, Volume 21, Issue 4, pp 616–645 | Cite as

Side-channel cryptographic attacks using pseudo-boolean optimization

  • Yossef Oren
  • Avishai Wool


Symmetric block ciphers, such as the Advanced Encryption Standard (AES), are deterministic algorithms which transform plaintexts to ciphertexts using a secret key. These ciphers are designed such that it is computationally very difficult to recover the secret key if only pairs of plaintexts and ciphertexts are provided to the attacker. Constraint solvers have recently been suggested as a way of recovering the secret keys of symmetric block ciphers. To carry out such an attack, the attacker provides the solver with a set of equations describing the mathematical relationship between a known plaintext and a known ciphertext, and then attempts to solve for the unknown secret key. This approach is known to be intractable against AES unless side-channel data – information leaked from the cryptographic device due to its internal physical structure – is introduced into the equation set. A significant challenge in writing equations representing side-channel data is measurement noise. In this work we show how casting the problem as a pseudo-Boolean optimization instance provides an efficient and effective way of tolerating this noise. We describe a theoretical analysis, connecting the measurement signal-to-noise ratio and the tolerable set size of a non-optimizing solver with the success probability. We then conduct an extensive performance evaluation, comparing two optimizing variants for dealing with measurement noise to a non-optimizing method. Our best optimizing method provides a successful attack on the AES cipher which requires surprisingly little side-channel data and works in reasonable computation time. We also make available a set of AES cryptanalysis instances and provide some practical feedback on our experience of using open-source constraint solvers.


Application paper Cryptanalysis Pseudo-boolean optimizers Side-channel attacks 



The authors thank the anonymous reviewers for their detailed and helpful suggestions. The authors wish to acknowledge Mario Kirschbaum, Thomas Popp, Mathieu Renauld and Francois-Xavier Standaert for their contributions to this research.


  1. 1.
  2. 2.
    Achterberg, T. (2007). Constraint integer programming. PhD thesis, Berlin: Technische Universität.zbMATHGoogle Scholar
  3. 3.
    Akdemir K., Dixon M., Feghali W., Fay P., Gopal V., Guilford J., Ozturc E., Worlich G., & Zohar R. (2010). Breakthrough AES performance with intel AES new instructions. In Technical report, Intel Corporation. 27067.
  4. 4.
    Berthold, T., Heinz, S., Pfetsch, M. E., & Winkler, M. (2009). SCIP – solving constraint integer programs SAT competitive events booklet.
  5. 5.
    Bogdanov, A., Knudsen, L. R., Leander, G., Paar, C., Poschmann, A., Robshaw, M. J. B., Seurin, Y., & Vikkelsoe, C. (2007). Present: an ultra-lightweight block cipher. In CHES (pp. 450– 466).Google Scholar
  6. 6.
    Canright, D. (2005). A very compact S-box for AES. In J.R. Rao & B. Sunar (Eds.), CHESS (Vol. 3659, pp. 441–455). Springer. LNCS.Google Scholar
  7. 7.
    Nicolas, T.C., & Gregory, V.B. (2007). Algebraic cryptanalysis of the data encryption standard. In S.D. Galbraith (Eds.), . Cryptography and coding (Vol. 4887, pp. 152–169). Berlin: Springer. Lecture Notes in Computer Science.Google Scholar
  8. 8.
    Daemen, J., & Rijmen, V. (1998). AES proposal. Rijndael.Google Scholar
  9. 9.
    Dawson, S. (1998). Code hopping decoder using a PIC16C56. Microchip confidential, leaked online 2002.
  10. 10.
    Intel Corporation (2008). Intel turbo boost technology in intel core microarchitecture (Nehalem). In Based processors. Technical report. processor/applnots/320354.pdf.
  11. 11.
    Jovanović, D., & Janiĉić, P. (2005). Logical analysis of hash functions. In B. Gramlich (Ed.),. Frontiers of combining systems (Vol. 3717, pp. 200–215). Berlin: Springer. Lecture Notes in Computer Science.Google Scholar
  12. 12.
    Kocher, P.C., Jaffe, J., & Jun, B. (1999). Differential power analysis. In CRYPTO (pp. 388– 397).Google Scholar
  13. 13.
    Mangard, S. (2002). A simple power-analysis (SPA) attack on implementations of the AES key expansion. In P.J. Lee & C.H. Lim (Eds.), ICISC (Vol. 2587, pp. 343–358). Springer. LNCS .Google Scholar
  14. 14.
    Mangard, S., Oswald, E., & Popp, T. (2007). Power analysis attacks: revealing the secrets of smart cards (Advances in information security). New York: Springer.zbMATHGoogle Scholar
  15. 15.
    Manquinho, V., & Roussel, O. (2009). Pseudo-boolean competition.
  16. 16.
    Massacci, F., & Marraro, L. (2000). Logical cryptanalysis as a SAT problem. Journal of Automated Reasoning, 24(1-2), 165–203.MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Menezes, A., Oorschot, P. C., & Vanstone, S.A. (1996). Handbook of applied cryptography. CRC Press.Google Scholar
  18. 18.
    Mironov I., & Zhang L. (2006). Applications of SAT solvers to cryptanalysis of hash functions. In B. Armin & C.P. Gomes (Eds.), Theory and applications of satisfiability testing - SAT (Vol. 4121, pp. 102–115). Berlin: Springer. Lecture Notes in Computer Science.Google Scholar
  19. 19.
    Mohamed, M. S. E., Bulygin, S., Zohner, M., Heuser, A., Walter, M., & Buchmann, J. (2013). Improved algebraic side-channel attack on AES. Journal of Cryptographic Engineering, 3(3), 139–156.CrossRefGoogle Scholar
  20. 20.
    National Institute of Standards and Technology (2001). FIPS PUB 197: announcing the advanced encryption standard (AES). Gaithersburg: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology.Google Scholar
  21. 21.
    National Institute of Standards and Technology (1999). FIPS PUB 46-3: data encryption standard (DES). Gaithersburg: National Institute for Standards and Technology.Google Scholar
  22. 22.
    Oren, Y., Kirschbaum, M., Popp, T., & Wool, A. (2010). Algebraic side-channel analysis in the presence of errors. In CHES (pp. 428–442).
  23. 23.
    Oren, Y., Mathieu, R., Standaert, F.-X., & Wool, A. (2012). Algebraic side-channel attacks beyond the hamming weight leakage model. In P. Schaumont & E. Prouff (Eds.), Workshop on cryptographic hardware and embedded systems 2012 (CHES 2012), LNCS 7428 (pp. 140–154). Belgium: Leuven. International Association for Cryptologic Research, Springer.
  24. 24.
    Oren, Y, Weisse, O., & Wool, A. (2013). Practical template-algebraic side channel attacks with extremely low data complexity. In Proceedings of the 2nd international workshop on hardware and architectural support for security and privacy, HASP ’13 (pp. 7:1–7:8). New York: ACM.Google Scholar
  25. 25.
    Oren, Y., & Wool, A. (2010). TASCA-on-keeloq pseudo-boolean instances.
  26. 26.
    Oren, Y., & Wool, A. (2012). Template TASCA pseudo-boolean instances.
  27. 27.
    Renauld, M., Standaert, F.-X., & Veyrat-Charvillon, N. (2009). Algebraic side-channel attacks on the AES: why time also matters in DPA. In C. Clavier & K. Gaj (Eds.), CHES (Vol. 5747, pp. 97–111). Springer. LNCS.Google Scholar
  28. 28.
    Renauld, M., & Standaert F.-X. (2009). Alebraic side-channel attacks. In D. Lin, J. Jing, F. Bao & M. Yung (Eds.), Information security and cryptology (INSCRYPT) (Vol. 6151, pp. 393–410). Springer. Lecture Notes in Computer Science.Google Scholar
  29. 29.
    Satyanarayana, H. (2004). AES128 package.,aes_crypto_core.
  30. 30.
    Soos, M., Nohl, K., & Castelluccia, C. (2009). Extending SAT solvers to cryptographic problems. In K. Oliver (Eds.), Theory and applications of satisfiability testing - SAT 2009 (Vol. 5584, pp. 244–257). Lecture Notes in Computer Science, (Vol. 5584 pp. 244–257). Berlin: Springer.Google Scholar
  31. 31.
    Zhao, X., Wang, T., Guo, S., Zhang, F., Shi, Z., Liu, H., & Wu, K. (2011). SAT based error tolerant algebraic side-channel attacks. In Conference on cryptographic algorithms and cryptographic chips (CASC2011).Google Scholar

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  1. 1.Department of Information Systems EngineeringBen-Gurion University of the NegevBeer-ShevaIsrael
  2. 2.Cryptography and Network Security Lab, School of Electrical EngineeringTel Aviv UniversityRamat AvivIsrael

Personalised recommendations