How low can you go? Using side-channel data to enhance brute-force key recovery

Side-channel analysis techniques can be used to construct key recovery attacks by observing a side-channel medium, such as the power consumption or electromagnetic radiation of a device, while it is performing cryptographic operations. The results of such an attack can be used as auxiliary information in an enhanced brute-force key recovery attack, enabling the adversary to enumerate the most likely keys first. We use algorithmic and implementation techniques to implement a time- and memory-efficient key enumeration algorithm, and in tandem identify how to optimise throughput when bulk-verifying large quantities of candidate AES-128 keys. We then explore how best to distribute the workload so that it can be deployed across a significant number of CPU cores and executed in parallel, giving an adversary the capability to enumerate a very large number of candidate keys. We introduce the tool labynkyr, developed in C++11, which can be deployed across any number of CPUs and workstations to enumerate keys in parallel. We conclude by demonstrating the effectiveness of our tool by successfully enumerating 2 AES-128 keys in approximately 30 hours using a modest number of CPU cores, at an expected cost of only 700 USD using a popular cloud provider.
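The enumeration the abstract describes, as an added worked example that is neither the paper's nor labynkyr's code: a best-first search that yields full keys in descending order of their summed per-subkey side-channel scores, and reports the rank of the true key, which is the figure an evaluator uses to judge how much brute-force work the leakage has left. The per-byte scores are constructed stand-ins for distinguisher output (the function names, the +1 bias and the noise level are assumptions), not real measurements, and the simple heap-plus-visited-set scheme is a readable baseline rather than the paper's memory-optimised algorithm.

```python
import heapq
import random
from typing import Iterator, List, Optional, Sequence, Tuple

Key = Tuple[int, ...]

def enumerate_keys(scores: Sequence[Sequence[float]]) -> Iterator[Tuple[float, Key]]:
    """Yield keys in non-increasing order of summed per-subkey score, where
    scores[i][v] is the side-channel score that subkey i has value v."""
    # Best-first search over the product of the sorted per-subkey lists: start at
    # the all-best key; each popped key spawns the keys that move one subkey to its
    # next-best candidate. One heap entry per frontier key (baseline, not the
    # paper's memory-optimised scheme).
    ranked = [sorted(range(len(s)), key=lambda v: -s[v]) for s in scores]
    n = len(scores)

    def total(idx: Key) -> float:
        return sum(scores[i][ranked[i][j]] for i, j in enumerate(idx))

    start: Key = (0,) * n
    heap = [(-total(start), start)]  # max-heap via negated score
    seen = {start}                   # a key is reachable from up to n predecessors
    while heap:
        neg, idx = heapq.heappop(heap)
        yield -neg, tuple(ranked[i][j] for i, j in enumerate(idx))
        for i in range(n):
            if idx[i] + 1 < len(ranked[i]):
                nxt = idx[:i] + (idx[i] + 1,) + idx[i + 1:]
                if nxt not in seen:
                    seen.add(nxt)
                    heapq.heappush(heap, (-total(nxt), nxt))

def rank_of_key(scores: Sequence[Sequence[float]], true_key: Key, budget: int) -> Optional[int]:
    """1-based position of true_key in the enumeration, i.e. the number of
    candidates an enhanced brute force verifies; None if beyond budget."""
    for rank, (_, cand) in enumerate(enumerate_keys(scores), start=1):
        if cand == true_key:
            return rank
        if rank >= budget:
            return None
    return None

def constructed_aes128_scores(true_key: Key, noise: float, seed: int = 1) -> List[List[float]]:
    """Constructed stand-in for a 16 x 256 per-byte distinguisher result:
    Gaussian noise everywhere, the correct byte value shifted up by 1 (assumption)."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, noise) + (1.0 if v == kb else 0.0) for v in range(256)]
            for kb in true_key]
```

Calling `rank_of_key(constructed_aes128_scores(key, 0.2), key, 20_000)` for a chosen 16-byte `key` prints how far down the enumeration the true key sits; raising `noise` pushes it deeper, which is exactly the trade-off between leakage quality and remaining brute-force effort that the paper quantifies.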
