Consecutive S-box lookups: A timing attack on SNOW 3G

Billy Bob Brumley, Risto M. Hakala, Kaisa Nyberg, Sampo Sovio

Research output: Chapter in Book/Report/Conference proceedingConference contributionScientificpeer-review

13 Citations (Scopus)


We present a cache-timing attack on the SNOW 3G stream cipher. The attack has extremely low complexity and we show it is capable of recovering the full cipher state from empirical timing data in a matter of seconds, requiring no known keystream and only observation of a small number of cipher clocks. The attack exploits the cipher using the output from an S-box as input to another S-box: we show that the corresponding cache-timing data almost uniquely determines said S-box input. We mention other ciphers with similar structure where this attack applies, such as the K2 cipher currently under standardization consideration by ISO. Our results yield new insights into the secure design and implementation of ciphers with respect to side-channels. We also give results of a bit-slice implementation as a countermeasure.

Original languageEnglish
Title of host publicationInformation and Communications Security - 12th International Conference, ICICS 2010, Proceedings
Number of pages15
Publication statusPublished - 1 Dec 2010
Externally publishedYes
Publication typeA4 Article in conference proceedings
Event2010 International Conference on Information and Communications Security, ICICS 2010 - Barcelona, Spain
Duration: 15 Dec 201017 Dec 2010

Publication series

NameLecture Notes in Computer Science
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference2010 International Conference on Information and Communications Security, ICICS 2010


  • cache-timing attacks
  • side-channel attacks
  • stream ciphers

Publication forum classification

  • Publication forum level 1

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'Consecutive S-box lookups: A timing attack on SNOW 3G'. Together they form a unique fingerprint.

Cite this