UltraSPARC III+ machines. The most powerful attack has been shown under optimal conditions to reliably recover a full 128-bit AES key with 2^13 timing samples, an improvement of almost four orders of magnitude over the best previously published attacks of this type [Ber05]. While the task of defending AES against all timing attacks is challenging, a small patch can significantly reduce the vulnerability to these specific attacks with no performance penalty.
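The first-round cache-collision attack summarised above can be reproduced against a simplified cache model. The block below is an added example, not code from the paper or from OpenSSL: it assumes T-tables with 4-byte entries and 64-byte cache lines (so lookup index x touches line x >> 4), that all table lines are evicted before each encryption, a constant miss penalty and Gaussian jitter (MISS_PENALTY, NOISE_SD and the FIPS-197 sample key are assumptions of this example). Lookups i and j with i % 4 == j % 4 read the same T-table, and in round 1 the index for byte i is p[i] ^ k[i], so the two lookups share a line (one miss saved) exactly when (p[i] ^ p[j]) >> 4 == (k[i] ^ k[j]) >> 4. Binning timings on (p[i] ^ p[j]) >> 4 and taking the fastest bin therefore recovers the XOR of the high nibbles of every key-byte pair within a table group; the rest of the key needs later-round analysis or search, which this block does not attempt.

```python
# Added example (not code from the paper): first-round cache-collision timing
# attack on table-driven AES under a simplified cache model.
import random
from statistics import mean

LINE_SHIFT = 4          # 16 four-byte T-table entries per 64-byte line (assumption)
MISS_PENALTY = 40.0     # cycles charged per distinct line pulled in (assumption)
NOISE_SD = 30.0         # Gaussian jitter added to every measurement (assumption)


def encryption_time(key, pt, rng):
    """Victim side: timing model for round 1 only. Each T-table starts
    evicted, so the round costs one miss per distinct line touched in each
    table; lookups i and j with i % 4 == j % 4 share a table and save a
    miss when (pt[i]^key[i]) >> 4 == (pt[j]^key[j]) >> 4."""
    misses = 0
    for t in range(4):
        misses += len({(pt[i] ^ key[i]) >> LINE_SHIFT for i in range(t, 16, 4)})
    return 1000.0 + MISS_PENALTY * misses + rng.gauss(0.0, NOISE_SD)


def collect_samples(key, n_samples, seed=7):
    """Attacker side: known random plaintexts paired with measured times."""
    rng = random.Random(seed)
    out = []
    for _ in range(n_samples):
        pt = bytes(rng.randrange(256) for _ in range(16))
        out.append((pt, encryption_time(key, pt, rng)))
    return out


def recover_nibble_xors(samples):
    """For every pair (i, j) that shares a T-table, bin the timings by
    (pt[i] ^ pt[j]) >> 4 and return the fastest bin: the bin in which the
    two lookups always collide, i.e. (k_i ^ k_j) >> 4."""
    relations = {}
    for i in range(16):
        for j in range(i + 4, 16, 4):
            bins = [[] for _ in range(16)]
            for pt, t in samples:
                bins[(pt[i] ^ pt[j]) >> LINE_SHIFT].append(t)
            relations[(i, j)] = min(range(16), key=lambda b: mean(bins[b]))
    return relations


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
    rel = recover_nibble_xors(collect_samples(key, 1 << 13))  # 2^13 timing samples
    wrong = sum(v != (key[i] ^ key[j]) >> 4 for (i, j), v in rel.items())
    print(f"{len(rel)} high-nibble XOR relations recovered, {wrong} wrong")
```

With 2^13 samples each of the 16 bins holds about 512 timings, so the roughly 0.9 missed lines (about 35 cycles here) separating the colliding bin from the others is far above the few cycles of noise left in a bin mean; the same binning works on real measurements once the jitter is averaged down, which is where the sample counts in the abstract come from.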
Cache Attacks and Countermeasures: the Case of AES (Extended Version)
Cited by 2 (0 self)
We describe several software side-channel attacks based on inter-process leakage through the state of the CPU’s memory cache. This leakage reveals memory access patterns, which can be used for cryptanalysis of cryptographic primitives that employ data-dependent table lookups. The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization. Some of our methods require only the ability to trigger services that perform encryption or MAC using the unknown key, such as encrypted disk partitions or secure network links. Moreover, we demonstrate an extremely strong type of attack, which requires knowledge of neither the specific plaintexts nor ciphertexts, and works by merely monitoring the effect of the cryptographic process on the cache. We discuss in detail several such attacks on AES, and experimentally demonstrate their applicability to real systems, such as OpenSSL and Linux’s dm-crypt encrypted partitions (in the latter case, the full key can be recovered after just 800 writes to the partition, taking 65 milliseconds). Finally, we describe several countermeasures which can be used to mitigate such attacks.
Robust Final-Round Cache-Trace Attacks against AES
Cited by 1 (0 self)
This paper describes an algorithm to attack AES using side-channel information from the final round cache lookups performed by the encryption, specifically whether each access hits or misses in the cache, building off of previous work by Acıiçmez and Koç [AK06]. It is assumed that an attacker could gain such a trace through power consumption analysis or electromagnetic analysis. This information has already been shown to lead to an effective attack. This paper interprets cache trace data available as binary constraints on pairs of key bytes then reduces key search to a constraint-satisfaction problem. In this way, an attacker is guaranteed to perform as little search as is possible given a set of cache traces, leading to a natural tradeoff between online collection and offline processing. This paper also differs from previous work in assuming a partially pre-loaded cache, proving that cache trace attacks are still effective in this scenario with the number of samples required being inversely related to the percentage of cache which is pre-loaded.
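The reduction of hit/miss traces to binary constraints on key-byte pairs, and why a partially pre-loaded cache only raises the sample count, can be shown on a simplified model. The block below is an added example, not the paper's algorithm or code. It assumes the final round reads a 4-byte-entry S-box table (1 KiB, 64-byte lines, index x touches line x >> 4) in ciphertext-byte order, so c[j] = S[x_j] ^ k[j] for the last round key k and x_j = Sinv[c[j] ^ k[j]]. A miss at lookup j proves that no earlier lookup i < j touched line(x_j), which is a binary constraint on (k_i, k_j) that rules out the 1/16 of all 65536 candidate pairs predicting a shared line. Hits are left unused, because once lines may be pre-loaded a hit no longer implies a collision; only the miss-derived inequalities survive, which is what makes the required number of samples grow with the pre-loaded fraction. The last-round key bytes and the positions examined are constructed for this example, and the full constraint-satisfaction search over hit disjunctions described by the paper is not reproduced here.

```python
# Added example (not code from the paper): miss-only binary constraints from a
# final-round cache trace, solved per key-byte pair by bitset elimination.
import random


def aes_sbox():
    """Build the AES S-box: multiplicative inverse in GF(2^8) followed by the
    affine map. p runs through the powers of 3 and q tracks its inverse."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09                                           # q /= 3
        rot = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = aes_sbox()
SINV = [0] * 256
for _x, _y in enumerate(SBOX):
    SINV[_y] = _x

LINE_SHIFT = 4                  # 4-byte table entries, 64-byte lines: 16 lines (assumption)
NLINES = 256 >> LINE_SHIFT
ALL = (1 << 256) - 1            # bit b set: k_j = b still possible


def final_round_trace(key, state, preload, rng):
    """Victim side. `state` is the 16-byte input to the final SubBytes and
    `key` the last round key; returns the ciphertext and one miss flag per
    lookup. A random `preload` fraction of the table's lines is already
    cached before the round starts (the paper's partially pre-loaded cache)."""
    cached = {line for line in range(NLINES) if rng.random() < preload}
    ct = bytearray(16)
    miss = []
    for j in range(16):
        line = state[j] >> LINE_SHIFT
        miss.append(line not in cached)
        cached.add(line)
        ct[j] = SBOX[state[j]] ^ key[j]
    return bytes(ct), miss


def apply_miss_constraint(allowed, ci, cj):
    """allowed[a] is a 256-bit mask over the k_j values compatible with
    k_i = a. A miss at lookup j rules out every (a, b) under which lookups
    i and j would have touched the same line, since j would then have hit."""
    line_mask = [0] * NLINES
    for b in range(256):
        line_mask[SINV[cj ^ b] >> LINE_SHIFT] |= 1 << b
    for a in range(256):
        allowed[a] &= ~line_mask[SINV[ci ^ a] >> LINE_SHIFT]


def recover_pairs(key, positions, n_samples, preload, seed=3):
    """Collect traces and propagate miss constraints for every pair of
    ciphertext positions in `positions`. Returns the surviving (k_i, k_j)
    candidates per pair and the number of miss constraints applied."""
    rng = random.Random(seed)
    pairs = [(i, j) for i in positions for j in positions if i < j]
    allowed = {pair: [ALL] * 256 for pair in pairs}
    used = 0
    for _ in range(n_samples):
        state = bytes(rng.randrange(256) for _ in range(16))
        ct, miss = final_round_trace(key, state, preload, rng)
        for i, j in pairs:
            if miss[j]:         # hits are ambiguous once lines may be pre-loaded
                apply_miss_constraint(allowed[(i, j)], ct[i], ct[j])
                used += 1
    survivors = {}
    for pair, masks in allowed.items():
        survivors[pair] = [(a, b) for a in range(256) if masks[a]
                           for b in range(256) if masks[a] >> b & 1]
    return survivors, used


if __name__ == "__main__":
    last_round_key = bytes.fromhex("d014f9a8c9ee2589e13f0cc8b6630ca6")  # constructed
    for preload in (0.0, 0.5):
        survivors, used = recover_pairs(last_round_key, range(4), 1000, preload)
        unique = all(s == [(last_round_key[i], last_round_key[j])]
                     for (i, j), s in survivors.items())
        print(f"preload {preload:.1f}: {used} miss constraints, every pair unique: {unique}")
```

Each miss eliminates about one sixteenth of the remaining (k_i, k_j) pairs, so a few hundred misses per pair leave only the true pair; with half the lines pre-loaded roughly half as many lookups miss, and the same number of constraints needs about twice the traces, which is the inverse relation the abstract states. Because the constraints fix the key bytes themselves rather than XORs between them (the S-box inverse is non-linear), the pairwise survivors can be intersected directly.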
Comments on NIST Draft Requirements and Criteria for Hash Algorithm, 2007
acceptability requirements, submission requirements, and evaluation criteria for candidate algorithms to the revised secure hash standard, and solicited comments upon this draft [6]. We strongly concur with the need for a revised standard, and find the proposed competition-based methodology to be a sound and effective means for the standardization process to reflect and advance the state of the art. Addressing the details and scope of the draft, we wish to submit the following comments for consideration. Henceforth, Requirement shall refer to an item of the Proposed Draft Submission Requirements, and Criterion shall refer to an item of the Proposed Draft Evaluation Criteria of Candidate Algorithms.

1 Keyed modes of operation

The present draft addresses only the basic hash function functionality. However, hash functions are often used to obtain strongly related functionality, most notably:
• Message Authentication Codes (MAC)
• Pseudorandom Functions (PRF)
• Extractors (motivated, e.g., by key derivation [8][4])
Henceforth we shall refer to the above as keyed modes. The prevalence of such use justifies consideration during the submission and evaluation process. In particular, the choice of hash algorithm should be affected by the performance and plausible security of keyed modes based

