Side-Channel Analysis of Multiplications in GF(2^128)

Application to AES-GCM
  • Sonia Belaïd
  • Pierre-Alain Fouque
  • Benoît Gérard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8874)


In this paper, we study the side-channel security of the field multiplication in GF(2^n). We particularly focus on the GF(2^128) multiplication used in the authentication part of AES-GCM, but the proposed attack also applies to other binary extension fields. In a hardware implementation using a 128-bit multiplier, the full 128-bit secret is manipulated at once. In this context, classical DPA attacks based on the divide-and-conquer strategy cannot be applied. In this work, the algebraic structure of the multiplication is leveraged to recover bits of information about the secret multiplicand without having to perform any key guess. To do so, the leakage corresponding to the writing of the multiplication output into a register is considered. It is assumed to follow a Hamming weight/distance leakage model. Under these particular, yet easily met, assumptions we exhibit a nice connection between the key recovery problem and some classical coding and Learning Parities with Noise problems with certain instance parameters. In our case, the noise is very high, but the length of the secret is rather short. In this work we investigate different solving techniques corresponding to different attacker models and eventually refine the attack when considering particular implementations of the multiplication.
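The following Python is an added illustration, not code from the paper or from any GCM implementation. It models the GF(2^128) multiplication at bit level to show the two properties the abstract relies on: every output bit of x·H is a GF(2)-linear parity of bits of the secret H (so the Hamming weight of the output register is a sum of 128 such parities, which is the link to parity-learning problems), and each output bit mixes many bits of H at once (so there is no small sub-key for a divide-and-conquer guess). It assumes the plain polynomial representation with the GCM reduction polynomial x^128 + x^7 + x^2 + x + 1; GCM's bit-reflected byte ordering is not reproduced, and the sample values x and h are constructed, not test vectors. The names gf128_mul, coefficient_masks, register_leakage, dependency_spread and masked_mul are this example's own.

```python
# Added example, not from the paper: a bit-level model of the GF(2^128)
# multiplication used by GHASH, showing why a 128-bit multiplier's output
# register leaks sums of GF(2)-linear parities of the secret multiplicand H.
# Assumption: plain polynomial representation (bit i = coefficient of x^i);
# GCM's bit-reflected byte ordering is not reproduced.

R = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1   # x^128 + x^7 + x^2 + x + 1


def gf128_mul(a: int, b: int) -> int:
    """Multiply two field elements: carry-less product, then reduction mod R."""
    assert 0 <= a < (1 << 128) and 0 <= b < (1 << 128)
    prod = 0
    for i in range(128):               # schoolbook carry-less multiplication
        if (b >> i) & 1:
            prod ^= a << i
    for d in range(254, 127, -1):      # fold degrees 254..128 back below 128
        if (prod >> d) & 1:
            prod ^= R << (d - 128)
    return prod


def hamming_weight(v: int) -> int:
    return bin(v).count("1")


def parity(v: int) -> int:
    return hamming_weight(v) & 1


def coefficient_masks(x: int) -> list:
    """For a public block x, return masks m_0..m_127 such that, for every h,
    bit j of gf128_mul(x, h) equals parity(m_j & h).  The multiplication is
    GF(2)-linear in h, so each output bit is a parity of secret bits selected
    by the (public) block x."""
    masks = [0] * 128
    for k in range(128):
        column = gf128_mul(x, 1 << k)  # image of the unit vector e_k
        for j in range(128):
            if (column >> j) & 1:
                masks[j] |= 1 << k
    return masks


def register_leakage(x: int, h: int) -> tuple:
    """Hamming weight of the output register written after x*h, computed
    directly and as a sum of 128 parities of h.  The two agree, which is the
    link between the register leakage and a parity-learning (LPN-style)
    problem on the bits of h."""
    direct = hamming_weight(gf128_mul(x, h))
    as_parities = sum(parity(m & h) for m in coefficient_masks(x))
    return direct, as_parities


def dependency_spread(x: int) -> tuple:
    """(min, max) number of secret bits that a single output bit depends on.
    For a random-looking x every output bit mixes many bits of h at once,
    which is why a per-bit or per-byte divide-and-conquer key guess has no
    small sub-key to enumerate."""
    weights = [hamming_weight(m) for m in coefficient_masks(x)]
    return min(weights), max(weights)


def masked_mul(x: int, h: int, mask: int) -> int:
    """Because the product is linear in h, Boolean shares of h can be
    multiplied independently and recombined: x*h0 ^ x*h1 == x*(h0 ^ h1)."""
    h0, h1 = h ^ mask, mask
    return gf128_mul(x, h0) ^ gf128_mul(x, h1)


if __name__ == "__main__":
    # constructed sample values, not taken from the paper or any GCM test vector
    x = 0x0123456789abcdef0123456789abcdef
    h = 0xfedcba9876543210fedcba9876543210
    print("direct HW / sum of parities:", register_leakage(x, h))
    print("secret bits per output bit (min, max):", dependency_spread(x))
    print("masked product matches:", masked_mul(x, h, 0xabc) == gf128_mul(x, h))
```

The masks returned by coefficient_masks are exactly the rows of the public matrix that a leakage-based parity problem is built from; masked_mul shows the defensive side of the same linearity, namely that Boolean shares of H can be processed by separate multiplications without ever recombining H in a register.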


Keywords: Field Multiplication, Authenticated Encryption, AES-GCM, Side-Channel



Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Sonia Belaïd (1, 2)
  • Pierre-Alain Fouque (3, 4)
  • Benoît Gérard (5)
  1. École normale supérieure, Paris, France
  2. Thales Communications & Security, Gennevilliers, France
  3. Université de Rennes 1, Rennes, France
  4. Institut Universitaire de France, France
  5. DGA–MI and IRISA, Rennes, France
