A Cache Timing Analysis of HC-256

Abstract: Abstract. In this paper, we describe a cache-timing attack against the stream cipher HC-256, which is the strong version of eStream winner HC-128. The attack is based on an abstract model of cache timing attacks that can also be used for designing stream ciphers. From the observations made in our analysis, we derive a number of design principles for hardening ciphers against cache timing attacks.

“…This technique is known as Prime+Probe [18]. Cache timing attacks have been successfully mounted on several ciphers, notably the AES [4,18,26,14].…”

“…An asynchronous cache adversary, on the other hand, is able to make cache measurements in parallel to the execution of the routine. She is able to obtain a list of all cache accesses made in chronological order [26]. Here, there are different viewpoints on the resources available to the adversary.…”

“…According to Osvik et al, the adversary has only the distribution of the plaintext/ciphertext and not sample values [18]. Zenner differs in [26] where he argues that the adversary can (partially) control input/output data and observe cache behaviour. Asynchronous attacks are particularly effective on processors with simultaneous multithreading.…”

“…In [26], Zenner makes a mention of a sidechannel oracle ACT KEYSETUP() that provides an asynchronous cache adversary a list of all cache accesses made by KEYSETUP(), the key setup algorithm of HC-256, in chronological order. Similarly, we introduce an oracle ACT Algorithm-3() that provides the adversary with a chronologically ordered list of all cache accesses made by Algorithm 3.…”

“…Similarly, we introduce an oracle ACT Algorithm-3() that provides the adversary with a chronologically ordered list of all cache accesses made by Algorithm 3. Zenner does not mention in [26] whether or not such an ordered list normally contains the time instants of the cache accesses as well. We assume that the instants are contained in the list.…”

The Stream Cipher Core of the 3GPP Encryption Standard 128-EEA3: Timing Attacks and Countermeasures

“…This technique is known as Prime+Probe [18]. Cache timing attacks have been successfully mounted on several ciphers, notably the AES [4,18,26,14].…”

“…An asynchronous cache adversary, on the other hand, is able to make cache measurements in parallel to the execution of the routine. She is able to obtain a list of all cache accesses made in chronological order [26]. Here, there are different viewpoints on the resources available to the adversary.…”

“…According to Osvik et al, the adversary has only the distribution of the plaintext/ciphertext and not sample values [18]. Zenner differs in [26] where he argues that the adversary can (partially) control input/output data and observe cache behaviour. Asynchronous attacks are particularly effective on processors with simultaneous multithreading.…”

“…In [26], Zenner makes a mention of a sidechannel oracle ACT KEYSETUP() that provides an asynchronous cache adversary a list of all cache accesses made by KEYSETUP(), the key setup algorithm of HC-256, in chronological order. Similarly, we introduce an oracle ACT Algorithm-3() that provides the adversary with a chronologically ordered list of all cache accesses made by Algorithm 3.…”

“…Similarly, we introduce an oracle ACT Algorithm-3() that provides the adversary with a chronologically ordered list of all cache accesses made by Algorithm 3. Zenner does not mention in [26] whether or not such an ordered list normally contains the time instants of the cache accesses as well. We assume that the instants are contained in the list.…”

The Stream Cipher Core of the 3GPP Encryption Standard 128-EEA3: Timing Attacks and Countermeasures

Principles of Secure Processor Architecture Design

Combined Cache Timing Attacks and Template Attacks on Stream Cipher MUGI