Algebraic Side-Channel Analysis in the Presence of Errors

  • Yossef Oren
  • Mario Kirschbaum
  • Thomas Popp
  • Avishai Wool
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6225)


Measurement errors make power analysis attacks difficult to mount when only a single power trace is available: the statistical methods that make DPA attacks so successful do not apply, since they require many (typically thousands of) traces. Recently it was suggested in [18] to use algebraic methods for the single-trace scenario, converting the key recovery problem into a Boolean satisfiability (SAT) problem and then running a SAT solver. However, this approach is extremely sensitive to noise (tolerating an error rate of well under 1%), and the question of its practicality remained open. In this work we show how a single-trace side-channel analysis problem can be transformed into a pseudo-Boolean optimization (PBOPT) problem that takes errors into account. The PBOPT instance can then be solved with a suitable optimization solver. The PBOPT syntax provides a more expressive input specification, which allows a very natural representation of measurement errors. Most importantly, we show that with our approach we are able to mount successful and efficient single-trace attacks even in the presence of realistic error rates of 10%–20%. We call our new attack methodology Tolerant Algebraic Side-Channel Analysis (TASCA). We show practical attacks on two real ciphers: Keeloq and AES.
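The following is an added worked example of the SAT-versus-PBOPT contrast described in the abstract; it is not code from the paper. It uses a constructed 16-bit two-round SPN (PRESENT's 4-bit S-box as a convenient bijection, a PRESENT-style permutation scaled to 16 bits, round keys rotated from the master key), a constructed Hamming-weight leakage model with 16 leaks per encryption, the ciphertext as a hard constraint, and two deliberately corrupted leaks. The functions `score_keys`, `asca_recover`, `tasca_recover` and `leak_constraints_opb`, and the variable naming in the OPB output, are this example's own; the exhaustive minimiser stands in for an optimisation solver such as SCIP [4]. The OPB fragment emits only the error-tolerant leak rows and the objective; a complete instance also needs the cipher equations that bind each leaked nibble's bits to the key bits.

```python
"""Added TASCA worked example on a constructed toy SPN (not the paper's code).
The exhaustive minimiser stands in for the pseudo-Boolean solver the paper uses."""

# Constructed toy cipher: 16-bit state, four 4-bit S-boxes (PRESENT's table,
# used only as a convenient bijection), PRESENT-style bit permutation, two
# rounds plus whitening. Round key r is rotl16(master_key, KEY_ROT[r]).
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
HW = [bin(n).count("1") for n in range(16)]   # Hamming weight of a nibble
ROUNDS = 2
KEY_ROT = (0, 7, 13)


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & 0xFFFF


def _permute_bits(x):
    # bit i moves to 4*i mod 15 for i < 15; bit 15 is fixed (a bijection)
    y = 0
    for i in range(16):
        if (x >> i) & 1:
            y |= 1 << (15 if i == 15 else (4 * i) % 15)
    return y


PERM_LO = [_permute_bits(b) for b in range(256)]       # byte-wise lookup tables
PERM_HI = [_permute_bits(b << 8) for b in range(256)]  # so the key search stays fast


def nibbles(x):
    return (x & 0xF, (x >> 4) & 0xF, (x >> 8) & 0xF, x >> 12)


def encrypt_with_leaks(key, pt):
    """Return (ciphertext, leaks). Leakage model, as in single-trace ASCA: the
    Hamming weight of every state nibble after each round-key addition and
    after each S-box layer, i.e. 16 leaks from one encryption."""
    leaks, s = [], pt
    for r in range(ROUNDS):
        s ^= rotl16(key, KEY_ROT[r])
        leaks.extend(HW[n] for n in nibbles(s))
        n0, n1, n2, n3 = nibbles(s)
        s = SBOX[n0] | SBOX[n1] << 4 | SBOX[n2] << 8 | SBOX[n3] << 12
        leaks.extend(HW[n] for n in nibbles(s))
        s = PERM_LO[s & 0xFF] | PERM_HI[s >> 8]
    return s ^ rotl16(key, KEY_ROT[ROUNDS]), leaks


def score_keys(pt, ct, observed):
    """For every key consistent with the known ciphertext (kept as a hard
    constraint here), the number of leak constraints that must be switched off,
    i.e. the number of error indicators e_i the PBOPT instance would set to 1."""
    costs = {}
    for key in range(1 << 16):
        c, predicted = encrypt_with_leaks(key, pt)
        if c == ct:
            costs[key] = sum(p != o for p, o in zip(predicted, observed))
    return costs


def asca_recover(costs):
    """SAT-style ASCA: every leak is a hard clause, so only zero-error keys survive."""
    return sorted(k for k, c in costs.items() if c == 0)


def tasca_recover(costs):
    """TASCA: minimise the error count instead. Returns (min_cost, keys attaining it)."""
    if not costs:
        return None, []
    best = min(costs.values())
    return best, sorted(k for k, c in costs.items() if c == best)


def leak_constraints_opb(observed):
    """The error-tolerant leak constraints in OPB syntax (variables x1, x2, ...).
    x1..xN are the error indicators e_i, x(N+4i+1)..x(N+4i+4) the four bits of
    the nibble behind leak i; the cipher equations tying those bits to the key
    bits are the rest of the instance and are not generated here. With e_i = 0
    both rows force HW == leak_i; with e_i = 1 the +4 slack disables them at a
    cost of 1 in the objective."""
    n = len(observed)
    lines = [f"* #variable= {5 * n} #constraint= {2 * n}",
             "min: " + " ".join(f"+1 x{i + 1}" for i in range(n)) + " ;"]
    for i, hw in enumerate(observed):
        bits = [f"x{n + 4 * i + b + 1}" for b in range(4)]
        lines.append(" ".join(f"+1 {v}" for v in bits) + f" +4 x{i + 1} >= {hw} ;")
        lines.append(" ".join(f"-1 {v}" for v in bits) + f" +4 x{i + 1} >= {-hw} ;")
    return "\n".join(lines)


def demo(key=0x2B7E, pt=0x3243, bad_leaks=(3, 11)):
    """Constructed trace: the true leaks with 2 of 16 values corrupted (12.5%)."""
    ct, observed = encrypt_with_leaks(key, pt)
    for i in bad_leaks:
        observed[i] = (observed[i] + 1) % 5   # replace by a different, valid HW
    costs = score_keys(pt, ct, observed)
    min_cost, pb_keys = tasca_recover(costs)
    return {"true_key_survives_sat": key in asca_recover(costs),
            "min_cost": min_cost, "true_key_in_tasca": key in pb_keys,
            "tasca_candidates": pb_keys}


if __name__ == "__main__":
    print(demo())
    print(leak_constraints_opb([2, 3, 1]))
```

Running it shows the zero-error (SAT-style) formulation rejecting the true key as soon as a single leak is wrong, while minimising the error count recovers it at cost 2. Replacing the exhaustive loop with a pseudo-Boolean solver on the full OPB instance is what lets the same formulation scale from this 16-bit toy to real ciphers.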


Keywords: Algebraic attacks, power analysis, side-channel attacks, pseudo-Boolean optimization


References

  1. IEEE standard VHDL language reference manual. IEEE Std 1076-2008 (Revision of IEEE Std 1076-2002), pp. c1–626 (2009)
  2. Achterberg, T.: Constraint Integer Programming. PhD thesis, Technische Universität Berlin (2007)
  3. Berthold, T., Heinz, S., Pfetsch, M.E.: Nonlinear pseudo-boolean optimization: Relaxation or propagation? In: Kullmann, O. (ed.) SAT 2009. LNCS, vol. 5584, pp. 441–446. Springer, Heidelberg (2009)
  4. Berthold, T., Heinz, S., Pfetsch, M.E., Winkler, M.: SCIP – solving constraint integer programs. In: SAT 2009 competitive events booklet (2009)
  5. Bertsimas, D., Weismantel, R.: Optimization Over Integers. Dynamic Ideas (2005)
  6. Canright, D.: A very compact S-Box for AES. In: Rao, J.R., Sunar, B. (eds.) CHES 2005. LNCS, vol. 3659, pp. 441–455. Springer, Heidelberg (2005)
  7. Courtois, N., Bard, G.V., Wagner, D.: Algebraic and slide attacks on KeeLoq. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 97–115. Springer, Heidelberg (2008)
  8. Daemen, J., Rijmen, V.: AES proposal: Rijndael (1998)
  9. Dawson, S.: Code hopping decoder using a PIC16C56. Microchip confidential, leaked online in 2002 (1998)
  10. Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., Manzuri Shalmani, M.T.: On the power of power analysis in the real world: A complete break of the Keeloq code hopping scheme. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 203–220. Springer, Heidelberg (2008)
  11. Karlof, C., Wagner, D.: Hidden Markov model cryptanalysis. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 17–34. Springer, Heidelberg (2003)
  12. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
  13. Mangard, S.: A simple power-analysis (SPA) attack on implementations of the AES key expansion. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 343–358. Springer, Heidelberg (2003)
  14. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards (Advances in Information Security). Springer, New York (2007)
  15. Manquinho, V., Roussel, O.: Pseudo-boolean competition 2009 (July 2009)
  16. Massacci, F., Marraro, L.: Logical cryptanalysis as a SAT problem. J. Autom. Reason. 24(1-2), 165–203 (2000)
  17. Potlapally, N.R., Raghunathan, A., Ravi, S., Jha, N.K., Lee, R.B.: Aiding side-channel attacks on cryptographic software with satisfiability-based analysis. IEEE Trans. on VLSI Systems 15(4), 465–470 (2007)
  18. Renauld, M., Standaert, F.-X., Veyrat-Charvillon, N.: Algebraic side-channel attacks on the AES: Why time also matters in DPA. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 97–111. Springer, Heidelberg (2009)
  19. Satyanarayana, H.: AES128 package (December 2004)
  20. Viterbi, A.: Error bounds for convolutional codes and an asymptotically optimum decoding algorithm. IEEE Transactions on Information Theory 13(2), 260–269 (1967)
  21. Wunderling, R.: Paralleler und objektorientierter Simplex-Algorithmus. PhD thesis, Technische Universität Berlin (1996)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Yossef Oren (1)
  • Mario Kirschbaum (2)
  • Thomas Popp (2)
  • Avishai Wool (1)
  1. Computer and Network Security Lab, School of Electrical Engineering, Tel-Aviv University, Ramat Aviv, Israel
  2. Institute for Applied Information Processing and Communications, Graz University of Technology, Austria