Generic Analysis of Small Cryptographic Leaks

Side channel attacks are typically divided into two phases: In the{\it collection phase} the attacker tries to measure some physical property of the implementation, and in the {\it analysis phase} he tries to derive the cryptographic key from the measured information. The field is highly fragmented, since there are many types of leakage, and each one of them usually requires a different type of analysis. In this paper we formalize a general notion of {\it leakage attacks} on iterated cryptosystems, in which the attacker can collect (via physical probing, power measurement, or any other type of side channel) one bit of information about the intermediate state of the encryption after each round. Since bits computed during the early rounds can be usually represented by low degree multivariate polynomials in the plaintext and key bits, we can use the recently discovered cube attack as a generic analysis phase which can be applied in principle to any type of leaked data. However, the original cube attack requires extremely clean data, whereas the information provided by side channel attacks can be quite noisy. To address this problem, we develop in this paper a new type of {\it robust cube attack}, which can recover the key even when some of the leaked bits are unreliable. In particular, we show how to exploit{\it trivial equations} (of the form $0=0$, which are plentiful but useless in standard cube attacks) in order to correct a fraction of measurement errors which can be arbitrarily close to1. Finally, we demonstrate our approach by describing efficient leakage attacks on Serpent (requiring only $2^{18}$ time for full key recovery when the leaked state bits are clean) and on AES (requiring $2^{35}$ time in the same scenario), and show how to make them robust with a small additional complexity.

[1]  Josh Jae A First-Order DPA Attack Against AES in Counter Mode with Unknown Initial Counter , 2007 .

[2]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.

[3]  Bruce Schneier,et al.  Improved Cryptanalysis of Rijndael , 2000, FSE.

[4]  Bart Preneel,et al.  Power-analysis attack on an ASIC AES implementation , 2004, International Conference on Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004..

[5]  Vinod Vaikuntanathan,et al.  Simultaneous Hardcore Bits and Cryptography against Memory Attacks , 2009, TCC.

[6]  Silvio Micali,et al.  Physically Observable Cryptography , 2003, IACR Cryptol. ePrint Arch..

[7]  Xuejia Lai Higher Order Derivatives and Differential Cryptanalysis , 1994 .

[8]  Joan Daemen,et al.  AES Proposal : Rijndael , 1998 .

[9]  Moti Yung,et al.  A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks (extended version) , 2009, IACR Cryptol. ePrint Arch..

[10]  Adi Shamir,et al.  Cube Attacks on Tweakable Black Box Polynomials , 2009, IACR Cryptol. ePrint Arch..

[11]  Adi Shamir,et al.  Side Channel Cube Attacks on Block Ciphers , 2009, IACR Cryptol. ePrint Arch..

[12]  Jean Charles Faugère,et al.  A new efficient algorithm for computing Gröbner bases without reduction to zero (F5) , 2002, ISSAC '02.

[13]  Adi Shamir,et al.  Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations , 2000, EUROCRYPT.

[14]  Ross Anderson,et al.  Serpent: A Proposal for the Advanced Encryption Standard , 1998 .

[15]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[16]  Orr Dunkelman,et al.  A Differential-Linear Attack on 12-Round Serpent , 2008, INDOCRYPT.

[17]  Vinod Vaikuntanathan,et al.  Signature Schemes with Bounded Leakage Resilience , 2009, ASIACRYPT.

[18]  Bruce Schneier,et al.  Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent , 2000, FSE.

[19]  Alex Biryukov Design of a New Stream Cipher-LEX , 2008, The eSTREAM Finalists.

[20]  Alex Biryukov,et al.  Related-Key Cryptanalysis of the Full AES-192 and AES-256 , 2009, ASIACRYPT.

[21]  Vincent Rijmen,et al.  Low-Data Complexity Attacks on AES , 2012, IEEE Transactions on Information Theory.

[22]  Michael Vielhaber Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack , 2007, IACR Cryptol. ePrint Arch..

[23]  Daniel A. Spielman,et al.  Efficient erasure correcting codes , 2001, IEEE Trans. Inf. Theory.

[24]  Eli Biham,et al.  The Rectangle Attack - Rectangling the Serpent , 2001, EUROCRYPT.

[25]  Mitsuru Matsui,et al.  Linear Cryptanalysis Method for DES Cipher , 1994, EUROCRYPT.