Side Channel Attacks on AES

Transcript of Side Channel Attacks on AES

Highly Efficient Algorithms for AES Key Retrieval inCache Access Attacks

Ashokkumar C. , Ravi Prakash Giri , Bernard Menezes

Indian Institute of Technology, Bombay, INDIA

IEEE European Symposium on Security and Privacy, Saarbrucken, GERMANYMarch 21-24, 2016

Outline

1 Preliminaries (Side Channel Attacks, AES Implementation)

2 First Round Attack

3 Second Round Attack

4 Results

5 Limitations and Extensions

6 Summary and Conclusions

Preliminaries (Side Channel Attacks, AES Implementation)

Problem Statement

Retrieve entire 128-bit AES key in a cache access attack given

Known plaintext blocks and corresponding sets of cache line numbersof table elements accessed during AES encryption

or

Known ciphertext blocks and corresponding sets of cache linenumbers of table elements accessed during AES decryption

Euro S&P ’16 Highly Efficient Algorithms for AES Key Retrieval in Cache Access Attacks 3/29 3 / 29

Problem Statement

Retrieve entire 128-bit AES key in a cache access attack given

Known plaintext blocks and corresponding sets of cache line numbersof table elements accessed during AES encryption

or

Known ciphertext blocks and corresponding sets of cache linenumbers of table elements accessed during AES decryption

Attacks on Crypto Algorithms

Traditionally, attacks on cryptographic algorithms have focused on hardmathematical problems (such as the factorization problem or the dis-crete logarithm) or linear/differential cryptanalysis

A different approach is to exploit leakage of sensitive information throughvarious side channels – power, timing, etc. to obtain the key

Cache-based Side Channel Attacks

Exploit the fact that memory access times vary by 1–2 orders of mag-nitude depending on which level of the memory hierarchy the requireddata/instruction currently resides

Typically depend on the actual implementation of the algorithm

Algorithms targeted – RSA, DSA, EC-DSA, AES, etc.

Cache-based Side Channel Attacks

Exploit the fact that memory access times vary by 1–2 orders of mag-nitude depending on which level of the memory hierarchy the requireddata/instruction currently resides

Typically depend on the actual implementation of the algorithm

Algorithms targeted – RSA, DSA, EC-DSA, AES, etc.

AES Basics

Secret key cipher, 128-bit block size, key size = 128/192/256

Plaintext, ciphertext and key are each represented as a 4× 4 matrix ofbytes

P =

p0 p4 p8 p12p1 p5 p9 p13p2 p6 p10 p14p3 p7 p11 p15

K =

k0 k4 k8 k12k1 k5 k9 k13k2 k6 k10 k14k3 k7 k11 k15

10 rounds for 128-bit AES. Round keys obtained from original AES keyvia “Key Expansion Algorithm”

Plaintext is XORed with AES key before first round

AES Basics

Secret key cipher, 128-bit block size, key size = 128/192/256

Plaintext, ciphertext and key are each represented as a 4× 4 matrix ofbytes

P =

p0 p4 p8 p12p1 p5 p9 p13p2 p6 p10 p14p3 p7 p11 p15

K =

k0 k4 k8 k12k1 k5 k9 k13k2 k6 k10 k14k3 k7 k11 k15

10 rounds for 128-bit AES. Round keys obtained from original AES keyvia “Key Expansion Algorithm”

Plaintext is XORed with AES key before first round

AES Operations with pictures

x(r)0 x

(r)4 x

(r)8 x

(r)12

x(r)1 x

(r)5 x

(r)9 x

(r)13

x(r)2 x

(r)6 x

(r)10 x

(r)14

x(r)3 x

(r)7 x

(r)11 x

(r)15

↓02 03 01 01

01 02 03 01

01 01 02 03

03 01 01 02

•

x(r)0 x

(r)4 x

(r)8 x

(r)12

x(r)5 x

(r)9 x

(r)13 x

(r)1

x(r)10 x

(r)14 x

(r)2 x

(r)6

x(r)15 x

(r)3 x

(r)7 x

(r)11

⊕

k(r)0 k

(r)4 k

(r)8 k

(r)12

k(r)1 k

(r)5 k

(r)9 k

(r)13

k(r)2 k

(r)6 k

(r)10 k

(r)14

k(r)3 k

(r)7 k

(r)11 k

(r)15

=

x(r+1)0 x

(r+1)4 x

(r+1)8 x

(r+1)12

x(r+1)1 x

(r+1)5 x

(r+1)9 x

(r+1)13

x(r+1)2 x

(r+1)6 x

(r+1)10 x

(r+1)14

x(r+1)3 x

(r+1)7 x

(r+1)11 x

(r+1)15

x(r)0 x

(r)4 x

(r)8 x

(r)12

x(r)1 x

(r)5 x

(r)9 x

(r)13

x(r)2 x

(r)6 x

(r)10 x

(r)14

x(r)3 x

(r)7 x

(r)11 x

(r)15

↓

02 03 01 01

01 02 03 01

01 01 02 03

03 01 01 02

•

x(r)0 x

(r)4 x

(r)8 x

(r)12

x(r)5 x

(r)9 x

(r)13 x

(r)1

x(r)10 x

(r)14 x

(r)2 x

(r)6

x(r)15 x

(r)3 x

(r)7 x

(r)11

⊕

k(r)0 k

(r)4 k

(r)8 k

(r)12

k(r)1 k

(r)5 k

(r)9 k

(r)13

k(r)2 k

(r)6 k

(r)10 k

(r)14

k(r)3 k

(r)7 k

(r)11 k

(r)15

=

x(r+1)0 x

(r+1)4 x

(r+1)8 x

(r+1)12

x(r+1)1 x

(r+1)5 x

(r+1)9 x

(r+1)13

x(r+1)2 x

(r+1)6 x

(r+1)10 x

(r+1)14

x(r+1)3 x

(r+1)7 x

(r+1)11 x

(r+1)15

x(r)0 x

(r)4 x

(r)8 x

(r)12

x(r)1 x

(r)5 x

(r)9 x

(r)13

x(r)2 x

(r)6 x

(r)10 x

(r)14

x(r)3 x

(r)7 x

(r)11 x

(r)15

↓

02 03 01 01

01 02 03 01

01 01 02 03

03 01 01 02

•

x(r)0 x

(r)4 x

(r)8 x

(r)12

x(r)5 x

(r)9 x

(r)13 x

(r)1

x(r)10 x

(r)14 x

(r)2 x

(r)6

x(r)15 x

(r)3 x

(r)7 x

(r)11

⊕

k(r)0 k

(r)4 k

(r)8 k

(r)12

k(r)1 k

(r)5 k

(r)9 k

(r)13

k(r)2 k

(r)6 k

(r)10 k

(r)14

k(r)3 k

(r)7 k

(r)11 k

(r)15

=

x(r+1)0 x

(r+1)4 x

(r+1)8 x

(r+1)12

x(r+1)1 x

(r+1)5 x

(r+1)9 x

(r+1)13

x(r+1)2 x

(r+1)6 x

(r+1)10 x

(r+1)14

x(r+1)3 x

(r+1)7 x

(r+1)11 x

(r+1)15

x(r)0 x

(r)4 x

(r)8 x

(r)12

x(r)1 x

(r)5 x

(r)9 x

(r)13

x(r)2 x

(r)6 x

(r)10 x

(r)14

x(r)3 x

(r)7 x

(r)11 x

(r)15

↓

02 03 01 01

01 02 03 01

01 01 02 03

03 01 01 02

•

x(r)0 x

(r)4 x

(r)8 x

(r)12

x(r)5 x

(r)9 x

(r)13 x

(r)1

x(r)10 x

(r)14 x

(r)2 x

(r)6

x(r)15 x

(r)3 x

(r)7 x

(r)11

⊕

k(r)0 k

(r)4 k

(r)8 k

(r)12

k(r)1 k

(r)5 k

(r)9 k

(r)13

k(r)2 k

(r)6 k

(r)10 k

(r)14

k(r)3 k

(r)7 k

(r)11 k

(r)15

=

x(r+1)0 x

(r+1)4 x

(r+1)8 x

(r+1)12

x(r+1)1 x

(r+1)5 x

(r+1)9 x

(r+1)13

x(r+1)2 x

(r+1)6 x

(r+1)10 x

(r+1)14

x(r+1)3 x

(r+1)7 x

(r+1)11 x

(r+1)15

x(r)0 x

(r)4 x

(r)8 x

(r)12

x(r)1 x

(r)5 x

(r)9 x

(r)13

x(r)2 x

(r)6 x

(r)10 x

(r)14

x(r)3 x

(r)7 x

(r)11 x

(r)15

↓

02 03 01 01

01 02 03 01

01 01 02 03

03 01 01 02

•

x(r)0 x

(r)4 x

(r)8 x

(r)12

x(r)5 x

(r)9 x

(r)13 x

(r)1

x(r)10 x

(r)14 x

(r)2 x

(r)6

x(r)15 x

(r)3 x

(r)7 x

(r)11

⊕

k(r)0 k

(r)4 k

(r)8 k

(r)12

k(r)1 k

(r)5 k

(r)9 k

(r)13

k(r)2 k

(r)6 k

(r)10 k

(r)14

k(r)3 k

(r)7 k

(r)11 k

(r)15

=

x(r+1)0 x

(r+1)4 x

(r+1)8 x

(r+1)12

x(r+1)1 x

(r+1)5 x

(r+1)9 x

(r+1)13

x(r+1)2 x

(r+1)6 x

(r+1)10 x

(r+1)14

x(r+1)3 x

(r+1)7 x

(r+1)11 x

(r+1)15

Software Implementation of AES

Makes extensive use of table look-ups in lieu of time-consuming fieldoperations (5-table implementation targeted by us)

Each table has 256 entries, each entry is 4 bytes

Line size or block size is 64 bytes in most machines

So a single table occupies 16 lines, 16 elements per line

Round Functions implemented with table lookups

(x(r+1)0 , x

(r+1)1 , x

(r+1)2 , x

(r+1)3

)←T0

[x(r)0

]⊕T1

[x(r)5

]⊕T2

[x(r)10

]⊕T3

[x(r)15

]⊕ K

(r)0(

x(r+1)4 , x

(r+1)5 , x

(r+1)6 , x

(r+1)7

)←T0

[x(r)4

]⊕T1

[x(r)9

]⊕T2

[x(r)14

]⊕T3

[x(r)3

]⊕ K

(r)1(

x(r+1)8 , x

(r+1)9 , x

(r+1)10 , x

(r+1)11

)←T0

[x(r)8

]⊕T1

[x(r)13

]⊕T2

[x(r)2

]⊕T3

[x(r)7

]⊕ K

(r)2(

x(r+1)12 , x

(r+1)13 , x

(r+1)14 , x

(r+1)15

)←T0

[x(r)12

]⊕T1

[x(r)1

]⊕T2

[x(r)6

]⊕T3

[x(r)11

]⊕ K

(r)3

where,x(r)i is the i th byte of the inputs to round r

K (r) is the r th round key and K(r+1)i refers to the i th

column of K (r+1).

Organization of Tables in Cache

0

15

0

15

T0

T1

T2

T3

T4 Element 255

Euro S&P ’16 Highly Efficient Algorithms for AES Key Retrieval in Cache Access Attacks 10/2910 / 29

line size = 64 bytes

16 lines

Element 255

0

15

0

15

T0

T1

T2

T3

T4

Element 15

Element 0

Element 240 Element 255

0

15

0

15

T0

T1

T2

T3

T4

line size = 64 bytes

16 lines

First Round Attack

Experimental Setup

Multi-threaded spy + Victim (running AES) on one core

Spy controller on another core

First Round Attack

Run and Run size

The executions of the spy threads and victim are interleaved

Each execution instance of the victim is referred to as a run

The number of table accesses made during a run is referred to as therun size (between 12 and 35 in our experiments)

First Round Attack

Run and Run size

The executions of the spy threads and victim are interleaved

Each execution instance of the victim is referred to as a run

The number of table accesses made during a run is referred to as therun size (between 12 and 35 in our experiments)

First Round Attack

1st Round Attack - Goal and Input

Goal:

To obtain the high-order nibble of each of the 16 bytes of the AES key

Input:

Several blocks of plaintext (Scenario 1) or ciphertext (Scenario 2)

Sets of cache line numbers accessed by victim in each run duringencryption (Scenario 1) or decryption (Scenario 2) of those blocks

First Round Attack

1st Round Attack - Goal and Input

Goal:

To obtain the high-order nibble of each of the 16 bytes of the AES key

Input:

Several blocks of plaintext (Scenario 1) or ciphertext (Scenario 2)

Sets of cache line numbers accessed by victim in each run duringencryption (Scenario 1) or decryption (Scenario 2) of those blocks

First Round Attack

1st Round Attack - ExampleUses input to the first round

p0 ⊕ k0 p4 ⊕ k4 p8 ⊕ k8 p12 ⊕ k12p1 ⊕ k1 p5 ⊕ k5 p9 ⊕ k9 p13 ⊕ k13p2 ⊕ k2 p6 ⊕ k6 p10 ⊕ k10 p14 ⊕ k14p3 ⊕ k3 p7 ⊕ k7 p11 ⊕ k11 p15 ⊕ k15

Table line number of elements accessed are (p0 ⊕ k0)

′, (p1 ⊕ k1)

′, ...,

(p15 ⊕ k15)′

If we know the (pi ⊕ ki )′

and pi , we can deduce (ki )′

ExampleActual sequence of line numbers: 5, 19, 44, 57, 3, 30, 40, 55, 14, 26, 37, 49, 10, 20, 32,63, 15, 30, 41, 53, 5, 23, 39, 51, 11, 23, 37, 62, 2, 28, 39,...

Run 0: 3, 5, 14, 19, 26, 30, 40, 44, 55, 57, 64, 65, 73, 75Run 1: 2, 3, 5, 10, 11, 14, 15, 19, 20, 23, 26, 30, 32, 37, 39, 40, 41, 44, 49, 51, 53, 55,57, 62, 63Run 2: 2, 5, 6, 8, 11, 14, 17, 21, 23, 27, 28, 31, 33, 37, 38, 39, 40, 44, 49, 50, 51, ...

First Round Attack

1st Round Attack - ExampleUses input to the first round

p0 ⊕ k0 p4 ⊕ k4 p8 ⊕ k8 p12 ⊕ k12p1 ⊕ k1 p5 ⊕ k5 p9 ⊕ k9 p13 ⊕ k13p2 ⊕ k2 p6 ⊕ k6 p10 ⊕ k10 p14 ⊕ k14p3 ⊕ k3 p7 ⊕ k7 p11 ⊕ k11 p15 ⊕ k15

Table line number of elements accessed are (p0 ⊕ k0)

′, (p1 ⊕ k1)

′, ...,

(p15 ⊕ k15)′

If we know the (pi ⊕ ki )′

and pi , we can deduce (ki )′

ExampleActual sequence of line numbers: 5, 19, 44, 57, 3, 30, 40, 55, 14, 26, 37, 49, 10, 20, 32,63, 15, 30, 41, 53, 5, 23, 39, 51, 11, 23, 37, 62, 2, 28, 39,...

Run 0: 3, 5, 14, 19, 26, 30, 40, 44, 55, 57, 64, 65, 73, 75Run 1: 2, 3, 5, 10, 11, 14, 15, 19, 20, 23, 26, 30, 32, 37, 39, 40, 41, 44, 49, 51, 53, 55,57, 62, 63Run 2: 2, 5, 6, 8, 11, 14, 17, 21, 23, 27, 28, 31, 33, 37, 38, 39, 40, 44, 49, 50, 51, ...

First Round Attack

Histogram of scores for each guessed value

First Round Attack

First Round Attack

First Round Attack

First Round Attack

Second Round Attack

2nd Round Attack - Strategy

Goal

To obtain the low-order nibble of each byte of the AES key

Treat the low-order nibble of each of the 16 bytes of the key as anattribute of a relation (table)

Each tuple in the table is a potential subkey values. Initially, any ofthe 264 subkey values are possible

As in RDBMS, selection predicates are used to filter out tuples

Second Round Attack

2nd Round Attack - Strategy

Goal

To obtain the low-order nibble of each byte of the AES key

Treat the low-order nibble of each of the 16 bytes of the key as anattribute of a relation (table)

Each tuple in the table is a potential subkey values. Initially, any ofthe 264 subkey values are possible

As in RDBMS, selection predicates are used to filter out tuples

Second Round Attack

Selection Predicate for Key Retrieval

The selection predicates we employ are the 16 equations that relate theindices of line numbers of table elements accessed in the second roundand various bytes of the plaintext and key

Example

x(2)0 = 2• s(p0⊕k0)⊕3• s(p5⊕k5)⊕ s(p10⊕k10)⊕ s(p15⊕k15)⊕ s(k13)⊕k0⊕1

Second Round Attack

Applying the selection predicate

(x(2)0 )

′= (2 • s(p0 ⊕ k0)⊕ 3 • s(p5 ⊕ k5)⊕ s(p10 ⊕ k10)⊕ s(p15 ⊕ k15)

⊕ s(k13)⊕ k0 ⊕ 1)′

The LHS is the line number on which the required element resides

Actually what is provided by the spy is not a single number but a setof line numbers

We retain a tuple only if the RHS evaluates to any element in the set

Second Round Attack

Performance and Cost considerations

The number of plaintexts (encryptions) required to retrieve the key isε = −4

log2 c, where c = (per table run size) /16

If c = 8/16 = 0.5, the number of encryptions required is just 4!

But at what cost?

Handling 264 tuples

Solution

Use relational join operations and Cartesian products in addition toselects

Carefully choose the relational schema and which operations are per-formed when and on which relations

Second Round Attack

But at what cost?

Handling 264 tuples

Solution

Second Round Attack

But at what cost?

Handling 264 tuples

Solution

Second Round Attack

But at what cost?

Handling 264 tuples

Solution

Second Round Attack

Relational Join Recap

Student Dept.

Cynthia EE

Mustafa ME

Prashant CS

Tsai-Shing CS

on

Dept. Building

CS Niagara

EE Danube

EE Nile

ME Ganges

Which students visit which buildings for department-related work?

=

Student Dept. Building

Cynthia EE Danube

Cynthia EE Nile

Mustafa ME Ganges

Prashant CS Niagara

Tsai-Shing CS Niagara

Second Round Attack

Student Dept.

Cynthia EE

Mustafa ME

Prashant CS

Tsai-Shing CS

on

Dept. Building

CS Niagara

EE Danube

EE Nile

ME Ganges

=

Cynthia EE Danube

Cynthia EE Nile

Mustafa ME Ganges

Prashant CS Niagara

Second Round Attack

Student Dept.

Cynthia EE

Mustafa ME

Prashant CS

Tsai-Shing CS

on

Dept. Building

CS Niagara

EE Danube

EE Nile

ME Ganges

=

Cynthia EE Danube

Cynthia EE Nile

Mustafa ME Ganges

Prashant CS Niagara

Second Round Attack

Key Retrieval Algo in action (Round 2 Attack)

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′13

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′14

k′′0 , k

′′5 , k

′′10, k

′′15

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′12

216

Second Round Attack

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′13

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′14

k′′0 , k

′′5 , k

′′10, k

′′15

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′12

S (σ)

216 216 * cε

212

Second Round Attack

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′13

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′14

k′′0 , k

′′5 , k

′′10, k

′′15

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′12

S (σ)

A

216

216 * cε * 24

216

216 * cε

212

216

Second Round Attack

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′13

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′14

k′′0 , k

′′5 , k

′′10, k

′′15

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′12

S (σ)

A

216

216 * cε * 24

216

216 * cε

212

216

216 * c2ε * 24

212

Second Round Attack

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′13

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′14

k′′0 , k

′′5 , k

′′10, k

′′15

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′12

S (σ)

J ( ⋈)

S (σ)

A

216

216 * cε * 24

216

216 * cε

212

216

216 * c2ε * 24

212

224 * c3ε

212

Second Round Attack

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′13

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′14

k′′0 , k

′′5 , k

′′10, k

′′15

k′′0 , k

′′5 , k

′′10, k

′′15, k

′′12

J ( ⋈)

228 * c4ε

212

S (σ)

J ( ⋈)

S (σ)

A

216

216 * cε * 24

216

216 * cε

212

216

216 * c2ε * 24

212

224 * c3ε

212

Second Round Attack

k′′0 , k

′′5 , k

′′10, k

′′12, k

′′13, k

′′14, k

′′15

k′′3 , k

′′4 , k

′′9 , k

′′12, k

′′13, k

′′14, k

′′15

k′′2 , k

′′7 , k

′′8 , k

′′12, k

′′13, k

′′14, k

′′15

k′′1 , k

′′6 , k

′′11, k

′′12, k

′′13, k

′′14, k

′′15

228 * c4ε

212

240 * c8ε

28

264 * c16ε

212

28

J ( ⋈)

Results

Key Retrieval Algo in action (contd.) (Round 2 Attack)

Results

Results

Results

Results

Performance of Key Retrieval Algorithms

First Round Attack:

70% → in 5–7 encryptions

16% → in 8 encryptions

Second Round Attack:

Results

Performance of Key Retrieval Algorithms

First Round Attack:

70% → in 5–7 encryptions

Second Round Attack:

Results

Algorithm’s performance as a function of run size

Limitations and Extensions

Limitations

False Negatives in spy input will result in an incorrect key being de-duced

Assumptions made may not always hold

1 Victim and multi-threaded spy process are located on same core

2 Hardware prefetching of cache line is turned off

3 No other processes are accessing AES table

Limitations

False Negatives in spy input will result in an incorrect key being de-duced

Assumptions made may not always hold

1 Victim and multi-threaded spy process are located on same core

2 Hardware prefetching of cache line is turned off

3 No other processes are accessing AES table

Extensions

Design and implementation of error-tolerant key retrieval algorithm

Key retrieval algorithms with hardware prefetching turned on

Further optimizations in First Round Attack

Operationalization of the attack

Summary and Conclusions

Conclusions

Designed and implemented a suite of algorithms to deduce the 128-bitAES key using as input sets of unordered lines captured by spy threads

Two attack scenarios where either plaintext or ciphertext is known

Algorithms expressed using simple relational algebraic operations andrun in under a minute

In practice only 6–7 blocks of plaintext or ciphertext were required

Developed analytical models to estimate number of encryptions or de-cryptions required

Function of Spy Thread and Spy Controller

Spy Thread

1: block until cond variable is true2: for each line of AES tables do3: measure access time4: flush line5: end for6: finished ← true

Spy Controller

1: while finished 6= true do2: keep polling3: end while4: signal(nextThreadID)5: finished ← false

Function of Spy Thread and Spy Controller

Spy Thread

1: block until cond variable is true2: for each line of AES tables do3: measure access time4: flush line5: end for6: finished ← true

Spy Controller

1: while finished 6= true do2: keep polling3: end while4: signal(nextThreadID)5: finished ← false

No. of surviving tuples

(x(2)0 )

′= (2 • s(p0 ⊕ k0)⊕ 3 • s(p5 ⊕ k5)⊕ s(p10 ⊕ k10)⊕ s(p15 ⊕ k15)

⊕ s(k13)⊕ k0 ⊕ 1)′

For an incorrect/random “guess” of the key, the RHS takes a valuebetween 0 and F with equal probability

The probability that a tuple survives (satisfies the predicate) is c =(per table run size) /16

The number of surviving tuples is hence 264 × c

No. of plaintexts required for Key Retrieval

We have a total of 16 equations and inputs from ε encryptions or atotal of 16ε predicates

The size of the output relation after being subject to 16ε selectoperations is 264 × c16ε

To estimate the number of plaintexts (encryptions) required toretrieve the key, we solve for ε from 264 × c16ε = 1 to obtainε = −4

log2 c, where ε is no. of plaintext(s) required

Side Channel Attacks on AES

Engineering

Transcript of Side Channel Attacks on AES