
I've been trying to find a solid method to prevent cache timing or other possible side channel attacks on an AES implementation, that uses lookup tables for S-box substitution. I realize that there are methods to eliminate table lookups using techniques like BitSlice AES and also AES NI instruction set. But I'm stuck with a self made implementation that depends on 256 byte S-box lookups. An attacker observing a shared CPU cache can easily observe my patterns of access and hence gain information about the secret keys used.

I've tried various techniques to make table lookup undetectable, but it all seems to have some vulnerabilities, and some of them are performance taxing.

Can I apply any programming hacks to the table, its storage, or the way it is accessed to make cache timing attacks difficult for an attacker, but without losing performance?

So, are there methods to prevent an attacker from learning a table lookup, and make it as difficult for an attacker as brute-forcing AES?

Also, how difficult are practical cache timing attacks/side channel attacks on AES that uses 256-bit keys?

Is AES-128 more vulnerable to side channel attacks than AES-192 or AES-256?

Any help and advice will be greatly appreciated!

Aravind A
    Have you considered calculating the inversion on the transform instead of using lookup tables? – b degnan May 21 '20 at 01:32
  • https://crypto.stackexchange.com/questions/44828/how-would-a-side-channel-attack-be-carried-out-in-a-real-life-situation/44840#44840 https://crypto.stackexchange.com/questions/53528/why-dont-table-lookups-run-in-constant-time/53627#53627 – b degnan May 21 '20 at 11:55
  • @bdegnan Thank you for the reply! Yes, I have considered taking the inverse of the elements in $GF(2^{8})$ and then performing the affine transformation. But this slowed down my implementation drastically. Reading the full table for every lookup also took a toll on my performance... Are there other methods to mitigate attacks? I've implemented the Galois field multiplications, thereby eliminating the T-tables used in most AES implementations. But calculating the S-box on demand is very computationally expensive! :) Thank you in advance! Any help will be appreciated! – Aravind A May 21 '20 at 19:21
  • Hardware is faster than a lookup table, a lookup table is faster than explicit calculation. If you want a side-channel robust implementation, you are stuck with explicit calculation from what I can tell from what you've described. BTW, even AES-NI is susceptible to power attacks as it's not dual rail encoded. – b degnan May 22 '20 at 00:23
  • @bdegnan I never knew of AES-NI's vulnerability to power analysis. By the way, can you please tell me some of the fastest methods to calculate the multiplicative inverse of elements in the AES field... The algorithm that I used was modular exponentiation of the input to the power 254, where the modulus is the AES magic polynomial 0x11b. I don't know how to implement the extended Euclidean algorithm for the AES field, but Googling gave me code to test that; still, the performance gain that I gained was not as expected! :) Are there other techniques for calculating the inverse? – Aravind A May 22 '20 at 01:23
  • You can implement it completely with XOR instructions: https://github.com/bpdegnan/aes/blob/master/aes-sbox/documentation/aessbox.pdf If you stop the clock and have JTAG, I can pretty much get data out of anything that is non dual rail encoded. – b degnan May 22 '20 at 14:15
  • @bdegnan Sorry, I'm unable to open the link! – Aravind A May 22 '20 at 14:37
  • @bdegnan Don't worry! I was able to find it via Google :) https://github.com/bpdegnan/aes/raw/master/aes-sbox/documentation/aessbox.pdf – Aravind A May 22 '20 at 14:47
  • @bdegnan I'm struggling to understand the math behind finding the inverse of elements in $GF(2^8)$ using subfield arithmetic. I'm lacking the intuition for seeing how the math fits together. Can you please suggest some online resource/books to deeply comprehend the math for designing the algorithm? – Aravind A Jul 05 '20 at 08:36
  • I'm unaware of something online, but it's abstract algebra over fields. I feel that there should be a text out there somewhere. – b degnan Jul 05 '20 at 10:55
  • @bdegnan I purchased a book, "Contemporary Abstract Algebra" by Joseph A. Gallian. But I have to go through everything to understand the concept that I want to. Meanwhile, I've been looking at the portable SIMD vectors made available by my compiler (Clang) and using them to optimize many parts of my AES implementation. I got a good speedup, but it's nowhere near the S-box lookup table based one. But is SIMD vulnerable to side channel attacks? Can an attacker trace SIMD operations done by the ALU using some sensor or anything? – Aravind A Jul 07 '20 at 15:28
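The two options discussed above, written without secret-dependent branches or memory addresses, as an added example that is not code from the question or from any commenter: the S-box computed on demand through the x^254 inverse the asker mentions, and the masked full-table read (every entry touched on every lookup) that the asker says was too slow. Function names are my own; the FIPS-197 test values in the self-check are public.

```c
#include <stdint.h>
/* Branch-free multiply in GF(2^8) modulo the AES polynomial 0x11b: the reduction
 * uses an arithmetic mask, so no branch or address depends on the secret operands. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        p ^= a & (uint8_t)(-(b & 1));          /* add a when bit i of b is set */
        uint8_t carry = (uint8_t)(-(a >> 7));  /* 0xff iff the top bit of a is set */
        a = (uint8_t)((a << 1) ^ (carry & 0x1b));
        b >>= 1;
    }
    return p;
}
/* Inverse as x^254 with a fixed square-and-multiply schedule (the method the
 * asker describes); 0 maps to 0, as the AES S-box requires. */
static uint8_t gf_inv(uint8_t x) {
    uint8_t s = x, r = 1;
    for (int i = 0; i < 7; i++) {
        s = gf_mul(s, s);   /* x^2, x^4, ..., x^128 */
        r = gf_mul(r, s);
    }
    return r;
}
static uint8_t rotl8(uint8_t v, int n) { return (uint8_t)((v << n) | (v >> (8 - n))); }
/* S-box computed on demand: inverse followed by the AES affine map. */
uint8_t aes_sbox_ct(uint8_t x) {
    uint8_t v = gf_inv(x);
    return v ^ rotl8(v, 1) ^ rotl8(v, 2) ^ rotl8(v, 3) ^ rotl8(v, 4) ^ 0x63;
}
/* Alternative: keep the 256-byte table but read every entry on each lookup and
 * select the wanted one with a mask, so the cache sees the same access pattern
 * for every index (what the asker calls "reading the full table"). */
uint8_t sbox_scan_ct(const uint8_t table[256], uint8_t idx) {
    uint8_t out = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint8_t mask = (uint8_t)(-(((i ^ idx) - 1u) >> 31));  /* 0xff iff i == idx */
        out |= table[i] & mask;
    }
    return out;
}
/* Build the table from the computed S-box and check both paths agree on all
 * 256 inputs and on two FIPS-197 values; returns 1 on success. */
int sbox_selfcheck(void) {
    uint8_t table[256];
    for (int i = 0; i < 256; i++) table[i] = aes_sbox_ct((uint8_t)i);
    for (int i = 0; i < 256; i++)
        if (sbox_scan_ct(table, (uint8_t)i) != table[i]) return 0;
    return aes_sbox_ct(0x00) == 0x63 && aes_sbox_ct(0x53) == 0xed;
}
```

Inspect the generated assembly before trusting either path: an optimizing compiler may turn the mask arithmetic back into a branch or a data-dependent load, and the scan path costs 256 reads per substituted byte.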
