Consecutive S-box Lookups: A Timing Attack on SNOW 3G

We present a cache-timing attack on the SNOW 3G stream cipher. The attack has extremely low complexity and we show it is capable of recovering the full cipher state from empirical timing data in a matter of seconds, requiring no known keystream and only observation of a small number of cipher clocks. The attack exploits the cipher using the output from an S-box as input to another S-box: we show that the corresponding cache-timing data almost uniquely determines said S-box input. We mention other ciphers with similar structure where this attack applies, such as the K2 cipher currently under standardization consideration by ISO. Our results yield new insights into the secure design and implementation of ciphers with respect to side-channels. We also give results of a bit-slice implementation as a countermeasure.

[1]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[2]  Thomas Johansson,et al.  A New Version of the Stream Cipher SNOW , 2002, Selected Areas in Cryptography.

[3]  Joan Boyar,et al.  A New Combinational Logic Minimization Technique with Applications to Cryptology , 2010, SEA.

[4]  Peter Schwabe,et al.  Faster and Timing-Attack Resistant AES-GCM , 2009, CHES.

[5]  Onur Aciiçmez,et al.  Trace-Driven Cache Attacks on AES , 2006, IACR Cryptol. ePrint Arch..

[6]  David Pointcheval Topics in Cryptology - CT-RSA 2006, The Cryptographers' Track at the RSA Conference 2006, San Jose, CA, USA, February 13-17, 2006, Proceedings , 2006, CT-RSA.

[7]  Ingrid Verbauwhede,et al.  Cryptographic hardware and embedded systems : CHES 2007 : 9th International Workshop, Vienna, Austria, September 10-13, 2007 : proceedings , 2007 .

[8]  Christophe Clavier,et al.  Cryptographic Hardware and Embedded Systems - CHES 2009, 11th International Workshop, Lausanne, Switzerland, September 6-9, 2009, Proceedings , 2009, CHES.

[9]  Eli Biham,et al.  A Fast New DES Implementation in Software , 1997, FSE.

[10]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[11]  Onur Aciiçmez,et al.  Trace-Driven Cache Attacks on AES (Short Paper) , 2006, ICICS.

[12]  Anne Canteaut,et al.  Sosemanuk, a Fast Software-Oriented Stream Cipher , 2008, The eSTREAM Finalists.

[13]  Mitsuru Matsui,et al.  On the Power of Bitslice Implementation on Intel Core2 Processor , 2007, CHES.

[14]  Philip Hawkes,et al.  Cache Timing Analysis of LFSR-Based Stream Ciphers , 2009, IMACC.

[15]  Çetin Kaya Koç,et al.  About Cryptographic Engineering , 2008, Cryptographic Engineering.

[16]  Kouichi Sakurai,et al.  K2: A Stream Cipher Algorithm using Dynamic Feedback Control , 2007, SECRYPT.

[17]  Erik Zenner,et al.  A Cache Timing Analysis of HC-256 , 2009, Selected Areas in Cryptography.

[18]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[19]  Matthew J. B. Robshaw,et al.  New Stream Cipher Designs: The eSTREAM Finalists , 2008 .

[20]  Colin Boyd,et al.  Cryptography and Coding , 1995, Lecture Notes in Computer Science.