Lukas Giner
giner.cc
Postdoc @Coresec Graz University of Technology
We can also do a modified first-round attack on AES T-Tables, thanks to their innate offset within a page, even though our pattern stretches across all 4 Tables and we can't look at individual lines or even individual Tables. All we need is to know which half of the page sees more accesses!
May 26, 2025 at 8:23 PM
Now, half a page granularity might not seem very accurate, but the pattern actually helps us quite a bit!
For example, we can choose a pattern size that fits the RSA S&M algorithm and recover an entire 4096-bit key with a single trace.
May 26, 2025 at 8:23 PM
We find that AMD does ciphertext coherence with cache line granularity, but instead 32 cache lines (half a page)!
And even crazier, it's not 32 adjacent cache lines, but they're spread over a page in varying patterns: each accessed line evicts all others in its half of the page.
May 26, 2025 at 8:23 PM