Cryptographic Hardware and Embedded Systems - CHES 2009

Volume 5747 of the series Lecture Notes in Computer Science pp 97-111

Algebraic Side-Channel Attacks on the AES: Why Time also Matters in DPA

  • Mathieu RenauldAffiliated withUCL Crypto Group, Université catholique de Louvain
  • , François-Xavier StandaertAffiliated withUCL Crypto Group, Université catholique de Louvain
  • , Nicolas Veyrat-CharvillonAffiliated withUCL Crypto Group, Université catholique de Louvain


Algebraic side-channel attacks have been recently introduced as a powerful cryptanalysis technique against block ciphers. These attacks represent both a target algorithm and its physical information leakages as an overdefined system of equations that the adversary tries to solve. They were first applied to PRESENT because of its simple algebraic structure. In this paper, we investigate the extent to which they can be exploited against the AES Rijndael and discuss their practical specificities. We show experimentally that most of the intuitions that hold for PRESENT can also be observed for an unprotected implementation of Rijndael in an 8-bit controller. Namely, algebraic side-channel attacks can recover the AES master key with the observation of a single encrypted plaintext and they easily deal with unknown plaintexts/ciphertexts in this context. Because these attacks can take advantage of the physical information corresponding to all the cipher rounds, they imply that one cannot trade speed for code size (or gate count) without affecting the physical security of a leaking device. In other words, more intermediate computations inevitably leads to more exploitable leakages. We analyze the consequences of this observation on two different masking schemes and discuss its impact on other countermeasures. Our results exhibit that algebraic techniques lead to a new understanding of implementation weaknesses that is different than classical side-channel attacks.