Improved Trace-Driven Cache-Collision Attacks against Embedded AES Implementations

In this paper the authors present two attacks that exploit cache events, which are visible in some side channel, to derive a secret key used in an implementation of AES. The first is an improvement of an adaptive chosen plaintext attack presented at ACISP 2006. The second is a new known plaintext attack that can recover a 128-bit key with approximately 30 measurements to reduce the number of key hypotheses to 2 30. This is comparable to classical Differential Power Analysis; however, the attacks are able to overcome certain masking techniques. They also show how to deal with unreliable cache event detection in the real-life measurement scenario and present practical explorations on a 32-bit ARM microprocessor.