Improved algebraic side-channel attack on AES (original) (raw)

Tolerant algebraic side-channel analysis of AES

2012

We report on a Tolerant Algebraic Side-Channel Analysis (TASCA) attack on an AES implementation, using an optimizing pseudo-Boolean solver to recover the secret key from a vector of Hamming weights corresponding to a single encryption. We first develop a boundary on the maximum error rate that can be tolerated as a function of the set size output by the decoder and the number of measurements. Then, we show that the TASCA approach is capable of recovering the secret key from errored traces in a reasonable time for error rates approaching this theoretical boundary -specifically, the key was recovered in 10 hours on average from 100 measurements with error rates of up to 20%. We discovered that, perhaps counter-intuitively, there are strong incentives for the attacker to use as few leaks as possible to recover the key. We describe the equation setup, the experiment setup and discuss the results.

Algebraic Side-Channel Attacks on the AES: Why Time also Matters in DPA

Lecture Notes in Computer Science, 2009

Algebraic side-channel attacks have been recently introduced as a powerful cryptanalysis technique against block ciphers. These attacks represent both a target algorithm and its physical information leakages as an overdefined system of equations that the adversary tries to solve. They were first applied to PRESENT because of its simple algebraic structure. In this paper, we investigate the extent to which they can be exploited against the AES Rijndael and discuss their practical specificities. We show experimentally that most of the intuitions that hold for PRESENT can also be observed for an unprotected implementation of Rijndael in an 8-bit controller. Namely, algebraic side-channel attacks can recover the AES master key with the observation of a single encrypted plaintext and they easily deal with unknown plaintexts/ciphertexts in this context. Because these attacks can take advantage of the physical information corresponding to all the cipher rounds, they imply that one cannot trade speed for code size (or gate count) without affecting the physical security of a leaking device. In other words, more intermediate computations inevitably leads to more exploitable leakages. We analyze the consequences of this observation on two different masking schemes and discuss its impact on other countermeasures. Our results exhibit that algebraic techniques lead to a new understanding of implementation weaknesses that is different than classical side-channel attacks.

Analysis of the algebraic side channel attack

At CHES 2009, Renauld, Standaert and Veyrat-Charvillon introduced a new kind of attack called Algebraic Side-Channel Attacks (ASCA). They showed that side-channel information leads to effective algebraic attacks. These results are mostly experiments since strongly based on the use of a SAT solver. This article presents a theoretical study in order to explain and to characterize the algebraic phase of these attacks. We study more general algebraic attacks based on Gröbner methods. We show that the complexity of the Gröbner basis computations in these attacks depends on a new notion of algebraic immunity defined in this paper, and on the distribution of the leakage information of the cryptosystem. We also study two examples of common leakage models: the Hamming weight and the Hamming distance models. For instance the study in the case of the Hamming weight model gives that the probability of obtaining at least 64 (resp. 130) linear relations is about 50% for the substitution layer of PRESENT

Combining Algebraic and Side-Channel Cryptanalysis against Block Ciphers

2009

This paper introduces a new type of cryptanalysis against block ciphers, denoted as algebraic side-channel attacks. In these attacks, we first write the target block cipher as a system of low degree equations. But since directly solving this system is generally hard, we additionally provide it with physical information. As a consequence, the algebraic cryptanalysis that was previously conjectured can be experimented and turns out to be very efficient to break block ciphers in practice. The proposed attacks differ from most previously known side-channel attacks in a number of interesting aspects. Namely they have a significantly reduced data complexity, the possibility to exploit the information of all the cipher rounds in an unknown plaintext/ciphertext scenario and different requirements for countermeasures. As an illustration, we apply them to the implementations of two block ciphers using a single leakage trace and discuss their specificities.

Algebraic Side-Channel Analysis in the Presence of Errors

2010

Measurement errors make power analysis attacks difficult to mount when only a single power trace is available: the statistical methods that make DPA attacks so successful are not applicable since they require many (typically thousands) of traces. Recently it was suggested by to use algebraic methods for the single-trace scenario, converting the key recovery problem into a Boolean satisfiability (SAT) problem, then using a SAT solver. However, this approach is extremely sensitive to noise (allowing an error rate of well under 1% at most), and the question of its practicality remained open. In this work we show how a single-trace side-channel analysis problem can be transformed into a pseudo-Boolean optimization (PBOPT) problem, which takes errors into consideration. The PBOPT instance can then be solved using a suitable optimization problem solver. The PBOPT syntax provides for a more expressive input specification which allows a very natural representation of measurement errors. Most importantly, we show that using our approach we are able to mount successful and efficient single-trace attacks even in the presence of realistic error rates of 10%-20%. We call our new attack methodology Tolerant Algebraic Side-Channel Analysis (TASCA). We show practical attacks on two real ciphers: Keeloq and AES.

Algebraic Cryptanalysis of Simplified AES∗

Cryptologia, 2009

Simplified AES was developed in 2003 as a teaching tool to help students understand AES. It was designed so that the two primary attacks on symmetric-key block ciphers of that time, differential cryptanalysis and linear cryptanalysis, are not trivial on simplified AES. Algebraic cryptanalysis is a technique that uses modern equation solvers to attack cryptographic algorithms. There have been some claims that AES is threatened by algebraic cryptanalysis. We will use algebraic cryptanalysis to attack simplified AES.

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model

2012

Algebraic side-channel attacks (ASCA) are a method of cryptanalysis which allow performing key recoveries with very low data complexity. In an ASCA, the side-channel leaks of a device under test (DUT) are represented as a system of equations, and a machine solver is used to find a key which satisfies these equations. A primary limitation of the ASCA method is the way it tolerates errors. If the correct key is excluded from the system of equations due to noise in the measurements, the attack will fail. On the other hand, if the DUT is described in a more robust manner to better tolerate errors, the loss of information may make computation time intractable. In this paper, we first show how this robustness-information tradeoff can be simplified by using an optimizer, which exploits the probability data output by a side-channel decoder, instead of a standard SAT solver. For this purpose, we describe a way of representing the leak equations as vectors of aposteriori probabilities, enabling a natural integration of template attacks and ASCA. Next, we put forward the applicability of ASCA against devices which do not conform to simple leakage models (e.g. based on the Hamming weight of the manipulated data). We finally report on various experiments that illustrate the strengths and weaknesses of standard and optimizing solvers in various settings, hence demonstrating the versatility of ASCA.

Algebraic Side Channel Attack on Trivium and Grain Ciphers

IEEE Access

Solving a system of multivariate quadratic equations obtained through algebraic cryptanalysis is a nondeterministic polynomial time-complete problem. Owing to the trend of stream ciphers based on nonlinear update, the success of algebraic attacks has been limited to their reduced variants. On the other hand, side channel attacks (SCAs), although require a continued access to the target device for capturing leakages, are a potent threat against the stream ciphers. Algebraic SCA (ASCA) combines and solves equations obtained through algebraic cryptanalysis and partial SCA of cipher implementation. ASCA is successfully being applied against block ciphers since 2009; however, there is no existing published work on ASCA against stream ciphers as per our knowledge. In this paper, we propose an idea of mounting ASCA on stream ciphers, and we demonstrated it through the application of ASCA on trivium and grain stream ciphers.

Towards an Algebraic Attack on AES-128 Faster Than Brute-Force

2013

In this paper we describe the main ideas of a few versions of an algebraic known plaintext attack against AES-128. The attack could be applied under the hypothesis of knowing a part of the 16-bytes key. These attack versions are based on some specific properties of the key schedule, properties that allow splitting the keys space (2 128 keys) in subspaces based on some well-defined criteria. The practical efficiency of these attacks depends on some conditions including a conjecture. Also, the paper introduces a definition of weak keys, in the context of the presented attack.

Computational and Algebraic Aspects of the Advanced Encryption Standard

The new Advanced Encryption Standard (AES) has been recently selected by the US government to replace the old Data Encryption Standard (DES) for protecting sensitive official information. Due to its simplicity and elegant algebraic structure, the choice of the AES algorithm has motivated the study of a new approach to the analysis of block ciphers. While conventional methods of cryptanalysis (e.g. differential and linear cryptanalysis) are usually based on a "statistical" approach, where an attacker attempts to construct statistical patterns through many interactions of the cipher, the so-called algebraic attacks exploit the intrinsic algebraic structure of a cipher. More specifically, the attacker expresses the encryption transformation as a set of multivariate polynomial equations and attempts to recover the encryption key by solving the system. In this paper we consider a number of algebraic aspects of the AES, and examine a few computational and algebraic techniques that could be used in the cryptanalysis of cipher. We show how one can express the cipher as a very large, though surprisingly simple, system of multivariate quadratic equations over the finite field F 2 8 , and consider some approaches that can be used to solve this system.