
A comprehensive study of multiple deductions-based algebraic trace driven cache attacks on AES

01 Nov 2013-Computers & Security (Elsevier)-Vol. 39, pp 173-189
TL;DR: A mathematical model is constructed to estimate the maximal number of leakage rounds that can be utilized and the minimal number of cache traces required for a successful MDATDCA on AES and attests that combining TDCAs with algebraic techniques is a very efficient way to improve cache attacks.
About: This article is published in Computers & Security. The article was published on 2013-11-01 and is currently open access. It has received 5 citations so far. The article focuses on the topics: AES implementations & Cache.

Summary

1. Introduction

  • Cache attacks are a class of side-channel attacks (SCAs) that extract secrets from the behavior of the cache in processors.
  • Under an error-free attack scenario, the number of cache traces required to attack AES implemented with a compact lookup table of 256 bytes can be reduced to only five.
  • Section 2 describes the notations used throughout the paper.

2. Notation

  • Throughout the paper, P denotes the public variable (plaintext or ciphertext) and K denotes the targeted secret variable (the master key or equivalent key).
  • Suppose each entry in the table has 2^e bytes and each cache line has 2^δ bytes.
  • Assume qt is the t-th targeted cache event in TDCA and yt denotes the related table lookup index.

3. The TDCA Problem

  • The goal of TDCA is to extract the value of all ki in K (the secret key) from the knowledge of the pi (known public variables) and qj (cache events).
  • Suppose the cache contains no data from the table before each encryption.
  • Otherwise, the assignment is an incorrect guess.
  • In TDCA, the adversary can analyze different table lookups and traces until the search space of K is reduced to a level where a brute-force attack is feasible.

4.1. AES implementations

  • All the AES implementations can be categorized into three types based on (1) gt, the number of the lookup tables; (2) gs, the size of the lookup tables; (3) gl, the number of lookups in one round that access the same table; (4) gc, the size of the cache line, where gc = 2^δ.
  • Note that the scope of this paper is about AES implementations that use one or more lookup tables for the sole S-Box, and not the lookup tables for the field multiplication in the MixColumns operation of AES [8].
  • Recall b is the number of bits revealed from one table lookup.

4.2. TDCA on AES of Type A

  • To further reduce the key search space and the number of plaintexts (or power traces) required, attacks in [8, 9, 10] also utilized some cache events in the second round.
  • In [8], equations are generated only from the cache hits as shown in Eq.(3).
  • To improve the attack, the work in [8] also considered the case where the first two lookups in the second round (q16 and q17) are cache hits.
  • The result in [8] is that 1280 chosen plaintexts are required to reduce the key search space to 2^24.

4.3. TDCA on AES of Type B

  • Acıiçmez [4] presented the first TDCA on AES for such implementations, in which four lookup tables are used for each round and each is accessed four times.
  • More key bits can be derived via the analysis of the second round.
  • Acıiçmez [4] also pointed out that TDCA on the third or deeper rounds was an open problem.

4.4. TDCA on AES of Type C

  • The work in [5, 7] showed that under Type C implementations, TDCA on the final round of AES is much more effective than in the first round.
  • In the last round, however, f_t(·) becomes a complicated nonlinear function.

4.5. Limitation of previous TDCAs

  • Moreover, all current TDCA works are for AES-128.
  • As to AES with longer key lengths (e.g., AES-192 and AES-256), the key expansion algorithms become more complicated and the first 20 lookups only leak partial bits of the master key.
  • The manual representation of table indexes is awkward.
  • Combining algebraic techniques with TDCA seems to be interesting and promising.

5. MDASCA-based Trace Driven Cache Attacks (MDATDCAs)

  • In TDCA, the key issue is to obtain the cache events related to table lookups and to represent the possible (and/or impossible) candidates of lookup indexes with equations.
  • The work in [18] proposes a generic method to convert the multiple deductions into algebraic equations and applies it to TDCA.
  • Finally, the secret key is recovered by solving the whole equation system [21, 22].
  • More details about MDASCA can be found in [18].
  • Next, the authors will describe the core of MDATDCA, which is to represent cache hit and miss events with algebraic equations.

5.2. Representing a cache miss

  • Eji is also introduced as in Section 5.1.
  • They can be easily fed into a solver, e.g., the SAT solver CryptoMiniSAT [22], to recover the key.

6. Evaluation of MDATDCAs on AES

  • For simplicity, this section only estimates the number of rounds that can be exploited, and the number of cache traces required in MDATDCAs on AES-128 under the error-free attack scenario, where the cache does not contain any AES data prior to each encryption.
  • Extending these estimations to AES-192/256 is straightforward.

6.1. The Number of rounds that can be exploited

  • For convenience, D is used to denote the set of cache lines that will be filled up with data from lookup tables.
  • As long as D is not filled up, there may exist some cache misses (before qt) that can be used for key recovery.
  • For Type C, all the 16 lookups in the last round can be used for key recovery.

6.2. The Number of cache traces required

  • The work in [18] presents a preliminary study of estimating the minimal number of cache traces required in TDCA.
  • The authors introduce four metrics and adopt the information-theoretic approach to optimize the estimations on the minimal number of cache traces required for a successful MDATDCA.
  • Note that there are some intersections among the Kt for different table lookups in practice, thus σi satisfies $\sigma_i \le \sum_{z=16i}^{16i+15} \pi_z$ (12).
  • (4) τi: the maximal number of key bits recovered in the i-th round. Let τ0, τ1, and τ9 denote the maximal number of key bits recovered in the first, second and last round.
  • As τ0 bits are recovered in the first round, the authors only need to recover the remaining 128-τ0 bits in the second round.

7. Experiment Setup

  • The overall process of MDATDCA has been described in Section 5.
  • Due to the page limit, here the authors only list a few important details about the setup.
  • Each case is repeated many times; the repetitions are referred to as instances.

7.1. Build the AES equation set

  • How to represent the S-Box is the most difficult part in algebraic analysis.
  • The authors adopt the technique in [23] to derive every S-Box output bit with high-degree equations (degree 7) from the eight S-Box input bits.

7.2. Profile the cache traces

  • This paper mainly focuses on the analysis part of MDATDCAs.
  • This can be achieved by modifying the AES source code in OpenSSL and generating the sequences of cache events under different configurations.
  • To demonstrate the feasibility of MDATDCA, in Section 9 the authors conduct concrete MDATDCA experiments against AES implemented with a 256-byte compact table on the 32-bit ARM microprocessor NXP LPC2124.
  • In practice, the cache hits and misses are not always distinguishable from the EM traces, which are treated as uncertain cache events or errors.

7.3. Utilize the cache traces

  • The authors build additional equations from the generated cache events.
  • In order to verify these multiple solutions, the authors append a set of new equations that describe a full AES encryption with a pair of known plaintext and ciphertext.
  • Some instances cannot be solved within a day.
  • To accelerate the solving process, the authors guess nk key bits first and run an exhaustive search over all the 2^nk guesses.
  • If the guess is correct, the solver can output the correct key within a reasonable amount of time.

7.4. Solve the equation system

  • Many automatic tools can be used, such as Gröbner basis-based [21], or SAT-based solver [22].
  • In Section 8, 9, and 10, three case studies are performed in MDATDCA on AES-128 considering different attack scenarios.

8. Case 1: Error-free MDATDCAs on AES

  • The authors conduct MDATDCA on AES under two assumptions.
  • The first is that the cache does not contain any AES data prior to each encryption.
  • The second is that the adversary can distinguish the cache miss event from the cache hit event precisely.

8.1. Data and time complexity

  • For each case, the authors run 100 instances where the correct values of the nk key bits are fed into the equation set first.
  • Fig. 6(a)-6(i) show the distribution of the different solving times (in seconds) for the nine cases by analyzing N cache traces.
  • Similar observations are also reported in [14, 15].
  • The time required in attacking AES for Type A and Type C is less than for Type B.
  • If the adversary has more computation power, the attack may require fewer cache traces.

8.2. Overhead for the equation system

  • The original AES with r rounds can be represented with a set of equations.
  • Suppose the number of equations and variables needed to represent this set are N^r_e and N^r_v respectively.
  • For the lookup qt, the overhead introduced can be calculated as in Section 5.1 and 5.2.
  • The ratios M^r_e / N^r_e and M^r_v / N^r_v are denoted as EQ^r and VA^r respectively.

8.3. Comparisons with previous work

  • The comparisons of MDATDCAs with previous work are listed in Table 3.
  • The first three columns describe the AES implementations.
  • The next three columns list the attacks, and the number of traces and rounds that are required.
  • The last column lists the reduced key search space.
  • The authors can see that MDATDCAs perform better than all previous work in terms of both data and time complexity.

9. Case 2: Error-tolerant MDATDCAs on AES

  • Similar to [10], the authors implemented unprotected AES software implementations on a 32-bit ARM microprocessor NXP LPC2124 and profiled the cache collisions via EM probe.
  • The authors reset the cache to clear the AES data prior to each encryption.
  • The acquisition was performed with Langer RF-B 3-2 probe, Langer PA303N 30 dB preamplifier and Tektronix DPO 4104 oscilloscope.
  • For some table lookups, it is hard to tell whether they are cache miss or hit because the peak is not high enough.
  • Next, the authors describe the error-tolerant strategy and present the experimental results on AES.

9.1. Error tolerance strategy

  • In the attack, the authors set two thresholds on the amplitude peak value to deduce the cache events: the upper bound threshold VM and the lower bound threshold VH.
  • The authors adopt the following strategy to analyze each cache event.
  • If qt is a hit: then D, the possible deduction set of d(〈yt〉b), is composed of the index set related to both previous cache miss events and uncertain cache events.
  • Thus, the set size sp is much larger than the one in error-free MDATDCA.
  • Note that as some uncertain cache events might be cache hits in reality, there might exist two or more deductions which are both equal to d.
  • If qt is a miss: then the impossible deduction set of d(〈yt〉b) is only composed of the index set related to previous cache miss events.
  • Note that as some cache miss events in practice may be considered as uncertain cache events, the set size sn is much smaller than the one in error-free MDATDCA.
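As an added example (not the paper's code), the following Python models the event deductions of Sections 3, 5 and 9.1 for one 256-byte table: it replays a guessed key against a cache trace, shrinks the key space by brute force where the paper would use a SAT solver, and shows how misses that become uncertain events enlarge the possible deduction set. The cache geometry (16-byte lines), key bytes, chosen plaintexts and thresholds are constructed assumptions.

```python
"""Toy model of the cache-event constraints behind trace-driven cache
attacks (TDCA) on a 256-byte AES S-box table, first round only.
Added example, not code from the paper: the cache geometry, key bytes,
plaintexts and EM amplitudes below are constructed for illustration."""
from itertools import product

E = 0               # each table entry has 2^E bytes (1-byte compact table)
DELTA = 4           # each cache line has 2^DELTA bytes (assumed 16 bytes)
B = 8 + E - DELTA   # bits of the lookup index y revealed by its cache line
SHIFT = 8 - B       # <y>_b = y >> SHIFT

def line_of(index):
    """Cache line <y>_b (the high B bits) touched by table index y."""
    return index >> SHIFT

def simulate_events(key, plaintext, n_lookups):
    """Error-free oracle: first-round indices are y_t = p_t XOR k_t; the
    cache holds no table data beforehand, so lookup t is a hit iff its
    line was already touched by an earlier lookup of this encryption."""
    seen, events = set(), []
    for t in range(n_lookups):
        line = line_of(plaintext[t] ^ key[t])
        events.append("H" if line in seen else "M")
        seen.add(line)
    return events

def classify(peak, v_h, v_m):
    """Error-tolerant deduction from an EM peak with two thresholds:
    peak >= V_M -> miss, peak <= V_H -> hit, anything between -> uncertain."""
    if peak >= v_m:
        return "M"
    return "H" if peak <= v_h else "U"

def consistent(hi_bits, plaintext, events):
    """The TDCA consistency check for one trace under a guess of the high
    B bits of each key byte. A hit must land on a line of a previous miss
    (or uncertain) lookup, the possible deduction set; a miss must avoid
    the lines of previous misses, the impossible deduction set; an
    uncertain event only enlarges the possible set and constrains nothing."""
    miss_lines, unc_lines = set(), set()
    for t, ev in enumerate(events):
        line = line_of(plaintext[t]) ^ hi_bits[t]   # == (p_t XOR k_t) >> SHIFT
        if ev == "H":
            if line not in miss_lines and line not in unc_lines:
                return False
        elif ev == "M":
            if line in miss_lines:
                return False
            miss_lines.add(line)
        else:
            unc_lines.add(line)
    return True

def reduce_keyspace(traces, n_lookups):
    """Brute-force every guess of the high bits of the first n_lookups key
    bytes against all traces (the paper hands this job to a SAT solver)."""
    cands = list(product(range(1 << B), repeat=n_lookups))
    for plaintext, events in traces:
        cands = [c for c in cands if consistent(c, plaintext, events)]
    return cands

def chosen_plaintext_traces(key, n_lookups=4):
    """Constructed chosen plaintexts: lookup 0 always misses, and lookup 1
    hits exactly when <p_1>_b equals <k_0>_b XOR <k_1>_b, so 2^B traces
    pin that relation and the later lookups add further constraints."""
    traces = []
    for v in range(1 << B):
        p = [0x00, v << SHIFT] + [0x00] * (n_lookups - 2)
        traces.append((p, simulate_events(key, p, n_lookups)))
    return traces

def degrade(events):
    """Constructed error model: misses at odd lookup positions fall
    between the two thresholds and are recorded as uncertain events."""
    return ["U" if ev == "M" and t % 2 else ev for t, ev in enumerate(events)]

if __name__ == "__main__":
    KEY = [0x3C, 0xA7, 0x31, 0xF0]        # constructed first four key bytes
    traces = chosen_plaintext_traces(KEY)
    exact = reduce_keyspace(traces, 4)
    tolerant = reduce_keyspace([(p, degrade(e)) for p, e in traces], 4)
    print("error-free candidates:", len(exact), "error-tolerant:", len(tolerant))
```

With these chosen plaintexts 16 guesses remain consistent (only relations between cache lines are observed, so the high nibble of k0 itself is never fixed), and 32 once the odd-position misses become uncertain.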

9.2. Experimental results and comparisons

  • The extensions to other cases are straightforward.
  • In practice, the error rate is about 40%.
  • Only 12 cache traces are required to break AES.
  • The authors can see that their error-tolerant MDATDCA can analyze the cache events of the first three rounds and requires fewer cache traces than [10].

10. Case 3: MDATDCAs on AES with Preloaded Cache

  • The MDATDCAs in Section 8 and 9 are all conducted assuming the cache is cleaned before the attack.
  • In practice, the cache might be partially filled with some lines of the lookup table, which is also known as TDCA in the partially preloaded cache scenario and is widely studied in previous work [7, 9, 10].
  • This section presents the cache analysis strategy and experimental results of MDATDCAs on AES with partially preloaded cache.

10.1. Cache analysis strategy

  • Under this scenario, since some lines of the AES lookup table are already in the cache, more cache hit events can be observed in a single cache trace in practice.
  • Then, the cache hits that occur may correspond to preloaded lines, and no valuable information can be provided to the attack.
  • The authors utilized the cache miss events in their MDATDCA on AES.

10.2. Experimental results and comparisons

  • The comparisons of their results with previous work are depicted in Table 5.
  • The authors can see that, under the partially preloaded cache scenario, fewer cache traces are required to break AES by MDATDCA than in [10].
  • Even when ten of sixteen cache lines are preloaded into cache before the AES encryption, MDATDCA can still succeed within 120 cache traces, which is better than eight preloaded cache lines reported in [10].

11.1. Different difficulties in TDCAs on AES-128/192/256

  • All previous TDCA work targets AES-128 and can at most analyze 16 lookups in the first round and first 4 lookups in the second round.
  • Let P denote the plaintext, K0, K1, K2 be the round keys of the first three rounds, and X1, X2 be the outputs of the first two rounds (f(·) is the round function).
  • The key leakages in TDCA on AES-128 are depicted in Fig.9.
  • Such an advantage does not exist when attacking AES-192 and AES-256, in which the key expansion algorithm is much more complicated and the second round key has little (e.g., AES-192) or no relation (e.g., AES-256) to the first round key.
  • Next, the authors show why and how MDATDCA can be used to attack AES-192 and AES-256.

11.2. MDATDCA on AES-192

  • In total 144 key bits can be retrieved, which reduces the search space of the master key to 2^48.
  • The authors can see that, in order to recover the full 192 bits of the master key, three rounds of cache leakages have to be analyzed, which can be done with MDATDCA.
  • The authors show that 10 cache traces can recover the AES key successfully within minutes on average under the known plaintext and error-free scenario for the full attack.

11.3. MDATDCA on AES-256

  • In total 144 key bits can be retrieved, which reduces the search space of the master key to 2^112.
  • According to the key schedule of AES-256, the master key is just the concatenation of K0 and K1.
  • To break AES-256, analyzing at least the cache events of the first 3 rounds has to be considered and MDATDCA works well for this.
  • The authors show that 15 cache traces can recover the AES key within 30 minutes on average under the known plaintext and error-free scenario for the full attack.


Citations
Journal ArticleDOI
TL;DR: The results show that the proposed version of AES is better in withstanding attacks and compared with the original AES based upon some parameters such as nonlinearity, resiliency, balancedness, propagation characteristics, and immunity.
Abstract: Advanced Encryption Standard (AES) is a standard algorithm for block ciphers for providing security services. A number of variations of this algorithm are available in network security domain. In spite of the strong security features, this algorithm has been recently broken down by the cryptanalysis processes. Therefore, it is required to improve the security strength of this algorithm as AES is popular in commercial use. In this paper, we have shown the reasons of the loopholes in AES and also have provided a solution by using our Symmetric Random Function Generator (SRFG). The use of randomness in the key generation process in block cipher is novel in this domain. We have also compared our results with the original AES based upon some parameters such as nonlinearity, resiliency, balancedness, propagation characteristics, and immunity. The results show that our proposed version of AES is better in withstanding attacks.

28 citations


Cites background from "A comprehensive study of multiple d..."

  • ...Multiple deductions-based algebraic trace driven cache attack on AES has been shown in [22]....


Journal ArticleDOI
Ping Zhou, Tao Wang, Guang Li, Fan Zhang1, Xinjie Zhao 
TL;DR: The complete rules for choosing the monitored instructions based on necessary and sufficient condition are proposed and how to select the optimal threshold based on Bayesian binary signal detection principal is also proposed.
Abstract: FLUSH+RELOAD attack is recently proposed as a new type of Cache timing attacks. There are three essential factors in this attack, which are monitored instructions, threshold and waiting interval. However, existing literature seldom exploit how and why they could affect the system. This paper aims to study the impacts of these three parameters, and the method of how to choose optimal values. The complete rules for choosing the monitored instructions based on necessary and sufficient condition are proposed. How to select the optimal threshold based on Bayesian binary signal detection principal is also proposed. Meanwhile, the time sequence model of monitoring is constructed and the calculation of the optimal waiting interval is specified. Extensive experiments are conducted on RSA implemented with binary square-and-multiply algorithm. The results show that the average success rate of full RSA key recovery is 89.67%.

6 citations

Proceedings ArticleDOI
01 Oct 2018
TL;DR: This paper provides support and background knowledge for new researchers in the area of side channel attacks in different environments, and discusses the strength of prevention methods as well as their drawbacks.
Abstract: The Cloud Computing (CC) is famous due to shared resources technology. Cloud computing shares resources among distrusting customers and provides on demand, cost effective, elastic services. Due to the rapid growth of the cloud computing environment, vulnerabilities and their prevention methods potentially increase. We have seen that conventional prevention methods for Side Channel (SC) attacks are not suitable for avoidance of cross-VM cache based SC attacks. In 2016, shared technology issues was one of the top threats considered by the cloud security alliance (CSA), which has been published in February 2016 in The Treacherous 12 [1]. This has been a top threat by CSA for the last 5 years. In this paper we will discuss multiple methods for performing side channel attacks and prevention methods. We also discuss the strength of prevention methods as well as drawbacks of those methods. So that this paper will generate more research scope and new effective ideas for prevention of side channel attacks, this paper provides support and background knowledge for new researchers in the area of side channel attacks in different environments.

4 citations


Cites methods from "A comprehensive study of multiple d..."

  • ...Paper Title Crypto System Algorithm used Severity In [21] Asymmetric AES HIGH (Use two metrics: "expected number of traces" and "average number of operations") In [23] Asymmetric RSA HIGH In [24] Asymmetric AES HIGH (proposed the numerous deductions-based algebraic side-channel attack to cope with the error in leakage capacity and to exploit new leakage models)...


Dissertation
28 Jul 2015

2 citations

References
Journal Article
TL;DR: This paper describes possible attacks against software implementations of AES running on processors with cache mechanisms, particularly in the case of smart cards, based on side-channel information gained by observing cache hits and misses in the current drawn by the smart card.
Abstract: This paper describes possible attacks against software implementations of AES running on processors with cache mechanisms, particularly in the case of smart cards. These attacks are based on side-channel information gained by observing cache hits and misses in the current drawn by the smart card. Two different attacks are described. The first is a combination of ideas proposed in [2] and [11] to produce an attack that only requires the manipulation of the plain text and the observation of the current. The second is an attack based on specific implementations of the xtime function [10]. These attacks are shown to also work against algorithms using Boolean data masking techniques as a DPA countermeasure.

26 citations


"A comprehensive study of multiple d..." refers background or methods or result in this paper

  • ...…table; (4) gc, the size of the cache line, where gc = 2^δ. Note that the scope of this paper is about AES implementations that use one or more lookup tables for the sole S-Box, and not the lookup tables for the field multiplication in the MixColumns operation of AES (Fournier and Tunstall, 2006)....


  • ...These channels are spy processes [1], timing information [2, 3] and power/electromagnetic (EM) traces [4, 5, 6, 7, 8, 9, 10, 11]....


  • ...Note that the scope of this paper is about AES implementations that use one or more lookup tables for the sole S-Box, and not the lookup tables for the field multiplication in the MixColumns operation of AES [8]....


  • ...The above abstract model can help us to understand the TDCA problem and is generic to block ciphers using the S-Box (table) lookup structure [4, 5, 6, 7, 8, 9, 10, 11, 24, 25, 26, 27, 28]....


  • ...The result in Fournier and Tunstall (2006) is that 1280 chosen plaintexts are required to reduce the key search space to 2^24....


Journal ArticleDOI
TL;DR: It is shown that by splitting the equations defined over a block cipher (an SP-network) into two sets, one can determine the exact number of linearly independent equations which can be generated in algebraic attacks within each of these sets of a certain degree.
Abstract: This paper is about counting linearly independent equations for so-called algebraic attacks on block ciphers. The basic idea behind many of these approaches, e.g., XL, is to generate a large set of equations from an initial set of equations by multiplication of existing equations by the variables in the system. One of the most difficult tasks is to determine the exact number of linearly independent equations one obtain in the attacks. In this paper, it is shown that by splitting the equations defined over a block cipher (an SP-network) into two sets, one can determine the exact number of linearly independent equations which can be generated in algebraic attacks within each of these sets of a certain degree. While this does not give us a direct formula for the success of algebraic attacks on block ciphers, it gives some interesting bounds on the number of equations one can obtain from a given block cipher. Our results are applied to the AES and to a variant of the AES, and the exact numbers of linearly independent equations in the two sets that one can generate by multiplication of an initial set of equations are given. Our results also indicate, in a novel way, that the AES is not vulnerable to the algebraic attacks as defined here.

21 citations

Book ChapterDOI
19 Oct 2011
TL;DR: An attack on CAMELLIA is presented, which utilizes cache access patterns along with the differential properties of CameLLIA's s-boxes, which requires power traces from 216 different encryptions.
Abstract: CAMELLIA is a 128 bit block cipher certified for its security by NESSIE and CRYPTREC. Yet an implementation of CAMELLIA can easily fall prey to cache attacks. In this paper we present an attack on CAMELLIA, which utilizes cache access patterns along with the differential properties of CAMELLIA's s-boxes. The attack, when implemented on a PowerPC microprocessor having a 32 byte cache line size requires power traces from 2^16 different encryptions. Further, the work shows that this trace requirement reduces to 2^11 if a 64 byte cache line is used.

20 citations


"A comprehensive study of multiple d..." refers background or methods in this paper

  • ...…(table) lookup structure (Acıiçmez and Koç, 2006a, 2006b; Bertoni et al., 2005; Bonneau, 2006; Fournier and Tunstall, 2006; Gallais et al., 2011; Gallais and Kizhvatov, 2011; Lauradoux, 2005; Poddar et al., 2011; Rebeiro and Mukhopadhyay, 2010, 2011; Rebeiro et al., 2011; Zhao and Wang, 2010)....


  • ...The above abstract model can help us to understand the TDCA problem and is generic to block ciphers using the S-Box (table) lookup structure [4, 5, 6, 7, 8, 9, 10, 11, 24, 25, 26, 27, 28]....


  • ...Note that MDATDCA can also be extended to improve TDCAs on other block ciphers, such as Camellia [24] and CLEFIA [25, 26, 27, 28]....


Posted Content
TL;DR: In this paper, a Tolerant Algebraic Side-Channel Analysis (TASCA) attack on an AES implementation, using an optimizing pseudoBoolean solver to recover the secret key from a vector of Hamming weights corresponding to a single encryption, was presented.
Abstract: We report on a Tolerant Algebraic Side-Channel Analysis (TASCA) attack on an AES implementation, using an optimizing pseudoBoolean solver to recover the secret key from a vector of Hamming weights corresponding to a single encryption. We first develop a boundary on the maximum error rate that can be tolerated as a function of the set size output by the decoder and the number of measurements. Then, we show that the TASCA approach is capable of recovering the secret key from errored traces in a reasonable time for error rates approaching this theoretical boundary – specifically, the key was recovered in 10 hours on average from 100 measurements with error rates of up to 20%. We discovered that, perhaps counter-intuitively, there are strong incentives for the attacker to use as few leaks as possible to recover the key. We describe the equation setup, the experiment setup and discuss the results.

18 citations

Frequently Asked Questions (2)
Q1. What are the contributions in "A comprehensive study of multiple deductions-based algebraic trace driven cache attacks on aes" ?

This paper performs a comprehensive study of MDASCA-based TDCAs (MDATDCAs) on most of the AES implementations that are widely used. How to utilize the cache events with MDATDCA is presented and the overhead is also calculated. To evaluate MDATDCA on AES, this paper constructs a mathematical model to estimate the maximal number of leakage rounds that can be utilized and the minimal number of cache traces required for a successful MDATDCA. For the first time, the authors show that TDCAs on AES-192 and AES-256 become possible with the MDATDCA technique.

The study of the trade-off between the data and time complexity in the online and offline phases of MDATDCA, how to further quantify the contribution of the key bits leaked from cache events to the recovery of the master key of AES when evaluating MDATDCA, how to evaluate MDATDCA on AES in the error-tolerant and pre-loaded cache attack scenarios, and how to develop new attack techniques to solve the TDCA problem might also be interesting problems in the future. The authors hope this paper can bring the understanding of both ASCA and TDCA to a new level, and help to evaluate the physical security of block cipher implementations.