A Collision-Attack on AES

Combining Side Channel- and Differential-Attack
  • Kai Schramm
  • Gregor Leander
  • Patrick Felke
  • Christof Paar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3156)


Recently a new class of collision attacks which was originally suggested by Hans Dobbertin has been introduced. These attacks use side channel analysis to detect internal collisions and are generally not restricted to a particular cryptographic algorithm. As an example, a collision attack against DES was proposed which combines internal collisions with side channel information leakage. It had not been obvious, however, how this attack applies to non-Feistel ciphers with bijective S-boxes such as the Advanced Encryption Standard (AES). This contribution takes the same basic ideas and develops new optimized attacks against AES. Our major finding is that the new combined analytical and side channel approach reduces the attack effort compared to all other known side channel attacks. We develop several versions and refinements of the attack. First we show that key dependent collisions can be caused in the output bytes of the mix column transformation in the first round. By taking advantage of the birthday paradox, it is possible to cause a collision in an output with as little as 20 measurements. If a SPA leak is present from which collisions can be determined with certainty, then each collision will reveal at least 8 bits of the secret key. Furthermore, in an optimized attack, it is possible to cause collisions in all four output bytes of the mix column transformation with an average of only 31 measurements, which results in knowledge of all 32 key bits. Finally, if collisions are caused in all four columns of the AES in parallel, it is possible to determine the entire 128-bit key with only 40 measurements, which a is a distinct improvement compared to DPA and other side channel attacks.


AES side channel attacks internal collisions birthday paradox 


  1. [Cla04]
    Clavier, C.: Side Channel Analysis for Reverse Engineering (SCARE), (2004), Cryptology ePrint Archive: Report 2004/049
  2. [DR02]
    Daemen, J., Rijmen, V.: The Design of Rijndael. Springer, Berlin (2002)zbMATHGoogle Scholar
  3. [GP99]
    Goubin, L., Patarin, J.: DES and differential power analysis: the duplication method. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 158–172. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  4. [KJJ98]
    Kocher, P., Jaffe, J., Jun, B.: Introduction to Differential Power Analysis and Related Attacks (1998), Manuscript, Cryptography Research, Inc.
  5. [KJJ99]
    Kocher, P., Jaffe, J., Jun, B.: Differential Power Analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  6. [MS00]
    Mayer-Sommer, R.: Smartly Analyzing the Simplicity and the Power of Simple Power Analysis on Smart Cards. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 78–92. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  7. [Nov03]
    Novak, R.: Side-Channel Attack on Substitution Blocks. In: Zhou, J., Yung, M., Han, Y. (eds.) ACNS 2003. LNCS, vol. 2846, pp. 307–318. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. [SWP03]
    Schramm, K., Wollinger, T., Paar, C.: A New Class of Collision Attacks and its Application to DES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 206–222. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. [Wie03]
    Wiemers, A.: Partial Collision Search by Side Channel Analysis. Presentation at the Workshop: Smartcards and Side Channel Attacks, Horst Goertz Institute, Bochum, Germany (January 2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Kai Schramm
    • 1
  • Gregor Leander
    • 1
  • Patrick Felke
    • 1
  • Christof Paar
    • 1
  1. 1.Horst Görtz Institute for IT SecurityRuhr-Universität Bochum, GermanyBochumGermany

Personalised recommendations