Abstract
A side-channel cube attack (SCCA) is mounted when an adversary can obtain some information about the internal state of a cipher. From a set of chosen plaintexts called a cube, the adversary derives a system of linear equations and recovers the secret key by solving it. Error tolerance is a challenging problem in SCCA. To recover the secret key from likelihoods in an error-prone environment, we propose SCCA with key enumeration (SCCA-KE). Precise likelihoods are computed to obtain candidate lists for each sub-key, and an optimal list of candidates for the complete key is generated by key enumeration. We then propose an evaluation method for SCCA-KE that combines an information-theoretic evaluation with an experimental evaluation by rank estimation. We apply the proposed method to PRESENT and derive conditions required to thwart SCCA-KE under realistic assumptions. With this evaluation method, countermeasures can be designed with a sufficient security margin.
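The following Python is an added example, not code from the paper: a toy cube attack on a constructed 4-bit polynomial f that stands in for the leaked internal-state bit (f, the cubes, the secret key and the error model are all constructed for this illustration). It shows superpoly extraction by cube summation, the linearity test that discards non-linear superpolies, offline recovery of each linear superpoly's coefficients, online solution of the resulting GF(2) system, and, with one observed leakage bit flipped, how a single wrong bit yields a consistent-looking but wrong key, which is the error-tolerance problem that motivates likelihood-based recovery with key enumeration.

```python
"""Toy cube attack on a constructed Boolean polynomial over GF(2).

f below stands in for an internal-state bit that an SCCA adversary can observe;
it is constructed for this example and is not a real cipher.
"""
from itertools import product

N_PUB, N_KEY = 4, 4          # public (plaintext) bits v0..v3, secret key bits k0..k3


def f(v, k):
    """Constructed target polynomial: one output bit from public bits v and key bits k."""
    v0, v1, v2, v3 = v
    k0, k1, k2, k3 = k
    return ((v0 & v1 & (k0 ^ k1 ^ 1)) ^ (v0 & v1 & v2 & k2) ^ (v2 & k0 & k1)
            ^ v3 ^ (v3 & k0) ^ (v1 & k3) ^ (k0 & k3))


def cube_sum(cube, k, oracle=f):
    """XOR of oracle outputs over all 2^|cube| assignments of the cube variables,
    every other public variable fixed to 0. This equals the superpoly p_I(k)."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * N_PUB
        for idx, b in zip(cube, bits):
            v[idx] = b
        acc ^= oracle(v, k)
    return acc


def is_linear(cube):
    """Linearity test on the superpoly: p(x) ^ p(y) ^ p(0) == p(x ^ y).
    The real attack samples random (x, y) pairs (BLR test); with 4 key bits
    every pair can be checked exhaustively."""
    zero = [0] * N_KEY
    p0 = cube_sum(cube, zero)
    keys = [list(bits) for bits in product((0, 1), repeat=N_KEY)]
    for x in keys:
        for y in keys:
            xy = [a ^ b for a, b in zip(x, y)]
            if cube_sum(cube, x) ^ cube_sum(cube, y) ^ p0 != cube_sum(cube, xy):
                return False
    return True


def linear_superpoly(cube):
    """Preprocessing (attacker's own device, attacker-chosen keys):
    recover a_0 and a_i in p_I(k) = a_0 + a_1 k_0 + ... + a_4 k_3."""
    zero = [0] * N_KEY
    a0 = cube_sum(cube, zero)
    coeffs = []
    for i in range(N_KEY):
        unit = [0] * N_KEY
        unit[i] = 1
        coeffs.append(cube_sum(cube, unit) ^ a0)
    return coeffs, a0


def solve_gf2(rows, n):
    """Gaussian elimination over GF(2). rows = [(coeffs, rhs)]; returns the unique
    solution, or None if the system is inconsistent or underdetermined."""
    m = [list(c) + [r] for c, r in rows]
    pivot_cols, rank = [], 0
    for col in range(n):
        piv = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                m[r] = [a ^ b for a, b in zip(m[r], m[rank])]
        pivot_cols.append(col)
        rank += 1
    if any(m[r][n] for r in range(rank, len(m))) or len(pivot_cols) < n:
        return None
    sol = [0] * n
    for i, col in enumerate(pivot_cols):
        sol[col] = m[i][n]
    return sol


def recover_key(secret, cubes, oracle=f):
    """Online phase: each linear cube is summed once against the device holding the
    unknown key; the observed cube sum gives one GF(2) equation."""
    rows = []
    for cube in cubes:
        if not is_linear(cube):            # non-linear superpolies are discarded
            continue
        coeffs, a0 = linear_superpoly(cube)
        rows.append((coeffs, cube_sum(cube, secret, oracle) ^ a0))
    return solve_gf2(rows, N_KEY)


def flip_one_leak(v, k):
    """Constructed error model: the leakage bit for the single query v=(0,0,0,1) is read wrongly."""
    return f(v, k) ^ (1 if v == [0, 0, 0, 1] else 0)


CUBES = [[0, 1], [0, 1, 2], [1], [3], [2]]   # candidate cubes; [2] has a non-linear superpoly

if __name__ == "__main__":
    secret = [1, 0, 1, 1]
    print("error-free leakage:", recover_key(secret, CUBES))
    print("one flipped leak  :", recover_key(secret, CUBES, oracle=flip_one_leak))
```

With error-free leakage the four linear cubes give k0+k1+1, k2, k3 and k0+1, and the system returns the secret key. The flipped bit lands in the cube {v3}, so only the equation for k0 is wrong; elimination still succeeds and returns a different key, which is why a plain equation solver cannot detect errors and the paper instead scores candidates by likelihood.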
References
Abdul-Latip, S.F., Reyhanitabar, M.R., Susilo, W., Seberry, J.: On the security of NOEKEON against side channel cube attacks. In: Kwak, J., Deng, R.H., Won, Y., Wang, G. (eds.) ISPEC 2010. LNCS, vol. 6047, pp. 45–55. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12827-1_4
Arikan, E.: An inequality on guessing and its application to sequential decoding. IEEE Trans. Inf. Theor. 42(1), 99–105 (1996)
Bellare, M., Coppersmith, D., Hastad, J., Kiwi, M., Sudan, M.: Linearity testing in characteristic two. IEEE Trans. Inf. Theor. 42(6), 1781–1795 (1996)
Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31
Bogdanov, A., Kizhvatov, I., Manzoor, K., Tischhauser, E., Witteman, M.: Fast and memory-efficient key recovery in side-channel attacks. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 310–327. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31301-6_19
David, L., Wool, A.: A bounded-space near-optimal key enumeration algorithm for multi-dimensional side-channel attacks. IACR Cryptology ePrint Archive 2015, 1236 (2015)
Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_16
Dinur, I., Shamir, A.: Side channel cube attacks on block ciphers. IACR Cryptology ePrint Archive 2009, 127 (2009)
Faisal, S., Reza, M., Susilo, W., Seberry, J.: Extended cubes: enhancing the cube attack by extracting low-degree non-linear equations (2011)
Glowacz, C., Grosso, V., Poussier, R., Schüth, J., Standaert, F.-X.: Simpler and more efficient rank estimation for side-channel security assessment. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 117–129. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_6
Islam, S., Afzal, M., Rashdi, A.: On the security of LBlock against the cube attack and side channel cube attack. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES 2013. LNCS, vol. 8128, pp. 105–121. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40588-4_8
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_25
Köpf, B., Basin, D.: An information-theoretic model for adaptive side-channel attacks. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 286–296. ACM (2007)
Li, Z., Zhang, B., Fan, J., Verbauwhede, I.: A new model for error-tolerant side-channel cube attacks. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 453–470. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_26
MacKay, D.J.: Information Theory, Inference and Learning Algorithms. Cambridge University Press, Cambridge (2003)
Manzoor, K., et al.: Efficient practical key recovery for side-channel attacks. Master’s thesis, Aalto University, June 2014. http://cse.aalto.fi/en/personnel/antti-yla-jaaski/msc-thesis/2014-msc-kamran-manzoor.pdf
Martin, D.P., O’Connell, J.F., Oswald, E., Stam, M.: Counting keys in parallel after a side channel attack. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 313–337. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_13
Massey, J.L.: Guessing and entropy. In: Proceedings of the 1994 IEEE International Symposium on Information Theory, p. 204. IEEE (1994)
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_33
Poussier, R., Standaert, F.-X., Grosso, V.: Simple key enumeration (and rank estimation) using histograms: an integrated approach. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 61–81. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_4
Renauld, M., Standaert, F.-X.: Algebraic side-channel attacks. In: Bao, F., Yung, M., Lin, D., Jing, J. (eds.) Inscrypt 2009. LNCS, vol. 6151, pp. 393–410. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16342-5_29
Siegenthaler, T.: Decrypting a class of stream ciphers using ciphertext only. IEEE Trans. Comput. 34(1), 81–85 (1985)
Standaert, F.-X., Malkin, T.G., Yung, M.: A unified framework for the analysis of side-channel key recovery attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 443–461. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_26
Veyrat-Charvillon, N., Gérard, B., Renauld, M., Standaert, F.-X.: An optimal key enumeration algorithm and its application to side-channel attacks. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 390–406. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35999-6_25
Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Security evaluations beyond computing power. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 126–141. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_8
Veyrat-Charvillon, N., Gérard, B., Standaert, F.-X.: Soft analytical side-channel attacks. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 282–296. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_15
Xinjie, Z., Shize, G., Zhang, F., Tao, W., Zhijie, S., Hao, L.: Enhanced side-channel cube attacks on PRESENT. IEICE Trans. Fundam. Electron., Commun. Comput. Sci. 96(1), 332–339 (2013)
Yang, L., Wang, M., Qiao, S.: Side channel cube attack on PRESENT. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 379–391. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10433-6_25
Zhao, X.j., Wang, T., Guo, S.: Improved side channel cube attacks on PRESENT. IACR Cryptology ePrint Archive 2011, 165 (2011)
Acknowledgment
This work was supported by JSPS KAKENHI Grant Number 17K0645.
Appendices
A Intuitive explanation for the observation
If a linear equation involves many variables, it shares variables with other equations and \(n^j\) becomes large. In the early rounds, every superpoly contains only a few secret-key variables, since the key variables have not yet diffused. In later rounds, the number of secret-key variables in each superpoly increases, but superpolies with many secret-key variables tend to be non-linear in those rounds. Therefore, the number of secret-key variables in each linear equation is small in every round, and \(n^j\) tends to be small.
B Rank estimation algorithm of [10]
Algorithm 3 shows the rank-estimation algorithm, which outputs an estimated rank. The convolution step performs \(t_{re}\) additions:
There is an estimation error caused by the convolution of histograms; however, the rank is lower bounded by \(\sum _{b=b^\psi +\lceil \eta /2 \rceil }^{\eta \times n_{bin}-(\eta -1) } {\mathsf {H}_{1:\eta }(b)}\) and upper bounded by \(\sum _{b=b^\psi -\lceil \eta /2 \rceil }^{\eta \times n_{bin}-(\eta -1) } {\mathsf {H}_{1:\eta }(b)}\).
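As an added example (not code from this paper or from [10]), the following Python implements the histogram convolution and the two bounds above. Its assumptions: score lists are constructed (a hand-checkable case plus simulated log-likelihood scores with Gaussian noise); bins are indexed from 0, so the last bin is \(\eta (n_{bin}-1)\) rather than \(\eta \times n_{bin}-(\eta -1)\); each score is rounded to the nearest bin centre; and \(b^\psi\) is taken as the bin of the correct key's exact summed score, which the page does not define. In the two-sub-key case the correct key scores 4.0, seven of the sixteen keys score higher, and the bounds come out as 7 ≤ 7 ≤ 10.

```python
"""Histogram-based rank estimation with the bounds of Appendix B (constructed example)."""
import math
import random
from itertools import product


def bin_grid(scores, n_bin):
    """Common bin grid for all sub-key lists: n_bin bins whose centres span
    [min, max] of all scores. lo is the centre of bin 0, w the bin width."""
    lo = min(min(s) for s in scores)
    hi = max(max(s) for s in scores)
    return lo, (hi - lo) / (n_bin - 1)


def histogram(sub_scores, lo, w, n_bin):
    """H_j(b): number of candidates for sub-key j whose score rounds to bin b."""
    h = [0] * n_bin
    for s in sub_scores:
        h[round((s - lo) / w)] += 1
    return h


def convolve(h1, h2):
    """H(b) = sum_i h1(i) * h2(b - i): bin counts of summed scores."""
    out = [0] * (len(h1) + len(h2) - 1)
    for i, a in enumerate(h1):
        if a:
            for j, c in enumerate(h2):
                out[i + j] += a * c
    return out


def rank_bounds(scores, correct, n_bin):
    """Rank estimate for the key `correct` (one candidate index per sub-key) with the
    lower/upper bounds of Appendix B. Returns (lower, estimate, upper)."""
    eta = len(scores)
    lo, w = bin_grid(scores, n_bin)
    h = histogram(scores[0], lo, w, n_bin)
    for j in range(1, eta):                      # eta - 1 convolutions
        h = convolve(h, histogram(scores[j], lo, w, n_bin))
    n_full = eta * n_bin - (eta - 1)             # number of bins in H_{1:eta}
    assert len(h) == n_full
    # b_psi: bin of the correct key's exact summed score (assumption of this example)
    s_key = sum(scores[j][c] for j, c in enumerate(correct))
    b_psi = round((s_key - eta * lo) / w)
    half = math.ceil(eta / 2)
    estimate = sum(h[b_psi + 1:n_full])          # keys in strictly higher bins
    lower = sum(h[b_psi + half:n_full])
    upper = sum(h[max(b_psi - half, 0):n_full])
    return lower, estimate, upper


def exact_rank(scores, correct):
    """Brute force (feasible only for tiny keys): keys with strictly larger summed score."""
    s_key = sum(scores[j][c] for j, c in enumerate(correct))
    return sum(1 for key in product(*[range(len(s)) for s in scores])
               if sum(scores[j][c] for j, c in enumerate(key)) > s_key)


def bounds_hold(scores, correct, n_bin):
    """True if the brute-force rank lies inside the histogram bounds."""
    lower, _, upper = rank_bounds(scores, correct, n_bin)
    return lower <= exact_rank(scores, correct) <= upper


def simulate_scores(eta, n_bits, bias, seed):
    """Constructed score lists: N(0,1) noise for every candidate of every sub-key,
    the correct candidate shifted by `bias` (stands in for a log-likelihood)."""
    rng = random.Random(seed)
    correct = tuple(rng.randrange(2 ** n_bits) for _ in range(eta))
    scores = [[rng.gauss(0.0, 1.0) + (bias if c == correct[j] else 0.0)
               for c in range(2 ** n_bits)] for j in range(eta)]
    return scores, correct


# Hand-checkable case: two 2-bit sub-keys, 9 bins of width 0.5.
TOY_SCORES = [[0.0, 1.0, 2.5, 4.0], [0.5, 1.5, 3.0, 3.5]]
TOY_CORRECT = (2, 1)          # summed score 4.0; 7 of the 16 keys score higher

if __name__ == "__main__":
    print(rank_bounds(TOY_SCORES, TOY_CORRECT, n_bin=9), exact_rank(TOY_SCORES, TOY_CORRECT))
    scores, correct = simulate_scores(eta=3, n_bits=4, bias=1.0, seed=7)
    print(rank_bounds(scores, correct, n_bin=64), exact_rank(scores, correct))
```

With rounding to the nearest bin centre, each summed candidate score is off by at most \(\eta w/2\) and the correct key's own bin by at most \(w/2\), so for odd \(\eta\) every key in a bin at least \(\lceil \eta /2 \rceil\) above \(b^\psi\) really does outrank the key and every key that outranks it sits no lower than \(b^\psi - \lceil \eta /2 \rceil\); the simulated three-sub-key run exercises exactly that case, and `bounds_hold` checks it against brute force.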
C Proof for Proposition 1
A lower bound on the guessing entropy can be computed for each sub-system.
Note that we assume a uniform prior distribution (\(Pr[\mathbf {k}_j]=2^{-n_j}\), \(Pr[\mathbf {rk}]=2^{-n'}\)). Then we can simplify \(LG_j\) by expanding the squared term as follows.
In the last rearrangement we keep only those products of probabilities for which \(x_{j,i}^{o} \ne x_{j,i}^{o'}\), since the product is always 1 when \(x_{j,i}^{o} = x_{j,i}^{o'}\). When \(o=o'\) the product is always 1, and there are \(2^{n_j}\) such pairs of identical candidates; hence the term \(2^{n_j}\cdot 2^{-n_j}=1\) is added at the end. \(\square \)
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Kosuge, H., Tanaka, H. (2019). Theoretical Security Evaluation Against Side-Channel Cube Attack with Key Enumeration. In: Lange, T., Dunkelman, O. (eds.) Progress in Cryptology – LATINCRYPT 2017. LATINCRYPT 2017. Lecture Notes in Computer Science, vol. 11368. Springer, Cham. https://doi.org/10.1007/978-3-030-25283-0_8
DOI: https://doi.org/10.1007/978-3-030-25283-0_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25282-3
Online ISBN: 978-3-030-25283-0