
Side-channel cryptographic attacks using pseudo-boolean optimization

Application article, published in the journal Constraints.

Abstract

Symmetric block ciphers, such as the Advanced Encryption Standard (AES), are deterministic algorithms which transform plaintexts to ciphertexts using a secret key. These ciphers are designed such that it is computationally very difficult to recover the secret key if only pairs of plaintexts and ciphertexts are provided to the attacker. Constraint solvers have recently been suggested as a way of recovering the secret keys of symmetric block ciphers. To carry out such an attack, the attacker provides the solver with a set of equations describing the mathematical relationship between a known plaintext and a known ciphertext, and then attempts to solve for the unknown secret key. This approach is known to be intractable against AES unless side-channel data – information leaked from the cryptographic device due to its internal physical structure – is introduced into the equation set. A significant challenge in writing equations representing side-channel data is measurement noise. In this work we show how casting the problem as a pseudo-Boolean optimization instance provides an efficient and effective way of tolerating this noise. We describe a theoretical analysis, connecting the measurement signal-to-noise ratio and the tolerable set size of a non-optimizing solver with the success probability. We then conduct an extensive performance evaluation, comparing two optimizing variants for dealing with measurement noise to a non-optimizing method. Our best optimizing method provides a successful attack on the AES cipher which requires surprisingly little side-channel data and works in reasonable computation time. We also make available a set of AES cryptanalysis instances and provide some practical feedback on our experience of using open-source constraint solvers.


Notes

  1. It is believed that this form of attack was well known to the signals intelligence community from as early as WWII.

  2. This is not a sufficient condition – even if all leaks are recovered correctly the problem may still be under-defined or computationally intractable.

  3. It was already established in [13] that the Hamming weights leaked from an 8-bit micro-controller implementation of AES during key expansion are sufficient for full key recovery, even without any additional state information.

References

  1. http://www.msoos.org/cryptominisat2/.

  2. Achterberg, T. (2007). Constraint integer programming. PhD thesis, Berlin: Technische Universität.


  3. Akdemir, K., Dixon, M., Feghali, W., Fay, P., Gopal, V., Guilford, J., Ozturk, E., Wolrich, G., & Zohar, R. (2010). Breakthrough AES performance with Intel AES new instructions. Technical report, Intel Corporation. http://software.intel.com/file/27067.

  4. Berthold, T., Heinz, S., Pfetsch, M. E., & Winkler, M. (2009). SCIP – solving constraint integer programs SAT competitive events booklet. http://www.cril.univ-artois.fr/SAT09/solvers/booklet.pdf.

  5. Bogdanov, A., Knudsen, L. R., Leander, G., Paar, C., Poschmann, A., Robshaw, M. J. B., Seurin, Y., & Vikkelsoe, C. (2007). PRESENT: an ultra-lightweight block cipher. In CHES (pp. 450–466).

  6. Canright, D. (2005). A very compact S-box for AES. In J.R. Rao & B. Sunar (Eds.), CHES (Vol. 3659, pp. 441–455). Springer. LNCS.

  7. Courtois, N.T., & Bard, G.V. (2007). Algebraic cryptanalysis of the data encryption standard. In S.D. Galbraith (Ed.), Cryptography and coding (Vol. 4887, pp. 152–169). Berlin: Springer. Lecture Notes in Computer Science.

  8. Daemen, J., & Rijmen, V. (1998). AES proposal: Rijndael.

  9. Dawson, S. (1998). Code hopping decoder using a PIC16C56. Microchip confidential, leaked online 2002. http://read.pudn.com/downloads42/sourcecode/embed/144285/keeloq/MCSLRN/DS652B_C.PDF.

  10. Intel Corporation (2008). Intel Turbo Boost technology in Intel Core microarchitecture (Nehalem) based processors. Technical report. http://download.intel.com/design/processor/applnots/320354.pdf.

  11. Jovanović, D., & Janičić, P. (2005). Logical analysis of hash functions. In B. Gramlich (Ed.), Frontiers of combining systems (Vol. 3717, pp. 200–215). Berlin: Springer. Lecture Notes in Computer Science.

  12. Kocher, P.C., Jaffe, J., & Jun, B. (1999). Differential power analysis. In CRYPTO (pp. 388–397).

  13. Mangard, S. (2002). A simple power-analysis (SPA) attack on implementations of the AES key expansion. In P.J. Lee & C.H. Lim (Eds.), ICISC (Vol. 2587, pp. 343–358). Springer. LNCS.

  14. Mangard, S., Oswald, E., & Popp, T. (2007). Power analysis attacks: revealing the secrets of smart cards (Advances in information security). New York: Springer.


  15. Manquinho, V., & Roussel, O. (2009). Pseudo-boolean competition. http://www.cril.univ-artois.fr/PB09/.

  16. Massacci, F., & Marraro, L. (2000). Logical cryptanalysis as a SAT problem. Journal of Automated Reasoning, 24(1-2), 165–203.


  17. Menezes, A., van Oorschot, P.C., & Vanstone, S.A. (1996). Handbook of applied cryptography. CRC Press.

  18. Mironov, I., & Zhang, L. (2006). Applications of SAT solvers to cryptanalysis of hash functions. In A. Biere & C.P. Gomes (Eds.), Theory and applications of satisfiability testing - SAT 2006 (Vol. 4121, pp. 102–115). Berlin: Springer. Lecture Notes in Computer Science.

  19. Mohamed, M. S. E., Bulygin, S., Zohner, M., Heuser, A., Walter, M., & Buchmann, J. (2013). Improved algebraic side-channel attack on AES. Journal of Cryptographic Engineering, 3(3), 139–156.


  20. National Institute of Standards and Technology (2001). FIPS PUB 197: announcing the advanced encryption standard (AES). Gaithersburg: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology.

  21. National Institute of Standards and Technology (1999). FIPS PUB 46-3: data encryption standard (DES). Gaithersburg: National Institute of Standards and Technology.

  22. Oren, Y., Kirschbaum, M., Popp, T., & Wool, A. (2010). Algebraic side-channel analysis in the presence of errors. In CHES (pp. 428–442). http://iss.oy.ne.ro/TASCA.

  23. Oren, Y., Renauld, M., Standaert, F.-X., & Wool, A. (2012). Algebraic side-channel attacks beyond the Hamming weight leakage model. In P. Schaumont & E. Prouff (Eds.), Workshop on cryptographic hardware and embedded systems 2012 (CHES 2012), LNCS 7428 (pp. 140–154). Leuven, Belgium: International Association for Cryptologic Research, Springer. http://iss.oy.ne.ro/Template-TASCA.

  24. Oren, Y., Weisse, O., & Wool, A. (2013). Practical template-algebraic side channel attacks with extremely low data complexity. In Proceedings of the 2nd international workshop on hardware and architectural support for security and privacy, HASP ’13 (pp. 7:1–7:8). New York: ACM.

  25. Oren, Y., & Wool, A. (2010). TASCA-on-keeloq pseudo-boolean instances. http://iss.oy.ne.ro/TASCA/Instances.

  26. Oren, Y., & Wool, A. (2012). Template TASCA pseudo-boolean instances. http://iss.oy.ne.ro/Template-TASCA/Instances.

  27. Renauld, M., Standaert, F.-X., & Veyrat-Charvillon, N. (2009). Algebraic side-channel attacks on the AES: why time also matters in DPA. In C. Clavier & K. Gaj (Eds.), CHES (Vol. 5747, pp. 97–111). Springer. LNCS.

  28. Renauld, M., & Standaert, F.-X. (2009). Algebraic side-channel attacks. In D. Lin, J. Jing, F. Bao & M. Yung (Eds.), Information security and cryptology (INSCRYPT) (Vol. 6151, pp. 393–410). Springer. Lecture Notes in Computer Science.

  29. Satyanarayana, H. (2004). AES128 package. http://opencores.net/project,aes_crypto_core.

  30. Soos, M., Nohl, K., & Castelluccia, C. (2009). Extending SAT solvers to cryptographic problems. In O. Kullmann (Ed.), Theory and applications of satisfiability testing - SAT 2009 (Vol. 5584, pp. 244–257). Berlin: Springer. Lecture Notes in Computer Science.

  31. Zhao, X., Wang, T., Guo, S., Zhang, F., Shi, Z., Liu, H., & Wu, K. (2011). SAT based error tolerant algebraic side-channel attacks. In Conference on cryptographic algorithms and cryptographic chips (CASC2011).


Acknowledgements

The authors thank the anonymous reviewers for their detailed and helpful suggestions. The authors wish to acknowledge Mario Kirschbaum, Thomas Popp, Mathieu Renauld and Francois-Xavier Standaert for their contributions to this research.

Author information

Correspondence to Yossef Oren.

Appendix: A sample TASCA instance

The appendix demonstrates some of the equations used in a TASCA attack on AES with set size k = 3, following the notation introduced in Subsection 5.1. We show a sample of the goal function, the plaintext assignment, the round functions and the measurement equations. The equations are given in the OPB format supported by the SCIP solver [4]. Full instances can be downloaded from our website at [26].

figure a
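To make the measurement equations concrete, here is an added Python example (not the paper's code: the two OPB encodings are my own assumptions about how a set-size-k constraint and an optimizing goal function can be written, and `satisfied` is a deliberately minimal evaluator for only the lines this block emits). It encodes one noisy Hamming-weight leak of an 8-bit intermediate both ways and brute-forces what each encoding still admits, which is where the noise tolerance of the optimizing form shows up.

```python
from itertools import product

BITS = 8  # one AES intermediate byte; its bits are named <prefix>0 .. <prefix>7

def lin(prefix, coef=1):
    # "+1 x0 +1 x1 ... +1 x7": the Hamming weight of x as an OPB linear term
    return " ".join(f"{coef:+d} {prefix}{i}" for i in range(BITS))

def set_constraints(prefix, h, k):
    # Non-optimizing encoding (assumed here): the measured weight h is trusted
    # only up to a window of k consecutive weights, i.e. h-r <= HW(x) <= h+r.
    r = k // 2
    return [f"{lin(prefix)} >= {max(0, h - r)};",
            f"{lin(prefix, -1)} >= {-min(BITS, h + r)};"]

def optimizing_instance(prefix, h, max_err=2):
    # Optimizing encoding (illustrative, not the paper's exact variant): slack
    # bits absorb up to max_err units of error in each direction, and the goal
    # function asks the solver to explain the leak with as few of them as possible.
    up = [f"{prefix}_up{j}" for j in range(max_err)]
    dn = [f"{prefix}_dn{j}" for j in range(max_err)]
    lhs = " ".join([lin(prefix)] + [f"-1 {v}" for v in up] + [f"+1 {v}" for v in dn])
    goal = "min: " + " ".join(f"+1 {v}" for v in up + dn) + ";"
    return goal, [f"{lhs} = {h};"]

def satisfied(line, assign):
    # Minimal evaluator for the OPB lines emitted above: "c1 v1 c2 v2 ... op rhs;"
    lhs, op, rhs = line.rstrip(";").rsplit(None, 2)
    tok = lhs.split()
    total = sum(int(c) * assign.get(v, 0) for c, v in zip(tok[::2], tok[1::2]))
    return total >= int(rhs) if op == ">=" else total == int(rhs)

def bits(prefix, x):
    return {f"{prefix}{i}": (x >> i) & 1 for i in range(BITS)}

def admitted_bytes(h, k):
    # Every byte value a set-size-k solver is still free to assign to x.
    cons = set_constraints("x", h, k)
    return {x for x in range(256) if all(satisfied(c, bits("x", x)) for c in cons)}

def min_error(x, h, max_err=2):
    # Smallest goal value under which byte x is consistent with leak h, or None
    # when the slack budget cannot absorb the deviation (brute force over slack).
    goal, cons = optimizing_instance("x", h, max_err)
    slack = goal[len("min: "):-1].split()[1::2]
    costs = [sum(v) for v in product((0, 1), repeat=len(slack))
             if all(satisfied(c, {**bits("x", x), **dict(zip(slack, v))}) for c in cons)]
    return min(costs) if costs else None
```

With k = 3 the set constraints admit exactly the bytes whose weight lies in {h-1, h, h+1}; the optimizing instance admits any byte within the slack budget but charges the goal function for each unit of deviation, which is what lets a solver prefer the key hypothesis that explains the leaks with the least assumed noise.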

Cite this article

Oren, Y., Wool, A. Side-channel cryptographic attacks using pseudo-boolean optimization. Constraints 21, 616–645 (2016). https://doi.org/10.1007/s10601-015-9237-3
