Consecutive S-box lookups: A timing attack on SNOW 3G

Billy Bob Brumley; Risto M. Hakala; Kaisa Nyberg; Sampo Sovio

doi:10.1007/978-3-642-17650-0_13

Consecutive S-box lookups: A timing attack on SNOW 3G

Billy Bob Brumley, Risto M. Hakala, Kaisa Nyberg, Sampo Sovio

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

13 Citations (Scopus)

Abstract

We present a cache-timing attack on the SNOW 3G stream cipher. The attack has extremely low complexity and we show it is capable of recovering the full cipher state from empirical timing data in a matter of seconds, requiring no known keystream and only observation of a small number of cipher clocks. The attack exploits the cipher using the output from an S-box as input to another S-box: we show that the corresponding cache-timing data almost uniquely determines said S-box input. We mention other ciphers with similar structure where this attack applies, such as the K2 cipher currently under standardization consideration by ISO. Our results yield new insights into the secure design and implementation of ciphers with respect to side-channels. We also give results of a bit-slice implementation as a countermeasure.

Original language	English
Title of host publication	Information and Communications Security - 12th International Conference, ICICS 2010, Proceedings
Pages	171-185
Number of pages	15
DOIs	https://doi.org/10.1007/978-3-642-17650-0_13
Publication status	Published - 1 Dec 2010
Externally published	Yes
Publication type	A4 Article in conference proceedings
Event	2010 International Conference on Information and Communications Security, ICICS 2010 - Barcelona, Spain Duration: 15 Dec 2010 → 17 Dec 2010

Publication series

Name	Lecture Notes in Computer Science
Volume	6476
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	2010 International Conference on Information and Communications Security, ICICS 2010
Country/Territory	Spain
City	Barcelona
Period	15/12/10 → 17/12/10

Keywords

cache-timing attacks
side-channel attacks
stream ciphers

Publication forum classification

Publication forum level 1

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-642-17650-0_13

Cite this

@inproceedings{280f77d9c3d54a2190cc6e83e4dff2b3,

title = "Consecutive S-box lookups: A timing attack on SNOW 3G",

abstract = "We present a cache-timing attack on the SNOW 3G stream cipher. The attack has extremely low complexity and we show it is capable of recovering the full cipher state from empirical timing data in a matter of seconds, requiring no known keystream and only observation of a small number of cipher clocks. The attack exploits the cipher using the output from an S-box as input to another S-box: we show that the corresponding cache-timing data almost uniquely determines said S-box input. We mention other ciphers with similar structure where this attack applies, such as the K2 cipher currently under standardization consideration by ISO. Our results yield new insights into the secure design and implementation of ciphers with respect to side-channels. We also give results of a bit-slice implementation as a countermeasure.",

keywords = "cache-timing attacks, side-channel attacks, stream ciphers",

author = "Brumley, {Billy Bob} and Hakala, {Risto M.} and Kaisa Nyberg and Sampo Sovio",

year = "2010",

month = dec,

day = "1",

doi = "10.1007/978-3-642-17650-0_13",

language = "English",

isbn = "3642176496",

series = "Lecture Notes in Computer Science",

pages = "171--185",

booktitle = "Information and Communications Security - 12th International Conference, ICICS 2010, Proceedings",

note = "2010 International Conference on Information and Communications Security, ICICS 2010 ; Conference date: 15-12-2010 Through 17-12-2010",

}

Brumley, BB, Hakala, RM, Nyberg, K & Sovio, S 2010, Consecutive S-box lookups: A timing attack on SNOW 3G. in Information and Communications Security - 12th International Conference, ICICS 2010, Proceedings. Lecture Notes in Computer Science, vol. 6476, pp. 171-185, 2010 International Conference on Information and Communications Security, ICICS 2010, Barcelona, Spain, 15/12/10. https://doi.org/10.1007/978-3-642-17650-0_13

Consecutive S-box lookups : A timing attack on SNOW 3G. / Brumley, Billy Bob; Hakala, Risto M.; Nyberg, Kaisa et al.

Information and Communications Security - 12th International Conference, ICICS 2010, Proceedings. 2010. p. 171-185 (Lecture Notes in Computer Science; Vol. 6476).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Consecutive S-box lookups

T2 - 2010 International Conference on Information and Communications Security, ICICS 2010

AU - Brumley, Billy Bob

AU - Hakala, Risto M.

AU - Nyberg, Kaisa

AU - Sovio, Sampo

PY - 2010/12/1

Y1 - 2010/12/1

N2 - We present a cache-timing attack on the SNOW 3G stream cipher. The attack has extremely low complexity and we show it is capable of recovering the full cipher state from empirical timing data in a matter of seconds, requiring no known keystream and only observation of a small number of cipher clocks. The attack exploits the cipher using the output from an S-box as input to another S-box: we show that the corresponding cache-timing data almost uniquely determines said S-box input. We mention other ciphers with similar structure where this attack applies, such as the K2 cipher currently under standardization consideration by ISO. Our results yield new insights into the secure design and implementation of ciphers with respect to side-channels. We also give results of a bit-slice implementation as a countermeasure.

AB - We present a cache-timing attack on the SNOW 3G stream cipher. The attack has extremely low complexity and we show it is capable of recovering the full cipher state from empirical timing data in a matter of seconds, requiring no known keystream and only observation of a small number of cipher clocks. The attack exploits the cipher using the output from an S-box as input to another S-box: we show that the corresponding cache-timing data almost uniquely determines said S-box input. We mention other ciphers with similar structure where this attack applies, such as the K2 cipher currently under standardization consideration by ISO. Our results yield new insights into the secure design and implementation of ciphers with respect to side-channels. We also give results of a bit-slice implementation as a countermeasure.

KW - cache-timing attacks

KW - side-channel attacks

KW - stream ciphers

U2 - 10.1007/978-3-642-17650-0_13

DO - 10.1007/978-3-642-17650-0_13

M3 - Conference contribution

AN - SCOPUS:78650886245

SN - 3642176496

SN - 9783642176494

T3 - Lecture Notes in Computer Science

SP - 171

EP - 185

BT - Information and Communications Security - 12th International Conference, ICICS 2010, Proceedings

Y2 - 15 December 2010 through 17 December 2010

ER -

Consecutive S-box lookups: A timing attack on SNOW 3G

Abstract

Publication series

Conference

Keywords

Publication forum classification

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this