Multiple-Differential Side-Channel Collision Attacks on AES

Andrey Bogdanov

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

Abstract

In this paper, two efficient multiple-differential methods to detect collisions in the presence of strong noise are proposed: binary and ternary voting. Once collisions have been detected, the cryptographic key can be recovered from them using recent cryptanalytic techniques such as linear [1] and algebraic [2] collision attacks. We refer to this combination of collision detection methods and cryptanalytic techniques as multiple-differential collision attacks (MDCA). When applied to AES, MDCA using binary voting without profiling requires about 2.7 to 13.2 times fewer traces than Hamming-weight based CPA for the same implementation. MDCA on AES using ternary voting with profiling and linear key recovery clearly outperforms CPA, requiring only about 6 online measurements over the range of noise amplitudes for which CPA requires from 163 to 6912 measurements. These attacks do not require the S-box to be known. Moreover, neither the key nor the plaintexts have to be known to the attacker in the profiling stage.
Original language: English
Title of host publication: Proceedings of 10th International Workshop on Cryptographic Hardware and Embedded Systems – CHES 2008
Volume: 5154
Publication date: 2008
Pages: 30-44
Publication status: Published - 2008
Externally published: Yes
Event: 10th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2008) - Washington, United States
Duration: 10 Aug 2008 to 13 Aug 2008
Conference number: 10

Workshop

Workshop: 10th International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2008)
Number: 10
Country/Territory: United States
City: Washington
Period: 10/08/2008 to 13/08/2008
Series: Lecture Notes in Computer Science
Volume: 5154
ISSN: 0302-9743
