Algebraic Side-Channel Attacks on the AES: Why Time also Matters in DPA
Algebraic side-channel attacks have been recently introduced as a powerful cryptanalysis technique against block ciphers. These attacks represent both a target algorithm and its physical information leakages as an overdefined system of equations that the adversary tries to solve. They were first applied to PRESENT because of its simple algebraic structure. In this paper, we investigate the extent to which they can be exploited against the AES Rijndael and discuss their practical specificities. We show experimentally that most of the intuitions that hold for PRESENT can also be observed for an unprotected implementation of Rijndael in an 8-bit controller. Namely, algebraic side-channel attacks can recover the AES master key with the observation of a single encrypted plaintext and they easily deal with unknown plaintexts/ciphertexts in this context. Because these attacks can take advantage of the physical information corresponding to all the cipher rounds, they imply that one cannot trade speed for code size (or gate count) without affecting the physical security of a leaking device. In other words, more intermediate computations inevitably leads to more exploitable leakages. We analyze the consequences of this observation on two different masking schemes and discuss its impact on other countermeasures. Our results exhibit that algebraic techniques lead to a new understanding of implementation weaknesses that is different than classical side-channel attacks.
- 1.Bard, G., Courtois, N., Jefferson, C.: Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers, Cryptology ePrint Archive, Report 2007/024Google Scholar
- 7.Carlier, V., Chabanne, H., Dottax, E., Pelletier, H.: Generalizing Square Attack using Side-Channels of an AES Implementation on an FPGA. In: The proceedings of FPL 2005, Tampere, Finland, August 2005, pp. 433–437 (2005)Google Scholar
- 12.Faugère, J.-C.: Groebner Bases. In: Applications in Cryptology, FSE 2007, Invited Talk (2007), http://fse2007.uni.lu/slides/faugere.pdf
- 13.FIPS 197, “Advanced Encryption Standard,” Federal Information Processing Standard, NIST, U.S. Dept. of Commerce, November 26 (2001)Google Scholar
- 21.Petit, C., Standaert, F.-X., Pereira, O., Malkin, T.G., Yung, M.: A Block Cipher based PRNG Secure Against Side-Channel Key Recovery. In: The proceedings of ASIACCS 2008, Tokyo, Japan, March 2008, pp. 56–65 (2008)Google Scholar
- 23.Renauld, M., Standaert, F.-X.: Algebraic Side-Channel Attacks, Cryptology ePrint Archive, report 2009/179, http://eprint.iacr.org/2009/279