How Secure is AES Under Leakage

1.1 Background: Black Box, Grey Box and White Box

It is symmetric-key algorithms that are in charge of bulk data encryption and authentication in the field. Plenty of multiple wide-spread applications such as mobile networks, access control, banking, content protection, and storage encryption often feature only symmetric-key algorithms, with no public-key cryptography involved.

Traditionally, the security of symmetric-key cryptographic primitives has been analyzed in the black-box model, where the adversary is mainly limited to observing and manipulating the inputs and outputs of the algorithm, the related-key model [2] being a notable extension. Multiple techniques have been extensively elaborated upon, such as differential and linear cryptanalysis, integral and algebraic attacks, to call a small subset of the cryptanalytic tools available today. Cryptographers have excelled at preventing those by design [8].

In late 1990s, with the introduction of timing attacks [13] by Kocher, differential fault analysis [1] by Boneh, DeMillo and Lipton, simple power analysis as well as differential power analysis [14] by Kocher, Jaffe and Jun, the research community has become aware of side-channel attacks that operate in the grey-box model: Now the attacker has access to the physical parameters of cryptographic implementations or can even inject faults into their execution. Numerous countermeasures have been proposed to hamper those attacks, providing a practical level of security in many cases.

Since mid 2000s, a trend of side-channel analysis has been towards analytical side-channel attacks that assume leakage of fixed values of variables instead of stochastic variables and whose techniques border the black-box cryptanalysis. So, collision attacks [22] by Shramm et al. observe an equation within one or several executions of an algorithm. Algebraic side-channel attacks [21] by Renauld and Standaert work under the assumption that the attacker can see the Hamming weight of the internal variables of an algorithm. The attacker uses the techniques of algebraic cryptanalysis to solve the systems of nonlinear equations arising from collisions and algebraic side-channel attacks [5, 19, 20]. Dinur and Shamir [9] apply integral and cube attacks to block ciphers in a setting where a fixed bit after a round is leaked due to physical probing, power analysis or similar. Also differential fault analysis uses elements of differential cryptanalysis.

As an extreme development of the grey-box setting, the white-box model [7] by Chow et al. poses the assumption that the adversary has full control over the implementation of the cryptographic algorithm. The major goal of white-box cryptography is to protect the confidentiality of secret keys in such a white-box environment. However, all published white-box implementations of standard symmetric-key algorithms such as AES to date have been practically broken in this model [18]. The white-box setting may be too strong for standard symmetric-key algorithms such as AES, because such a cipher was designed with the black-box security in mind.

1.2 Leakage and AES

In this paper, we enhance the Dinur-Shamir setting [9] and aim to bridge the gap between the physical side-channel attacks, the techniques of provable leakage resilience [17] and white-box setting (dealing with attackers too hard to protect against). Namely, we let the AES implementation leak some information during its execution which is defined as follows.

1.3 Our Contributions

The contributions of this paper are as follows. The cryptanalytic results are also summarized in Table 1.

AES Under Basic Leakage and Bitwise Multiset Attacks. We develop a bitwise multiset attack, which exploits relations of sets of plaintexts and internal states, to evaluate the security of AES if the time and space of the leakage is fixed. Our attack utilizes a bitwise multiset characteristic which is an extension of Dinur-Shamir integral attacks [9]. Unlike their attacks, our attack is feasible even if an attacker does not have any knowledge of the location of leaked bits. See Sect. 2 and Table 1 for the details.

Open image in new window

AES Under Leakage with Space/Time Uncertainty and Differential Bias Attacks. We let time, space or both be randomized. The space randomization makes the position of leaked bits random in each execution. The time randomization makes the round number of leaked bits random in each execution. A combination of time and space randomization is also an advanced model we consider. See Fig. 1 for an illustration.

This setting takes account of a more realistic environment, such as the lack of knowledge of the implementation, and the presence of countermeasures. Here, our multiset attacks are infeasible, as no clean multiset is available. To cope with that, we develop a differential bias attack and a biased state attack inspired by techniques for distinguishing attacks against stream ciphers [15, 16, 23]. More specifically, by properly choosing differences and values of plaintexts, we create biased (differential) states, where the distribution of bitwise differences or value is strongly biased only if the key is correctly guessed. Thus, we are able to distinguish the leak corresponding to the correct key. See Sect. 3 for the techniques as well as Sect. 4 and Table 1 for the results.

AES Under Noisy Leakage. We consider leakage with noise, where the attacker does not know exactly if the variable it accesses corresponds to the execution of the algorithm under attack. For example, it can be the case if multiple instances of encryption (with different keys) are run simultaneously or if the implementation uses dummy operations to hide the AES execution. The differential bias attack remains applicable in this setting, with adjusted complexities. See Sect. 6 and Table 1 for details. To characterize noise, we define \(\pi \) to be the probability that the leak is correctly read. The complexities of our attacks grow quadratically with the increase of \(1/\pi \).

Our Observations and Recommendations. To summarize the residual security of AES under leakage in the various settings, we observe the following. First, if no rounds are black-boxed and all intermediate internal states can be visible to the attacker, there are practical attacks, even with uncertain time and space. Second, to approach practical infeasibility of attacks in our leakage model without black-boxing, a substantial level of noise are be needed, \(\pi =2^{-10}\) and lower when combined with randomized time and space.

On the other hand, the black-boxing of round 9 is very effective. Indeed, if round 9 is black-boxed² (i.e., when the state between round 9 and round 10 is invisible to the attacker), the complexities of our attacks grow beyond \(2^{44}\) even with fixed time and space. Third, if uncertainty in time and space is combined with the black-boxed 9th round, our attacks require more than \(2^{58}\) operations, even with clean leaks. Then, if more rounds (1,2,8, and 9) are black-boxed, the complexities increase to \(2^{72}\). If noise is applied as countermeasure on top of that, it is possible to attain security levels of \(2^{80}\) and beyond against our attacks.

Thus, black-boxed round 9, noise or both are needed to hamper our attacks at a practical security level under leakage. Note that a high-budget organization can practically afford an attack of complexity \(2^{80}\) and higher [12]. However, the countermeasures considered here may still be effective against a mass surveillance attacker.

2.1 Notations of AES

Two types of internal states in each round of AES-128 are defined as follows: \(\#1\) is the state before SubBytes in round 1, \(\#2\) is the state after MixColumns in round 1, \(\#3\) is the state before SubBytes in round 2,\(\ldots \), \(\#19\) is the state before SubBytes in round 10, and \(\#20\) is the state after ShiftRow in round 10 (MixColumns is omitted in the last round). The states in the last round of AES-192 are addressed as \(\#23\) and \(\#24\), and of AES-256 as \(\#27\) and \(\#28\). We let \(\#0\) be a plaintext and \(\#21\), \(\#25\) and \(\#29\) be a ciphertext in AES-128/192/256, respectively. 128-bit subkeys are denoted as $0 , $1, \(\ldots \), and so on. The i-th byte in the state x is denoted as \(x_i\) and the j-th bit in \(x_i\) is represented as \(x_i[j]\).

2.2 Dinur-Shamir Chosen-Plaintext Attack on AES-128 with Leakage

As a starting point of our analysis, we outline the leakage attack proposed by Dinur and Shamir in [9]. As explained above, the Dinur-Shamir model is different from our leakage models as the adversary knows the time (round number) and space (bit position inside the round) of the leak, only single-bit leaks are considered there, and no leaks from the key schedule are allowed.

In the attack of [9], one uses the following multiset properties of a byte: In set A, all \(2^8\) values appear exactly once; In set C, all \(2^8\) values are fixed to a constant; In set B, the XOR sum of all \(2^8\) values is zero; In set U, all \(2^8\) values is not A, C or B. Let an N-round attack be an attack based on leaked bits after the N-th round function, e.g., a 2-round attack is based on only leaked bits of \(\#5\).

In the first step, the attacker guesses 4 bytes of the key $0, and chooses a set of \(2^8\) plaintexts, so that \(\#2\) consists of \(\varLambda \)-set in which only one byte is A and the other 15 bytes are \(\mathsf{C}\). If 4 bytes of $0 are correctly guessed, \(\#5\) consists of 4 bytes of A and 12 bytes of \(\mathsf{C}\), while in a wrong key, all bytes in \(\#5\) become U. Thus, by checking whether the all \(2^8\) values of \(\#5\) are fixed, an attacker is able to sieve wrong keys after \(2^{32}\) operations. The procedure can be repeated for three times with the three 4-byte sets of the key $0 depending on the position of the leaked bit. The remaining 4 bytes of $0 are exhaustively searched. Time complexity is estimated as \(2^{42}\) \((\approx (2^{32} \times 2^8 \times 3))\) encryptions and the required data is \(2^{34}\) \((= 2^{32} \times 4)\) chosen plaintexts. The work [9] also proposes other types of 2-round attack using cubes, with a time complexity of \(2^{35}\). However, the details are not given.

The paper [9] mentioned that 3- and 4-round attacks were possible by using similar techniques but omitted the details. As A expands into all state after 3 rounds even if the key is correctly guessed, at least the 2-round attack has a limited application to 3 and 4 rounds.

3.1 Bitwise Multiset Characteristic

Our attacks utilize the following bitwise multiset property in the data transform.

Proof. As shown in Fig. 2, if \(\#2\) consists of a \(\varLambda \) set, \(\#3\) is also a \(\varLambda \) set, and \(\#5\) consists of 4 bytes of A and 12 bytes of C. Then, \(\#7\) and \(\#9\) consist of 16 bytes of A and B, respectively. In the \(2^8\) multiset of each bit of A, C and B, the XOR sum becomes zero [4]. \(\quad \square \)

Open image in new window

3.2 Chosen-Plaintext Bitwise Multiset Attack

The bitwise zero-sum property allows us to develop chosen-plaintext key recovery attacks using leaked bits at a fixed position in \(\#3\), \(\#5\), \(\#7\) or \(\#9\). Our attack firstly guesses 4 bytes of the key $0, and chooses a set of \(2^8\) plaintexts resulting in \(\varLambda \) set in \(\#2\). If 4 bytes of $0 are correctly guessed, the bitwise XOR sum of \(2^8\) leaked bits in any bit position of \(\#3\) to \(\#10\) is zero (Proposition 1). Otherwise, the probability that the bitwise XOR sum of leaked bits of \(\#5\), \(\#7\) and \(\#9\) is zero is \(2^{-1}\). If this procedure repeats with N different sets of \(2^8\) plaintexts, wrong keys can be detected with a probability of \((1- 2^{-N})\).

The number of surviving keys after the above procedure is estimated as \((1 + 2^{-N} \times (2^{32} - 1))^4\). If the remaining key candidates are exhaustively searched, time complexity is estimated as \(\{(2^{32} \times 2^8 \times N) \times 4 \} + (1 + 2^{-N} \times (2^{32} - 1))^4 \) encryptions. When \(N = 22\), the time complexity is estimated as \(2^{46.46}\) encryptions, the required data is \(2^{34}\) \((= 2^{32} \times 4)\) chosen plaintexts and the required memory is \(2^{34}\) bits. This attack is successful if leaked bits come from any bits of \(\#5\), \(\#7\) and \(\#9\) without any knowledge of the location of leaked bits.

3.3 Partial Key Recovery Attack Using Leaked Bits from \(\#3\)

If leaked bits come from \(\#3\), a 32-bit partial key-recovery attack is feasible as AES takes 2 rounds to achieve the full diffusion. If 4 bytes of keys $0 are guessed correctly, \(2^8\) multiset in only one byte of \(\#3\) is not C as shown in Fig. 2, while for a wrong key, \(2^8\) multisets in 4 bytes of one column are not C. We exploit the gap of the number of C in \(\#3\) between a correct key and a wrong key.

We guess the column in \(\#3\) where leaked bits come from and then guess corresponding 4 bytes of $0. We check whether the \(2^8\) multiset of leaked bits is fixed with N different sets of \(2^8\) plaintexts. A correct key can be detected with probability of \((1 - 2^{-8N})\) if leaked bits come from the byte which is C for a correct key and B for a wrong key. We repeat this \(4 \times 4/3\) times by guessing different columns and the byte position of leaked bits in \(\#3\) and corresponding 4 bytes of $0. The corresponding 32 bits of the key $0 can be recovered with about \(2^{44}\) \((\approx 2^{32} \times 2^8 \times 4 \times 4 \times 4/3)\) encryptions when \(N = 4\), \(2^{34}\) chosen ciphertexts and \(2^{34}\) memory.

3.4 Chosen-Ciphertext Bitwise Multiset Attack

In the chosen-ciphertext setting, backward direction attacks are feasible by using leaked bits from \(\#13\), \(\#15\), \(\#17\) or \(\#19\). As shown in Fig. 3, if 4 bytes of $10 are correctly guessed and a set of ciphertexts is properly chosen, the XOR-sum of \(2^8\) multiset of any bit in \(\#12\) to \(\#17\) is zero (Proposition 1). Since states \(\#13\), \(\#15\) and \(\#17\) correspond to \(\#7\), \(\#5\) and \(\#3\), respectively, chosen-ciphertext attacks using these bits are feasible in the same manner as for chosen-plaintext attacks.

Also, \(\#19\) is affected by only one byte of $10. Thus, one byte of $10 can be recovered by the exhaustive search with 8 leaked bits from different ciphertexts after guessing 128 positions of the leaked bit. Time complexity is estimated as \(2^{18}\) \((= 2^{8} \times 128 \times 8)\) encryptions, the required data is about \(2^8\) known ciphertexts, and the memory consumption is negligible.

Open image in new window

3.5 Combined Key Recovery Attacks on AES

Finally, we introduce a key recovery attack on the full AES-128 by combining the forward and the backward direction attacks. Since we do not know in which round the bits leak, we guess it and then mount each round attack in the following order: \(\#19\) \(\rightarrow \) \(\#17\) \(\rightarrow \) \(\#3\) \(\rightarrow \) \(\#5\) \(\rightarrow \) \(\#7\) \(\rightarrow \) \(\#9\) \(\rightarrow \) \(\#13\) \(\rightarrow \) \(\#15\), i.e., if a correct key is not found by the guessed-round attack, the next round attack is applied in that given order. Our attacks find a correct key successfully except the case where the leaked bits come from \(\#11\). Thus the success probability without any knowledge of locations of leaked bits is 0.899 \((= 8/9)\).

Time complexity is estimated as \(2^{48}\) \((\approx 2^{18} + 2^{44} + 2^{44} + 2^{46.46} + 2^{46.46})\) encryptions. The required data is about \(2^{35} \) \((= 2^{34} + 2^{34})\) chosen plaintexts and \(2^{34}\) chosen ciphertexts and the required memory is \(2^{34}\) bits. Note that if the leaked bits come from \(\#3\), \(\#17\), \(\#19\), partial key recovery attacks are possible.

4.1 Truncated Differential Characteristic

Our attacks utilize a bytewise truncated differential characteristic of Fig. 4, where a colored-cell is a probability-one non-zero truncated difference, a blank cell is a probability-one zero truncated difference, and ? is an unknown truncated difference. Define 4 bytes of differences {\(\varDelta \#0_0,\) \(\varDelta \#0_5\), \(\varDelta \#0_{10}\), \(\varDelta \#0_{15}\)} in a pair of plaintexts as \( (\varDelta \#0_0, \varDelta \#0_5, \varDelta \#0_{10}, \varDelta \#0_{15}) = S^{-1}(MC^{-1}(\varDelta \#2_0, 0, 0, 0)), \) where \(S^{-1}\) and \(MC^{-1}\) are the inverses of SubBytes and MixColumns in a column, respectively, and \(\varDelta \#2_0\) is an arbitrary byte difference in \(\#2_0\). Given \(\{ \varDelta \#2_0\), \(\#2_0, \ldots , \#2_3 \}\) and {$0\(_0\), $0\(_5\), $0\(_{10}\), $0\(_{15}\)}, {\(\varDelta \#0_0, \varDelta \#0_5, \varDelta \#0_{10}, \varDelta \#0_{15}\)} and {\(\#0_0, \#0_5, \#0_{10}, \#0_{15}\)} are determined. Let \(\#0'\) be a plaintext having differences {\(\varDelta \#0_0\), \(\varDelta \#0_5\), \(\varDelta \#0_{10}\), \(\varDelta \#0_{15}\)}, i.e., \(\#0'_0 = \#0_0 \oplus \varDelta \#0_0, \#0'_5 = \#0_5 \oplus \varDelta \#0_5, \#0'_{10} = \#0_{10} \oplus \varDelta \#0_{10}, \#0'_{15} = \#0_{15} \oplus \varDelta \#0_{15}\). Also, let \(\#'1, \ldots , \#'21\) be the corresponding states of \(\#0'\), and \(Z'_0, Z'_1, Z'_2, Z'_3, \ldots \) be leaked bits of each execution of \(\#0'\).

4.2 Biased Differential State

Choosing 4-byte differences {\(\varDelta \#0_0\), \(\varDelta \#0_5\), \(\varDelta \#0_{10}\), \(\varDelta \#0_{15}\)} properly and guessing the 4 bytes of {$0\(_0\), $0\(_5\), $0\(_{10}\), $0\(_{15}\)} correctly, we are able to create biased differential states in \(\#3\): consisting of 15 bytes of probability-one zero differences and 1 byte of a probability-one non-zero difference, \(\#5\): consisting of 12 bytes of probability-one zero differences and 4 bytes of probability-one non-zero differences, and \(\#7\): consisting of 16 bytes of probability-one non-zero differences. As shown in Fig. 4, a correct key has 27 bytes of probability-one zero differences \(\#3_1, \ldots , \#3_{15}\) and \(\#5_4, \ldots , \#5_{15}\) and 21 bytes of probability-one non-zero differences \(\#3_1\), \(\#5_0, \ldots , \#5_{3}\), and \(\#7_0, \ldots , \#7_{15}\), while a wrong key has only 12 bytes of probability-one zero differences \(\#3_4, \ldots , \#3_{15}\) and does not have any probability-one non-zero difference in the state of the data processing part.

In addition, a pair of plaintexts has 12 bytes of probability-one zero differences and 4 bytes of probability-one non-zero differences for both a correct key and a wrong key. Also, the key schedule has 176 \((=16 \times 11)\) bytes of probability-one zero differences, as the subkeys are always fixed under the same key.

4.3 Bitwise Differential Bias in Biased Differential State

For a probability-one zero/non-zero truncated difference, we derive positive and negative bitwise differential biases. Our attack exploits the gap of the number of positive and negative biases between a correct key and a wrong key when a pair of \(\#0\) and \(\#'0\) is encrypted.

Positive Bitwise Bias for Probability-One Zero Truncated Difference. If a bytewise pair \(\#x_y\) and \(\#x'_y\) has a probability-one zero truncated difference, a bitwise difference at the same position is also zero with probability one: \( Pr(\varDelta [\#x_y[j], \#'x_y[j]] = 0) = 1, 0 \le j \le 7, \) where \(\varDelta [a, b] = a \oplus b\). A correct key has 1720 \((= 27 \times 8 + 176 \times 8 + 12 \times 8)\) positive bitwise differential biases, while a wrong key has only 1600 \((= 12 \times 8 + 176 \times 8 + 12 \times 8)\) such biases.

Negative Bitwise Bias for Probability-One Non-zero Truncated Difference. If a pair \(\#x_y\) and \(\#x'_y\) has a probability-one non-zero truncated difference, the probability that a bitwise difference at the same bit position is zero is estimated as follows: \( Pr(\varDelta [\#x_y[j], \#'x_y[j]] = 0) = 127/255 = 1/2 \cdot (1 - 2^{-7.99})\ \) In experiments with \(2^{40}\) randomly-chosen plaintexts and keys, we confirmed that these negative biases toward zero exist in each bit of the probability-one non-zero truncated difference, where the experimental value is \(Pr(\varDelta [\#7_i[j], \#'7_i[j]] = 0) = 1/2 \cdot (1 - 2^{-7.92})\).

4.4 Bitwise Differential Biases in the Stream of Leaked Bits

The number of required samples for distinguishing the two distributions with probability of \(1-\alpha \) is given by the following lemmata.

Assuming that the target event E is \(\varDelta [Z_i, Z'_j] = 0\) , X is the distribution for a wrong key, and Y is the distribution for a correct key, p and q are estimated as \(p =Pr^w(\varDelta [Z_i, Z'_j] = 0)\) and

$$\begin{aligned} q= \frac{-N^c_{bias_n} + N^w_{bias_n} + 255 ( N^c_{bias_p} - N^w_{bias_p})}{255 N_{all} - N^w_{bias_n} + 255 N^w_{bias_p}}. \end{aligned}$$

For success probability \(1 - 2^{-32}\), the estimated number of required samples is:

$$\begin{aligned} N_{sample} = (pq^{2})^{-1} \cdot (1- 2\cdot 2^{-32}) \cdot log_2 \frac{1 - 2^{-32}}{2^{-32}} \approx 2 \cdot 32 \cdot q^{-2} = 2^6 \cdot q^{-2}. \end{aligned}$$

Open image in new window

Open image in new window

4.5 Chosen-Plaintext Differential Bias Attack

4.6 Chosen-Ciphertext Differential Bias Attack

If the decryption function is accessible, chosen-ciphertext attacks are applicable. Similarly to the setting of bitwise mutiset attacks before, the chosen-ciphertext attacks are more efficient and it makes sense to black-box the output of round 9 also in the cases with time and space uncertainty.

As shown in Fig. 7, the states \(\#13\), \(\#15\) and \(\#17\) correspond to \(\#7\), \(\#5\) and \(\#3\), respectively. Since the state \(\#19\) consists of 12 probability-one zero truncated differences and 4 probability-one non-zero truncated differences, both for a correct key and a wrong key, one additionally has 96 positive and 32 negative bitwise differential biases in the chosen-ciphertext attack.

Open image in new window

Biased State Attack of \(\mathbf {\#19}\) : Leakage After Round 9. If leaked bits from \(\#19\) are obtained, a more powerful attack is feasible. Each byte in \(\#19\) can be controlled by one byte of $10 and one byte of a ciphertext. Thus, we are able to create a biased state in \(\#19\) whose one byte (8 bits) is fixed to 0, if the corresponding byte of $10 is correctly guessed and the respective byte of the ciphertext is property chosen. Suppose that the values of the other bits of the states are randomly distributed. The probabilities that each leaked bit is zero (\(Z_i= 0\)) for a correct key is estimated as \( Pr^c(Z_i= 0) = 1/2 \cdot (N'^c_{random}/N'_{all}) + N'^c_{bias_p}/N'_{all}, \) where \(N'_{all}\), \(N'_{bias_p}\), and \(N'_{random}\) are the numbers of bits in entire space, positive biased space and randomly-distributed space, respectively. Also, \(Pr^w(Z_i= 0)\) is assumed to be 1 / 2.

Assuming that the target event E is \(Z_i= 0\), p and q are estimated as \(p =1/2\) and \(q = N'^c_{bias_p}/N'_{all}\). For the success rate of \(1 - 2^{-8}\) (\(\alpha = 2^{-8}\)), the sample requirement is estimated as \(N'_{sample} \approx 2 \cdot 8 \cdot (q)^{-2}\) =\(2^4 \cdot (q)^{-2}\). We repeat the procedure for all 16 bytes of $10. Therefore, time complexity is estimated as \(2^{12} \times N'_{sample} \) \((= 16 \times 2^{8} \times N'_{sample}\)) encryptions and the required data is \(2^{12} \times N'_{sample} \) \((= 16 \times 2^{8} \times N'_{sample}\)) chosen ciphertexts. The memory requirement is negligible.

4.7 Known-Plaintext Differential Bias Attack

Finally, we introduce a known-plaintext differential bias attack using a truncated differential characteristic of Fig. 8. For a correct key, one has 24 \((=3 \times 8)\) positive bitwise differential biases toward zero and 8 negative bitwise differential biases in \(\#3\), while for a wrong key, there are not such biases. The key schedule has the same number of positive biases of chosen-plaintext attacks and the plaintext has 32 \((=4 \times 8)\) negative biases in both of a correct and a wrong key.

This attack prepares \(2^{33}\) known plaintexts and makes a table of \(\#0_0\), \(\#0_5\), \(\#0_{10}\), \(\#0_{15}\) and the corresponding \(N_s\) leaked bits. The expected number of the entries of each value of \(\#0_0\), \(\#0_5\), \(\#0_{10}\), \(\#0_{15}\) is more than 1. We mount key recovery attacks for $0\(_0\), $0\(_5\), $0\(_{10}\), $0\(_{15}\) in the same manner as in the chosen-plaintext attack. In step 3, the prepared table contains the corresponding values of \(\#0_0\), \(\#0_5\), \(\#0_{10}\), \(\#0_{15}\) with high probability. Thus, time complexity is estimated as \(2^{31} \times N_{sample}/N_s\) encryptions and the required data is \(2^{35} \times N_s \) \((= 4 \times 2^{33} \times N_s)\) known plaintexts with leaked bits and the required memory is about \( 2^{35} \times N_s\) bits.

Open image in new window

5.1 Uncertainty in Space

The space randomization makes the bit position of leaked bits random in each execution, i.e., \(Z_i\) and \(Z'_i\) randomly come from two 256-bit spaces consisting of a 128-bit state in the data processing part and a 128-bit state in the key schedule at the unknown fixed round, assuming encryptions are executed with a 256-bit working memory for a internal state and a subkey.

Assuming that leaked bits come from the states after round 2, i.e., {#5\(_{i}[j]\) and $2\(_{i}[j]\)} and {#’5\(_{i}[j]\) and $’2\(_{i}[j]\)} (\(0 \le i \le 15\), \(0 \le j \le 7\)), the parameters of our differential bias attacks are chosen as \(N_{all} = (256)^2\), \(N^{(c)}_{bias_p} = 224 \) \((=96 + 128)\), \(N^{(w)}_{bias_p} = 128 \) \((= 0 + 128)\), \(N^{(c)}_{bias_n} = 32\) and \(N^{(w)}_{bias_n} = 0\) (see Table 2). Then, \(Pr^{c}(\varDelta [Z_i, Z'_j] = 0)\) and \(Pr^{w}(\varDelta [Z_i, Z'_j] = 0)\) are estimated as \(1/2 \cdot (1 + 2^{-8.192})\), and \(1/2 \cdot (1 + 2^{-9.000})\), respectively, and \(q = 2^{-9.42}\). In our experiment with \(2^{40}\) randomly-chosen correct and wrong pairs of keys and plaintexts, \(Pr_{c}(\varDelta [Z_i, Z'_j] = 0)\) and \(Pr_{w}(\varDelta [Z_i, Z'_j] = 0)\) are \(1/2 \cdot (1 + 2^{-8.191})\) and \(1/2 \cdot (1 + 2^{-9.001})\), respectively, and \(q = 2^{-9.42}\). The number of required samples to detect a stream for a correct key is estimated as \(N_{sample} = 2^{24.84}\) \(( = 2^6 \times 2^{9.42 \times 2})\). We experimentally confirmed that this number of samples is enough for a successful attack. With \(N_s = (N_{all})^{1/2}\), time complexity is estimated as \(2^{47.84} \) \((= (2^{31} \times 2^{24.84})/(2^8))\) encryptions and the required data is \(2^{42} \) \((= 2^{34} \times 2^8)\) chosen plaintexts and corresponding leaked bits with \(2^{42}\) bits of prepared tables.

The details of attacks for \(N_s = (N_{all})^{1/2}\) are provided in Table 3, where \(q^{(e)}\) is our experimental value with \(2^{40}\) randomly-chosen correct and wrong pairs of keys and plaintexts/ciphertexts, and T and D are time complexity and the amount of the required data, respectively. Our theoretical values closely approximate the experimental data in all cases. Since an attacker does not know the round number of leaked bits, he firstly guesses the round of leaked bits and then mounts an attack similar to the combined attack of the bitwise multiset attacks. If the decryption is accessible, our attacks are successful except the case where leaked bits come from states after 4 or 5 round only. Also, a known plaintext attack is possible if leaked bits from \(\#3\) are available.

5.2 Uncertainty in Time

The time randomization makes the round number of leaked bits random in each execution, i.e., \(Z_i\) and \(Z'_i\) come from the fixed bit position at a random round of the data processing part. Additionally, we take into account the leaked bits from plaintexts \(\#0\) or ciphertexts \(\#21\) in the data processing part. For instance, assuming that leaked bits come from 33-th bits of the data processing part, i.e., \(\#0_4[1]\), \(\#3_4[1]\), \(\ldots \), \(\#19_4[1]\) or \(\#21_4[1]\), the attack parameters are given as \(N_{all} = 11 ^ 2\), \(N^{(c)}_{bias_p} = 3\), \(N^{(w)}_{bias_p} = 2\), \(N^{(c)}_{bias_n} = 1\), \(N^{(w)}_{bias_n} = 0\). Then \(q = 2^{-6.45}\), \(N_{sample} = 2^{19.9}\), \(T = 2^{47.44}\) and \(D = 2^{37.46}\).

5.3 Uncertainty in Both Space and Time

The details of our attacks are given in Table 5. We also provide a chosen-plaintext attack when round 9 and round 1, 2, 8 and 9 are black-boxed. If the decryption is accessible, our attacks work as long as leaked bits after round 1, 2, 3, 6, 7, 8 or 9 of the data processing part are available. Also, a known-plaintext attack is applicable if leaked bits from \(\#3\) are observable.

7.1 Fixed Time/space: Bytewise Multiset Attack

Our bitwise multiset attacks naturally extend to bytewise multiset attacks, because the multiset characteristics are based on the bytewise XOR-sum property. The success probability for detecting wrong keys increases from \((1 - 2^{-1})\) to \((1 - 2^{-8})\) by using the bytewise zero-sum property. Then the time complexities of 2, 3, 4, 6 and 7-round attacks are estimated as \(\{(2^{32} \times 2^8 \times N) \times 4 \} + (1 + 2^{-8N} \times (2^{32} - 1))^4 \) encryptions. With \(N = 4\), it is about \(2^{44}\). The time complexities of 1 and 8-round attacks and the 9-round attack also improve to \(2^{42}\) \((\approx 2^{32} \times 2^8 \times 4 \times 4/3)\) and \(2^{12} \) \((= 2^8 \times 16)\) encryptions, respectively. The time complexity of the combined attack is \(2^{45}\) \((\approx 2^{12} + 2^{42} + 2^{42} + 2^{44} + 2^{44})\) encryptions and the required data is \(2^{35}\) chosen plaintexts and \(2^{34}\) chosen ciphertexts.

7.2 Uncertain Time/Space: Differential Bias Attack

Our differential bias attacks also extend to bytewise attacks using bytewise differential biases of truncated differential characteristics of Fig. 4, 7 and 8.

Chosen-Ciphertext Biased-State Attack. Assuming that the target event E is \(Z_i= 0\), p and q are estimated as \(p =1/2^8\) and \(q = (255 \times N^c_{bias_p})/N_{all}\). The number of required samples is estimated as \(N_{sample} \approx 8 \cdot 2^8 \cdot (q)^{-2}\). We repeat the procedure for all 16 byte of $10. Therefore, time complexity is estimated as \(2^{12} \times N_{sample} \) \((= 16 \times 2^{8} \times N_{sample}\)) encryptions and the number of required data is \(2^{12} \times N_{sample} \) \((= 16 \times 2^{8} \times N_{sample}\)) chosen ciphertexts.

8.1 AES-192 and 256

Bitwise multiset attacks and differential bias attacks on AES-128 are directly applicable to AES-192 and AES-256 in both fixed and random settings. In the backward direction, 6- to 9- round attacks on AES-128 are corresponded to 8- to 11-round ones on AES-192 and 10- to 13- round ones on AES-256, respectively.

8.2 Multiple-Bit Leakage

Here we consider the case where M bits of the bit-aligned state information leak in each execution for a small M. Let \(Z^{i}_1, Z^{i}_2,\ldots , Z^{i}_M\) be M leaked bits of the i-th execution.

Bitwise Multiset Attack: Assume that \(Z^{i}_0, Z^{i}_1,\ldots , Z^{i}_{M-1}\) come from different but fixed locations of the state. If the XOR sum of \(2^8\) multiset of each location is zero, the XOR-sum of all set of \(2^8 \times M\) bits is also zero. Thus, bitwise multiset attacks are feasible as long as leaked bits come from space where each XOR sum is zero only in a correct key. Time and date complexities are almost the same.

Differential Bias Attack: Assume that \(Z^{i}_1, Z^{i}_2,\ldots , Z^{i}_M\) come from randomly-chosen different locations of the state. Since the attacker is able to obtain M bits in each execution, the required data reduces by a factor of M.

8.3 Other Granularities

So far, we have assumed that a leak can only occur after a full round. However, in other granularities such as leaks after SubBytes or MixColumns, our bitwise multiset attacks and differential bias attack still work.

Bitwise Multiset Attack: According to Proposition 1, any bit of the states between \(\#3\) and \(\#10\) has the zero-sum property if the key is correctly guessed. Using the difference of zero-sum properties between correct and wrong key cases, bitwise multiset attacks are applicable to other states in the same manner.

Differential Bias Attack: By properly choosing attack parameters, our differential bias attacks are also made feasible. For instance, if bits of the states after SubBytes are additionally leaked, the parameters of chosen-plaintext differential attacks on AES-128 with the space and time randomization are estimated as \(N_{all} = (256 \times 11 + 128 \times 10)^2\), \(N^{(c)}_{bias_p} = 2032\) \((=216 + 216 + 1408 + 96 + 96)\), \(N^{(w)}_{bias_p} = 1792\) \((=96 + 96 + 1408 + 96 + 96)\), \(N^{(c)}_{bias_n} = 400\) \((= 168 + 168 + 0 + 32 + 32)\), \(N^{(w)}_{bias_n} = 64\) \((= 0 + 0 + 32 + 32)\), and \(q = 2^{-16.10}\). The number of required samples is estimated as \(N_{sample} = 2^{38.02}( = 2^6 \times 2^{16.01 \cdot 2})\). With \(N_s = (N_{all})^{1/2}\), time complexity is \(2^{57.02}\) \((= (2^{31} \times 2^{38.02})/(256 \times 11 + 128 \times 10))\) encryptions and the required data is \(2^{46}\) \((= 2^{34} \times (256 \times 11 + 128 \times 10))\) chosen plaintexts.