Algebraic Side-Channel Analysis in the Presence of Errors

Oren, Yossi; Kirschbaum, Mario; Popp, Thomas; Wool, Avishai

doi:10.1007/978-3-642-15031-9_29

Cited by 30 publications

(38 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In fact, the most noticeable exceptions attempting to better exploit computational power in physical attacks are based on advanced techniques, e.g. exploiting the detection of collisions [5,18,31,32], or taking advantage of algebraic cryptanalysis [6,23,27,28], of which the practical relevance remains an open question (because of stronger assumptions). But as again suggested by previous works in statistical cryptanalysis, optimal key ranking procedures would be a more direct approach in order to better trade data and time complexities in "standard" side-channel attacks.…”

Section: Introductionmentioning

confidence: 99%

An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks

Veyrat-Charvillon

Gérard

Renauld

et al. 2013

Lecture Notes in Computer Science

103

View full text Add to dashboard Cite

Abstract. Methods for enumerating cryptographic keys based on partial information obtained on key bytes are important tools in cryptanalysis. This paper discusses two contributions related to the practical application and algorithmic improvement of such tools. On the one hand, we observe that modern computing platforms allow performing very large amounts of cryptanalytic operations, approximately reaching 2 50 to 2 60 block cipher encryptions. As a result, cryptographic key sizes for such ciphers typically range between 80 and 128 bits. By contrast, the evaluation of leaking devices is generally based on distinguishers with very limited computational cost, such as Kocher's Differential Power Analysis. We bridge the gap between these cryptanalytic contexts and show that giving side-channel adversaries some computing power has major consequences for the security of leaking devices. For this purpose, we first propose a Bayesian extension of non-profiled side-channel attacks that allows us to rate key candidates in function of their respective probabilities. Next, we investigate the impact of key enumeration taking advantage of this Bayesian formulation, and quantify the resulting reduction in the data complexity of the attacks. On the other hand, we observe that statistical cryptanalyses usually try to reduce the number and size of lists corresponding to partial information on key bytes, in order to limit the time and memory complexity of the key enumeration. Quite surprisingly, few solutions exist that allow an efficient merging of large lists of subkey candidates. We provide a new deterministic algorithm that significantly reduces the number of keys to test in a divide-and-conquer attack, at the cost of limited (practically tractable) memory requirements. It allows us to optimally enumerate key candidates from any number of (possibly redundant) lists of any size, given that the subkey information is provided as probabilities. As an illustration, we finally exhibit side-channel cryptanalysis experiments where the correct key candidate is ranked up to position 2 32 , in which our algorithm reduces the number of keys to test offline by an average factor 2 5 and a factor larger than 2 10 in the worst observed cases, compared to previous solutions. We also suggest examples of statistical attacks in which the new deterministic algorithm would allow improved results.

show abstract

Section: Introductionmentioning

confidence: 99%

An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks

Veyrat-Charvillon

Gérard

Renauld

et al. 2013

Lecture Notes in Computer Science

103

View full text Add to dashboard Cite

show abstract

“…Since the traces are captured for entire encryptions, exploiting the cache events in the third and later rounds can improve the efficiency of TDCA. Combining TDCAs with algebraic techniques and conducting algebraic side-channel attacks (ASCA) [14,15,16,17] is a very promising way to improve TDCA. Previous ASCA mainly focused on power based Hamming weight leakage model [14,15,17] or Hamming distance leakage model [16].…”

Section: Introductionmentioning

confidence: 99%

“…Combining TDCAs with algebraic techniques and conducting algebraic side-channel attacks (ASCA) [14,15,16,17] is a very promising way to improve TDCA. Previous ASCA mainly focused on power based Hamming weight leakage model [14,15,17] or Hamming distance leakage model [16]. The original ASCA [14,15] can only work when the deduction on the targeted states is single and correct.…”

Section: Introductionmentioning

confidence: 99%

“…The original ASCA [14,15] can only work when the deduction on the targeted states is single and correct. The error tolerant ASCA in [16,17] can only work with limited deductions where the variance of the error is small and fixed. Previous ASCA cannot be directly and easily combined with TDCA because in practice, there are multiple deductions and the variance of the errors are large and uncertain.…”

Section: Introductionmentioning

confidence: 99%

“…As a result, attacks have to deal with the fact that the correct value is among multiple candidates obtained during the process, which are also referred to as multiple deductions. How to represent and utilize these multiple deductions is critical to improving the error tolerance and exploiting new leakage models for ASCAs [14,15,16,17]. They showed that MDASCA can utilize the leakages in the first three rounds of AES in TDCAs.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A comprehensive study of multiple deductions-based algebraic trace driven cache attacks on AES

Zhao

Guo

Zhang

et al. 2013

Computers & Security

View full text Add to dashboard Cite

First, the key recovery in TDCA is depicted by an abstract model regardless of the specific attack techniques.Then, the previous work of TDCAs on AES is classified into three types and its limitations are analyzed.How to utilize the cache events with MDATDCA is presented and the overhead is also calculated. To evaluate MDATDCA on AES, this paper constructs a mathematical model to estimate the maximal number of leakage rounds that can be utilized and the minimal number of cache traces required for a successful MDATDCA.

show abstract

Using the Joint Distributions of a Cryptographic Function in Side Channel Analysis

Linge

Dumas

Lambert-Lacroix

2014

Constructive Side-Channel Analysis and Secure Design

View full text Add to dashboard Cite

The Side Channel Analysis is now a classic way to retrieve a secret key in the smart-card world. Unfortunately, most of the ensuing attacks require the plaintext or the ciphertext used by the embedded algorithm. In this article, we present a new method for exploiting the leakage of a device without this constraint. Our attack is based on a study of the leakage distribution of internal data of a cryptographic function and can be performed not only at the beginning or the end of the algorithm, but also at every instant that involves the secret key. This paper focuses on the distribution study and the resulting attack. We also propose a way to proceed in a noisy context using smart distances. We validate our proposition by practical results on an AES128 software implemented on a ATMega2561 and on the DPA contest v4 [28].

show abstract

Algebraic Side-Channel Analysis in the Presence of Errors

Cited by 30 publications

References 14 publications

An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks

An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks

A comprehensive study of multiple deductions-based algebraic trace driven cache attacks on AES

Using the Joint Distributions of a Cryptographic Function in Side Channel Analysis

Contact Info

Product

Resources

About