Analysis of the algebraic side channel attack

Comparative Study of Algebraic Attacks

IARJSET, 2016

Cryptographic schemes have an algebraic structure and can be described as multivariate polynomial equations. Even though algebra is the default tool in the cryptanalysis of asymmetric cryptosystems, there has recently been an increase in interest in the use of algebraic cryptanalysis techniques in the analysis of symmetric cryptosystems. The basic idea behind the algebraic attack is to express the whole cryptosystem as a large system of multivariate polynomial equations, and then to consider methods for solving the system to recover the key. Solving multivariate polynomial systems is a typical problem studied in algebraic geometry and computational algebra. Computing a Gröbner basis is the best-known method for solving this problem. Finding Gröbner bases is a difficult task which requires a lot of computational resources. This paper discusses and explains in depth different algorithms for computing Gröbner bases, using examples. This paper also compares these algorithms from the points of view of accuracy and efficiency (the required resources: time and effort) to get accurate results. Finally, the worthiness of these algorithms to be applied to cryptanalysis is discussed.

On Asymptotic Security Estimates In Xl and Gröbner Bases-Related Algebraic Cryptanalysis

Information and Communications …, 2004

"Algebraic cryptanalysis" against a cryptosystem often comprises finding enough relations that are generally or probabilistically valid, then solving the resultant system. The security of many schemes (the most important being AES) thus depends on the difficulty of solving multivariate polynomial equations. Generically, this is NP-hard. The related methods of XL (eXtended Linearization), Gröbner bases, and their variants (of which a large number have been proposed) form a unified approach to solving equations and thus affect our assessment and understanding of many cryptosystems. Building on prior theory, we analyze these XL variants and derive asymptotic formulas giving better security estimates under XL-related algebraic attacks; through this examination we have hopefully improved our understanding of such variants. In particular, guessing a portion of the variables is a good idea for both XL and Gröbner basis methods.

Algebraic Side-Channel Attacks Beyond the Hamming Weight Leakage Model

2012

Algebraic side-channel attacks (ASCA) are a method of cryptanalysis which allows key recovery with very low data complexity. In an ASCA, the side-channel leaks of a device under test (DUT) are represented as a system of equations, and a machine solver is used to find a key which satisfies these equations. A primary limitation of the ASCA method is the way it tolerates errors. If the correct key is excluded from the system of equations due to noise in the measurements, the attack will fail. On the other hand, if the DUT is described in a more robust manner to better tolerate errors, the loss of information may make the computation time intractable. In this paper, we first show how this robustness-information tradeoff can be simplified by using an optimizer, which exploits the probability data output by a side-channel decoder, instead of a standard SAT solver. For this purpose, we describe a way of representing the leak equations as vectors of a posteriori probabilities, enabling a natural integration of template attacks and ASCA. Next, we put forward the applicability of ASCA against devices which do not conform to simple leakage models (e.g. based on the Hamming weight of the manipulated data). We finally report on various experiments that illustrate the strengths and weaknesses of standard and optimizing solvers in various settings, hence demonstrating the versatility of ASCA.

Algebraic Attacks Galore!

Groups – Complexity – Cryptology, 2009

This is the first in a two-part survey of current techniques in algebraic cryptanalysis. After introducing the basic setup of algebraic attacks and discussing several attack scenarios for symmetric cryptosystems, public key cryptosystems, and stream ciphers, we discuss a number of individual methods. The XL, XSL, and MutantXL attacks are based on linearization techniques for multivariate polynomial systems. Then we look at Gröbner basis and border bases methods. In the last section we introduce attacks based on integer programming techniques and try them in some concrete cases.

Guess-and-Determine Attack and Algebraic Attack

2010

Recently, algebraic attacks on cryptosystems, a method that tries to solve a system of multivariate polynomial equations, have gained a lot of attention. This approach has two phases: the first is to find a system of multivariate polynomial equations, and the second is to solve that system of equations. There are many methods for solving a system of multivariate polynomial equations, such as the XL and Gröbner basis algorithms, but these algorithms have a high complexity for a system with many variables and equations. On the other hand, the system of equations obtained from a cryptosystem usually has a high total degree. So one way of reducing the complexity of solving such a system with current algorithms is to reduce the total degree of the system, and one way of reducing the total degree of the system is to guess some of the unknowns in the system. As a contribution, we consider the effect of guessing some unknowns, in order to reduce the total degree of the system of multivariate polynomial equations, on the complexity of solving the system with the XL and Gröbner basis algorithms.

Improved algebraic side-channel attack on AES

2012

In this paper we present improvements of the algebraic side-channel analysis of the Advanced Encryption Standard (AES) proposed in [1]. In particular, we optimize the algebraic representation of AES and the algebraic representation of the obtained side-channel information in order to speed up the attack and increase the success rate. We study the performance of our improvements in both known and unknown plaintext/ciphertext attack scenarios. Our experiments indicate that in both cases the amount of required side-channel information is less than that required in the attacks introduced in [1]. Furthermore, we introduce a method for error handling, which allows our improved algebraic side-channel attack to escape the assumption of an error-free environment and thus become applicable in practice. We demonstrate the practical use of our improved algebraic side-channel attack by inserting predictions from a single-trace template attack.
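The error-handling problem that both ASCA abstracts above describe (the 2012 "Beyond the Hamming Weight Leakage Model" paper and the improved AES attack) is easy to see on a toy cipher. The following is an added example, not code from either paper: an 8-bit key is split into two nibbles, each XORed with single-bit plaintext nibbles and passed through the 4-bit PRESENT S-box, and the device is assumed to leak the Hamming weight of the S-box input and output. Exhaustive enumeration of the 256 keys stands in for the SAT solver; the cipher, the leak points, the template probabilities (0.8/0.09/0.01) and the secret key 0x5A are all assumptions made for the illustration.

```python
"""Algebraic side-channel attack on a toy cipher with a noisy Hamming-weight leak.

Added illustration, not code from either paper.  Exhaustive enumeration of the
256-key space stands in for the SAT solver so that the three ways of handling
measurement error (exact constraints, tolerant constraints, posterior scoring)
can be compared on identical input.
"""

# 4-bit PRESENT S-box; the cipher and leak points below are constructed for the example
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PLAINTEXTS = [0x0, 0x1, 0x2, 0x4, 0x8]   # constructed: single-bit plaintext nibbles
NIBBLES = 2                              # the toy key is NIBBLES * 4 = 8 bits
KEYSPACE = range(1 << (4 * NIBBLES))
TRUE_KEY = 0x5A                          # constructed secret


def hw(x):
    return bin(x).count("1")


def leaks(key):
    """Hamming weights the device is assumed to leak for each key nibble and
    plaintext: the S-box input p ^ k and the S-box output S[p ^ k]."""
    out = []
    for i in range(NIBBLES):
        k = (key >> (4 * i)) & 0xF
        for p in PLAINTEXTS:
            u = p ^ k
            out += [hw(u), hw(SBOX[u])]
    return out


def corrupt(observed, index):
    """Copy of the trace with one leak off by one: a simulated decoding error."""
    noisy = list(observed)
    noisy[index] += 1 if noisy[index] < 4 else -1
    return noisy


def solve(observed, tolerance=0):
    """Hard-constraint ASCA: every key whose leaks are all within `tolerance`
    of the observation.  tolerance=0 is the exact model; tolerance=1 is the
    robust model that survives an off-by-one leak but admits more candidates."""
    return [key for key in KEYSPACE
            if all(abs(x - o) <= tolerance for x, o in zip(leaks(key), observed))]


def posterior(observed_hw, candidate_hw):
    """Constructed template: P(observation | true HW) is 0.8 on a hit, 0.09 when
    one off and 0.01 otherwise (the kind of vector a side-channel decoder outputs)."""
    d = abs(observed_hw - candidate_hw)
    return 0.8 if d == 0 else 0.09 if d == 1 else 0.01


def score(key, observed):
    """Likelihood of a key given the trace: product of per-leak posteriors."""
    s = 1.0
    for x, o in zip(leaks(key), observed):
        s *= posterior(o, x)
    return s


def rank(observed):
    """Optimizer-style ASCA: keys ordered from most to least likely, so a
    single wrong leak lowers the right key's score instead of excluding it."""
    return sorted(KEYSPACE, key=lambda key: score(key, observed), reverse=True)


CLEAN = leaks(TRUE_KEY)
NOISY = corrupt(CLEAN, 1)   # leak 1 = HW(S-box output) of nibble 0, plaintext 0

if __name__ == "__main__":
    print("exact, clean trace:    ", [hex(k) for k in solve(CLEAN)])
    print("exact, noisy trace:    ", [hex(k) for k in solve(NOISY)])
    print("tolerant, noisy trace: ", [hex(k) for k in solve(NOISY, tolerance=1)])
    print("ranked, noisy trace:   ", [hex(k) for k in rank(NOISY)[:3]])
```

With the exact model a single leak that is off by one excludes the real key; allowing a tolerance of one keeps it, at the cost of a larger candidate set; scoring each candidate by the product of per-leak posteriors ranks the real key first without widening the hard constraints at all. The single-bit plaintexts are chosen so that the weights HW(p ^ k) alone determine every key bit, which is why the clean exact model is guaranteed to return exactly one key and why any wrong nibble mismatches at least two of those leaks and therefore scores strictly lower than the right one.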

Algebraic Attacks From a Groebner Basis Perspective

International Journal of …, 2010

In this paper we propose a new algorithm for computing a Groebner basis for a system of multivariate polynomial equations describing a cryptosystem. The objective in designing this algorithm is to reduce the degree and the number of polynomials in the resulting Groebner basis, which appears in the output of the algorithm. To attain this goal, a new division algorithm is proposed. The proposed algorithm, the improved Buchberger algorithm and the F4 algorithm have been applied to the system of algebraic equations extracted from the Courtois Toy Cipher and their efficiencies have been compared. The results show that the proposed algorithm has advantages over the improved Buchberger and F4 algorithms from the point of view of the number of polynomials in the obtained Groebner basis and of computational (time) complexity.

An Improvement of Linearization-Based Algebraic Attacks

Lecture Notes in Computer Science, 2011

In an algebraic attack on a cipher, one expresses the encryption function as a system (usually overdefined) of multivariate polynomial equations in the bits of the plaintext, the ciphertext and the key, and subsequently solves the system for the unknown key bits from the knowledge of one or more plaintext/ciphertext pairs. The standard eXtended Linearization algorithm (XL) expands the initial system of equations by monomial multiplications. The expanded system is treated as a linear system in the monomials. For most block ciphers (like the Advanced Encryption Standard (AES)), the size of the linearized system turns out to be very large, and consequently, the complexity to solve the system often exceeds the complexity of brute-force search. In this paper, we propose a heuristic strategy XL SGE to reduce the number of linearized equations. This reduction is achieved by applying structured Gaussian elimination before each stage of monomial multiplication. Experimentation on small random systems indicates that XL SGE has the potential to improve the performance of the XL algorithm in terms of the size of the final solvable system. This performance gain is exhibited by our heuristic also in the case of a toy version of AES.
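The XL procedure just summarised (multiply the equations by monomials, treat every monomial as a fresh unknown, eliminate), together with the guess-and-determine point made in the 2004 and 2010 abstracts above, can be run by hand on a three-variable system. The following is an added example, not code from any of these papers: a pure-Python XL over GF(2) in which the field equations x_i^2 = x_i are built into the monomial representation. The toy system, its planted solution (1, 0, 1) and the `guess` helper are constructed for the illustration.

```python
"""XL (eXtended Linearization) over GF(2) with optional guessed variables.

Added illustration, not code from the papers on this page.  A polynomial is a
frozenset of monomials and a monomial a frozenset of variable indices, so the
field equations x_i^2 = x_i are built in and addition is symmetric difference.
"""
from itertools import combinations


def poly(*monomials):
    """Polynomial from monomials given as index tuples; () is the constant 1."""
    result = set()
    for m in monomials:
        result ^= {frozenset(m)}
    return frozenset(result)


def guess(i, value):
    """The linear equation x_i + value = 0, used to inject a guessed bit."""
    return poly((i,), ()) if value else poly((i,))


def multiply(p, m):
    """p * m over GF(2) with x_i^2 = x_i; monomials that collide cancel."""
    result = set()
    for t in p:
        result ^= {t | m}
    return frozenset(result)


def monomials_up_to(n, d):
    """Monomials in n variables of degree <= d, highest degree first."""
    return [frozenset(c) for k in range(d, -1, -1) for c in combinations(range(n), k)]


def evaluate(p, a):
    """Evaluate p at the 0/1 assignment a (indexed by variable number)."""
    return sum(all(a[i] for i in t) for t in p) % 2


def xl_solve(system, n, degree):
    """XL at total degree `degree`: extend, linearize, eliminate, read off linear rows.

    Returns (variables fixed by the linear rows, solutions): solutions is None when
    some variable stays undetermined at this degree, the set with the verified
    solution when all are fixed, and an empty set when the linear part contradicts
    the system (the wrong-guess case)."""
    cols = monomials_up_to(n, degree)
    index = {m: i for i, m in enumerate(cols)}
    const_bit = 1 << index[frozenset()]
    nonlinear = sum(1 << i for m, i in index.items() if len(m) >= 2)

    # Step 1 (extend): multiply every equation by every monomial that keeps the
    # product within the target degree.  Step 2 (linearize): each product becomes
    # a bitmask over the monomial columns, i.e. one row of a GF(2) matrix.
    rows = []
    for p in system:
        dp = max(len(t) for t in p)
        for m in monomials_up_to(n, degree - dp):
            rows.append(sum(1 << index[t] for t in multiply(p, m)))

    # Step 3: Gauss-Jordan elimination.  The pivot of a row is its lowest set
    # bit, i.e. its highest-degree monomial, so nonlinear monomials are
    # eliminated first and whatever is left in the other rows is linear.
    pivots = {}  # pivot column -> row, kept reduced against all other pivots
    for r in rows:
        for c, prow in pivots.items():
            if r >> c & 1:
                r ^= prow
        if r == 0:
            continue
        c = (r & -r).bit_length() - 1
        for c2 in pivots:
            if pivots[c2] >> c & 1:
                pivots[c2] ^= r
        pivots[c] = r

    # Step 4: rows that pivot on a variable and contain no nonlinear monomial
    # read x_i + [1] = 0 once every variable is a pivot (no free variables left).
    linear = {}
    for i in range(n):
        c = index[frozenset([i])]
        if c in pivots and pivots[c] & nonlinear == 0:
            linear[i] = pivots[c]
    if const_bit in pivots:
        return len(linear), set()  # the row "1 = 0": no assignment satisfies the system
    if len(linear) < n:
        return len(linear), None
    a = tuple(1 if linear[i] & const_bit else 0 for i in range(n))
    # XL rows are only necessary conditions, so check the candidate against the input.
    return n, ({a} if all(evaluate(p, a) == 0 for p in system) else set())


# Constructed toy system in x0, x1, x2 whose only solution is (1, 0, 1):
#   x0*x1 + x2 + 1,  x1*x2 + x0 + x1 + 1,  x0*x2 + x0 + x1 + x2 + 1   (all = 0)
TOY = [poly((0, 1), (2,), ()),
       poly((1, 2), (0,), (1,), ()),
       poly((0, 2), (0,), (1,), (2,), ())]

if __name__ == "__main__":
    print(xl_solve(TOY, 3, 2))                  # (0, None): plain linearization fixes nothing
    print(xl_solve(TOY, 3, 3))                  # (3, {(1, 0, 1)}): degree 3 suffices
    print(xl_solve(TOY + [guess(2, 1)], 3, 2))  # (3, {(1, 0, 1)}): right guess, degree 2 suffices
    print(xl_solve(TOY + [guess(2, 0)], 3, 3))  # (3, set()): wrong guess is refuted
```

Plain linearization (degree 2) yields three rows in seven monomials and fixes nothing; at degree 3 the twelve products make every nonlinear monomial a pivot and the linear part determines all three bits. Guessing x2 = 1 adds a degree-1 equation whose multiples already make degree 2 sufficient, which is the degree reduction the guess-and-determine abstract describes; the wrong guess x2 = 0 leaves x1 undetermined at degree 2 and produces the row 1 = 0 at degree 3, so it is rejected rather than silently accepted.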

General Principles of Algebraic Attacks and New Design Criteria for Cipher Components

Advanced Encryption Standard–AES, 2005

This paper is about the design of multivariate public key schemes, as well as block and stream ciphers, in relation to recent attacks that exploit various types of multivariate algebraic relations. We survey these attacks focusing on their common fundamental principles and on how to avoid them. From this we derive new very general design criteria, applicable for very different cryptographic components. These amount to avoiding (if possible) the existence of, in some sense "too simple" algebraic relations. Though many ciphers that do not satisfy this new paradigm probably still remain secure, the design of ciphers will never be the same again.