
Chapter 1: Introduction

Security is the most important requirement of the 21st century, and nowhere more so than in
the field of communications. Whether the subject is military secrets or a company's confidential
policy, secrecy and safety are necessary. A significant amount of research effort has therefore
been put into the field of security. To address this need we have many cryptographic algorithms,
ciphers, hash functions and more; they are the basic building blocks from which better methods
for securing information are built. With the advent of the Internet, a publicly accessible system,
the need for network security has escalated.

At present, many cryptographic algorithms are in use to provide security for information,
such as DES (Data Encryption Standard), RSA (a public-key system), hash algorithms, AES
(Advanced Encryption Standard), HMAC, etc. This paper presents one such algorithm, obtained
by hybridizing the DES and AES algorithms. DES is a symmetric-key algorithm first published
in 1975 by IBM. Though it was regarded as highly dominant in its early days, it is now
considered insecure for many applications. Superseding DES, another powerful algorithm, AES,
was designed in 1998 by Vincent Rijmen and Joan Daemen. Since May 26, 2002, when it became
effective as a federal government standard in the USA, it has been regarded as the unbreakable
cipher. It is used in a wide range of applications such as archive and compression tools, disk
encryption, security for communications, file encryption, etc.

Even though it is a very strong cipher, there have been successful published attacks against
AES, known as side-channel attacks. Side-channel attacks (SCA) do not attack the cipher as a
whole, but attack its execution on systems which involuntarily leak information. A number of
side-channel attacks have been demonstrated experimentally against AES. This paper reports on
such SCAs, namely cache and timing attacks, which make AES vulnerable.

It also presents a hybridized version of AES to protect it from such side-channel attacks. With
advancing technology it is becoming easier to conduct side-channel attacks and steal sensitive
information. As these attacks get more versatile and powerful, traditional encryption algorithms
may not be secure enough, so a new version of the encryption algorithm is needed.

This paper reports a hybrid algorithm which inherits the qualities of both systems and provides
more security.

1.1 Problem Statement
The present Advanced Encryption Standard (AES) is regarded as a fail-proof encryption
algorithm and is widely used by many services, such as the National Institute of Standards and
Technology (NIST) of the United States government. But recent research shows that side-channel
attacks have become a real concern. In particular, cache-based attacks are becoming more
powerful against this encryption standard. Since this attack works on a weakness in the
implementation of the algorithm, attackers can break into the encryption system. This project
aims at providing a software solution to side-channel attacks on the Advanced Encryption
Standard (AES).

1.2 Contribution
As stated in the problem statement, side-channel attacks have become a big problem for
security. In this project a certain type of side-channel attack, the cache attack, is worked upon.
This report tries to eliminate the weakness in the algorithm which makes AES vulnerable to
cache attacks, and gives a software solution to the problem. After a considerable amount of
research it can be said that the SubBytes step in each round uses a look-up table, and that this
look-up table is stored in the cache because it is used so frequently. But a study tells that the
time taken for a single round is directly proportional to the time taken to access the look-up table
element in the cache. So, by examining many rounds of AES encryption, an attacker can learn
which elements are being accessed.

As a solution to this vulnerability, we replaced the look-up table with a permutation
procedure taken from another algorithm, the Data Encryption Standard (DES). By taking an
element from DES we present a hybridized algorithm. Our contribution in this project is a hybrid
encryption algorithm using AES and DES, to overcome cache side-channel attacks on the
Advanced Encryption Standard.

1.3 Organization of the Report


The report is organized as follows. Chapter 2 presents the literature review of the topic
and mentions the previous work done on it: various research works on side-channel attacks,
hybrid encryption algorithms and implementations of the Advanced Encryption Standard are
cited. In Chapter 3 we present the methodology behind our proposed solution to the problem
statement. The chapter starts with a basic introduction to the algorithms, then discusses SCAs in
general, then cache attacks in general, followed by the possible solutions, which include various
software and hardware implementations.

Chapter 4 presents our final hybrid algorithm. In this chapter we explain the entire
hybrid algorithm in detail and discuss how it helps in eliminating the vulnerability exploited by
a cache attack. It also presents the implementation of the hybrid algorithm. Chapter 5 concludes
the report, restating the need for such a hybrid algorithm and discussing the future scope of this
field of study. Finally, we end the report with the references which helped us complete this
project.

Chapter 2: Literature Survey


Even with many strong cryptographic mechanisms in use, they sometimes fail to provide
complete safety. In other words, no security encryption can provide supreme security. To get
hold of sensitive information, an attacker does not need to break the encryption algorithm
entirely; it can also be done by many other methods. An analogy supports this statement: when a
burglar tries to break into a house, he doesn't waste time trying all the possible combinations of
the lock. He breaks in through a window, breaks the hinges of the door, or forges the key.
Similarly, security attacks target the weaknesses in implementations. Falling into this category, a
new type of attack has been developed in the last few years, called the side-channel attack.
Official information related to cache attacks goes back to 1985, when P. Wright suggested to
the British intelligence agency that the rotor machine used by the Egyptian Embassy in London
be bugged with a microphone, so that the clicks of the rotors could be listened to. This
additional information helped them spy on the embassy for years.

Side-channel attacks have proved to be more effective than conventional methods; in
most cases they have proved more successful than expected. Bernstein extracted a complete AES
key by successfully performing his attack against OpenSSL on a Pentium III desktop. He also
mentioned that a similar procedure can be performed on more powerful servers. At the same time,
Kocher executed timing attacks on DSS, RSA and other cryptosystems.

Some time after Kocher, a similar timing attack was performed against an AES
implementation using branch statements. In 2011 Alawatugoda et al. produced a research paper
on countermeasures against remote cache timing attacks. They implemented an approach of
masking, adding several lines of code to the AES implementation to hide the leaking
information. Their software solution included adding randomness to the AES encryption and
small changes to the T-tables and their usage. They were successful in reaching their target.
Their work acknowledged the use of look-up tables in cached memory as an exploitable
cryptographic side channel. Attacks demonstrated by Osvik, Shamir and Tromer have clearly
exhibited how specific information about cache memory accesses can be leaked, which is almost
enough to construct an AES key.

In 2012, constant-time encryption was presented as a solution to cache timing attacks
by Jayasinghe et al. Their solution includes rescheduling the AES instructions. In general, most
software countermeasures are again vulnerable to statistical analysis, so, keeping this in mind,
they developed a countermeasure which is also safe against any kind of statistical analysis. By
this method they make sure that the encryption takes a constant amount of time regardless of
cache hit or miss, and in this way they showed how they eliminated the side-channel
vulnerabilities.

Another class of cache attacks focuses on the use of power analysis as the leakage
vector. Lauradoux was the first to construct an attack based on power consumption. This
approach was then extended by Acıiçmez and Koç, by considering the first 2 rounds of AES. To
perform this attack they require very few encryptions (fewer than 50), but mainly require access
to the power supply of the machine.

Cache access patterns can also be used to construct more structured timing attacks
against AES. This principle was first implemented by Tsunoo et al., who demonstrated it against
MISTY and DES. This work was based on the assumption (which was verified later) that
encryption time is correlated with the cache hit ratio. Though this principle worked in breaking
DES, substantial detail was not provided on AES.

Chapter 3: Current Methodologies

3.1 Data Encryption Standard (DES)


The National Institute of Standards and Technology (NIST) published a symmetric block
cipher named the Data Encryption Standard (DES). Its implementation is almost like the
implementation of a Feistel cipher: it uses a sixteen-round Feistel structure with a block size of
64 bits. DES has an effective key length of 56 bits even though the key length is sixty-four bits,
because eight of the sixty-four bits of the key are not used by the encryption algorithm. The
general structure of DES is as shown in the design below.

Figure:3.1

Because DES is based on a Feistel cipher, everything that is essential to specify DES is given
below. This includes:

Round function

Key schedule

Any additional processing: initial and final permutation


3.1.1 Initial and Final Permutation
The initial and final permutations are straight permutation boxes which are inverses of each
other. They have no cryptographic significance in DES. The initial and final permutations are
shown below:

Figure:3.2
3.1.2 Round Function
The DES function f is the heart of this cipher. The DES function applies a forty-eight-bit round
key to the rightmost thirty-two bits to produce a thirty-two-bit output.
Figure:3.3
Expansion Permutation Box. Since the input on the right side is thirty-two bits and the
round key is forty-eight bits, the right-side input needs to be expanded to forty-eight bits.
The graphical representation of the permutation logic is as shown below:

Figure:3.4
The permutation logic represented graphically in the DES specification is normally
defined in tabular form, as shown below:
Figure:3.5
XOR (Whitener). After the expansion permutation, DES applies an XOR operation to the
expanded right section and the round key. Only the round key is used in this operation.

Substitution Boxes. The real mixing is performed by the S-boxes. DES uses eight S-boxes,
each with a six-bit input and a four-bit output. Observe the representation below:

Figure:3.6

The S-box rule is represented as follows:

Figure:3.7
There are 8 S-box tables in total. The outputs of all 8 S-boxes are then combined into one
32-bit section.

Straight Permutation. The thirty-two-bit output of the S-boxes is then subjected to the
straight permutation, whose rule is as shown below:

Figure:3.8

3.1.3 Key Generation


The round-key generator creates 16 forty-eight-bit keys out of a 56-bit cipher key. The key
generation process is as shown below:
Figure:3.9
The logic for shifting, parity drop and P-box compression is specified in the DES description.

3.1.4 DES Analysis


DES satisfies both desired properties of a block cipher. These properties make the cipher very
strong.

Avalanche effect: a minor modification in the plaintext causes a huge modification in the
ciphertext.

Completeness: every bit of the ciphertext depends on a huge number of bits of the plaintext.

During the previous few years, cryptanalysis has found some weaknesses in DES when it is used
with selected keys, the so-called weak keys. It is better to avoid these keys.
DES has proved to be a well-designed block cipher. Other than exhaustive key search, no other
significant cryptanalytic attacks on DES have been discovered.

3.2. Advanced Encryption Standard (AES)


Nowadays the Advanced Encryption Standard (AES) is the well-known and widely used
secure symmetric algorithm. Triple DES is found to be at least six times slower than DES.
The basic DES needed a replacement because of its very small key size: with the advancement
of computing power, it was considered susceptible to an exhaustive key search attack. To
overcome this, Triple DES was designed, but it was found to be slow.

AES features are as follows:

It is a symmetric-key, symmetric block cipher

128-bit data, 128, 192 and 256-bit keys

Faster and stronger than Triple-DES

Provides full design and specification details

Efficient software implementations in both Java and C

3.2.1 Operation of Advanced Encryption Standard


The Advanced Encryption Standard is an iterative cipher rather than a Feistel cipher. It
works on a substitution-permutation network: it consists of a series of linked operations, some
of which replace inputs by certain outputs (substitutions) while others shuffle bits around
(permutations).

Unlike DES, AES performs its operations on bytes rather than bits. Hence it treats the
128 bits of a plaintext block as 16 bytes, arranged in rows and columns as a 4x4 matrix.
Unlike DES, the number of rounds in AES varies and depends on the key length: AES uses 10
rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each of these
rounds uses a different 128-bit round key, which is calculated from the original AES key.

3.2.2 Schematic AES structure:

Figure:3.10

3.2.3 Encryption Process


In this process, we limit ourselves to the explanation of a single round of AES encryption. Every
round contains 4 sub-processes. The first round is portrayed below:
Figure:3.11

Byte Substitution (Sub-Bytes)


The 16 input bytes are replaced by looking each one up in a fixed table (the S-box) given in the
design. The output is a matrix of 4 rows and 4 columns.

Figure:3.12

Example:
Figure:3.13

Shift rows
Each of the four rows of the matrix is shifted towards the left. Any entries that fall off are
re-inserted on the right side of the row. The shift is carried out as follows:

The first row is not shifted.

Row 2 is shifted one (byte) position to the left.

Row 3 is shifted two positions to the left.

Row 4 is shifted three positions to the left.

The result is a new matrix consisting of the same 16 bytes, but shifted with respect to each other.

Figure:3.14
Mix Columns
Each column of the state matrix is transformed using a special mathematical function. The
function takes as input the four bytes of one column and outputs four completely new bytes,
which replace the previous column. The result is another new matrix consisting of 16 new bytes.
This step is not performed in the last round.

Figure:3.15

Figure:3.16

Add round key

The 16 bytes of the matrix are now considered as 128 bits and are XORed with the 128 bits of
the round key. If this is the last round, the output is the ciphertext. Otherwise, the resulting 128
bits are interpreted as 16 bytes and we begin the entire process again, as another round.

Figure:3.17

AES Round

Figure:3.18
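As an added example (not code from the report), here is AES-128 written out as the four round steps described above: the S-box is derived from its definition in GF(2^8) instead of being typed in, the 16-byte state uses the column-major 4x4 layout of the scheduling example in Section 4.2, and `sub_bytes_ct` shows the mask-and-select lookup that avoids the secret-dependent cache index discussed in Sections 3.3 and 4.1. The names `schedule`, `sub_bytes_ct`, `encrypt_block` and the like are this example's own; the check value is the FIPS-197 Appendix C.1 test vector.

```python
from typing import List

# Constructed example: AES-128 as the four round steps SubBytes, ShiftRows,
# MixColumns and AddRoundKey. The state is 16 bytes laid out column by column,
# so the byte at row r, column c sits at index r + 4*c.
State = List[int]


def xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def gmul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def build_sbox() -> List[int]:
    """S-box[x] = affine map of the multiplicative inverse of x (0 maps to 0)."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s, b = inv, inv
        for _ in range(4):  # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def schedule(block: bytes) -> List[List[int]]:
    """Lay 16 bytes out column by column and return the 4 rows (as in Figure 4.1)."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def sub_bytes(state: State) -> State:
    return [SBOX[b] for b in state]  # plain indexed lookup: the index depends on secret data


def sub_bytes_ct(state: State) -> State:
    """Same substitution, but every table entry is read for every byte and the wanted
    one is selected with a mask, so no memory index depends on the secret byte.
    (Illustrates the structure only; a Python interpreter gives no timing guarantees.)"""
    out = []
    for b in state:
        acc = 0
        for i, s in enumerate(SBOX):
            acc |= s & -(b == i)  # mask is all ones when i == b, else zero
        out.append(acc)
    return out


def shift_rows(state: State) -> State:
    """Row r rotated left by r positions: s'[r][c] = s[r][(c + r) % 4]."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state: State) -> State:
    """Each column multiplied by the fixed circulant matrix with first row (2 3 1 1)."""
    out: State = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out


def add_round_key(state: State, rk: State) -> State:
    return [s ^ k for s, k in zip(state, rk)]


def expand_key(key: bytes) -> List[State]:
    """AES-128 key schedule: 44 words, grouped into 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def encrypt_block(plaintext: bytes, key: bytes) -> bytes:
    """Initial key add, 9 full rounds, then a final round without MixColumns."""
    rks = expand_key(key)
    state = add_round_key(list(plaintext), rks[0])
    for rnd in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rks[rnd])
    state = add_round_key(shift_rows(sub_bytes(state)), rks[10])
    return bytes(state)


if __name__ == "__main__":
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")  # FIPS-197 C.1 vector
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    print(encrypt_block(pt, k).hex())  # 69c4e0d86a7b0430d8cdb78070b4c55a
```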

3.2.4 Decryption Process

The decryption procedure of an AES ciphertext is the same as the encryption process in reverse
order. Each round contains the four processes in the opposite order:
Add round key

Mix Columns

Shift Rows

Sub Bytes

Since the sub-processes in each round are in reverse order, unlike a Feistel cipher, the
encryption and decryption algorithms need to be implemented separately, even though they are
very closely related.

3.2.5 AES Analysis


In present-day cryptography, AES is widely adopted and supported in both hardware and
software. To date, no practical cryptanalytic attacks against AES have been discovered. Moreover,
the key length of AES has built-in flexibility, which allows a degree of future-proofing against
progress in the ability to perform exhaustive key searches. However, just as for DES, the security
of AES is ensured only if it is correctly implemented and good key management is maintained.

3.3 Side Channel Attacks


Many of the known attacks on traditional security models focus mainly on exploiting the
mathematical specification. But in recent years many researchers have become aware of other
possible types of attacks that exploit the properties of the working environment and of
implementations. These attacks, called side-channel attacks, utilize various types of information
that leak during execution. For example, an adversary can observe the power consumed by a
smart key while it performs a private-key operation. Side-channel information can be easily
gathered in practice and therefore poses a threat to present-day security systems. The figure
below illustrates the many ways in which side-channel leakage can take place.
Figure 3.19
These side channels are referred to as unintended outputs of a system implementation.
They are classified in certain ways:

Based on computer process control.

Depending on the module access.

Based on the method used to analyze.

The well-known cache-based attack is one of the many side-channel attacks. When a cache
miss occurs, a delay is generated while the item is loaded from main memory into the cache.
Measuring and understanding these delays helps attackers learn the occurrence and frequency of
cache misses. Kelsey et al. proposed the idea that cache usage could serve as a side channel
during the execution of a cryptographic algorithm. Many such attacks based on CPU delays
against block ciphers have been published since. Osvik et al. presented an attack which doesn't
require any plaintexts or ciphertexts, but just monitors the cryptographic procedure through the
cache. It is claimed that ciphers such as bitsliced Serpent and the SHA family, which are
implemented without any look-up tables, are immune to such cache attacks.

Chapter 4: Our Proposed Method of Work

4.1 Cache based SCA on AES

Consider a variable-index look-up table L0[x[0] + n[0]] which stores the substitution
values for the SubBytes transformation of AES in the cache. Research has shown that the time
of this array lookup depends entirely on the array index, and that the entire AES computation
time is correlated with this array look-up. So, by observing and using the right technology, an
attacker can deduce the exact value of x[0], since all the cache-timing leakage is information
about x[0] + n[0]. Similar steps can be applied to x[1] + n[1], x[2] + n[2], etc. The attacker
observes the time taken by the user to handle many values of n.

Generally, this entire attack is divided into 3 main parts. The initial step is profiling,
which collects a lot of information to provide a baseline of timing information. We set the AES
key to all zeros and send 400, 600 and 800 byte packets to observe the timing. The next step is
the attack, where we observe the actual set of timings for these 400, 600 and 800 byte packets.
The final step is analysis, which correlates the baseline profile with the attack data. This analysis
provides potential keys, and with the provided correlations combined with the output from the
server the whole key can be obtained.

4.2. Proposed Algorithm

The proposed algorithm is a hybrid of the AES and DES encryption algorithms: it
incorporates a method from DES into AES. The Advanced Encryption Standard, though regarded
as the fail-proof encryption algorithm, is vulnerable to cache side-channel attacks. The look-up
table used for SubBytes generation in the AES algorithm is kept in the cache. Thus a series of
cache hit ratios is enough to identify which element is being accessed from the look-up table,
and in this way it is very much possible to construct the entire key. So, to eliminate this cache
vulnerability, we replace SubBytes generation with a permutation of the 16-bit key. This
permutation follows the same technique as in the Data Encryption Standard.
Hybrid Algorithm: keeping the AES quality, this hybrid algorithm remains an iterative cipher. It
takes 128 bits as input. In this report we preferred to work with a 128-bit key, due to its lower
complexity. Since the size of the key is 128 bits, the number of rounds to be performed remains
10.

1. Scheduling: the 128-bit input, considered as 16 bytes, is scheduled into a 4x4 matrix.
This matrix undergoes a series of transformations over 10 iterations. The transformations are
Round-Key, Internal Permutation, Shift Rows and Mix Columns.

Example:
Plaintext: 0123456789abcdeffedcba9876543210

Scheduled into the 4x4 state matrix (bytes filled column by column):

01 89 fe 76
23 ab dc 54
45 cd ba 32
67 ef 98 10

Figure: 4.1

2. Round-Key: in the forward add-round-key transformation, the 128 bits of input are XORed
with 128 bits of key. The key XORed is not the one initially given; it is expanded according to
the key generation (discussed later).

Figure: 4.2 (the state matrix, the expanded round key, and the state after the XOR)
3. Internal Permutation: this is an important aspect of the Feistel structure, taken from DES, and
is applied to the state. The permutation is applied to the entire 128-bit block and produces a new
matrix, as shown in the example below.

Figure: 4.3 (the state matrix before and after the internal permutation)

4. Shift Rows: the forward shifting of rows is a transformation called shift rows. The first row
of the state matrix is not altered. Row 2 is shifted circularly by 1 byte, row 3 by 2 bytes and
row 4 by 3 bytes.

Example shown below (state before and after the shift):

Before:

a3 52 4a ff
86 57 d3 59
c6 7a f7 92
de 36 f3 93

After:

a3 52 4a ff
59 86 57 d3
f7 92 c6 7a
36 f3 93 de

Figure: 4.4

5. Mix Columns Transformation: this function works individually on each column of the state
matrix. Each byte in a column is passed through a given function, and the result is put into the
same position of the column. The state matrix is multiplied (dot product) by another matrix of
constants to produce the required transformation.

Figure: 4.5 (the state matrix before and after the Mix Columns transformation)

These transformations are repeated in each of the 10 rounds. Thus, without the use of a look-up
table, we produce another version of AES which eliminates the vulnerability to cache side-channel
attacks.

4.3 Advantages of Hybrid Algorithm

From a reasonable amount of research, it is concluded that DES is designed in such a
way that it is properly resistant to cache-timing attacks. Due to its Feistel structure and its very
limited use of small substitution tables, it is not vulnerable to any kind of cache side-channel
attack. So, picking up an important feature of this Feistel structure and applying it to AES
proves to be a very efficient method.

In Feistel-structure block ciphers, two things are important to make an algorithm
stronger. They are:

Substitution
Permutation

Moreover, a permutation followed by a function provides a lot of diffusion to the cipher. So,
a good amount of diffusion is obtained by this hybrid algorithm, which contains an internal
permutation followed by matrix transformation functions.

Chapter 5: Conclusions and Future Scope

5.1 Conclusion
A cache-based timing attack is a major risk to AES encryption. With the proposed
hybrid algorithm, the chance of such an attack is eliminated. This solution is entirely based upon
theoretical work. With the replacement of look-up tables by permutations, there isn't any need
for a cache access. So we can conclude that the proposed algorithm in the report makes AES
encryption better. It can be called a verified version of AES in terms of hardening it against
cache-based side-channel attacks.

5.2 Future Scope

There is a lot of future scope in the field of network security and cryptography. With
everyday advancements in this field, more secure and efficient encryption methods are in great
need. Every major encryption algorithm has some type of vulnerability to be taken care of. In
future, these vulnerabilities should be overcome, to make the algorithms stronger and more
efficient.

But there are good chances of other kinds of side-channel attacks. They need to be
worked upon, as they can pose a major problem for encryption. So, in future, an algorithm is
needed which acts as a unified solution for all kinds of side-channel attacks: a hybrid AES
encryption which is very secure against any type of side-channel attack. This kind of AES needs
to be worked upon, as more and more technologies appear every day which help these side-channel
attacks in reproducing any secure aspect.

Coming to the Advanced Encryption Standard (AES), with the algorithm proposed in this report
the cache-based attack can be overcome. In future, we would like to implement it in a very
efficient way. This algorithm is mainly focused on 128-bit plaintext, but AES works on 128, 192
and 256-bit plaintexts. So, in future work, we need to make it more efficient against cache
side-channel attacks. So, in the future scope, a hybrid version of AES which is secure against
all kinds of side-channel attacks, and which works on 128, 192 and 256-bit plaintexts and keys

References

Each reference listed in the bibliography is cited in the text of the report.
1. William Stallings, Cryptography and Network Security, sixth edition, chapter 2 and
chapter 4. Published by Pearson India Education Services, third impression 2015.
2. Mohamed Saied Emam Mohamed, Stanislav Bulygin, Michael Zohner, Annelie Heuser,
Michael Walter, Improved Algebraic Side-Channel Attack on AES, Technische
Universität Darmstadt, Germany.
3. Udyani Herath, Janaka Alawatugoda, Software Implementation Level Countermeasures
against the Cache Timing Attack on Advanced Encryption Standard.
4. Joseph Bonneau, Ilya Mironov, Cache-collision timing attacks against AES.
5. Wei Liu, Ariel Di Segni, Ye Ding, Teng Zhang, Cache-timing attacks on AES, at
Polytechnic Institute of New York University, published in May 2013.
6. YongBin Zhou, DengGuo Feng, Side-Channel Attacks: Ten Years After Its Publication
and the Impacts on Cryptographic Module Security Testing, Chinese Academy of Sciences,
Beijing, https://eprint.iacr.org/2005/388.pdf
7. Daniel J. Bernstein, Cache-timing Attacks on AES, University of Illinois at Chicago,
2005, https://cr.yp.to/antiforgery/cachetiming-20050414.pdf
8. https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
9. https://en.wikipedia.org/wiki/Data_Encryption_Standard
10. https://crypto.stackexchange.com/questions/41399/side-channel-attacks
11. https://eprint.iacr.org/2007/318.pd
12. https://en.wikipedia.org/wiki/Side-channel_attack
13. https://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.htm
14. https://cr.yp.to/antiforgery/cachetiming-20050414.pdf
