How Secure is AES Under Leakage
Abstract
While traditionally cryptographic algorithms have been designed with black-box security in mind, they often have to deal with a much stronger adversary – namely, an attacker that has some access to the execution environment of a cryptographic algorithm. This can happen in such grey-box settings as physical side-channel attacks or digital forensics, as well as due to Trojans.
In this paper, we aim to address this challenge for symmetric-key cryptography. We study the security of the Advanced Encryption Standard (AES) in the presence of explicit leakage: we let a part of the internal secret state leak in each operation. We consider a wide spectrum of settings – from adversaries with limited control all the way to more powerful attacks with more knowledge of the computational platform. To mount key recoveries under leakage, we develop several novel cryptanalytic techniques such as differential bias attacks. Moreover, we demonstrate and quantify the effect of uncertainty and implementation countermeasures under such attacks: black-boxed rounds, space randomization, time randomization, and dummy operations. We observe that the residual security of AES can be considerable, especially with uncertainty and basic countermeasures in place.
Keywords
Grey-box, Side-channel attacks, Leakage, AES, Bitwise multiset attacks, Differential bias attacks, Malware, Mass surveillance
1 Introduction
1.1 Background: Black Box, Grey Box and White Box
Symmetric-key algorithms are in charge of bulk data encryption and authentication in the field. Many widespread applications, such as mobile networks, access control, banking, content protection, and storage encryption, often feature only symmetric-key algorithms, with no public-key cryptography involved.
Traditionally, the security of symmetric-key cryptographic primitives has been analyzed in the black-box model, where the adversary is mainly limited to observing and manipulating the inputs and outputs of the algorithm, the related-key model [2] being a notable extension. Multiple techniques have been extensively elaborated upon, such as differential and linear cryptanalysis, integral and algebraic attacks, to name a small subset of the cryptanalytic tools available today. Cryptographers have excelled at preventing those by design [8].
In the late 1990s, with the introduction of timing attacks [13] by Kocher, differential fault analysis [1] by Boneh, DeMillo and Lipton, and simple and differential power analysis [14] by Kocher, Jaffe and Jun, the research community became aware of side-channel attacks that operate in the grey-box model: now the attacker has access to the physical parameters of cryptographic implementations or can even inject faults into their execution. Numerous countermeasures have been proposed to hamper those attacks, providing a practical level of security in many cases.
Since the mid-2000s, a trend in side-channel analysis has been towards analytical side-channel attacks that assume leakage of fixed values of variables instead of stochastic variables and whose techniques border on black-box cryptanalysis. For instance, collision attacks [22] by Schramm et al. observe an equation within one or several executions of an algorithm. Algebraic side-channel attacks [21] by Renauld and Standaert work under the assumption that the attacker can see the Hamming weight of the internal variables of an algorithm. The attacker uses the techniques of algebraic cryptanalysis to solve the systems of nonlinear equations arising from collision and algebraic side-channel attacks [5, 19, 20]. Dinur and Shamir [9] apply integral and cube attacks to block ciphers in a setting where a fixed bit after a round is leaked due to physical probing, power analysis or similar. Differential fault analysis also uses elements of differential cryptanalysis.
As an extreme development of the grey-box setting, the white-box model [7] by Chow et al. assumes that the adversary has full control over the implementation of the cryptographic algorithm. The major goal of white-box cryptography is to protect the confidentiality of secret keys in such a white-box environment. However, all published white-box implementations of standard symmetric-key algorithms such as AES have to date been practically broken in this model [18]. The white-box setting may be too strong for standard symmetric-key algorithms such as AES, because such a cipher was designed with black-box security in mind.
1.2 Leakage and AES
In this paper, we enhance the Dinur-Shamir setting [9] and aim to bridge the gap between physical side-channel attacks, the techniques of provable leakage resilience [17] and the white-box setting (which deals with attackers that are too hard to protect against). Namely, we let the AES implementation leak some information during its execution, which is defined as follows.
Definition 1
(Leakage Model). A malicious agent leaks a part of the intermediate internal secret state (including the key state) of a cryptographic algorithm in each algorithm execution.

Frequency: There is a single leak per encryption/decryption. This simplifies complexity estimations in our analysis. If more leaks are available in each execution, the complexities can be adjusted accordingly.

Granularity: A leak can only happen after a full round. This corresponds, e.g., to a 32-bit serial or round-based hardware implementation of AES, or a software implementation using an instruction set extension such as AES-NI available on most Intel/AMD CPUs or the Cryptography Extension on ARMv8.

Knowledge: The attacker does not have any knowledge of the location of leaked bits, i.e., it knows neither the bit position nor the round number of leaked bits. It also does not know whether the leak is from the key schedule or the data processing part. This circumstance models the limited control of the adversary over the platform.

Time and space: The location of the leak in terms of the round number (time) and bit position within the round (space) can either be fixed or vary.

Known/chosen plaintext/ciphertext: We consider both known and chosen text models. In case of a passive attacker, we talk about the known text setting. Otherwise, the attacker is allowed to choose text.

Alignment: We consider single-bit leaks, byte leaks and multiple-bit leaks. While single-bit leaks are more likely to happen due to physical probing, byte leaks correspond more to software settings.
1.3 Our Contributions
The contributions of this paper are as follows. The cryptanalytic results are also summarized in Table 1.
AES Under Leakage with Space/Time Uncertainty and Differential Bias Attacks. We let time, space or both be randomized. The space randomization makes the position of leaked bits random in each execution. The time randomization makes the round number of leaked bits random in each execution. A combination of time and space randomization is also an advanced model we consider. See Fig. 1 for an illustration.
This setting takes into account a more realistic environment, such as the lack of knowledge of the implementation and the presence of countermeasures. Here, our multiset attacks are infeasible, as no clean multiset is available. To cope with that, we develop a differential bias attack and a biased state attack inspired by techniques for distinguishing attacks against stream ciphers [15, 16, 23]. More specifically, by properly choosing differences and values of plaintexts, we create biased (differential) states, where the distribution of bitwise differences or values is strongly biased only if the key is correctly guessed. Thus, we are able to distinguish the leak corresponding to the correct key. See Sect. 3 for the techniques as well as Sect. 4 and Table 1 for the results.
AES Under Noisy Leakage. We consider leakage with noise, where the attacker does not know exactly whether the variable it accesses corresponds to the execution of the algorithm under attack. For example, this can be the case if multiple instances of encryption (with different keys) are run simultaneously or if the implementation uses dummy operations to hide the AES execution. The differential bias attack remains applicable in this setting, with adjusted complexities. See Sect. 6 and Table 1 for details. To characterize noise, we define \(\pi\) to be the probability that the leak is correctly read. The complexities of our attacks grow quadratically in \(1/\pi\).
Table 1. Security of AES-128 under leakage in various settings. BB = black-boxed; MA = bitwise multiset attack, BSA = biased state attack, DBA = differential bias attack; CP = chosen plaintexts, CC = chosen ciphertexts.

Time and space of leaked bits | BB round(s) | Best attack | Bit alignment: Time | Data | Section | Byte alignment: Time | Data | Section
Fixed time/space | none | MA\(^{*2}\) | \(2^{18}\) | \(2^{8}\) CC | Sect. 3 | \(2^{12}\) | \(2^{8}\) CC | Sect. 7.1
Fixed time/space | round 9 | MA\(^{*1}\) | \(2^{44}\) | \(2^{34}\) CP | Sect. 3 | \(2^{42}\) | \(2^{34}\) CP | Sect. 7.1
Fixed time/space | rounds 1, 9 | MA | \(2^{47}\) | \(2^{8}\) CP | Sect. 3 | \(2^{44}\) | \(2^{34}\) CP | Sect. 7.1
Uncertain space | none | BSA | \(2^{26}\) | \(2^{26}\) CC | Sect. 5.1 | \(2^{23}\) | \(2^{23}\) CC | Sect. 7.2
Uncertain space | round 9 | DBA | \(2^{48}\) | \(2^{42}\) CP | Sect. 5.1 | \(2^{41}\) | \(2^{39}\) CP | Sect. 7.2
Uncertain space | rounds 1, 2, 8, 9 | DBA | \(2^{63}\) | \(2^{42}\) CP | Sect. 5.1 | \(2^{56}\) | \(2^{42}\) CP | Sect. 7.2
Uncertain time | none | BSA | \(2^{23}\) | \(2^{23}\) CC | Sect. 5.2 | \(2^{23}\) | \(2^{23}\) CC | Sect. 7.2
Uncertain time | round 9 | DBA | \(2^{48}\) | \(2^{38}\) CP | Sect. 5.2 | \(2^{44}\) | \(2^{38}\) CP | Sect. 7.2
Uncertain time | rounds 1, 2, 8, 9 | DBA | \(2^{61}\) | \(2^{37}\) CP | Sect. 5.2 | \(2^{53}\) | \(2^{37}\) CP | Sect. 7.2
Uncertain space and time | none | BSA | \(2^{33}\) | \(2^{33}\) CC | Sect. 5.3 | \(2^{24}\) | \(2^{24}\) CC | Sect. 7.2
Uncertain space and time | round 9 | DBA | \(2^{58}\) | \(2^{46}\) CP | Sect. 5.3 | \(2^{47}\) | \(2^{43}\) CP | Sect. 7.2
Uncertain space and time | rounds 1, 2, 8, 9 | DBA | \(2^{72}\) | \(2^{45}\) CP | Sect. 5.3 | \(2^{62}\) | \(2^{42}\) CP | Sect. 7.2
Random space and time w/ \(\pi = 2^{-10}\) | none | BSA | \(2^{53}\) | \(2^{53}\) CC | Sect. 6 | \(2^{44}\) | \(2^{44}\) CC | Sect. 7.2
Random space and time w/ \(\pi = 2^{-10}\) | round 9 | DBA | \(2^{68}\) | \(2^{56}\) CP | Sect. 6 | \(2^{57}\) | \(2^{53}\) CP | Sect. 7.2
Random space and time w/ \(\pi = 2^{-10}\) | rounds 1, 2, 8, 9 | DBA | \(2^{82}\) | \(2^{55}\) CP | Sect. 6 | \(2^{72}\) | \(2^{52}\) CP | Sect. 7.2
Random space and time w/ \(\pi = 2^{-20}\) | none | BSA | \(2^{73}\) | \(2^{73}\) CC | Sect. 6 | \(2^{64}\) | \(2^{64}\) CC | Sect. 7.2
Random space and time w/ \(\pi = 2^{-20}\) | round 9 | DBA | \(2^{78}\) | \(2^{66}\) CP | Sect. 6 | \(2^{67}\) | \(2^{63}\) CP | Sect. 7.2
Random space and time w/ \(\pi = 2^{-20}\) | rounds 1, 2, 8, 9 | DBA | \(2^{92}\) | \(2^{65}\) CP | Sect. 6 | \(2^{82}\) | \(2^{62}\) CP | Sect. 7.2
Our Observations and Recommendations. To summarize the residual security of AES under leakage in the various settings, we observe the following. First, if no rounds are black-boxed and all intermediate internal states can be visible to the attacker, there are practical attacks, even with uncertain time and space. Second, to approach practical infeasibility of attacks in our leakage model without black-boxing, a substantial level of noise is needed, \(\pi = 2^{-10}\) and lower, when combined with randomized time and space.
On the other hand, black-boxing round 9 is very effective. Indeed, if round 9 is black-boxed (i.e., when the state between round 9 and round 10 is invisible to the attacker), the complexities of our attacks grow beyond \(2^{44}\) even with fixed time and space. Third, if uncertainty in time and space is combined with the black-boxed 9th round, our attacks require more than \(2^{58}\) operations, even with clean leaks. Then, if more rounds (1, 2, 8, and 9) are black-boxed, the complexities increase to \(2^{72}\). If noise is applied as a countermeasure on top of that, it is possible to attain security levels of \(2^{80}\) and beyond against our attacks.
Thus, a black-boxed round 9, noise, or both are needed to hamper our attacks at a practical security level under leakage. Note that a high-budget organization can practically afford an attack of complexity \(2^{80}\) and higher [12]. However, the countermeasures considered here may still be effective against a mass surveillance attacker.
2 Preliminaries
This section fixes the AES notation that we use throughout the paper and describes the leakage attack by Dinur and Shamir on AES as a starting point.
2.1 Notations of AES
Two types of internal states in each round of AES-128 are defined as follows: \(\#1\) is the state before SubBytes in round 1, \(\#2\) is the state after MixColumns in round 1, \(\#3\) is the state before SubBytes in round 2, \(\ldots\), \(\#19\) is the state before SubBytes in round 10, and \(\#20\) is the state after ShiftRows in round 10 (MixColumns is omitted in the last round). The states in the last round of AES-192 are addressed as \(\#23\) and \(\#24\), and of AES-256 as \(\#27\) and \(\#28\). We let \(\#0\) be a plaintext and \(\#21\), \(\#25\) and \(\#29\) be a ciphertext in AES-128/192/256, respectively. 128-bit subkeys are denoted as $0, $1, \(\ldots\), and so on. The ith byte in the state x is denoted as \(x_i\) and the jth bit in \(x_i\) is represented as \(x_i[j]\).
2.2 Dinur-Shamir Chosen-Plaintext Attack on AES-128 with Leakage
As a starting point of our analysis, we outline the leakage attack proposed by Dinur and Shamir in [9]. As explained above, the Dinur-Shamir model differs from our leakage models in that the adversary knows the time (round number) and space (bit position inside the round) of the leak, only single-bit leaks are considered there, and no leaks from the key schedule are allowed.
In the attack of [9], one uses the following multiset properties of a byte: in set A, all \(2^8\) values appear exactly once; in set C, all \(2^8\) values are fixed to a constant; in set B, the XOR-sum of all \(2^8\) values is zero; a set U is one that is neither A, C nor B. Let an N-round attack be an attack based on leaked bits after the Nth round function, e.g., a 2-round attack is based only on leaked bits of \(\#5\).
In the first step, the attacker guesses 4 bytes of the key $0 and chooses a set of \(2^8\) plaintexts so that \(\#2\) forms a \(\varLambda\)-set in which only one byte is A and the other 15 bytes are C. If the 4 bytes of $0 are correctly guessed, \(\#5\) consists of 4 bytes of A and 12 bytes of C, while for a wrong key, all bytes in \(\#5\) become U. Thus, by checking whether all \(2^8\) values of \(\#5\) are fixed, the attacker is able to sieve wrong keys after \(2^{32}\) operations. The procedure can be repeated three times with the three 4-byte sets of the key $0, depending on the position of the leaked bit. The remaining 4 bytes of $0 are exhaustively searched. Time complexity is estimated as \(2^{42}\) \((\approx 2^{32} \times 2^8 \times 3)\) encryptions and the required data is \(2^{34}\) \((= 2^{32} \times 4)\) chosen plaintexts. The work [9] also proposes another type of 2-round attack using cubes, with a time complexity of \(2^{35}\). However, the details are not given.
The paper [9] mentions that 3- and 4-round attacks are possible using similar techniques but omits the details. As A expands into the whole state after 3 rounds even if the key is correctly guessed, the 2-round attack at least has only limited applicability to 3 and 4 rounds.
3 AES Under Leakage with Fixed Time and Space
In this section, we present new key recovery attacks on AES under leakage with fixed time and space. That is, a bit of the internal state is leaked whose location (round and bit position) is unknown but fixed for the entire attack. Our attack is an extension of the Dinur-Shamir integral attacks [9]. While their attack requires knowledge of the location of leaked bits in advance, our attack is feasible even if the attacker does not have any knowledge of it. First, we describe a technique to detect whether leaked bits come from the key schedule or the data transformation, and show that leaked bits from the key schedule are of very limited use for a key recovery attack in this setting. Then we introduce key recovery attacks based on leaked bits from the data transformation. Our attacks utilize a bitwise multiset characteristic.
Formalization of Fixed Time and Space. The fixed (unknown) location setting assumes that each execution of encryption leaks only one bit of the internal state at the fixed location. Specifically, leaked bits are assumed to come from internal states after each round function of the data processing part: \(\#3, \#5, \ldots , \#19\) or each state of the key schedule (i.e., subkeys): $0 , $1, \(\ldots \), $10 at the fixed position of the fixed rounds in each encryption, e.g., \(\#9_{11}[2]\) or $5\(_{8}[5]\). The adversary is able to access the encryption function with known/chosen plaintexts/ciphertexts and obtain corresponding leaked bits.
Leakage From Key Schedule. The states in the key schedule, $0, $1, \(\ldots\), $10, are deterministic with respect to the value of the key, i.e., if a key is fixed, all states of the key schedule are fixed independently of the values of plaintexts. On the other hand, the states in the data processing part depend on the values of plaintexts. This difference allows us to detect whether leaked bits come from the key schedule. More specifically, we encrypt N different plaintexts and obtain N leaked bits. If all N bits are the same, they come from the key schedule with probability \((1 - 2^{-N})\).
If the leaked bits come from the key schedule, the attacker is, information-theoretically, able to get at most one bit of subkey information, as each encryption leaks the same state information at the fixed location. In addition, since the attacker does not know where the leaked bits come from, the information obtained from them is negligible. Therefore, in the following we focus on the case where leaked bits come from the data processing part.
3.1 Bitwise Multiset Characteristic
Our attacks utilize the following bitwise multiset property in the data transformation.
Proposition 1
(Bitwise Zero-Sum Property). If only one byte of \(\#2\) is A and the other 15 bytes are C (a \(\varLambda\)-set), the bitwise XOR-sum of the \(2^8\) multiset of any bit in \(\#3\) to \(\#10\) is zero.
3.2 Chosen-Plaintext Bitwise Multiset Attack
The bitwise zero-sum property allows us to develop chosen-plaintext key recovery attacks using leaked bits at a fixed position in \(\#3\), \(\#5\), \(\#7\) or \(\#9\). Our attack first guesses 4 bytes of the key $0 and chooses a set of \(2^8\) plaintexts resulting in a \(\varLambda\)-set in \(\#2\). If the 4 bytes of $0 are correctly guessed, the bitwise XOR-sum of the \(2^8\) leaked bits in any bit position of \(\#3\) to \(\#10\) is zero (Proposition 1). Otherwise, the probability that the bitwise XOR-sum of leaked bits of \(\#5\), \(\#7\) and \(\#9\) is zero is \(2^{-1}\). If this procedure is repeated with N different sets of \(2^8\) plaintexts, wrong keys can be detected with a probability of \((1 - 2^{-N})\).
1. Guess $0\(_0\), $0\(_{5}\), $0\(_{10}\), $0\(_{15}\) (4 bytes) and choose \(\#2_1\), \(\#2_2\), \(\#2_3\) (3 bytes).
2. Compute the 4 plaintext bytes \(\#0_0\), \(\#0_5\), \(\#0_{10}\), \(\#0_{15}\) backwards for all \(2^8\) values of \(\#2_{0}\).
3. Get the \(2^8\) leaked bits by accessing the prepared table, and compute the XOR-sum of the \(2^8\) leaked bits.
4. Repeat steps 1 to 3 N times with different values of \(\#2_1\), \(\#2_2\), \(\#2_{3}\). If all N XOR-sums are zero, regard it as a correct key.
5. Repeat steps 1 to 4 with all \(2^{32}\) key candidates for $0\(_0\), $0\(_{5}\), $0\(_{10}\), $0\(_{15}\).
6. Repeat steps 1 to 5 three times with the other three 4-byte sets of the key $0 and the corresponding bitwise multiset characteristics and tables.
The number of surviving keys after the above procedure is estimated as \((1 + 2^{-N} \times (2^{32} - 1))^4\). If the remaining key candidates are exhaustively searched, the time complexity is estimated as \(\{(2^{32} \times 2^8 \times N) \times 4\} + (1 + 2^{-N} \times (2^{32} - 1))^4\) encryptions. When \(N = 22\), the time complexity is estimated as \(2^{46.46}\) encryptions, the required data is \(2^{34}\) \((= 2^{32} \times 4)\) chosen plaintexts and the required memory is \(2^{34}\) bits. This attack is successful if the leaked bits come from any bit of \(\#5\), \(\#7\) and \(\#9\), without any knowledge of the location of leaked bits.
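To make Proposition 1, the sieve of steps 1 to 4 and the Sect. 3.3 gap concrete, the following added example (not code from the paper) implements AES-128 with the state numbering of Sect. 2.1, builds the \(\varLambda\)-set plaintexts backwards through a guessed 4-byte set of $0, and reports for which candidate leak states every one of the 128 bitwise XOR-sums is zero and how many bytes of \(\#3\) stay constant. The key, the constants \(\#2_1, \#2_2, \#2_3\) and the wrong guess are constructed sample values.

```python
"""Added example (not code from the paper): compact AES-128 exposing the numbered
states #0..#21 of Sect. 2.1, used to check Proposition 1, the Sect. 3.2 sieve and
the Sect. 3.3 gap. Key, Lambda-set constants and the wrong guess are constructed."""
from functools import reduce
from operator import xor

def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

# S-box = GF(2^8) inversion followed by the AES affine map (0 maps to 0x63).
SBOX = []
for x in range(256):
    inv = next((y for y in range(256) if _gmul(x, y) == 1), 0)
    SBOX.append(reduce(xor, (((inv << n) | (inv >> (8 - n))) & 0xFF for n in range(5))) ^ 0x63)
INV_SBOX = [SBOX.index(v) for v in range(256)]
MUL = {c: [_gmul(c, v) for v in range(256)] for c in (1, 2, 3, 9, 11, 13, 14)}
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def key_schedule(key):
    """Return the subkeys $0..$10, each 16 bytes in column-major order."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                       # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def shift_rows(s):
    # Byte i sits at row i % 4, column i // 4; row r rotates left by r positions.
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]

def mix_columns(s, inverse=False):
    m = (14, 11, 13, 9) if inverse else (2, 3, 1, 1)   # first row of the circulant
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(reduce(xor, (MUL[m[(k - r) % 4]][col[k]] for k in range(4))))
    return out

def aes128_states(pt, subkeys):
    """Encrypt one block and return [#0, #1, ..., #21] in the Sect. 2.1 numbering."""
    states = [list(pt)]
    s = [a ^ b for a, b in zip(pt, subkeys[0])]
    states.append(s)                          # #1: before SubBytes in round 1
    for rnd in range(1, 11):
        s = shift_rows([SBOX[b] for b in s])
        if rnd < 10:
            s = mix_columns(s)
        states.append(s)                      # #2, #4, ..., #20
        s = [a ^ b for a, b in zip(s, subkeys[rnd])]
        states.append(s)                      # #3, #5, ..., #21 (= ciphertext)
    return states

def lambda_set_plaintexts(guess, consts):
    """The 2^8 plaintexts giving a Lambda-set in #2 (#2_0 = A, rest C) when `guess`
    is the true ($0_0, $0_5, $0_10, $0_15); other plaintext bytes are 0 (constructed)."""
    pts = []
    for x in range(256):
        col = mix_columns([x, *consts] + [0] * 12, inverse=True)[:4]   # MC^-1
        pt = [0] * 16
        for pos, v, k in zip((0, 5, 10, 15), col, guess):
            pt[pos] = INV_SBOX[v] ^ k         # undo SubBytes, ShiftRows and $0
        pts.append(pt)
    return pts

def lambda_set_runs(key, guess, consts=(0x11, 0x22, 0x33)):
    """Encrypt the 2^8 Lambda-set plaintexts built under `guess` with the true key."""
    subkeys = key_schedule(key)
    return [aes128_states(pt, subkeys) for pt in lambda_set_plaintexts(guess, consts)]

def zero_sum_check(runs):
    """Per candidate leak state: True iff all 128 bitwise XOR-sums over the runs are 0."""
    result = {}
    for idx in (3, 5, 7, 9, 11):              # #11 lies beyond the characteristic
        acc = reduce(lambda a, st: [p ^ q for p, q in zip(a, st[idx])], runs, [0] * 16)
        result[idx] = not any(acc)            # XOR of bytes == bitwise XOR-sums
    return result

def constant_byte_count(runs, idx=3):
    """Bytes of state #idx that are C over the runs: 15 for a correct guess, 12 for a wrong one."""
    return sum(len({st[idx][i] for st in runs}) == 1 for i in range(16))

KEY = bytes(range(0x10, 0x20))                # constructed sample key
CORRECT = tuple(KEY[i] for i in (0, 5, 10, 15))
WRONG = tuple(b ^ 0xA5 for b in CORRECT)      # constructed wrong 4-byte guess

if __name__ == "__main__":
    for name, guess in (("correct", CORRECT), ("wrong", WRONG)):
        runs = lambda_set_runs(KEY, guess)
        print(name, zero_sum_check(runs), "C bytes in #3:", constant_byte_count(runs))
```

Whichever single bit of \(\#5\), \(\#7\) or \(\#9\) the leak happens to expose, its XOR-sum is zero under the correct guess, while under the wrong guess \(\#3\) is still balanced (B) but \(\#5\) is not, which is exactly the sieve condition of the attack.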
3.3 Partial Key Recovery Attack Using Leaked Bits from \(\#3\)
If leaked bits come from \(\#3\), a 32-bit partial key-recovery attack is feasible, as AES takes 2 rounds to achieve full diffusion. If the 4 bytes of the key $0 are guessed correctly, the \(2^8\) multiset in only one byte of \(\#3\) is not C, as shown in Fig. 2, while for a wrong key, the \(2^8\) multisets in 4 bytes of one column are not C. We exploit the gap in the number of C bytes in \(\#3\) between a correct key and a wrong key.
We guess the column in \(\#3\) where the leaked bits come from and then guess the corresponding 4 bytes of $0. We check whether the \(2^8\) multiset of leaked bits is fixed with N different sets of \(2^8\) plaintexts. A correct key can be detected with probability \((1 - 2^{-8N})\) if the leaked bits come from the byte which is C for a correct key and B for a wrong key. We repeat this \(4 \times 4/3\) times by guessing different columns and byte positions of the leaked bits in \(\#3\) and the corresponding 4 bytes of $0. The corresponding 32 bits of the key $0 can be recovered with about \(2^{44}\) \((\approx 2^{32} \times 2^8 \times 4 \times 4 \times 4/3)\) encryptions when \(N = 4\), \(2^{34}\) chosen ciphertexts and \(2^{34}\) memory.
3.4 Chosen-Ciphertext Bitwise Multiset Attack
In the chosen-ciphertext setting, backward-direction attacks are feasible using leaked bits from \(\#13\), \(\#15\), \(\#17\) or \(\#19\). As shown in Fig. 3, if 4 bytes of $10 are correctly guessed and a set of ciphertexts is properly chosen, the XOR-sum of the \(2^8\) multiset of any bit in \(\#12\) to \(\#17\) is zero (Proposition 1). Since states \(\#13\), \(\#15\) and \(\#17\) correspond to \(\#7\), \(\#5\) and \(\#3\), respectively, chosen-ciphertext attacks using these bits are feasible in the same manner as the chosen-plaintext attacks.
3.5 Combined Key Recovery Attacks on AES
Finally, we introduce a key recovery attack on the full AES-128 by combining the forward- and backward-direction attacks. Since we do not know in which round the bits leak, we guess it and then mount each round attack in the following order: \(\#19 \rightarrow \#17 \rightarrow \#3 \rightarrow \#5 \rightarrow \#7 \rightarrow \#9 \rightarrow \#13 \rightarrow \#15\), i.e., if a correct key is not found by the attack for the guessed round, the attack for the next round is applied in that order. Our attacks find the correct key successfully except in the case where the leaked bits come from \(\#11\). Thus the success probability without any knowledge of the locations of leaked bits is 0.899 \((= 8/9)\).
Time complexity is estimated as \(2^{48}\) \((\approx 2^{18} + 2^{44} + 2^{44} + 2^{46.46} + 2^{46.46})\) encryptions. The required data is about \(2^{35} \) \((= 2^{34} + 2^{34})\) chosen plaintexts and \(2^{34}\) chosen ciphertexts and the required memory is \(2^{34}\) bits. Note that if the leaked bits come from \(\#3\), \(\#17\), \(\#19\), partial key recovery attacks are possible.
4 Uncertainty and Differential Bias Attacks
The attacker may also have only limited control over the execution environment. In particular, time and space can be uncertain. We assume now that the attacker does not know the bit positions and/or the round numbers of leaked bits. Moreover, the leaked values can be incorrect due to noise or other operations executed in parallel to encryption/decryption. This can happen both for purely technical reasons on a complex multi-process platform and due to countermeasures. This section deals with these uncertainties and develops a cryptanalytic technique that we call the differential bias attack.
In a nutshell, the technique works as follows. Let \(Z_i\) be the leaked bit from the ith execution of the encryption function. Our attacks observe a stream of leaked bits \(Z_0, Z_1, Z_2, Z_3, \ldots\) and recover the correct key by applying techniques of distinguishing attacks from the domain of stream ciphers [15, 16, 23]. More specifically, we guess a part of the key $0 and set well-chosen differences for a pair of plaintexts, resulting in biased differential states, where the distribution of bitwise differences is biased if that part of the key $0 is correctly guessed. As the leaked bit stream from biased differential states is also biased, we are able to detect the bit stream corresponding to the correct key by checking the bias in the differences of bits. Also, if leakage after round 9 is available, a more powerful attack, called the biased state attack, is feasible using similar techniques.
4.1 Truncated Differential Characteristic
Our attacks utilize the byte-wise truncated differential characteristic of Fig. 4, where a colored cell is a probability-one nonzero truncated difference, a blank cell is a probability-one zero truncated difference, and ? is an unknown truncated difference. Define the 4 bytes of differences {\(\varDelta \#0_0\), \(\varDelta \#0_5\), \(\varDelta \#0_{10}\), \(\varDelta \#0_{15}\)} in a pair of plaintexts as \((\varDelta \#0_0, \varDelta \#0_5, \varDelta \#0_{10}, \varDelta \#0_{15}) = S^{-1}(MC^{-1}(\varDelta \#2_0, 0, 0, 0))\), where \(S^{-1}\) and \(MC^{-1}\) are the inverses of SubBytes and MixColumns on a column, respectively, and \(\varDelta \#2_0\) is an arbitrary byte difference in \(\#2_0\). Given \(\{\varDelta \#2_0, \#2_0, \ldots, \#2_3\}\) and {$0\(_0\), $0\(_5\), $0\(_{10}\), $0\(_{15}\)}, {\(\varDelta \#0_0, \varDelta \#0_5, \varDelta \#0_{10}, \varDelta \#0_{15}\)} and {\(\#0_0, \#0_5, \#0_{10}, \#0_{15}\)} are determined. Let \(\#0'\) be a plaintext having differences {\(\varDelta \#0_0\), \(\varDelta \#0_5\), \(\varDelta \#0_{10}\), \(\varDelta \#0_{15}\)}, i.e., \(\#0'_0 = \#0_0 \oplus \varDelta \#0_0, \#0'_5 = \#0_5 \oplus \varDelta \#0_5, \#0'_{10} = \#0_{10} \oplus \varDelta \#0_{10}, \#0'_{15} = \#0_{15} \oplus \varDelta \#0_{15}\). Also, let \(\#'1, \ldots, \#'21\) be the corresponding states of \(\#0'\), and \(Z'_0, Z'_1, Z'_2, Z'_3, \ldots\) be the leaked bits of each execution of \(\#0'\).
4.2 Biased Differential State
Choosing the 4-byte differences {\(\varDelta \#0_0\), \(\varDelta \#0_5\), \(\varDelta \#0_{10}\), \(\varDelta \#0_{15}\)} properly and guessing the 4 bytes {$0\(_0\), $0\(_5\), $0\(_{10}\), $0\(_{15}\)} correctly, we are able to create biased differential states: \(\#3\), consisting of 15 bytes of probability-one zero differences and 1 byte of a probability-one nonzero difference; \(\#5\), consisting of 12 bytes of probability-one zero differences and 4 bytes of probability-one nonzero differences; and \(\#7\), consisting of 16 bytes of probability-one nonzero differences. As shown in Fig. 4, a correct key has 27 bytes of probability-one zero differences (\(\#3_1, \ldots, \#3_{15}\) and \(\#5_4, \ldots, \#5_{15}\)) and 21 bytes of probability-one nonzero differences (\(\#3_0\), \(\#5_0, \ldots, \#5_{3}\), and \(\#7_0, \ldots, \#7_{15}\)), while a wrong key has only 12 bytes of probability-one zero differences (\(\#3_4, \ldots, \#3_{15}\)) and does not have any probability-one nonzero difference in the state of the data processing part.
In addition, a pair of plaintexts has 12 bytes of probability-one zero differences and 4 bytes of probability-one nonzero differences for both a correct key and a wrong key. Also, the key schedule has 176 \((= 16 \times 11)\) bytes of probability-one zero differences, as the subkeys are always fixed under the same key.
4.3 Bitwise Differential Bias in Biased Differential State
For a probability-one zero/nonzero truncated difference, we derive positive and negative bitwise differential biases. Our attack exploits the gap in the number of positive and negative biases between a correct key and a wrong key when a pair \(\#0\) and \(\#'0\) is encrypted.
Positive Bitwise Bias for Probability-One Zero Truncated Difference. If a byte-wise pair \(\#x_y\) and \(\#x'_y\) has a probability-one zero truncated difference, a bitwise difference at the same position is also zero with probability one: \(Pr(\varDelta[\#x_y[j], \#'x_y[j]] = 0) = 1,\ 0 \le j \le 7\), where \(\varDelta[a, b] = a \oplus b\). A correct key has 1720 \((= 27 \times 8 + 176 \times 8 + 12 \times 8)\) positive bitwise differential biases, while a wrong key has only 1600 \((= 12 \times 8 + 176 \times 8 + 12 \times 8)\) such biases.
Negative Bitwise Bias for Probability-One Nonzero Truncated Difference. If a pair \(\#x_y\) and \(\#x'_y\) has a probability-one nonzero truncated difference, the probability that a bitwise difference at the same bit position is zero is estimated as follows: \(Pr(\varDelta[\#x_y[j], \#'x_y[j]] = 0) = 127/255 = 1/2 \cdot (1 - 2^{-7.99})\). In experiments with \(2^{40}\) randomly chosen plaintexts and keys, we confirmed that these negative biases toward zero exist in each bit of the probability-one nonzero truncated difference, where the experimental value is \(Pr(\varDelta[\#7_i[j], \#'7_i[j]] = 0) = 1/2 \cdot (1 - 2^{-7.92})\).
Table: Bitwise differential biases for the truncated differential of Fig. 4

Key | Positive biases toward zero | Negative biases toward zero
Correct key | \(\#3_i[j]\ (1 \le i \le 15, 0 \le j \le 7)\); \(\#5_i[j]\ (4 \le i \le 15, 0 \le j \le 7)\) | \(\#3_0[j]\ (0 \le j \le 7)\); \(\#5_i[j]\ (0 \le i \le 3, 0 \le j \le 7)\); \(\#7_i[j]\ (0 \le i \le 15, 0 \le j \le 7)\)
Wrong key | \(\#3_i[j]\ (4 \le i \le 15, 0 \le j \le 7)\) | none
Both keys | \(\#0_i[j]\ (i \notin \{0, 5, 10, 15\}, 0 \le j \le 7)\); \({\$}x_i[j]\ (0 \le x \le 10, 0 \le i \le 15, 0 \le j \le 7)\) | \(\#0_i[j]\ (i \in \{0, 5, 10, 15\}, 0 \le j \le 7)\)
4.4 Bitwise Differential Biases in the Stream of Leaked Bits
The number of samples required for distinguishing two distributions with probability \(1-\alpha\) is given by the following lemmas.
Lemma 1
[15, 16] Let X and Y be two distributions and suppose that the independent events E occur with probabilities \(Pr_X(E) = p\) in X and \(Pr_Y(E)=(1 + q) \cdot p\) in Y. Then the discrimination D of the distributions is \(p\cdot q^{2}\).
Lemma 2
[15] The number of samples \(N_{sample}\) that is required for distinguishing two distributions that have discrimination D with success probability \(1-\alpha\) is \((1/D) \cdot (1 - 2\alpha) \cdot \log_2 \frac{1-\alpha}{\alpha}\).
4.5 Chosen-Plaintext Differential Bias Attack
1. Guess the 4 key bytes $0\(_0\), $0\(_5\), $0\(_{10}\), $0\(_{15}\), and choose \(\varDelta \#2_0\), \(\#2_0, \ldots, \#2_3\).
2. Compute a pair of 4 bytes of plaintexts, \(\#0_0\), \(\#0_5\), \(\#0_{10}\), \(\#0_{15}\) and \(\#0'_0\), \(\#0'_5\), \(\#0'_{10}\), \(\#0'_{15}\), resulting in biased \(\#3\), \(\#5\) and \(\#7\) states if the key is correctly guessed.
3. Get \(N^2_{s}\) pairs of leaked bits \(\varDelta[Z_i, Z'_j]\), \(0 \le i, j < N_s\), by accessing the prepared table.
4. Repeat steps 2 to 3 \(N_{sample}/N^2_s\) times with different values of \(\#2\).
5. Check whether the distribution of the \(N_{sample}\) pairs is the one for a correct key. If so, regard it as a candidate for the correct key.
6. Repeat steps 1 to 5 with all \(2^{32}\) candidates for the key bytes $0\(_0\), $0\(_5\), $0\(_{10}\), $0\(_{15}\).
7. Repeat steps 1 to 6 three times with the other three 4-byte sets of the key $0, the corresponding truncated differential characteristics, and the tables of plaintexts and leaked bits.
4.6 Chosen-Ciphertext Differential Bias Attack
If the decryption function is accessible, chosen-ciphertext attacks are applicable. Similarly to the setting of the bitwise multiset attacks above, the chosen-ciphertext attacks are more efficient, and it makes sense to black-box the output of round 9 also in the cases with time and space uncertainty.
Biased State Attack on \(\mathbf{\#19}\): Leakage After Round 9. If leaked bits from \(\#19\) are obtained, a more powerful attack is feasible. Each byte in \(\#19\) is controlled by one byte of $10 and one byte of the ciphertext. Thus, we are able to create a biased state in \(\#19\) in which one byte (8 bits) is fixed to 0, if the corresponding byte of $10 is correctly guessed and the respective byte of the ciphertext is properly chosen. Suppose that the values of the other bits of the states are randomly distributed. The probability that each leaked bit is zero (\(Z_i = 0\)) for a correct key is estimated as \(Pr^c(Z_i = 0) = 1/2 \cdot (N'^c_{random}/N'_{all}) + N'^c_{bias_p}/N'_{all}\), where \(N'_{all}\), \(N'_{bias_p}\), and \(N'_{random}\) are the numbers of bits in the entire space, the positively biased space and the randomly distributed space, respectively. Also, \(Pr^w(Z_i = 0)\) is assumed to be 1/2.
Assuming that the target event E is \(Z_i = 0\), p and q are estimated as \(p = 1/2\) and \(q = N'^c_{bias_p}/N'_{all}\). For a success rate of \(1 - 2^{-8}\) (\(\alpha = 2^{-8}\)), the sample requirement is estimated as \(N'_{sample} \approx 2 \cdot 8 \cdot q^{-2} = 2^4 \cdot q^{-2}\). We repeat the procedure for all 16 bytes of $10. Therefore, the time complexity is estimated as \(2^{12} \times N'_{sample}\) \((= 16 \times 2^{8} \times N'_{sample})\) encryptions and the required data is \(2^{12} \times N'_{sample}\) \((= 16 \times 2^{8} \times N'_{sample})\) chosen ciphertexts. The memory requirement is negligible.
4.7 KnownPlaintext Differential Bias Attack
Finally, we introduce a knownplaintext differential bias attack using a truncated differential characteristic of Fig. 8. For a correct key, one has 24 \((=3 \times 8)\) positive bitwise differential biases toward zero and 8 negative bitwise differential biases in \(\#3\), while for a wrong key, there are not such biases. The key schedule has the same number of positive biases of chosenplaintext attacks and the plaintext has 32 \((=4 \times 8)\) negative biases in both of a correct and a wrong key.
5 AES Under Leakage with Uncertainty in Time/Space
This section evaluates the security of AES if the attacker is uncertain about time and space, that is, if the round of the leak and/or the bit position of the leak within the round is randomized. Since the multiset of leaked bits at a fixed location is not available in this random, unknown setting, our bitwise multiset attacks are not applicable to these variants. Thus, we estimate the costs of differential (state) bias attacks on each variant of AES with the countermeasures shown in Fig. 1.
Formalization of Time/Space Uncertainty for AES. We speak of randomized time when one bit of the state information is leaked at a fixed bit position after a random number of rounds, e.g., \(\#(2x + 1)_{10}[7]\) (\(0 \le x \le 10\)) or $x \(_{3}[4]\) (\(0 \le x \le 10\)). We speak of randomized space when one bit of the state information is leaked at a random bit position after a fixed number of rounds, e.g., {\(\#17_{i}[j]\), $8\(_{i}[j]\)} (\(0 \le i \le 15\), \(0 \le j \le 7\)). Randomized time and space occur when one bit of state information is leaked at a random bit position after a random number of rounds, e.g., \(\#(2x + 1)_{i}[j]\) (\(0 \le x \le 10\), \(0 \le i \le 15\) and \(0 \le j \le 7\)) or $x \(_{i}[j]\) (\(0 \le x \le 10\), \(0 \le i \le 15\) and \(0 \le j \le 7\)).
5.1 Uncertainty in Space
The space randomization makes the bit position of the leaked bits random in each execution, i.e., \(Z_i\) and \(Z'_i\) come at random from two 256-bit spaces, each consisting of a 128-bit state in the data processing part and a 128-bit state in the key schedule at the unknown fixed round, assuming encryptions are executed with a 256-bit working memory for an internal state and a subkey.
Assuming that the leaked bits come from the states after round 2, i.e., {#5\(_{i}[j]\) and $2\(_{i}[j]\)} and {#’5\(_{i}[j]\) and $’2\(_{i}[j]\)} (\(0 \le i \le 15\), \(0 \le j \le 7\)), the parameters of our differential bias attacks are chosen as \(N_{all} = (256)^2\), \(N^{(c)}_{bias_p} = 224 \) \((=96 + 128)\), \(N^{(w)}_{bias_p} = 128 \) \((= 0 + 128)\), \(N^{(c)}_{bias_n} = 32\) and \(N^{(w)}_{bias_n} = 0\) (see Table 2). Then, \(Pr^{c}(\varDelta [Z_i, Z'_j] = 0)\) and \(Pr^{w}(\varDelta [Z_i, Z'_j] = 0)\) are estimated as \(1/2 \cdot (1 + 2^{-8.192})\) and \(1/2 \cdot (1 + 2^{-9.000})\), respectively, and \(q = 2^{-9.42}\). In our experiment with \(2^{40}\) randomly-chosen correct and wrong pairs of keys and plaintexts, \(Pr_{c}(\varDelta [Z_i, Z'_j] = 0)\) and \(Pr_{w}(\varDelta [Z_i, Z'_j] = 0)\) are \(1/2 \cdot (1 + 2^{-8.191})\) and \(1/2 \cdot (1 + 2^{-9.001})\), respectively, and \(q = 2^{-9.42}\). The number of samples required to detect a stream for a correct key is estimated as \(N_{sample} = 2^{24.84}\) \(( = 2^6 \times 2^{9.42 \times 2})\). We experimentally confirmed that this number of samples is enough for a successful attack. With \(N_s = (N_{all})^{1/2}\), the time complexity is estimated as \(2^{47.84} \) \((= (2^{31} \times 2^{24.84})/(2^8))\) encryptions and the required data is \(2^{42} \) \((= 2^{34} \times 2^8)\) chosen plaintexts and corresponding leaked bits, with \(2^{42}\) bits of prepared tables.
The details of the attacks for \(N_s = (N_{all})^{1/2}\) are provided in Table 3, where \(q^{(e)}\) is our experimental value with \(2^{40}\) randomly-chosen correct and wrong pairs of keys and plaintexts/ciphertexts, and T and D are the time complexity and the amount of required data, respectively. Our theoretical values closely approximate the experimental data in all cases. Since the attacker does not know the round number of the leaked bits, he first guesses the round of the leaked bits and then mounts an attack similar to the combined attack of the bitwise multiset attacks. If the decryption is accessible, our attacks are successful except in the case where the leaked bits come only from the states after round 4 or 5. Also, a known-plaintext attack is possible if leaked bits from \(\#3\) are available.
5.2 Uncertainty in Time
The time randomization makes the round number of the leaked bits random in each execution, i.e., \(Z_i\) and \(Z'_i\) come from the fixed bit position at a random round of the data processing part. Additionally, we take into account the leaked bits from the plaintexts \(\#0\) or ciphertexts \(\#21\) in the data processing part. For instance, assuming that the leaked bits come from the 33rd bit of the data processing part, i.e., \(\#0_4[1]\), \(\#3_4[1]\), \(\ldots \), \(\#19_4[1]\) or \(\#21_4[1]\), the attack parameters are given as \(N_{all} = 11 ^ 2\), \(N^{(c)}_{bias_p} = 3\), \(N^{(w)}_{bias_p} = 2\), \(N^{(c)}_{bias_n} = 1\), \(N^{(w)}_{bias_n} = 0\). Then \(q = 2^{-6.45}\), \(N_{sample} = 2^{19.9}\), \(T = 2^{47.44}\) and \(D = 2^{37.46}\).
Differential bias and biased state attacks for space randomization

Chosen-plaintext (ciphertext) differential bias attack:

| Round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 (8) | \(256^2\) | 248 | 224 | 8 | 0 | \(2^{-11.42}\) | \(2^{-11.38}\) | \(2^{28.84}\) | \(2^{51.84}\) | \(2^{42.00}\) CP (CC) |
| 2 (7) | \(256^2\) | 224 | 128 | 32 | 0 | \(2^{-9.42}\) | \(2^{-9.42}\) | \(2^{24.84}\) | \(2^{47.84}\) | \(2^{42.00}\) CP (CC) |
| 3 (6) | \(256^2\) | 128 | 128 | 128 | 0 | \(2^{-16.99}\) | \(2^{-16.84}\) | \(2^{39.98}\) | \(2^{62.98}\) | \(2^{42.00}\) CP (CC) |

Known-plaintext differential bias attack:

| Round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | \(256^2\) | 152 | 128 | 8 | 0 | \(2^{-11.42}\) | \(2^{-11.10}\) | \(2^{28.84}\) | \(2^{51.84}\) | \(2^{43.00}\) KP |

Chosen-ciphertext biased state attack:

| Round | \(N'_{all}\) | \(N'^c_{bias_p}\) | \(N'^w_{bias_p}\) | q | \(q^{(e)}\) | \(N'_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|
| 9 | 256 | 8 | 0 | \(2^{-5.00}\) | \(2^{-5.00}\) | \(2^{14}\) | \(2^{26.00}\) | \(2^{26.00}\) CC |
5.3 Uncertainty in Both Space and Time
Differential bias and biased state attacks for time randomization

Chosen-plaintext differential bias attack:

| BB round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| None | \(11^2\) | 3 | 2 | 1 | 0 | \(2^{-6.95}\) | \(2^{-6.94}\) | \(2^{19.90}\) | \(2^{47.44}\) | \(2^{37.46}\) CP |
| 9 | \(10^2\) | 3 | 2 | 1 | 0 | \(2^{-6.68}\) | \(2^{-6.68}\) | \(2^{19.36}\) | \(2^{47.04}\) | \(2^{37.32}\) CP |
| 1, 2, 8, 9 | \(7^2\) | 0 | 0 | 1 | 0 | \(2^{-13.61}\) | \(2^{-13.23}\) | \(2^{33.22}\) | \(2^{60.41}\) | \(2^{36.81}\) CP |

Known-plaintext differential bias attack:

| BB round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| None | \(11^2\) | 1 | 0 | 0 | 0 | \(2^{-6.92}\) | \(2^{-7.30}\) | \(2^{19.84}\) | \(2^{47.38}\) | \(2^{38.46}\) KP |

Chosen-ciphertext biased state attack:

| BB round | \(N'_{all}\) | \(N'^c_{bias_p}\) | \(N'^w_{bias_p}\) | q | \(q^{(e)}\) | \(N'_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|
| None | 11 | 1 | 0 | \(2^{-3.46}\) | \(2^{-3.45}\) | \(2^{10.92}\) | \(2^{22.92}\) | \(2^{22.92}\) CC |

Differential bias and biased state attacks for space and time randomization

Chosen-plaintext differential bias attack:

| BB round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| None | \((256 \cdot 11)^2\) | 1720 | 1600 | 200 | 32 | \(2^{-16.02}\) | \(2^{-15.92}\) | \(2^{38.04}\) | \(2^{57.58}\) | \(2^{45.46}\) CP |
| 9 | \((256 \cdot 10)^2\) | 1592 | 1472 | 200 | 32 | \(2^{-15.75}\) | \(2^{-15.70}\) | \(2^{37.49}\) | \(2^{57.17}\) | \(2^{45.32}\) CP |
| 1, 2, 8, 9 | \((256 \cdot 7)^2\) | 896 | 896 | 128 | 0 | \(2^{-22.61}\) | \(2^{-23.07}\) | \(2^{51.22}\) | \(2^{71.41}\) | \(2^{44.81}\) CP |

Known-plaintext differential bias attack:

| BB round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| None | \((256 \cdot 11)^2\) | 1440 | 1408 | 40 | 32 | \(2^{-17.92}\) | \(2^{-17.69}\) | \(2^{41.84}\) | \(2^{61.38}\) | \(2^{46.46}\) KP |

Chosen-ciphertext biased state attack:

| BB round | \(N'_{all}\) | \(N'^c_{bias_p}\) | \(N'^w_{bias_p}\) | q | \(q^{(e)}\) | \(N'_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|
| None | \((256 \cdot 11)\) | 8 | 0 | \(2^{-8.46}\) | \(2^{-8.44}\) | \(2^{20.92}\) | \(2^{32.92}\) | \(2^{32.92}\) CC |

Differential bias and biased state attacks for leakage with noise

| BB round | T (\(\pi = 1\)) | D (\(\pi = 1\)) | T (\(\pi = 2^{-10}\)) | D (\(\pi = 2^{-10}\)) | T (\(\pi = 2^{-20}\)) | D (\(\pi = 2^{-20}\)) | T (\(\pi = 2^{-30}\)) | D (\(\pi = 2^{-30}\)) |
|---|---|---|---|---|---|---|---|---|
| Chosen-plaintext differential bias attack | | | | | | | | |
| None | \(2^{57.58}\) | \(2^{45.46}\) CP | \(2^{67.58}\) | \(2^{55.46}\) CP | \(2^{77.58}\) | \(2^{65.46}\) CP | \(2^{87.58}\) | \(2^{75.46}\) CP |
| 1, 2, 8, 9 | \(2^{71.41}\) | \(2^{44.81}\) CP | \(2^{81.41}\) | \(2^{54.81}\) CP | \(2^{91.41}\) | \(2^{64.81}\) CP | \(2^{101.41}\) | \(2^{74.81}\) CP |
| Known-plaintext differential bias attack | | | | | | | | |
| None | \(2^{61.38}\) | \(2^{46.46}\) KP | \(2^{71.38}\) | \(2^{56.46}\) KP | \(2^{81.38}\) | \(2^{66.46}\) KP | \(2^{91.38}\) | \(2^{76.46}\) KP |
| Chosen-ciphertext biased state attack | | | | | | | | |
| None | \(2^{32.92}\) | \(2^{32.92}\) CC | \(2^{52.92}\) | \(2^{52.92}\) CC | \(2^{72.92}\) | \(2^{72.92}\) CC | \(2^{92.92}\) | \(2^{92.92}\) CC |

The details of our attacks are given in Table 5. We also provide chosen-plaintext attacks for the cases where round 9, and where rounds 1, 2, 8 and 9, are black-boxed. If the decryption is accessible, our attacks work as long as leaked bits after round 1, 2, 3, 6, 7, 8 or 9 of the data processing part are available. Also, a known-plaintext attack is applicable if leaked bits from \(\#3\) are observable.
6 AES Under Noisy Leakage
This section studies the effect of additional noise on top of the time and space randomization. The noise can be due to the adversary's limited knowledge of the platform or due to implemented countermeasures such as the insertion of dummy operations. In the differential bias attack, this reduces the rate of positively/negatively biased bits by adding noise bits into the space of the actually leaked bits. To quantify the amount of noise present in the attack, we define \(\pi \) as the probability that an observed bit is not a noise bit. Assuming that the values of the noise bits are randomly distributed, the bias of a leaked bit stream of the correct key with noise bits is estimated as \(q' = q \times \pi \), and the required number of sample bits to distinguish a stream for a correct key increases by a factor of \((\pi ^2)^{-1}\) to \(N'_{sample} = N_{sample} \times (\pi ^2)^{-1}\). With \(N_s = (N_{all})^{1/2} \times \pi ^{-1}\), the time and data complexities of our known/chosen-plaintext differential bias attacks increase by a factor of \(\pi^{-1}\), as \( T \approx 2^{31} \times (N_{sample} \times \pi ^{-2}) /(N_s \times \pi ^{-1}) = 2^{31} \times (N_{sample} \times \pi ^{-1}) /N_s\) encryptions and \(D \approx 2^{34}(2^{35}) \times (N_s \times \pi ^{-1})\) chosen/known plaintexts with leaked bits. Also, the time and data complexities of the chosen-ciphertext biased state attacks increase by a factor of \(\pi^{-2}\). The detailed evaluations for each value of \(\pi \) are shown in Table 6.
7 Towards More Alignment: Bytewise Leakage
Here we deal with the case where each execution leaks one byte of a byte-aligned state. In other words, we now let aligned bytes of the internal states leak. Such leaks better reflect the realities of a byte-oriented software implementation.^{3} In both settings – leakage with fixed and with uncertain time/space – our techniques still apply. However, some adjustments are needed, see below.
7.1 Fixed Time/Space: Bytewise Multiset Attack
Our bitwise multiset attacks naturally extend to bytewise multiset attacks, because the multiset characteristics are based on the bytewise XOR-sum property. The success probability for detecting wrong keys increases from \((1 - 2^{-1})\) to \((1 - 2^{-8})\) by using the bytewise zero-sum property. Then the time complexities of the 2-, 3-, 4-, 6- and 7-round attacks are estimated as \(\{(2^{32} \times 2^8 \times N) \times 4 \} + (1 + 2^{-8N} \times (2^{32} - 1))^4 \) encryptions. With \(N = 4\), this is about \(2^{44}\). The time complexities of the 1- and 8-round attacks and of the 9-round attack also improve, to \(2^{42}\) \((\approx 2^{32} \times 2^8 \times 4 \times 4/3)\) and \(2^{12} \) \((= 2^8 \times 16)\) encryptions, respectively. The time complexity of the combined attack is \(2^{45}\) \((\approx 2^{12} + 2^{42} + 2^{42} + 2^{44} + 2^{44})\) encryptions and the required data is \(2^{35}\) chosen plaintexts and \(2^{34}\) chosen ciphertexts.
7.2 Uncertain Time/Space: Differential Bias Attack
Our differential bias attacks also extend to bytewise attacks using the bytewise differential biases of the truncated differential characteristics of Figs. 4, 7 and 8.
Evaluation for byte-aligned space randomization (\(N_s = (N_{all})^{1/2}\))

Chosen-plaintext (ciphertext) differential bias attack:

| Round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 (8) | \(32^2\) | 31 | 28 | 1 | 1 | \(2^{-3.41}\) | \(2^{-3.42}\) | \(2^{19.84}\) | \(2^{45.84}\) | \(2^{39.00}\) CP (CC) |
| 2 (7) | \(32^2\) | 28 | 16 | 4 | 4 | \(2^{-0.74}\) | \(2^{-0.74}\) | \(2^{14.48}\) | \(2^{40.48}\) | \(2^{39.00}\) CP (CC) |
| 3 (6) | \(32^2\) | 16 | 16 | 16 | 0 | \(2^{-8.32}\) | \(2^{-8.38}\) | \(2^{29.64}\) | \(2^{55.64}\) | \(2^{42.00}\) CP |

Known-plaintext differential bias attack:

| Round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | \(32^2\) | 19 | 16 | 1 | 0 | \(2^{-2.74}\) | \(2^{-2.74}\) | \(2^{18.48}\) | \(2^{44.48}\) | \(2^{40.00}\) KP |

Chosen-ciphertext biased state attack:

| Round | \(N'_{all}\) | \(N'^c_{bias_p}\) | \(N'^w_{bias_p}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|
| 9 | 32 | 1 | 0 | \(2^{2.99}\) | \(2^{2.99}\) | \(2^{11.00}\) | \(2^{23.00}\) | \(2^{23.00}\) CC |

Evaluation for byte-aligned time randomization (\(N_s = (N_{all})^{1/2}\))

Chosen-plaintext differential bias attack:

| BB round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| None | \(11^2\) | 3 | 2 | 1 | 0 | \(2^{-1.31}\) | \(2^{-1.31}\) | \(2^{15.62}\) | \(2^{43.16}\) | \(2^{37.46}\) CP |
| 9 | \(10^2\) | 3 | 2 | 1 | 0 | \(2^{-1.26}\) | \(2^{-1.26}\) | \(2^{15.52}\) | \(2^{43.19}\) | \(2^{37.32}\) CP |
| 1, 2, 8, 9 | \(7^2\) | 0 | 0 | 1 | 0 | \(2^{-5.61}\) | \(2^{-5.50}\) | \(2^{24.22}\) | \(2^{52.41}\) | \(2^{36.81}\) CP |

Known-plaintext differential bias attack:

| BB round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| None | \((11)^2\) | 1 | 0 | 0 | 0 | \(2^{-1.08}\) | \(2^{-1.08}\) | \(2^{13.00}\) | \(2^{40.54}\) | \(2^{38.46}\) KP |

Chosen-ciphertext biased state attack:

| BB round | \(N'_{all}\) | \(N'^c_{bias_p}\) | \(N'^w_{bias_p}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|
| None | 11 | 1 | 0 | \(2^{4.50}\) | \(2^{4.50}\) | \(2^{11.00}\) | \(2^{23.00}\) | \(2^{23.00}\) CP |

Chosen-Ciphertext Biased-State Attack. Assuming that the target event E is \(Z_i= 0\), p and q are estimated as \(p = 1/2^8\) and \(q = (255 \times N^c_{bias_p})/N_{all}\). The number of required samples is estimated as \(N_{sample} \approx 8 \cdot 2^8 \cdot q^{-2}\). We repeat the procedure for all 16 bytes of $10. Therefore, the time complexity is estimated as \(2^{12} \times N_{sample} \) \((= 16 \times 2^{8} \times N_{sample})\) encryptions and the required data is \(2^{12} \times N_{sample} \) \((= 16 \times 2^{8} \times N_{sample})\) chosen ciphertexts.
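As an added example (not the authors' code), the following Python collects the complexity estimates of Sects. 4.6, 5, 6 and 7.2 into functions written in the paper's own symbols (q, \(N_{sample}\), \(N_s\), T, D, \(\pi \)) and reproduces the corresponding table entries, so that the effect of a countermeasure (noise \(\pi \), space/time randomization) on the attack cost can be recomputed for other parameters. It also includes a small Monte-Carlo model of the biased-state statistic of Sect. 4.6; that model, the function names and the sampling assumptions (one leaked bit from a uniformly random position of a 256-bit working memory, all unbiased bits uniformly random) are assumptions made here for illustration, not statements of the paper.

```python
"""Cost estimates for the leakage attacks, in the paper's own symbols.

Added example, not the authors' code.  The closed-form estimates are the
ones stated in Sects. 4.6, 5, 6 and 7.2; the Monte-Carlo part models the
biased-state statistic of Sect. 4.6 under an assumed leakage model.
"""
import math
import random


def biased_state_estimate(n_all, n_bias_p, alpha_bits=8, bytewise=False):
    """Chosen-ciphertext biased-state attack.

    Bitwise (Sect. 4.6): q = N'_bias_p / N'_all and
        N'_sample ~ 2 * log2(1/alpha) * q^-2 with alpha = 2^-8.
    Bytewise (Sect. 7.2): q = 255 * N^c_bias_p / N_all and
        N_sample ~ 8 * 2^8 * q^-2.
    Either way T = D = 2^12 * N_sample (16 key bytes, 2^8 guesses each).
    Returns log2 values; N_sample is None when q >= 1, where the lemmata
    behind the estimate do not apply (footnote 4).
    """
    if bytewise:
        q = 255 * n_bias_p / n_all
        const = 8 * 2 ** 8
    else:
        q = n_bias_p / n_all
        const = 2 * alpha_bits
    if q >= 1:
        return {"q": math.log2(q), "N_sample": None, "T": None, "D": None}
    n_sample = const * q ** -2
    t = 2 ** 12 * n_sample
    return {"q": math.log2(q), "N_sample": math.log2(n_sample),
            "T": math.log2(t), "D": math.log2(t)}


def differential_bias_samples(q_log2):
    """Bitwise differential bias attack: N_sample = 2^6 * q^-2 (Sect. 5.1).
    q is given and returned as log2."""
    return 6 - 2 * q_log2


def differential_bias_cost(n_sample_log2, n_all, known_plaintext=False):
    """T ~ 2^31 * N_sample / N_s encryptions and D ~ 2^34 * N_s chosen
    plaintexts (2^35 * N_s known plaintexts), with N_s = N_all^(1/2)
    (Sects. 5.1 and 6).  Returns log2 of T and D."""
    n_s_log2 = math.log2(n_all) / 2
    return {"T": 31 + n_sample_log2 - n_s_log2,
            "D": (35 if known_plaintext else 34) + n_s_log2}


def with_noise(cost, pi_log2, biased_state=False):
    """Sect. 6: pi is the probability that an observed bit is not noise.
    The bias shrinks to q * pi, so N_sample grows by pi^-2; with
    N_s = N_all^(1/2) * pi^-1, T and D of the differential bias attacks
    grow by pi^-1, while T and D of the biased-state attack grow by pi^-2."""
    k = 2 if biased_state else 1
    out = {}
    for key, val in cost.items():
        if val is not None and key in ("T", "D"):
            val = val - k * pi_log2
        elif val is not None and key == "N_sample":
            val = val - 2 * pi_log2
        out[key] = val
    return out


# ---- Monte-Carlo model of the biased-state statistic (assumption) ----

def leaked_bit(rng, correct_key):
    """One leaked bit from a random position of the 256-bit working memory.
    With the correct guess of a byte of $10 and a properly chosen ciphertext
    byte, one byte (8 bits) of #19 is forced to 0; every other bit is
    modelled as uniformly random (assumption)."""
    pos = rng.randrange(256)
    if correct_key and pos < 8:
        return 0
    return rng.randrange(2)


def zero_fraction(n_samples, correct_key, seed=1):
    """Empirical Pr[Z_i = 0] over n_samples leaked bits."""
    rng = random.Random(seed)
    zeros = sum(1 for _ in range(n_samples) if leaked_bit(rng, correct_key) == 0)
    return zeros / n_samples


def accept_key(zero_frac, q):
    """Correct key: Pr[Z_i = 0] = 1/2 + q/2; wrong key: 1/2.  Accept the
    guess when the observed fraction passes the midpoint 1/2 + q/4."""
    return zero_frac > 0.5 + q / 4


if __name__ == "__main__":
    bs = biased_state_estimate(256, 8)
    print("bitwise biased state, round 9: log2 q=%.2f N'_sample=%.2f T=%.2f"
          % (bs["q"], bs["N_sample"], bs["T"]))          # -5.00 14.00 26.00
    ns = differential_bias_samples(-9.42)
    db = differential_bias_cost(ns, 256 ** 2)
    print("space randomization, round 2: N_sample=%.2f T=%.2f D=%.2f"
          % (ns, db["T"], db["D"]))                        # 24.84 47.84 42.00
    noisy = with_noise(differential_bias_cost(differential_bias_samples(-16.02),
                                              (256 * 11) ** 2), -10)
    print("space+time, pi=2^-10: T=%.2f D=%.2f" % (noisy["T"], noisy["D"]))
    q = 8 / 256
    for correct in (True, False):
        f = zero_fraction(2 ** 14, correct)
        print("correct=%s zero fraction=%.4f accepted=%s"
              % (correct, f, accept_key(f, q)))
```

The estimates take log2 values so that the table entries can be compared directly; the Monte-Carlo run with \(2^{14}\) samples, the paper's \(N'_{sample}\) for round 9, shows the two zero fractions separated by the gap the estimate relies on, and raising \(\pi^{-1}\) in `with_noise` shows how much dummy operations or platform uncertainty add to the cost.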
Evaluation for byte-aligned space and time randomization (\(N_s = (N_{all})^{1/2}\))

Chosen-plaintext differential bias attack:

| BB round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| None | \((32 \cdot 11)^2\) | 215 | 200 | 25 | 4 | \(2^{-5.52}\) | \(2^{-5.53}\) | \(2^{24.04}\) | \(2^{46.58}\) | \(2^{42.45}\) CP |
| 9 | \((32 \cdot 10)^2\) | 199 | 184 | 25 | 4 | \(2^{-5.29}\) | \(2^{-5.29}\) | \(2^{23.58}\) | \(2^{46.26}\) | \(2^{42.32}\) CP |
| 1, 2, 8, 9 | \((32 \cdot 8)^2\) | 112 | 112 | 16 | 0 | \(2^{-12.52}\) | \(2^{-12.58}\) | \(2^{38.04}\) | \(2^{61.23}\) | \(2^{41.80}\) CP |

Known-plaintext differential bias attack:

| BB round | \(N_{all}\) | \(N^c_{bias_p}\) | \(N^w_{bias_p}\) | \(N^c_{bias_n}\) | \(N^w_{bias_n}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|---|---|
| None | \((32 \cdot 11)^2\) | 179 | 176 | 5 | 4 | \(2^{-7.79}\) | \(2^{-7.74}\) | \(2^{28.58}\) | \(2^{52.12}\) | \(2^{43.45}\) KP |

Chosen-ciphertext biased state attack:

| BB round | \(N'_{all}\) | \(N'^c_{bias_p}\) | \(N'^w_{bias_p}\) | q | \(q^{(e)}\) | \(N_{sample}\) | T | D |
|---|---|---|---|---|---|---|---|---|
| None | \((32 \cdot 11)\) | 1 | 0 | \(2^{-0.46}\) | \(2^{-0.46}\) | \(2^{11.92}\) | \(2^{23.92}\) | \(2^{23.92}\) CC |

Evaluation for byte-aligned leakage with noise (\(N_s = (N_{all})^{1/2} \times \pi ^{-1}\))

| BB round | T (\(\pi = 1\)) | D (\(\pi = 1\)) | T (\(\pi = 2^{-10}\)) | D (\(\pi = 2^{-10}\)) | T (\(\pi = 2^{-20}\)) | D (\(\pi = 2^{-20}\)) | T (\(\pi = 2^{-30}\)) | D (\(\pi = 2^{-30}\)) |
|---|---|---|---|---|---|---|---|---|
| Chosen-plaintext differential bias attack | | | | | | | | |
| None | \(2^{46.58}\) | \(2^{42.45}\) CP | \(2^{56.58}\) | \(2^{52.45}\) CP | \(2^{66.58}\) | \(2^{62.45}\) CP | \(2^{76.58}\) | \(2^{72.45}\) CP |
| 1, 2, 8, 9 | \(2^{61.23}\) | \(2^{41.80}\) CP | \(2^{71.23}\) | \(2^{51.80}\) CP | \(2^{81.23}\) | \(2^{61.80}\) CP | \(2^{91.23}\) | \(2^{71.80}\) CP |
| Known-plaintext differential bias attack | | | | | | | | |
| None | \(2^{50.28}\) | \(2^{43.45}\) KP | \(2^{60.28}\) | \(2^{53.45}\) KP | \(2^{70.28}\) | \(2^{63.45}\) KP | \(2^{80.28}\) | \(2^{73.45}\) KP |
| Chosen-ciphertext biased state attack | | | | | | | | |
| None | \(2^{23.92}\) | \(2^{23.92}\) CC | \(2^{43.92}\) | \(2^{43.92}\) CC | \(2^{63.92}\) | \(2^{63.92}\) CC | \(2^{83.92}\) | \(2^{83.92}\) CC |
8 Some Extensions
8.1 AES-192 and AES-256
Bitwise multiset attacks and differential bias attacks on AES-128 are directly applicable to AES-192 and AES-256 in both the fixed and the random settings. In the backward direction, the 6- to 9-round attacks on AES-128 correspond to 8- to 11-round attacks on AES-192 and 10- to 13-round attacks on AES-256, respectively.
8.2 Multiple-Bit Leakage
Here we consider the case where M bits of the bit-aligned state information leak in each execution, for a small M. Let \(Z^{i}_1, Z^{i}_2,\ldots , Z^{i}_M\) be the M leaked bits of the i-th execution.
Bitwise Multiset Attack: Assume that \(Z^{i}_0, Z^{i}_1,\ldots , Z^{i}_{M-1}\) come from different but fixed locations of the state. If the XOR-sum of the \(2^8\) multiset at each location is zero, the XOR-sum of the whole set of \(2^8 \times M\) bits is also zero. Thus, bitwise multiset attacks are feasible as long as the leaked bits come from a space where each XOR-sum is zero only for the correct key. The time and data complexities are almost the same.
Differential Bias Attack: Assume that \(Z^{i}_1, Z^{i}_2,\ldots , Z^{i}_M\) come from randomly-chosen, different locations of the state. Since the attacker obtains M bits in each execution, the required data reduces by a factor of M.
8.3 Other Granularities
So far, we have assumed that a leak can only occur after a full round. However, at other granularities, such as leaks after SubBytes or MixColumns, our bitwise multiset attacks and differential bias attacks still work.
Bitwise Multiset Attack: According to Proposition 1, any bit of the states between \(\#3\) and \(\#10\) has the zero-sum property if the key is correctly guessed. Using the difference in zero-sum properties between the correct-key and wrong-key cases, bitwise multiset attacks are applicable to the other states in the same manner.
Differential Bias Attack: By properly choosing the attack parameters, our differential bias attacks are also made feasible. For instance, if bits of the states after SubBytes are additionally leaked, the parameters of the chosen-plaintext differential bias attacks on AES-128 with space and time randomization are estimated as \(N_{all} = (256 \times 11 + 128 \times 10)^2\), \(N^{(c)}_{bias_p} = 2032\) \((=216 + 216 + 1408 + 96 + 96)\), \(N^{(w)}_{bias_p} = 1792\) \((=96 + 96 + 1408 + 96 + 96)\), \(N^{(c)}_{bias_n} = 400\) \((= 168 + 168 + 0 + 32 + 32)\), \(N^{(w)}_{bias_n} = 64\) \((= 0 + 0 + 32 + 32)\), and \(q = 2^{-16.10}\). The number of required samples is estimated as \(N_{sample} = 2^{38.02}( = 2^6 \times 2^{16.01 \cdot 2})\). With \(N_s = (N_{all})^{1/2}\), the time complexity is \(2^{57.02}\) \((= (2^{31} \times 2^{38.02})/(256 \times 11 + 128 \times 10))\) encryptions and the required data is \(2^{46}\) \((= 2^{34} \times (256 \times 11 + 128 \times 10))\) chosen plaintexts.
Footnotes
1. Further models are worth consideration as well. For instance, the Dinur-Shamir model of the side-channel cube attacks [9] can be seen as a special case of our leakage model, with the following differences: First, in the Dinur-Shamir model, the adversary knows the location of the leak. Second, the Dinur-Shamir model does not consider leaks of more than a single bit. Third, Dinur and Shamir do not allow for leaks from the key schedule. Finally, the time and location of a leak are fixed, while we allow for time and space uncertainty in our consideration.
2. E.g., partly unrolled hardware implementations aimed at reducing latency [6] may have this property.
3.
4. If q is not small, Lemmata 1 and 2 are not applicable [16]. In this case we estimate \(N_{sample} = 2^{11}\) and \(2^{13}\) for known-plaintext differential bias attacks and chosen-ciphertext biased state attacks, respectively. We confirmed experimentally that these numbers of samples were enough for successful attacks.
References
1. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 101–119 (2001)
2. Biham, E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994)
3. Biryukov, A.: The design of a stream cipher LEX. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 67–75. Springer, Heidelberg (2007)
4. Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. J. Cryptol. 23(4), 505–518 (2010)
5. Bogdanov, A., Kizhvatov, I., Pyshkin, A.: Algebraic methods in side-channel collision attacks and practical collision detection. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 251–265. Springer, Heidelberg (2008)
6. Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E.B., Knezevic, M., Knudsen, L.R., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S.S., Yalçın, T.: PRINCE – a low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012)
7. Chow, S., Eisen, P.A., Johnson, H., van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2002)
8. Daemen, J., Rijmen, V.: The Design of Rijndael: AES – The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002)
9. Dinur, I., Shamir, A.: Side channel cube attacks on block ciphers. Cryptology ePrint Archive, Report 2009/127 (2009). http://eprint.iacr.org/
10. Dunkelman, O., Keller, N.: A new attack on the LEX stream cipher. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 539–556. Springer, Heidelberg (2008)
11. FIPS PUB 197, Advanced Encryption Standard (AES), U.S. Department of Commerce/National Institute of Standards and Technology (2001)
12. Kleinjung, T., Lenstra, A.K., Page, D., Smart, N.P.: Using the cloud to determine key strengths. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 17–39. Springer, Heidelberg (2012)
13. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
14. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
15. Mantin, I.: Predicting and distinguishing attacks on RC4 keystream generator. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 491–506. Springer, Heidelberg (2005)
16. Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002)
17. Micali, S., Reyzin, L.: Physically observable cryptography. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004)
18. De Mulder, Y.: White-box cryptography: analysis of white-box AES implementations. Ph.D. thesis, KU Leuven (2014)
19. Oren, Y., Renauld, M., Standaert, F.X., Wool, A.: Algebraic side-channel attacks beyond the Hamming weight leakage model. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 140–154. Springer, Heidelberg (2012)
20. Renauld, M., Standaert, F.X.: Representation, leakage and cipher-dependencies in algebraic side-channel attacks. In: The Proceedings of the ACNS 2010 Industrial Track (2010)
21. Renauld, M., Standaert, F.X., Veyrat-Charvillon, N.: Algebraic side-channel attacks on the AES: why time also matters in DPA. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 97–111. Springer, Heidelberg (2009)
22. Schramm, K., Wollinger, T., Paar, C.: A new class of collision attacks and its application to DES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 206–222. Springer, Heidelberg (2003)
23. Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Statistical attack on RC4. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 343–363. Springer, Heidelberg (2011)
 23.Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Statistical attack on RC4. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 343–363. Springer, Heidelberg (2011) CrossRefGoogle Scholar