Error-Tolerant Side-Channel Cube Attack Revisited

Zhenqi Li; Bin Zhang; Arnab Roy; Junfeng Fan

doi:10.1007/978-3-319-13051-4_16

SAC 2014: Selected Areas in Cryptography -- SAC 2014 pp 261-277 | Cite as

Error-Tolerant Side-Channel Cube Attack Revisited

Authors
Authors and affiliations

Zhenqi LiEmail author
Bin Zhang
Arnab Roy
Junfeng Fan

Conference paper

First Online: 29 November 2014

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8781)

Abstract

Error-tolerant side-channel cube attacks have been recently introduced as an efficient cryptanalytic technique against block ciphers. The known Dinur-Shamir model and its extensions require error-free data for at least part of the measurements. Then, a new model was proposed at CHES 2013, which can recover the key in the scenario that each measurement contains noise. The key recovery problem is converted to a decoding problem under a binary symmetric channel. In this paper, we propose a high error-tolerant side-channel cube attack. The error-tolerant rate is significantly improved by utilizing the polynomial approximation and a new variant of cube attack. The simulation results on PRESENT show that given about $2^{21.2}$ measurements, each with an error probability of $40.5\,\%$, the new model achieves a success probability of $50\,\%$ for the key recovery. The error-tolerant level can be enhanced further if the attacker can obtain more measurements.

Keywords

Cube attack Side-channel attack PRESENT

This is a preview of subscription content, to check access.

Supplementary material

Open image in new window

A Proof of Theorem 1

Proof

The fact that we can derive at most $2^{m-d}$ variant maxterm equations is obvious, since the number of static public variables is $m-d$. The master multivariate polynomial $p$ can be represented as $p(k_1,...,k_n,v_1,...,v_m)=t_I\cdot p_{S(I)}+q(k_1,...,k_n,v_1,...,v_m)$. Since $t_I$ is a maxterm, then the degree of $p_{S(I)}$ in secret variables is $\text{ deg }(p_{S(I)}) \equiv 1$. Then $p_{S(I)}$ can be represented as $p_{S(I)}=C+C_0+C_1k_1+C_2k_2+...+C_nk_n$, where $C \in \{0,1\}$ is a constant and $C_i$, $0\le {i}\le {n}$ contains only static public variables.

Since $\text{ deg }(p_{S(I)}) \equiv 1$, then $\bigvee _{i=1}^{n}C_i \ne 0 $, which means that there is at least one key variables $k_i$ with $C_i=1$. Suppose the set of key variables with all their coefficients equal to $1$ is $K=\{k_{i_1},k_{i_2},...,k_{i_u}\}$ and each $C_{i_t}=1$, $1\le {t}\le {u}$. By setting all the static public variables to $0$, then $p^*_{S(I)}=C+\sum _{j=i_1}^{i_u} k_{j}$. The variant maxterm equations by choosing those static public variables can thus be represented as

$$\begin{aligned} p_{S(I)}'=p^*_{S(I)}+C_0+ \sum _{j \notin \{i_1,i_2,...,i_u\} } C_{j}k_j \end{aligned}$$

(4)

Then, if the chosen static public variables make all the $C_j=0$, where $1\le {j}\le {n}$ and $j \notin \{i_1,i_2,...,i_u\}$, then equation (4) is the Type I variant. Inversely, if the chosen static public variables make that there is at least one $C_j \ne 0$, where $1\le {j}\le {n}$ and $j \notin \{i_1,i_2,...,i_u\}$, the equation (4) is the Type II variant. $\Box $

B Proof of Corollary 1

Proof

The key recovery problem is now converted to decoding a $[(L-\gamma \cdot n')\cdot E,n-n']$ linear code, where $1\le {E}\le {2^{m-\bar{d}}}$. Suppose $L^*=(L-\gamma \cdot n')\cdot E$ and $n^*=n-n'$. Recall that the error probability $p$ for each evaluation of the maxterm equation is $p=1/2-\varepsilon $. The capacity of BSC can be approximated as $C(p)\approx {\varepsilon }^2 \cdot 2/(ln(2)).$ Simulations [16] show that the critical length $L^* \ge 0.35\cdot n^* \cdot {\varepsilon }^{-2} $ provides the probability of successful decoding close to $1/2$. Thus we get $ \varepsilon \ge {\sqrt{\frac{0.35 \cdot n^*}{L^*}}}. $ Since $\varepsilon =2^{t-1}\mu ^{t}$ holds, then we can derive $ \mu \ge {(\frac{0.35\cdot n^*}{L^*})^{\frac{1}{2\cdot t}} \cdot 2^{\frac{1}{t}-1} }. $ From $q=1/2-\mu $, we have $ q \le {\frac{1}{2}\cdot (1- (\frac{0.35\cdot n^*}{L^*})^{\frac{1}{2\cdot t}} \cdot 2^{\frac{1}{t}})}. $ $\Box $

C ML-decoding

Siegenthaler [16] firstly proposed the use of ML-decoding in cryptanalysis of a stream cipher by exhaustively searching through all the codewords of $[L,n]$ code. The complexity is about $O(2^n\cdot n/C(p))$. Let $A=(a_i^j)_{L\times n}$ $(1\le {i}\le {L},1\le {j}\le {n})$ be the generator matrix of (1) and $A_i$ denote the $i$-th row vector of $A$. The aim of the decoding is to find the closet codeword $(b_1,b_2,...,b_L)$ to the received vector $(z_1,z_2,...,z_L)$, and decode the key variables $\mathbf k =(k_1,k_2,...,k_n)$ such that $b_i=\mathbf k \cdot A_i^T$, where $T$ denotes the matrix transpose, i.e., find such $\mathbf k $ that minimizes $D(\mathbf k )=\sum _{i=1}^{L}(z_i \bigoplus b_i)$. It is known that ML-decoding is optimal since it has the smallest error probability among all decoding algorithms.

References

1.
Aumasson, J.-P., Dinur, I., Henzen, L., Meier, W. and Shamir, A.: Efficient FPGA implementations of high-dimensional cube testers on the stream cipher Grain-128. In: Special Purpose Hardware for Attacking Cryptographic Systems-SHARCS’09’ (2009)Google Scholar
2.
Aumasson, J.-P., Dinur, I., Meier, W., Shamir, A.: Cube testers and key recovery attacks on reduced-round MD6 and trivium. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 1–22. Springer, Heidelberg (2009)CrossRefGoogle Scholar
3.
Bedi, S.S., Rajesh Pillai, N.: Cube attacks on Trivium. Cryptology ePrint Archive. Report 2009/015 (2009)Google Scholar
4.
Blum, M., Luby, M., Rubinfeld, R.: Self-testing/correcting with applications to numerical problems. J. Comput. Syst. Sci. 47, 549–595 (1993)MathSciNetCrossRefMATHGoogle Scholar
5.
Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an altra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
6.
Dinur, I., Shamir, A.: Applying cube attacks to stream ciphers in realistic scenarios. Crypt. Commun. 4, 217–232 (2012)MathSciNetCrossRefMATHGoogle Scholar
7.
Dinur, I., Shamir, A.: Breaking grain-128 with dynamic cube attacks. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 167–187. Springer, Heidelberg (2011)CrossRefGoogle Scholar
8.
Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009)CrossRefGoogle Scholar
9.
Dinur, I., Shamir, A.: Generic analysis of small cryptographic leaks. In: 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography. pp. 39–48 (2010)Google Scholar
10.
Dinur, I., Shamir, A.: Side channel cube attacks on block ciphers. Cryptology ePrint Archive. Report 2009/127 (2009)Google Scholar
11.
Fouque, P.-A., Vannet, T.: Improving key recovery to 784 and 799 rounds of trivium using optimized cube attacks. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 502–517. Springer, Heidelberg (2014)Google Scholar
12.
Bard, G.V., Courtois, N.T., Nakahara Jr., J., Sepehrdad, P., Zhang, B.: Algebraic, AIDA/Cube and side channel analysis of KATAN family of block ciphers. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 176–196. Springer, Heidelberg (2010)CrossRefGoogle Scholar
13.
Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello Jr., D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography: Two Sides of One Tapestry. The Springer International Series in Engineering and Computer Science, vol. 276, pp. 227–233. Springer, New York (1994)CrossRefGoogle Scholar
14.
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)CrossRefGoogle Scholar
15.
Quedenfeld, F.-M., Wolf, C.: Algebraic Properties of the Cube Attack. Cryptology ePrint Archive. Report 2013/800 (2013)Google Scholar
16.
Siegenthaler, T.: Decrypting a class of stream ciphers using ciphertext only. IEEE Trans. Comput. 34(1), 81–85 (1985)CrossRefGoogle Scholar
17.
Vielhaber, M.: AIDA Breaks (BIVIUM A and B) in 1 Minute Dual Core CPU Time. IACR Cryptology ePrint Archive, 402 (2009)Google Scholar
18.
Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack. IACR Cryptology ePrint Archive, 413 (2007)Google Scholar
19.
Li, Z., Zhang, B., Fan, J., Verbauwhede, I.: A new model for error-tolerant side-channel cube attacks. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 453–470. Springer, Heidelberg (2013)CrossRefGoogle Scholar
20.
Li, Z., Zhang, B., Yao, Y., Lin, D.: Cube cryptanalysis of LBlock with noisy leakage. In: Kwon, T., Lee, M.-K., Kwon, D. (eds.) ICISC 2012. LNCS, vol. 7839, pp. 141–155. Springer, Heidelberg (2013)CrossRefGoogle Scholar

Copyright information

Authors and Affiliations

Zhenqi Li
- 1
Email author
Bin Zhang
- 2
- 3
Arnab Roy
- 4
- 5
Junfeng Fan
- 6

1.Trusted Computing and Information Assurance Laboratory, Institute of SoftwareChinese Academy of SciencesBeijingChina
2.Trusted Computing and Information Assurance Laboratory, Institute of SoftwareChinese Academy of SciencesBeijingChina
3.State Key Laboratory of Computer Science, Institute of SoftwareChinese Academy of SciencesBeijingChina
4.University of LuxembourgLuxembourgLuxembourg
5.Technical University of DenmarkKongens LyngbyDenmark
6.Nationz Technologies IncShenzhenChina

Error-Tolerant Side-Channel Cube Attack Revisited

Abstract

Keywords

Supplementary material

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper