Journal of Cryptographic Engineering

, Volume 2, Issue 1, pp 45–62 | Cite as

Analysis of the algebraic side channel attack

  • Claude Carlet
  • Jean-Charles Faugère
  • Christopher Goyet
  • Guénaël Renault
Regular Paper

Abstract

At CHES 2009, Renauld, Standaert and Veyrat-Charvillon introduced a new kind of attack called algebraic side-channel attacks (ASCA). They showed that side-channel information leads to effective algebraic attacks. These results are mostly experiments since strongly based on the use of a SAT solver. This article presents a theoretical study to explain and to characterize the algebraic phase of these attacks. We study more general algebraic attacks based on Gröbner methods. We show that the complexity of the Gröbner basis computations in these attacks depends on a new notion of algebraic immunity defined in this paper, and on the distribution of the leakage information of the cryptosystem. We also study two examples of common leakage models: the Hamming weight and the Hamming distance models. For instance, the study in the case of the Hamming weight model gives that the probability of obtaining at least 64 (resp. 130) linear relations is about 50% for the substitution layer of PRESENT (resp. AES). Moreover if the S-boxes are replaced by functions maximizing the new algebraic immunity criterion then the algebraic attacks (Gröbner and SAT) are intractable. From this theoretical study, we also deduce an invariant which can be easily computed from a given S-box and provides a sufficient condition of weakness under an ASCA. This new invariant does not require any sophisticated algebraic techniques to be defined and computed. Thus, for cryptographic engineers without an advanced knowledge in algebra (e.g. Gröbner basis techniques), this invariant may represent an interesting tool for rejecting weak S-boxes.

Keywords

Algebraic side channel attack Gröbner basis Algebraic immunity Block cipher 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Armknecht, F., Ars, G.: Introducing a new variant of fast algebraic attacks and minimizing their successive data complexity. In: Mycrypt, pp. 16–32 (2005)Google Scholar
  2. 2.
    Akkar, M.-L., Bevan, R., Dischamp, P., Moyart, D.: Power analysis, what is now possible . . . . In: ASIACRYPT, pp. 489–502 (2000)Google Scholar
  3. 3.
    Albrecht, M., Cid, C.: Cold boot key recovery using polynomial system solving with noise. In: 2nd International Conference on Symbolic Computation and Cryptography (2010)Google Scholar
  4. 4.
    Ars, G., Faugère, J.-C.: Algebraic immunities of functions over finite fields. Research Report RR-5532, INRIA (2005)Google Scholar
  5. 5.
    Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: a 128-bit block cipher suitable for multiple platforms (2000)Google Scholar
  6. 6.
    Armknecht, F., Krause, M.: Constructing single- and multi-output Boolean functions with maximal immunity. In: Proceedings of ICALP 2006, Lecture Notes of Computer Science, vol. 4052, pp. 180–191 (2006)Google Scholar
  7. 7.
    Ars, G.: Applications des bases de Gröbner en cryptographie. PhD thesis, University of Rennes (2005)Google Scholar
  8. 8.
    Bardet, M.: Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à à la cryptographie. PhD thesis, Université de Paris VI (2004)Google Scholar
  9. 9.
    Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: CHES’04, pp. 16–29 (2004)Google Scholar
  10. 10.
    Bosma W., Cannon J., Playoust C.: The MAGMA algebra system: the user language. J. Symb. Comput. 24, 235–265 (1997)MathSciNetMATHCrossRefGoogle Scholar
  11. 11.
    Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: Proceedings of International Conference on Polynomial System Solving (ICPSS), pp. 71–75 (2004)Google Scholar
  12. 12.
    Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. In: Proceedings of MEGA 2005, Eighth International Symposium on Effective Methods in Algebraic Geometry (2005)Google Scholar
  13. 13.
    Bogdanov, A., Knudsen, L.R., Le, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: CHES’07. Springer, Berlin (2007)Google Scholar
  14. 14.
    Bogdanov, A., Kizhvatov, I., Pyshkin, A.: Algebraic Methods in Side-Channel Collision Attacks and Practical Collision Detection. In: INDOCRYPT, pp. 251–265 (2008)Google Scholar
  15. 15.
    Bogdanov, A.: Improved side-channel collision attacks on AES. In: Adams, C., Miri, A., Wiener, M. (eds.) Selected Areas in Cryptography, Lecture Notes in Computer Science, vol. 4876, pp. 84–95. Springer, Heidelberg (2007)Google Scholar
  16. 16.
    Bogdanov, A.: Multiple-differential side-channel collision attacks on AES. In: Oswald, E., Rohatgi, P. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2008 Proceedings, Lecture Notes in Computer Science, vol. 5154, pp. 30–44. Springer, Berlin (2008)Google Scholar
  17. 17.
    Carlet, C.: On the algebraic immunities and higher order nonlinearities of vectorial Boolean functions. In: NATO Science for Peace and Security Series, D: Information and Communication Security, vol. 13, pp. 104–116. IOS Press, Amsterdam (2009)Google Scholar
  18. 18.
    Carlet, C.: Vectorial Boolean functions for cryptography, pp. 398–469. In: Boolean Models and Methods in Mathematics, Computer Science, and Engineering. Cambridge University Press, Cambridge (2010)Google Scholar
  19. 19.
    Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Proceedings of Advances in Cryptology—CRYPTO ’99, 19th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 15–19, 1999, pp. 398–412. Springer, Berlin (1999)Google Scholar
  20. 20.
    Cid C., Leurent G.: An Analysis of the XSL Algorithm. In: ASIACRYPT, pp. 333–352 (2005)Google Scholar
  21. 21.
    Cox D.A., Little J., O’Shea D.: Ideals, Varieties, and Algorithms: An Introduction to Computational Algebraic Geometry and Commutative Algebra, 3/e (Undergraduate Texts in Mathematics). Springer, New Jersey (2007)Google Scholar
  22. 22.
    Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: EUROCRYPT, pp. 345–359 (2003)Google Scholar
  23. 23.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: ASIACRYPT, pp. 267–287 (2002)Google Scholar
  24. 24.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). In: Journal of Pure and Applied Algebra, pp. 75–83. ACM Press, New York (1999)Google Scholar
  25. 25.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, ISSAC ’02, pp. 75–83. ACM, New York (2002)Google Scholar
  26. 26.
    Faugère, J.-C.: Françoise Levy dit Vehel, and Ludovic Perret. Cryptanalysis of MinRank. In: CRYPTO, pp. 280–296 (2008)Google Scholar
  27. 27.
    Faugère, J.-C., Joux, A.: Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases. In: CRYPTO, pp. 44–60 (2003)Google Scholar
  28. 28.
    Fischer, S., Meier, W.: Algebraic immunity of S-boxes and augmented functions. In: FSE, pp. 366–381 (2007)Google Scholar
  29. 29.
    Faugère, J.-C., Perret, L.: Cryptanalysis of 2R schemes. In: CRYPTO, pp. 357–372 (2006)Google Scholar
  30. 30.
    Faugère, J.-C., Perret, L.: Polynomial equivalence problems: algorithmic and theoretical aspects. In: EUROCRYPT, pp. 30–47 (2006)Google Scholar
  31. 31.
    Handschuh, H., Preneel, B.: Blind differential crypt analysis for enhanced power attacks. In: Selected Areas in Cryptography, pp. 163–173 (2006)Google Scholar
  32. 32.
    Moradi, A., Mischke, O., Eisenbarth, T.: Correlation-enhanced power analysis collision attack. In: CHES’10 (2010)Google Scholar
  33. 33.
    Mangard S., Oswald E., Popp T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, New York (2007)MATHGoogle Scholar
  34. 34.
    Office of State Commercial Cryptography Administration. The SMS4 block cipher (in Chinese) (2006). http://www.oscca.gov.cn/UpFile/200621016423197990.pdf
  35. 35.
    Oren, Y., Kirschbaum, M., Popp, T., Wool, A.: Algebraic side-channel analysis in the presence of errors. In: CHES’10 (2010)Google Scholar
  36. 36.
    Prouff, E.: DPA attacks and S-boxes. In: FSE, pp. 424–441 (2005)Google Scholar
  37. 37.
    Renauld, M., Standaert, F.-X.: Algebraic side-channel attacks. In: Inscrypt 2009, LNCS, Springer, Berlin (2009)Google Scholar
  38. 38.
    Renauld, M., Standaert, F.-X.: Representation-, leakage- and cipher- dependencies in algebraic side-channel attacks. In: ACNS 2010 Industrial Track, pp. 1–18 (2010)Google Scholar
  39. 39.
    Renauld, M., Standaert, F.-X., Veyrat-Charvillon, N.: Algebraic side-channel attacks on the AES: why time also matters in DPA. In: CHES’09, pp. 97–111. Springer, Berlin (2009)Google Scholar
  40. 40.
    Schramm, K., Leander, G., Felke, P., Paar, C.: A collision-attack on AES combining side channel and differential attack. In: CHES’04, pp. 163–175 (2004)Google Scholar
  41. 41.
    Soos, M., Nohl, K., Castelluccia, C.: Extending SAT solvers to cryptographic problems. In: SAT, pp. 244–257 (2009)Google Scholar
  42. 42.
    Schramm, K., Wollinger, T., Paar, C.: A new class of collision attacks and its application to DES. In: Fast Software Encryption FSE 03, LNCS, vol. 2887, pp. 206–222. Springer, Berlin (2003)Google Scholar

Copyright information

© Springer-Verlag 2012

Authors and Affiliations

  • Claude Carlet
    • 1
  • Jean-Charles Faugère
    • 2
  • Christopher Goyet
    • 2
    • 3
  • Guénaël Renault
    • 2
  1. 1.Université Paris 8, UMR LAGA, MTII teamSaint-Denis Cedex 02France
  2. 2.UPMC, Université Paris 6, LIP6, INRIA, Centre Paris-Rocquencourt, PolSys Project-Team, CNRS, UMR 7606, LIP6Paris Cedex 5France
  3. 3.Thales Communications and SecurityColombesFrance

Personalised recommendations