Affiliation:
1. Henan Key Laboratory of Network Cryptography Technology, Zhengzhou, China
2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Abstract
Cache attacks pose a serious security threat to cryptographic implementations in processor architectures. In this paper, we first propose cache attacks against Blowfish, which can break the protection of the key-dependent S-box. This attack targets the subkey calculation of Blowfish and fully exploits features of the subkey calculation to construct a leakage equation group about the key. Without any knowledge of plaintext and ciphertext, the attacker only needs to obtain the cache leakage once to recover a variable-length key in minute-level time. Moreover, we establish a leakage model for cache attack situations to evaluate the exhaustive search space of the intermediate value of block ciphers, and estimate the time complexity of cache attacks. In our experiments, we perform Flush + Reload and Prime + Probe attacks and recover the random key of Blowfish in OpenSSL 1.1.1h in 4 minutes. Furthermore, we have applied our attacks to existing systems, such as JavaScript-blowfish and Bcrypt. Our attack on JavaScript-blowfish can recover any plaintext input by the user. As for Bcrypt, our attack can recover the hash values stored in the database, thereby allowing attackers to impersonate the user’s identity.
Subject
Computer Networks and Communications; Hardware and Architecture; Safety, Risk, Reliability and Quality; Software