Cold Boot Key Recovery by Solving Polynomial Systems with Noise

  • Martin Albrecht
  • Carlos Cid
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6715)


A method for extracting cryptographic key material from the DRAM used in modern computers was recently proposed in [9]; the technique was called Cold Boot attacks. For block ciphers such as AES and DES, simple algorithms were also proposed in [9] to recover the cryptographic key from the set of round subkeys observed in memory (computed via the cipher's key schedule operation), which are, however, subject to errors due to memory bit decay. In this work we extend this analysis to consider key recovery for other ciphers used in Full Disk Encryption (FDE) products. Our algorithms are also based on closest code word decoding methods, but apply a novel method for solving a set of non-linear algebraic equations with noise based on Integer Programming. This method should have further applications in cryptology, and is likely to be of independent interest. We demonstrate the viability of the Integer Programming method by applying it against the Serpent block cipher, which has a much more complex key schedule than AES. Furthermore, we also consider the Twofish key schedule, to which we apply a dedicated method of recovery.
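The following is an added, constructed example (not code from the paper) of the closest code word decoding the abstract refers to, on a deliberately tiny model: a hypothetical 8-bit key, a hypothetical 4-round linear key schedule (rotate-and-XOR with made-up round constants), and the asymmetric decay channel of the cold boot setting, in which a stored 1 is read back as 0 far more often than a stored 0 is read back as 1 (both rates here are assumed values). With 8 key bits the whole key space can be enumerated, so the decoder simply returns the key whose expanded schedule makes the decayed image most likely; the Integer Programming formulation in the paper optimises the same objective when enumeration is out of reach. The second scenario in the block shows the failure mode of any such decoder: when every stored copy of one key bit has decayed, the most likely key is wrong yet perfectly consistent with the image, so the decoder cannot detect the error on its own.

```python
"""Toy cold boot key recovery by closest-codeword (maximum-likelihood)
decoding of a decayed key schedule image.  Constructed example, not the
paper's code: the 8-bit key, the 4-round rotate-and-XOR key schedule and
the round constants are all hypothetical."""
import math

KEY_BITS = 8
ROUNDS = 4
DELTA_10 = 0.30   # P(read 0 | stored 1): the dominant decay direction (assumed rate)
DELTA_01 = 0.001  # P(read 1 | stored 0): the rare reverse flip (assumed rate)
ROUND_CONSTANTS = [0x00, 0x1B, 0x36, 0x6C]  # hypothetical constants, not a real cipher's


def rotl8(x: int, r: int) -> int:
    """Rotate an 8-bit value left by r positions."""
    r %= 8
    return ((x << r) | (x >> (8 - r))) & 0xFF


def key_schedule(key: int) -> list:
    """Round i stores rotl(key, i) XOR ROUND_CONSTANTS[i]; round 0 is the key
    itself.  Every key bit is therefore stored ROUNDS times (masked by the
    constants), and that redundancy is what the decoder exploits."""
    return [rotl8(key, i) ^ ROUND_CONSTANTS[i] for i in range(ROUNDS)]


def log_likelihood(candidate: list, observed: list) -> float:
    """log P(observed image | candidate schedule) under the asymmetric channel."""
    ll = 0.0
    for cand, obs in zip(candidate, observed):
        for bit in range(KEY_BITS):
            stored = (cand >> bit) & 1
            read = (obs >> bit) & 1
            if stored == 1:
                ll += math.log(DELTA_10 if read == 0 else 1.0 - DELTA_10)
            else:
                ll += math.log(DELTA_01 if read == 1 else 1.0 - DELTA_01)
    return ll


def recover_key(observed: list) -> int:
    """Closest-codeword decoding by exhaustive search: with an 8-bit key the
    whole key space can be enumerated and the most likely schedule chosen.
    For real key sizes this search is what the paper replaces with an
    Integer Programming formulation of the same objective."""
    return max(range(1 << KEY_BITS),
               key=lambda k: log_likelihood(key_schedule(k), observed))


def decay(schedule: list, lost_bits: list) -> list:
    """Apply a constructed decay pattern: the stored 1 at each (round, bit)
    location is read back as 0.  A fixed pattern, rather than sampling the
    channel, keeps the example reproducible."""
    image = list(schedule)
    for rnd, bit in lost_bits:
        image[rnd] &= ~(1 << bit) & 0xFF
    return image


TRUE_KEY = 0xA5  # constructed


def recover_from_loss(lost_bits: list) -> tuple:
    """Decay TRUE_KEY's schedule at the given locations and decode the result.
    Returns (decayed image, recovered key)."""
    image = decay(key_schedule(TRUE_KEY), lost_bits)
    return image, recover_key(image)


if __name__ == "__main__":
    # Three scattered losses: every key bit still has a surviving copy.
    image, found = recover_from_loss([(1, 4), (2, 7), (3, 0)])
    print(f"image {[hex(x) for x in image]} -> key {found:#04x} (true {TRUE_KEY:#04x})")
    # All four stored copies of key bit 5 lost: the decoded key is wrong but
    # its schedule matches the image exactly, so decoding alone cannot tell.
    image, found = recover_from_loss([(0, 5), (1, 6), (2, 7), (3, 0)])
    print(f"image {[hex(x) for x in image]} -> key {found:#04x} (true {TRUE_KEY:#04x})")
```

The first scenario recovers 0xA5 because at least one stored copy of every key bit survives, so any other key either contradicts an observed 1 (a factor of DELTA_01 in the likelihood) or needs strictly more stored 1s than the true key. In the second scenario the image equals the schedule of 0x85, and an exact match always wins under this channel, which is why a key produced by decoding has to be confirmed independently (for instance against data known to be encrypted under it) before it is trusted. From a defensive standpoint the model also makes the exposure visible: what the decoder needs is the redundancy of the expanded schedule held in memory, which is why scrubbing key schedules, not just the key, matters.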




  1. Achterberg, T.: Constraint Integer Programming. PhD thesis, TU Berlin (2007)
  2. Biham, E., Anderson, R.J., Knudsen, L.R.: Serpent: A New Block Cipher Proposal. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 222–238. Springer, Heidelberg (1998)
  3. Biham, E., Dunkelman, O., Keller, N.: A Related-Key Rectangle Attack on the Full KASUMI. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 443–461. Springer, Heidelberg (2005)
  4. Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and related-key attack on the full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009)
  5. Borghoff, J., Knudsen, L.R., Stolpe, M.: Bivium as a Mixed-Integer Linear Programming Problem. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 133–152. Springer, Heidelberg (2009)
  6. Cid, C., Murphy, S., Robshaw, M.J.B.: Algebraic Aspects of the Advanced Encryption Standard. Springer, Heidelberg (2007)
  7. Daemen, J., Rijmen, V.: The Design of Rijndael. Springer, Heidelberg (2002)
  8. Feldman, J.: Decoding Error-Correcting Codes via Linear Programming. PhD thesis, Massachusetts Institute of Technology (2003)
  9. Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest We Remember: Cold Boot Attacks on Encryption Keys. In: USENIX Security Symposium, USENIX Association, pp. 45–60 (2009)
  10. Heninger, N., Shacham, H.: Reconstructing RSA Private Keys from Random Key Bits. Cryptology ePrint Archive, Report 2008/510 (2008)
  11. Kamal, A.A., Youssef, A.M.: Applications of SAT Solvers to AES Key Recovery from Decayed Key Schedule Images. In: Proceedings of The Fourth International Conference on Emerging Security Information, Systems and Technologies – SECURWARE 2010, Venice/Mestre, Italy, July 18-25 (2010)
  12. Lloyd, J.: Re: cold boot attacks on disk encryption. Message posted to The Cryptography Mailing List on February 21 (2008), archived at
  13. Oren, Y., Kirschbaum, M., Popp, T., Wool, A.: Algebraic Side-Channel Analysis in the Presence of Errors. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 428–442. Springer, Heidelberg (2010)
  14. Schneier, B., Kelsey, J., Whiting, D., Wagner, D., Hall, C., Ferguson, N.: Twofish: A 128-Bit Block Cipher (1998)
  15. Stein, W., et al.: Sage Mathematics Software (Version 4.4.1). The Sage Development Team (2010)
  16. TrueCrypt Project
  17. Tsow, A.: An Improved Recovery Algorithm for Decayed AES Key Schedule Images. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 215–230. Springer, Heidelberg (2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Martin Albrecht (1, 2)
  • Carlos Cid (1, 2)
  1. UPMC Univ Paris 06, UMR 7606, LIP6, F-75005, Paris, France; CNRS, UMR 7606, LIP6; INRIA, Paris-Rocquencourt Center, SALSA Project, Paris, France
  2. Information Security Group, University of London, Egham, United Kingdom
