Score:0

AES XEX Mode: Cache-attacks demonstrated?

Assume AES in XEX mode, so we encrypt a plaintext $x$ as $E_K[x \oplus k_1] \oplus k_2$, where $E_K$ is the usual AES block cipher (assume $x$ is of block size).

Assume the implementation of AES is vulnerable to cache side-channel attacks. Have any attacks against this XEX mode of AES been demonstrated? It seems to me quite difficult, because the attacker knows neither the input nor the output of $E_K$.

Score:2

Assume the implementation of AES is vulnerable to cache side-channel attacks. Have any attacks against this XEX mode of AES been demonstrated?

Actually, XEX wouldn't appear to make a side-channel attack that much more difficult.

AES uses the first subkey as an XOR to the plaintext; it uses the last subkey as a final XOR to generate the ciphertext. Hence, AES-XEX can be viewed as normal AES, except that the first and last subkeys are set to arbitrary values.

What this does mean is that if (for example) your side-channel attack manages to recover the first subkey for AES-128, that does not immediately give you the entire key. However, you could still logically peel off the AES internal operations until you get to the second AddRoundKey and attack that (using the same side-channel attack); getting that will get you (for AES-128) everything...

kelalaka:
Poncho, AFAIK, the cache attacks concentrate on the first round key. Do you know one that doesn't use the first-round key?
poncho:
@kelalaka: actually, in this case, you're always attacking the 'first round key'; however, what the first round is changes. First, you attack the logical 'first round key' (which is actually the AES first round key XORed with the XEX initial XOR). Once you've recovered that, you treat the cipher as a 9/11/13-round AES with some public operations in front (the XEX initial XOR and the first round) and attack the first round key of that shortened AES (which is the second round key of the real AES).
kelalaka:
Yes, that is true; however, my real point is this: how realistic is it to attack the second round, since one has to catch the context switch on the CPU...
poncho:
@kelalaka: "one has to catch the context switch on the CPU" - I believe you misunderstand the cache attack, where you allow the entire block encryption to happen and then determine (by what's in the cache) what regions were accessed; regions touched by the second round will be in the cache just as the regions touched by the first round are.
kelalaka:
That is what I know; the problem is how one can be sure which round occurs on encryption in the realistic model, not in the ideal model where the adversary can change the cache per round. OK, I should go back and read some articles...
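As an added worked example (this is not code from the question, the answer or the comments), here is AES-128 written with its round keys as an explicit list, which makes the two points in the answer checkable: first, that $E_K[x \oplus k_1] \oplus k_2$ is plain AES with round key 0 replaced by $rk_0 \oplus k_1$ and round key 10 by $rk_{10} \oplus k_2$; second, that once the logical first round key $rk_0 \oplus k_1$ has leaked, the attacker can peel off round 1 and is left with a 9-round AES whose first round key is the real $rk_1$, and that for AES-128 $rk_1$ alone gives back $K$ (one inverted key-schedule step) and then $k_1$. The cache side channel itself is not simulated; the leaked round keys are handed straight to the recovery code, which is exactly the leak the answer assumes. Function and variable names (`rk0_prime`, `peel_first_round`, `recover_from_leaked_round_keys`) are this example's own; `demo()` uses the FIPS-197 Appendix B key and plaintext, and the two XEX masks are arbitrary constructed bytes.

```python
# Added example, not the original post's code: AES-128 with explicit round keys,
# used to check the answer's two claims. The cache channel is not simulated.
def _gmul(a, b):                       # multiply in GF(2^8), AES polynomial x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():                     # inverse (x^254) followed by the AES affine map
    sbox = [0x63]                      # S(0) = 0x63
    for x in range(1, 256):
        inv = 1
        for _ in range(254):
            inv = _gmul(inv, x)
        s = inv ^ 0x63
        for i in range(1, 5):          # s ^= rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):                   # AES-128 key schedule: 11 round keys of 16 bytes
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def previous_round_key(rk, r):         # invert one AES-128 schedule step: rk_r -> rk_(r-1)
    w = [list(rk[4 * i:4 * i + 4]) for i in range(4)]
    p = [None] * 4
    for j in (3, 2, 1):
        p[j] = [a ^ b for a, b in zip(w[j], w[j - 1])]
    t = [SBOX[b] for b in p[3][1:] + p[3][:1]]
    t[0] ^= RCON[r - 1]
    p[0] = [a ^ b for a, b in zip(w[0], t)]
    return bytes(sum(p, []))

# State: 16 bytes in AES column-major order, byte index = 4*column + row.
def sub_bytes(s): return [SBOX[b] for b in s]
def shift_rows(s): return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
def add_round_key(s, rk): return [a ^ b for a, b in zip(s, rk)]
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [_gmul(a[0], 2) ^ _gmul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ _gmul(a[1], 2) ^ _gmul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ _gmul(a[2], 2) ^ _gmul(a[3], 3),
                _gmul(a[0], 3) ^ a[1] ^ a[2] ^ _gmul(a[3], 2)]
    return out

def aes_rounds(block, round_keys):
    """AES round structure driven by explicit round keys: 11 keys give AES-128,
    fewer give the 'shortened' cipher the answer describes."""
    s = add_round_key(list(block), round_keys[0])
    for rk in round_keys[1:-1]:
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk)
    return bytes(add_round_key(shift_rows(sub_bytes(s)), round_keys[-1]))

def aes_encrypt(key, block): return aes_rounds(block, expand_key(key))
def xex_encrypt(key, k1, k2, x):       # E_K[x ^ k1] ^ k2, as in the question
    return xor(aes_encrypt(key, xor(x, k1)), k2)

def xex_as_modified_aes(key, k1, k2, x):   # claim 1: AES with rk0 ^= k1 and rk10 ^= k2
    rks = expand_key(key)
    rks[0], rks[10] = xor(rks[0], k1), xor(rks[10], k2)
    return aes_rounds(x, rks)

def peel_first_round(x, rk0_prime):    # claim 2, stage one: leaked rk0' = rk0 ^ k1
    # Public operations up to round 1's AddRoundKey; the result is the plaintext
    # of a 9-round AES whose first round key is the real rk1.
    return bytes(mix_columns(shift_rows(sub_bytes(add_round_key(list(x), rk0_prime)))))

def recover_from_leaked_round_keys(rk0_prime, rk1):   # claim 2, stage two
    key = previous_round_key(rk1, 1)   # AES-128: rk1 alone determines K
    return key, xor(rk0_prime, expand_key(key)[0])    # k1 = rk0' ^ rk0

def demo():
    # Constructed inputs: FIPS-197 Appendix B key/plaintext plus two arbitrary masks.
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    x = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    k1 = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    k2 = bytes(range(16, 32))
    rks = expand_key(key)
    rk0_prime = xor(rks[0], k1)        # what a first-round cache attack leaks
    ct = xex_encrypt(key, k1, k2, x)
    shortened = aes_rounds(peel_first_round(x, rk0_prime), rks[1:10] + [xor(rks[10], k2)])
    return (ct == xex_as_modified_aes(key, k1, k2, x) and shortened == ct
            and recover_from_leaked_round_keys(rk0_prime, rks[1]) == (key, k1))
```

`demo()` returns `True` when both claims hold. The key-schedule inversion is AES-128 specific: for AES-192 and AES-256 a single round key does not determine the key, which is why the answer qualifies "everything" with "for AES-128"; the peeling argument itself is the same for all three.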