Article type: Research Article
Authors: Ma, Ziqiang [a, b, c] | Cai, Quanwei [a, b, *] | Lin, Jingqiang [a, b, c] | Luo, Bo [d] | Jing, Jiwu [b, e]
Affiliations: [a] State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China. E-mails: [email protected], [email protected], [email protected] | [b] Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, China | [c] School of Cyber Security, University of Chinese Academy of Sciences, China | [d] Department of Electrical Engineering and Computer Science, University of Kansas, USA. E-mail: [email protected] | [e] School of Computer Science, University of Chinese Academy of Sciences, China. E-mail: [email protected]
Correspondence: [*] Corresponding author. E-mail: [email protected].
Abstract: Cache timing side channels allow a remote attacker to disclose cryptographic keys by repeatedly invoking the encryption/decryption functions and measuring the execution time. Warm and Delay are two algorithm-independent and implementation-transparent countermeasures against remote cache-based timing side channels for block ciphers. They destroy the relationship between the execution time and the cache misses/hits, which are determined by the secret key, but bring remarkable performance overhead. In this paper, we investigate the performance of cryptographic functions protected by Warm and Delay, and attempt to find the best strategy to integrate these two countermeasures with the optimal performance while effectively eliminating remote cache timing side channels for block cipher implementations with lookup tables. To the best of our knowledge, this work is the first to systematically analyze the performance of integrating Warm and Delay against cache side channels. We derive the optimal scheme to integrate Warm and Delay, and apply it to AES. It is proven that the integration scheme achieves the optimal performance with the least extra operations on commodity systems. Finally, we implement it on Linux with Intel CPUs. Experimental results confirm that (a) the execution time does not leak information on cache access, (b) the scheme outperforms other integration strategies of Warm and Delay, and (c) the implementation works without any privileged operations on the computer.
Keywords: Cache side channel, optimal performance, timing side channel, block cipher, AES
DOI: 10.3233/JCS-191296
Journal: Journal of Computer Security, vol. 27, no. 5, pp. 547-580, 2019