a cache timing analysis of hc 256
play

A Cache Timing Analysis of HC-256 Erik Zenner Technical University - PowerPoint PPT Presentation

Jan 17, 2023 •43 likes •293 views

A Cache Timing Analysis of HC-256 Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk SAC 2008, Aug. 14, 2008 Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 1 / 25

  1. A Cache Timing Analysis of HC-256 Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk SAC 2008, Aug. 14, 2008 Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 1 / 25

  2. Cache Timing Attacks 1 Our Attack Model 2 Attacking HC-256 3 Conclusions 4 Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 2 / 25

  3. Cache Timing Attacks Outline Cache Timing Attacks 1 Our Attack Model 2 Attacking HC-256 3 Conclusions 4 Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 3 / 25

  4. Cache Timing Attacks Memory Hierarchy (Simplified) In a modern computer, different types of memory are used (simplified): While CPU registers, RAM, and hard disk are protected against other users on the same machine, the cache is not. Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 4 / 25

  5. Cache Timing Attacks Cache Workings (Simplified) Working principle: Let n be the cache size. When data from RAM address a is requested by the CPU: Check whether requested data is at cache address ( a mod n ). If not, load data into cache address ( a mod n ). Load data item directly from cache. ⇒ Next time data from address a can be loaded faster. Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 5 / 25

  6. Cache Timing Attacks Cache Eviction (Simplified) Problem: Cache is much smaller than RAM. Consequence: Many RAM entries compete for the same place in cache. Handling: New data overwrites old data (First in, first out). Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 6 / 25

  7. Cache Timing Attacks Sample Attack Setting Starting point: Reading data is faster if it is in cache (cache hit), and slower if it has to be loaded (cache miss). Sample attack (prime-then-probe): Imagine Eve and Alice sharing a CPU. If Eve knows that Alice is about to encrypt, she can proceed as follows: 1 Eve fills all of the cache with her own data, then stops working. 2 Alice does her encryption. 3 Eve measures loading times to find out which of her entries have been pushed out of the cache. This way, Eve learns which cache addresses have been used by Alice. Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 7 / 25

  8. Cache Timing Attacks Practical Difficulties For didactical reasons, we worked with a simplified cache model. Real-world complexities include: Cache data is not organised in bytes, but in blocks. ⇒ We do not learn the exact index, but only some index bits. Other processes (e.g. system processes) use the cache, too. ⇒ We can not tell “encryption” cache accesses apart from others. Timing noise disturbs the measurement. ⇒ Not all slow timings are due to cache misses. Cache hierarchy is more complex. ⇒ Several layers of cache, several cache blocks for each memory block. Nonetheless, as it turns out, these difficulties can be overcome in practice (Bernstein 2005, Osvik/Shamir/Tromer 2005, Bonneau/Mironov 2006). Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 8 / 25

  9. Our Attack Model Outline Cache Timing Attacks 1 Our Attack Model 2 Attacking HC-256 3 Conclusions 4 Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 9 / 25

  10. Our Attack Model Standard Adversary Standard Oracles: In standard analysis of stream ciphers, the adversary has access to the fol- lowing oracles: KeySetup : Sets up a new cipher instance. Does not return any output. IVSetup( N ) : Resets the cipher instance with initialisation vector N , as chosen by the adversary. Does not return any output. Keystream( i ) : Returns the keystream block i . Note: These oracles overestimate the abilities of a real-world adversary, but they are widely used for analysing stream ciphers. We want to define additional oracles for a cache-timing adversary that are equally universal. Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 10 / 25

  11. Our Attack Model Synchronous Cache Adversary Motivation: Abstract away technical details of the cache timing attacks. Available Oracles: A synchronous cache adversary (SCA) has access to the following additional oracles: SCA KeySetup : Returns an accurate list of the cache blocks accessed while running KeySetup . SCA IVSetup( N ) : Returns an accurate list of the cache blocks accessed while running IVSetup( N ) . SCA Keystream( i ) : Returns an accurate list of the cache blocks accessed while running Keystream( i ) . Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 11 / 25

  12. Our Attack Model Discussion Criticism: This model is rather generous towards the adversary. In the real world, he may not be able to observe every encryption operation, get a precise list of cache block accesses, choose the IV, or observe the keystream. ⇒ Attacks in this model are not necessarily attacks in the real world. Justification: The model is meant for use in cipher design . Designers must not rely on things that the adversary might not be able to do! ⇒ The cache adversary model has to be generous towards the adversary. Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 12 / 25

  13. Attacking HC-256 Outline Cache Timing Attacks 1 Our Attack Model 2 Attacking HC-256 3 Conclusions 4 Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 13 / 25

  14. Attacking HC-256 About HC-256 Stream cipher (FSE 2004), eStream software finalist. Key/IV: 256 bit each. Inner State: Two tables, 1024 · 32 bit each. ⇒ 65 , 536 bits of inner state. One Round: Update one of the tables. Produce 32 bit of output. Performance: Designed for software. Slow key/IV setup (due to table initialisation). Fast keystream generation. Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 14 / 25

  15. Attacking HC-256 Sketch of the Attack The adversary uses the following oracles: 2048 calls to Keystream( i ) . 6148 calls to SCA Keystream( i ) . Then he uses three layers of guess-and-verify to determine the inner state: 1 Determine the block access ordering. 2 Guess-and-eliminate step. 3 Guess-and-determine step. We assume a textbook implementation of the cipher: One call to Keystream( i ) gives 32 output bits. This excludes the optimised eStream implementation (512 output bits). Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 15 / 25

  16. Attacking HC-256 Step 1: Block Access Ordering Adversary makes 6148 calls to SCA Keystream( i ) and maps the resulting observations to inner state bits. Problem: How to map cache accesses to state variables? Each oracle call: 5 cache accesses, e.g.: 001011 xxxx , 011100 xxxx , 010011 xxxx , 101101 xxxx , 111110 xxxx How to assign them to internal state variables? E.g.: (00 || P (7 .. 0) ), (01 || P (15 .. 8) ), (10 || P (23 .. 16) ), (11 || P (31 .. 24) ), ( P 22 ⊕ P − 998 ) (9 .. 0) 13 13 13 13 Solution: Simple internal consistency test works with high probability! End of step 1: For almost all inner state words, we know all upper half-bytes. ⇒ 2 16 candidates for each inner state word. Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 16 / 25

  17. Attacking HC-256 Step 2: Guess-and-Eliminate Step (1) Adversary makes 2048 calls to Keystream( i ) and uses an internal equation to further reduce the number of candidates. Problem: Carry bits complicate the equation. Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 17 / 25

  18. Attacking HC-256 Step 2: Guess-and-Eliminate Step (2) Solution: Guess the carry bits, too. End of step 2: 2 8 remaining candidates for each inner state word. ⇒ Store in a table (size ≈ 3 MByte). Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 18 / 25

  19. Attacking HC-256 Step 3: Guess-and-Determine Step Adversary uses guess-and-determine strategy with a different equation to determine the rest of the inner state. Problems: Many bits (48) have to be guessed before verification becomes possible. Too few verification bits (32) available. Solution: Guesses start to overlap. Search tree grows slower than in the beginning, then starts shrinking. Maximum tree width: 2 64 guesses. End of step 3: Full inner state for one point in time has been recovered. Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 19 / 25

  20. Attacking HC-256 The Attack in a Nutshell Requirements: 6148 precise cache timing measurements. 2 16 known plaintext bits. Computational effort corresponding to testing ≈ 2 55 keys. ≈ 3 MByte of memory. Result: Reconstruction of full inner state. Allows to create arbitrary output bits. Also allows to reconstruct the key. Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 20 / 25

  21. Conclusions Outline Cache Timing Attacks 1 Our Attack Model 2 Attacking HC-256 3 Conclusions 4 Erik Zenner (DTU-MAT) A Cache Timing Analysis of HC-256 SAC 2008, Aug. 14, 2008 21 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mitigating Software Instrumentation Cache Effects in Measurement-Based Timing Analysis 1 Enrique

Mitigating Software Instrumentation Cache Effects in Measurement-Based Timing Analysis 1 Enrique

Mitigating Software Instrumentation Cache Effects in Measurement-Based Timing Analysis 1 Enrique Daz 1,2 , Jaume Abella 2 , Enrico Mezzetti 2 , 4 Irune Agirre 3 , Mikel Azkarate-Askasua 3 , 2 Tullio Vardanega 4 , Francisco J. Cazorla 2,5 5 3

545 views • 25 slides
CANAL: A Cache Timing Analysis Framework via LLVM Transformation Chungha Sung | Brandon Paulsen |

CANAL: A Cache Timing Analysis Framework via LLVM Transformation Chungha Sung | Brandon Paulsen |

ASE 2018 CANAL: A Cache Timing Analysis Framework via LLVM Transformation Chungha Sung | Brandon Paulsen | Chao Wang Software verification & analysis Checking Functional Model properties Checking Ex) Abstract assert(x > 1);

638 views • 24 slides
Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l.

Cache-Timing Attacks Matteo BOCCHI System Research & Applications STMicroelectronics S.r.l. 2018/12/06 Agenda 2 STM32 Nucleo Boards STM32 Firewall Cache-Timing Attack Evict&Time vs. MbedTLS AES on STM32

477 views • 20 slides
Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie Xiong and Jakub Szefer Yale University HASP June 2, 2018 Memory System Cache Memory CPU Typical set-associative cache sets ways cache

640 views • 25 slides
1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

1 Classifying cache misses Cache Organization Classifying misses by causes (3Cs) Cache size,

Cache Performance Metrics Cache miss rate: number of cache misses divided by number of accesses Lecture 14: Hardware Approaches for Cache Optimizations Cache hit time: the time between sending address and data returning from cache Cache

608 views • 4 slides
EECS 388: Embedded Systems 10. Timing Analysis Heechul Yun 1 Agenda Execution time analysis

EECS 388: Embedded Systems 10. Timing Analysis Heechul Yun 1 Agenda Execution time analysis

EECS 388: Embedded Systems 10. Timing Analysis Heechul Yun 1 Agenda Execution time analysis Static timing analysis Measurement based timing analysis 2 Execution Time Analysis Will my brake-by-wire system actuate the brakes

1.31k views • 37 slides
CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded Systems (CHES) 2019 Alejandro Cabrera Aldaya 1 , Cesar Pereida Garca 2 , Luis Manuel Alvarez Tapia 1 , Billy Bob Brumley 2 , {aldaya,

371 views • 21 slides
Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This paper reports successful Thanks to: extraction of a complete AES key University of Illinois at Chicago from a network server NSF CCR9983950 on

1.28k views • 91 slides
Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency

Web Cache Consistency Web Cache Consistency Web Cache Consistency Web Cache Consistency Requirements of performance, availability, and disconnected operation require us to relax the goal of semantic transparency. - HTTP 1.1 specification

598 views • 13 slides
Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups

Introduction to Digital VLSI Logic Synthesis Timing Analysis Timing Path Groups and Types Timing paths are grouped into path groups according to the clock associated with the endpoint of the path. There is a default path group that

540 views • 18 slides
Plan Hierarchical memories and their impact on our programs 1 Cache Memories, Cache Complexity

Plan Hierarchical memories and their impact on our programs 1 Cache Memories, Cache Complexity

Plan Hierarchical memories and their impact on our programs 1 Cache Memories, Cache Complexity Cache Analysis in Practice 2 Marc Moreno Maza The Ideal-Cache Model 3 University of Western Ontario, London, Ontario (Canada) Cache Complexity

632 views • 25 slides
A Compact and Accurate Timing Macro Model for Efficient Hierarchical Timing Analysis Pei-Yu Lee ,

A Compact and Accurate Timing Macro Model for Efficient Hierarchical Timing Analysis Pei-Yu Lee ,

A Compact and Accurate Timing Macro Model for Efficient Hierarchical Timing Analysis Pei-Yu Lee , Iris Hui-Ru Jiang, Ting-You Yang National Chiao Tung University Outline Introduction Problem Formulation Proposed Algorithm

807 views • 36 slides
DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir

DAWG : A Defense Against Cache Timing Attacks in Speculative Execution Processors Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, Joel Emer {vlk, ilebedev, saman, devadas, emer}@csail.mit.edu MICRO'18

949 views • 78 slides
Cache related pre-emption delay aware response time analysis for fixed priority pre-emptive

Cache related pre-emption delay aware response time analysis for fixed priority pre-emptive

Cache related pre-emption delay aware response time analysis for fixed priority pre-emptive systems Sebastian Altmeyer, Robert I. Davis, Claire Maiza RTSS 2011, Vienna 1 Cache Related Pre-emption Delay Useful Cache Blocks Evicting Cache Blocks

644 views • 36 slides
Eliminating cache-based timing attacks with instruction-based scheduling Deian Stefan , Pablo

Eliminating cache-based timing attacks with instruction-based scheduling Deian Stefan , Pablo

Eliminating cache-based timing attacks with instruction-based scheduling Deian Stefan , Pablo Buiras, Edward Z. Yang, Amit Levy, David Terei, Alejandro Russo, and David Mazires Motivation: IFC Web platforms Platforms allow 3rd-party developers

936 views • 61 slides
Cache Memories, Cache Complexity Marc Moreno Maza University of Western Ontario, London, Ontario

Cache Memories, Cache Complexity Marc Moreno Maza University of Western Ontario, London, Ontario

Cache Memories, Cache Complexity Marc Moreno Maza University of Western Ontario, London, Ontario (Canada) CS3101 and CS4402-9635 Plan Hierarchical memories and their impact on our programs Cache Analysis in Practice The Ideal-Cache Model

1.18k views • 100 slides
Live Streaming Board Meetings September 26, 2019 Donna Felezzola, School Business Administrator

Live Streaming Board Meetings September 26, 2019 Donna Felezzola, School Business Administrator

Live Streaming Board Meetings September 26, 2019 Donna Felezzola, School Business Administrator 2 The Process Allows the public to watch the board meetings in real time, or at another time (post meeting) that is more convenient The

347 views • 8 slides
Annual General Meeting CEO Presentation Fredrik Tumegrd May 9, 2017 1 | Annual General

Annual General Meeting CEO Presentation Fredrik Tumegrd May 9, 2017 1 | Annual General

Annual General Meeting CEO Presentation Fredrik Tumegrd May 9, 2017 1 | Annual General Meeting CEO Presentation | Net Insight Market transformation TV 1.0 TV 2.0 TV 3.0 BRINGING PEOPLE TOGETHER 2 | Annual General Meeting CEO

212 views • 20 slides
Introduction to Talent Analytics and Interim View 01 Overview Erich OSaben Talent Analytics

Introduction to Talent Analytics and Interim View 01 Overview Erich OSaben Talent Analytics

NGA.NET Talent Analytics Introduction to Talent Analytics and Interim View 01 Overview Erich OSaben Talent Analytics Consultant The Importance of Talent Analytics Why are Analytics Important? Support organizational

605 views • 12 slides
world-class solutions are created and implemented by world-class people Enetel Solutions Smart

world-class solutions are created and implemented by world-class people Enetel Solutions Smart

Welcome to the house where world-class solutions are created and implemented by world-class people Enetel Solutions Smart business solutions for digital era We truly believe in the transformation power of software solutions and their ability to

438 views • 39 slides
A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd ,

A Timing Attack on Hyperelliptic Curve Cryptosystems Asiacrypt 2003 rump session on Dec. 2 nd , 2003 M.Katagi, I.Kitamura, T.Akishita, and T. Takagi(*) Sony Corporation (*)Technische Universitaet Darmstadt Introduction Optimization of

229 views • 5 slides
Fisc Fiscal al 2015 2015 Th Third ird Quarter Quarter Ea Earning rnings Call Call Pre

Fisc Fiscal al 2015 2015 Th Third ird Quarter Quarter Ea Earning rnings Call Call Pre

Fisc Fiscal al 2015 2015 Th Third ird Quarter Quarter Ea Earning rnings Call Call Pre Presen sentation tation | Fiscal 2015 Third Quarter Earnings Call Presentation | 1 harris.com Forward Forward-looking looking statemen

298 views • 10 slides
Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure Coding Universit degli Studi di Genova December 3rd, 2018 Overview Meltdown breaks memory isolation and allows a process to read the entire

335 views • 18 slides
Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack Summary : The attack was severe and sophisticated; categorized as a catastrophic attack. It was highly strategic with regard to timing

329 views • 16 slides

More recommend