Cache misses and the recovery of the full AES 256 key

Briongos Herrerjo, Samira and Malagón Marzo, Pedro José and Goyeneche, Juan Mariano de and Moya Fernández, José Manuel (2019). Cache misses and the recovery of the full AES 256 key. "Applied Sciences- Basel", v. 9 (n. 5); pp. 1-24. ISSN 2076-3417.


Title: Cache misses and the recovery of the full AES 256 key
Authors:
  • Briongos Herrerjo, Samira
  • Malagón Marzo, Pedro José
  • Goyeneche, Juan Mariano de
  • Moya Fernández, José Manuel
Item Type: Article
Journal/Publication Title: Applied Sciences- Basel
Date: 6 March 2019
ISSN: 2076-3417
Volume: 9
Freetext Keywords: side-channel cache attacks; cache misses; AES; cloud computing
Faculty: E.T.S.I. Telecomunicación (UPM)
Department: Ingeniería Electrónica
Creative Commons Licenses: Recognition - No derivative works - Non commercial


The CPU cache is a hardware element that leaks significant information about the software running on the CPU. In particular, any application performing sequences of memory accesses that depend on sensitive information, such as private keys, is susceptible to a cache attack, which would reveal this information. In most cases, side-channel cache attacks do not require any specific permission and just need access to a shared cache. This fact, combined with the spread of cloud computing, where the infrastructure is shared between different customers, has made these attacks quite popular. Traditionally, cache attacks against AES use the information that the victim has accessed an address. In contrast, we show that using non-access provides much more information and demonstrate that the power of cache attacks has been underestimated in recent years. This novel approach is applicable to existing attacks: Prime+Probe, Flush+Reload, Flush+Flush and Prime+Abort. In all cases, using cache misses as the source of information, we could retrieve the 128-bit AES key with a reduction in the number of samples of between 93% and 98% compared to the traditional approach. Further, this attack was adapted and extended in what we call the encryption-by-decryption cache attack (EBD), to obtain a 256-bit AES key. In the best scenario, our approach obtained the 256 bits of the key of the OpenSSL AES T-table-based implementation using fewer than 10,000 samples, i.e., 135 milliseconds, proving that AES-256 is only about three times more complex to attack than AES-128 via cache attacks. Additionally, the proposed approach was successfully tested in a cross-VM scenario.

Funding Projects

Government of Spain | TIN-2015-65277-R | COPHERNICO | Unspecified | Efficient heterogeneous computing: from the processor to the datacenter
Government of Spain | AYA2015-65973-C3-3-R | Unspecified | Unspecified | Gas en el interior y en el entorno de las galaxias. preparación científica para SKA y contribución al diseño del flujo de datos - Procesado de datos en hardware
Government of Spain | RTC-2016-5434-8 | HIDRA | Unspecified | Holistic Intrusion Detection and Response Agent

More information

Item ID: 67008
DOI: 10.3390/app9050944
Deposited by: Memoria Investigacion
Deposited on: 19 May 2021 13:18
Last Modified: 19 May 2021 13:18