Side-channel cryptographic attacks using pseudo-boolean optimization
Symmetric block ciphers, such as the Advanced Encryption Standard (AES), are deterministic algorithms which transform plaintexts to ciphertexts using a secret key. These ciphers are designed such that it is computationally very difficult to recover the secret key if only pairs of plaintexts and ciphertexts are provided to the attacker. Constraint solvers have recently been suggested as a way of recovering the secret keys of symmetric block ciphers. To carry out such an attack, the attacker provides the solver with a set of equations describing the mathematical relationship between a known plaintext and a known ciphertext, and then attempts to solve for the unknown secret key. This approach is known to be intractable against AES unless side-channel data – information leaked from the cryptographic device due to its internal physical structure – is introduced into the equation set. A significant challenge in writing equations representing side-channel data is measurement noise. In this work we show how casting the problem as a pseudo-Boolean optimization instance provides an efficient and effective way of tolerating this noise. We describe a theoretical analysis, connecting the measurement signal-to-noise ratio and the tolerable set size of a non-optimizing solver with the success probability. We then conduct an extensive performance evaluation, comparing two optimizing variants for dealing with measurement noise to a non-optimizing method. Our best optimizing method provides a successful attack on the AES cipher which requires surprisingly little side-channel data and works in reasonable computation time. We also make available a set of AES cryptanalysis instances and provide some practical feedback on our experience of using open-source constraint solvers.
KeywordsApplication paper Cryptanalysis Pseudo-boolean optimizers Side-channel attacks
The authors thank the anonymous reviewers for their detailed and helpful suggestions. The authors wish to acknowledge Mario Kirschbaum, Thomas Popp, Mathieu Renauld and Francois-Xavier Standaert for their contributions to this research.
- 3.Akdemir K., Dixon M., Feghali W., Fay P., Gopal V., Guilford J., Ozturc E., Worlich G., & Zohar R. (2010). Breakthrough AES performance with intel AES new instructions. In Technical report, Intel Corporation. http://software.intel.com/file/ 27067.
- 4.Berthold, T., Heinz, S., Pfetsch, M. E., & Winkler, M. (2009). SCIP – solving constraint integer programs SAT competitive events booklet. http://www.cril.univ-artois.fr/SAT09/solvers/booklet.pdf.
- 5.Bogdanov, A., Knudsen, L. R., Leander, G., Paar, C., Poschmann, A., Robshaw, M. J. B., Seurin, Y., & Vikkelsoe, C. (2007). Present: an ultra-lightweight block cipher. In CHES (pp. 450– 466).Google Scholar
- 6.Canright, D. (2005). A very compact S-box for AES. In J.R. Rao & B. Sunar (Eds.), CHESS (Vol. 3659, pp. 441–455). Springer. LNCS.Google Scholar
- 7.Nicolas, T.C., & Gregory, V.B. (2007). Algebraic cryptanalysis of the data encryption standard. In S.D. Galbraith (Eds.), . Cryptography and coding (Vol. 4887, pp. 152–169). Berlin: Springer. Lecture Notes in Computer Science.Google Scholar
- 8.Daemen, J., & Rijmen, V. (1998). AES proposal. Rijndael.Google Scholar
- 9.Dawson, S. (1998). Code hopping decoder using a PIC16C56. Microchip confidential, leaked online 2002. http://read.pudn.com/downloads42/sourcecode/embed/144285/keeloq/MCSLRN/DS652B_C.PDF.
- 10.Intel Corporation (2008). Intel turbo boost technology in intel core microarchitecture (Nehalem). In Based processors. Technical report. http://download.intel.com/design/ processor/applnots/320354.pdf.
- 11.Jovanović, D., & Janiĉić, P. (2005). Logical analysis of hash functions. In B. Gramlich (Ed.),. Frontiers of combining systems (Vol. 3717, pp. 200–215). Berlin: Springer. Lecture Notes in Computer Science.Google Scholar
- 12.Kocher, P.C., Jaffe, J., & Jun, B. (1999). Differential power analysis. In CRYPTO (pp. 388– 397).Google Scholar
- 13.Mangard, S. (2002). A simple power-analysis (SPA) attack on implementations of the AES key expansion. In P.J. Lee & C.H. Lim (Eds.), ICISC (Vol. 2587, pp. 343–358). Springer. LNCS .Google Scholar
- 15.Manquinho, V., & Roussel, O. (2009). Pseudo-boolean competition. http://www.cril.univ-artois.fr/PB09/.
- 17.Menezes, A., Oorschot, P. C., & Vanstone, S.A. (1996). Handbook of applied cryptography. CRC Press.Google Scholar
- 18.Mironov I., & Zhang L. (2006). Applications of SAT solvers to cryptanalysis of hash functions. In B. Armin & C.P. Gomes (Eds.), Theory and applications of satisfiability testing - SAT (Vol. 4121, pp. 102–115). Berlin: Springer. Lecture Notes in Computer Science.Google Scholar
- 20.National Institute of Standards and Technology (2001). FIPS PUB 197: announcing the advanced encryption standard (AES). Gaithersburg: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology.Google Scholar
- 21.National Institute of Standards and Technology (1999). FIPS PUB 46-3: data encryption standard (DES). Gaithersburg: National Institute for Standards and Technology.Google Scholar
- 22.Oren, Y., Kirschbaum, M., Popp, T., & Wool, A. (2010). Algebraic side-channel analysis in the presence of errors. In CHES (pp. 428–442). http://iss.oy.ne.ro/TASCA.
- 23.Oren, Y., Mathieu, R., Standaert, F.-X., & Wool, A. (2012). Algebraic side-channel attacks beyond the hamming weight leakage model. In P. Schaumont & E. Prouff (Eds.), Workshop on cryptographic hardware and embedded systems 2012 (CHES 2012), LNCS 7428 (pp. 140–154). Belgium: Leuven. International Association for Cryptologic Research, Springer. http://iss.oy.ne.ro/Template-TASCA.
- 24.Oren, Y, Weisse, O., & Wool, A. (2013). Practical template-algebraic side channel attacks with extremely low data complexity. In Proceedings of the 2nd international workshop on hardware and architectural support for security and privacy, HASP ’13 (pp. 7:1–7:8). New York: ACM.Google Scholar
- 25.Oren, Y., & Wool, A. (2010). TASCA-on-keeloq pseudo-boolean instances. http://iss.oy.ne.ro/TASCA/Instances.
- 26.Oren, Y., & Wool, A. (2012). Template TASCA pseudo-boolean instances. http://iss.oy.ne.ro/Template-TASCA/Instances.
- 27.Renauld, M., Standaert, F.-X., & Veyrat-Charvillon, N. (2009). Algebraic side-channel attacks on the AES: why time also matters in DPA. In C. Clavier & K. Gaj (Eds.), CHES (Vol. 5747, pp. 97–111). Springer. LNCS.Google Scholar
- 28.Renauld, M., & Standaert F.-X. (2009). Alebraic side-channel attacks. In D. Lin, J. Jing, F. Bao & M. Yung (Eds.), Information security and cryptology (INSCRYPT) (Vol. 6151, pp. 393–410). Springer. Lecture Notes in Computer Science.Google Scholar
- 29.Satyanarayana, H. (2004). AES128 package. http://opencores.net/project,aes_crypto_core.
- 30.Soos, M., Nohl, K., & Castelluccia, C. (2009). Extending SAT solvers to cryptographic problems. In K. Oliver (Eds.), Theory and applications of satisfiability testing - SAT 2009 (Vol. 5584, pp. 244–257). Lecture Notes in Computer Science, (Vol. 5584 pp. 244–257). Berlin: Springer.Google Scholar
- 31.Zhao, X., Wang, T., Guo, S., Zhang, F., Shi, Z., Liu, H., & Wu, K. (2011). SAT based error tolerant algebraic side-channel attacks. In Conference on cryptographic algorithms and cryptographic chips (CASC2011).Google Scholar