Cold Boot Key Recovery by Solving Polynomial Systems with Noise

Similar documents
Algebraic Techniques in Differential Cryptanalysis

Attacking AES via SAT

Enhancing the Signal to Noise Ratio

How Fast can be Algebraic Attacks on Block Ciphers?

Algebraic Techniques in Differential Cryptanalysis

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Algebraic Aspects of Symmetric-key Cryptography

A Polynomial Description of the Rijndael Advanced Encryption Standard

Cold Boot Attacks in the Discrete Logarithm Setting

An Algebraic Framework for Cipher Embeddings

Better Algorithms for MSB-side RSA Reconstruction

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Chapter 1 - Linear cryptanalysis.

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity

Royal Holloway University of London

Solving LWE with BKW

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

Block Ciphers and Systems of Quadratic Equations

Code-based public-key encryption resistant to key leakage

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Statistical and Linear Independence of Binary Random Variables

Differential-Linear Cryptanalysis of Serpent

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

Algebraic properties of SHA-3 and notable cryptanalysis results

Essential Algebraic Structure Within the AES

Linear Cryptanalysis of Reduced-Round PRESENT

A Five-Round Algebraic Property of the Advanced Encryption Standard

Analysis of SHA-1 in Encryption Mode

Extended Criterion for Absence of Fixed Points

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Security of the AES with a Secret S-box

Cryptanalysis of PRESENT-like ciphers with secret S-boxes

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Bitslice Ciphers and Power Analysis Attacks

state-recovery analysis of spritz

SMASH - A Cryptographic Hash Function

The Advanced Encryption Standard

Mixed-integer Programming based Differential and Linear Cryptanalysis

MILP-aided Cryptanalysis of Round Reduced ChaCha

Differential Attack on Five Rounds of the SC2000 Block Cipher

Improved Key Recovery Algorithms from Noisy RSA Secret Keys with Analog Noise

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Revisit and Cryptanalysis of a CAST Cipher

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Affine equivalence in the AES round function

Classical hardness of Learning with Errors

RSA meets DPA: Recovering RSA Secret Keys from Noisy Analog Data

CS Topics in Cryptography January 28, Lecture 5

Recovering RSA Secret Keys from Noisy Key Bits with Erasures and Errors

Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Introduction to Symmetric Cryptography

On Multiple Linear Approximations

Analysis of cryptographic hash functions

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

SMASH - A Cryptographic Hash Function

Cryptanalysis of a homomorphic public-key cryptosystem over a finite group

A Sound Method for Switching between Boolean and Arithmetic Masking

On the Security of NOEKEON against Side Channel Cube Attacks

A New Algorithm to Construct. Secure Keys for AES

Intro to Physical Side Channel Attacks

Chapter 2 - Differential cryptanalysis.

Computational and Algebraic Aspects of the Advanced Encryption Standard

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

New Combined Attacks on Block Ciphers

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Practical Fully Homomorphic Encryption without Noise Reduction

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song

Algebraic Precomputations in Differential and Integral Cryptanalysis

observations on the simon block cipher family

Cryptanalysis of the Stream Cipher ABC v2

New polynomials for strong algebraic manipulation detection codes 1

Linear Cryptanalysis Using Multiple Linear Approximations

PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

State Recovery Attacks on Pseudorandom Generators

McBits: Fast code-based cryptography

Linear Cryptanalysis of RC5 and RC6

Block Ciphers and Side Channel Protection

Structural Cryptanalysis of SASAS

Differential Power Analysis Attacks Based on the Multiple Correlation Coefficient Xiaoke Tang1,a, Jie Gan1,b, Jiachao Chen2,c, Junrong Liu3,d

GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay

Collision Attack on Boole

A new version of the RC6 algorithm, stronger against χ 2 cryptanalysis

Perfectly secure cipher system.

Type 1.x Generalized Feistel Structures

Some security bounds for the DGHV scheme

AES side channel attacks protection using random isomorphisms

Concurrent Error Detection in S-boxes 1

Cryptanalysis of Grain

Reconstruction and Error Correction of RSA Secret Parameters from the MSB Side

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Security of Random Feistel Schemes with 5 or more Rounds

Structural Cryptanalysis of SASAS

Symmetric Crypto Systems

Transcription:

Cold Boot Key Recovery by Solving Polynomial Systems with Noise Martin R. Albrecht 1 & Carlos Cid 2 Team Salsa, LIP6, UPMC Information Security Group, Royal Holloway, University of London DTU, 04. April 2011

Outline Coldboot Attacks Polynomial System Solving with Noise Mixed Integer Programming Application

Outline Coldboot Attacks Polynomial System Solving with Noise Mixed Integer Programming Application

Coldboot Attacks I In [5] a method for extracting cryptographic key material from DRAM used in modern computers was proposed. Contrary to popular belief information in DRAM is not instantly lost when the power is cut, but decays slowly over time. This decay can be further slowed down by cooling the chip. Thus, an attacker can 1. deep-freeze a DRAM module 2. move it to a target machine which dumps the content to disk 3. find the most likely key candidate (which is erroneous due to decay) 4. use some mechanism to correct those errors The technique is called Coldboot attack in literature.

Coldboot Attacks II Definition (The Coldboot Problem) We are given 1. K : F n 2 FN 2 where N > n, 2. two real numbers 0 δ 0, δ 1 1, 3. K = KS(k) and K i the i-th bit of K. 4. K = (K 0, K 1,..., K N 1 ) FN 2 with the following distribution: Pr[K i = 0 K i = 0] = 1 δ 1, Pr[K i = 1 K i = 0] = δ 1, Pr[K i = 1 K i = 1] = 1 δ 0, Pr[K i = 0 K i = 1] = δ 0. 5. and some control function E : F n 2 {True, False}, which returns true for the pre-image of the noise free version of K. The task is to recover k such that E(k) returns True or a noise-free K. The Coldboot problem is equivalent to decoding a (non-)linear code with biased noise.

Coldboot Attacks III A bit K i = 0 of K is correct with probability Pr[K i = 0 K i = 0] = Pr[K i = 0 K i = 0]Pr[K i = 0] Pr[K i = 0] Likewise, a bit K i = 1 of K is correct with probability denote these values by 0 and 1 respectively. = (1 δ 1) (1 δ 1 + δ 0 ). (1 δ 0) (1 δ 0+δ 1). We

Coldboot Attacks IV Results in [5]: Cipher δ 0 δ 1 Success Time DES 0.10 0.001 100% DES 0.50 0.001 98% AES 0.15 0.001 100% 1s AES 0.30 0.001 100% 30s Can we do better and can we recover keys for more complicated key schedules like Serpent?

Outline Coldboot Attacks Polynomial System Solving with Noise Mixed Integer Programming Application

PoSSo We define polynomial system solving (PoSSo) as the problem of finding a solution to a system of polynomial equations over some field. Definition (PoSSo) Consider the set F = {f 0,..., f m 1 } where each f i F[x 0,..., x n 1 ]. A solution to F is any point x F n such that f i F : f i (x) = 0. Note, that we restrict ourselves to solutions in the base field here.

Max-PoSSo I We can define a family of Max-PoSSo problems, analogous to the well known Max-SAT family of problems. http://en.wikipedia.org/wiki/max-sat

Max-PoSSo II Definition (Max-PoSSo) Find a point x F n which satisfies the maximum number of polynomials in F = {f 0,..., f m 1 } F[x 0,..., x n 1 ].

Max-PoSSo III Definition (Partial Max-PoSSo) Find a point x F n such that for two sets of polynomials H and S in F[x 0,..., x n 1 ] f H : f (x) = 0 and the number of polynomials f S with f (x) = 0 is maximised. Max-PoSSo is Partial Max-Posso with H =. H for hard and S for soft. Both terms are borrowed from Partial Max-SAT.

Max-PoSSo IV Definition (Partial Weighted Max-PoSSo) Find a point x F n such that f H : f (x) = 0 and f S C(f, x) is minimized where C : f S, x F n R 0 is a cost function which returns 0 if f (x) = 0 and some value > 0 if f (x) 0. Partial Max-PoSSo is Weighted Partial Max-PoSSo where C(f, x) returns 1 if f (x) 0 for all f S.

Coldboot as Partial Weighted Max-PoSSo Let F K be an equation system corresponding to K. Assume that for each noisy output bit K i there is some f i F K of the form g i + K i where g i is some polynomial. Assume that these are the only polynomials involving output bits. Denote the set of these polynomials S. Denote the set of all remaining polynomials F K as H. Define the cost function C as a function which returns 1 1 0 for K i = 0, f (x) 0, 1 1 1 for K i = 1, f (x) 0, 0 otherwise. Express E as a polynomial system which is satisfiable for k only and add these polynomials to H.

Other Applications RFID authentication protocols often based on the LPN problem which is easily described as a Max-PoSSo problem. Homomorphic Gentry s scheme rests on the LWE problem which is easily described as a Max-PoSSo problem. Side-Channel data leakage is often noisy. Alg. Attacks can be improved by simplifying equation systems using probabilistic equations.

Outline Coldboot Attacks Polynomial System Solving with Noise Mixed Integer Programming Application

Mixed Integer Programming I Integer optimization deals with the problem of minimising (or maximising) a function in several variables subject to linear equality and inequality constraints and integrality restrictions on some or all of the variables. Definition (MIP) A linear mixed-integer programming problem (MIP) is defined as a problem of the form where min x {c T x Ax b, x Z k R l } A is an m n-matrix (n = k + l), b is an m-vector and c is an n-vector.

Mixed Integer Programming II Example Maximise x + 5y, thus c = (1, 5), subject to the constraints x + 0.2y 4 and 1.5x + 3y 4 where x 0 is real valued and y 0 is integer valued. The optimal value for c T x is 5 2 3 for x = 2 3 and y = 1. sage : p = M i x e d I n t e g e r L i n e a r P r o g r a m ( ) sage : x, y = p. n e w v a r i a b l e ( ), p. n e w v a r i a b l e ( ) sage : p. s e t i n t e g e r ( y [ 0 ] ) sage : p. a d d c o n s t r a i n t ( x [ 0 ] + 0. 2 y [ 0 ], max=4) sage : p. a d d c o n s t r a i n t ( 1. 5 x [ 0 ] + 3 y [ 0 ], max=4) sage : p. s e t m i n ( x [ 0 ], 0 ) ; p. s e t m i n ( y [ 0 ], 0 ) sage : p. s e t o b j e c t i v e ( x [ 0 ] + 5 y [ 0 ] ) sage : p. s o l v e ( ) 5. 6666666666666661

PoSSo as MIP I Consider some f F 2 [x 0,..., x n 1 ] and let Z a function that takes a polynomial over F 2 lifts it to the integers. Analogous for elements in F 2. 1. Restrict all x i to binary values. 2. Let l be zero if 1 does not appear in f and one otherwise.them 3. Let w be the number of monomials in f and u = 2 w/2. 4. Introduce some integer variable 0 m u 2. 5. Replace each monomial in f 2m by a new linearised variable, call the result g and add the linear constraint g = 0. 6. For each monomial t = N i=1 x i add a constraint xi t and add a constraint 0 N i=1 x i t N 1. This is the Integer Adapted Standard Conversion [2].

PoSSo as MIP II Example Consider f = ac + a + b + c + 1 u = 2 1. g = M + a + b + c + 1 2m = 0 2. a M 3. c M 4. 0 a + c M 1

PoSSo as MIP III sage : a t t a c h anf2mip. py sage : B.<a, b, c> = B o o l e a n P o l y n o m i a l R i n g ( ) sage : f = a c + a + b sage : bc = B o o l e a n P o l y n o m i a l M I P C o n v e r t e r ( ) sage : p = bc. i n t e g e r a d a p t e d s t a n d a r d c o n v e r s i o n ( [ f ] ) ; p Mixed I n t e g e r Program ( m i n i m i z a t i o n,... sage : p. show ( ) M i n i m i z a t i o n : x 1 +x 2 +x 3 +x 4 C o n s t r a i n t s : 0 <= 2 x 0 +x 1 +x 2 +x 3 <= 0 1 <= x 2 1 x 3 <= 0 1 <= x 2 1 x 4 <= 0 0 <= 1 x 2 +x 3 +x 4 <= 1 V a r i a b l e s : x 0 i s an i n t e g e r v a r i a b l e ( min =0.0, max=1.0) x 1 i s an b o o l e a n v a r i a b l e ( min =0.0, max=1.0) x 2 i s a r e a l v a r i a b l e ( min =0.0, max=1.0) x 3 i s an b o o l e a n v a r i a b l e ( min =0.0, max=1.0) x 4 i s an b o o l e a n v a r i a b l e ( min =0.0, max=1.0)

PoSSo as MIP IV sage : a t t a c h anf2mip. py sage : B.<a, b, c> = B o o l e a n P o l y n o m i a l R i n g ( ) sage : f = a c + a + b + 1 sage : g = a + c + 1 sage : p = bc. i n t e g e r a d a p t e d s t a n d a r d c o n v e r s i o n ( [ f ] ) ; p Mixed I n t e g e r Program (... sage : p. s o l v e ( ) 1. 0 sage : bc. s o l v e ( [ f ] ) CPU Time : 0. 0 0 Wall time : 0. 0 0, Obj : 1. 0 0 {b : 1, c : 0, a : 0} sage : bc. s o l v e ( [ f, g ], s o l v e r= SCIP ) CPU Time : 0. 0 0 Wall time : 0. 0 0, Obj : 1. 0 0 {b : 0, c : 0, a : 1}

Partial Weighted Max-PoSSo as MIP We only need to consider Partial Weighted Max-PoSSo because it is the most general case: Convert each f H to linear constraints as before. For each f i S add a new binary slack variable e i to f i and convert the resulting polynomial as before. The objective function we minimise is c i e i where c i is the value of C(f, x) for some x such that f (x) 0. Any optimal solution x S will be an optimal solution to the Partial Weighted Max-PoSSo problem.

Coldboot as MIP Coldboot Partial Weighted Max-PoSSo MIP This approach is essentially the non-linear generalisation of decoding random linear codes with linear programming [4].

Outline Coldboot Attacks Polynomial System Solving with Noise Mixed Integer Programming Application

Simplifications We do not model E since its representation is often too costly; consequently we have no guarantee that the optimal k returned is indeed the k we are looking for. We do not include all equations available to us but restrict our attention to a subset (e.g. one or two rounds). We may use an aggressive modelling strategy where we assume δ 1 = 0 which allows us to promote some polynomials from S to H. The normal modelling assumes δ 1 = 0 + ɛ.

AES [3] I Core Core

AES [3] II Most of the key schedule is linear. The original key k appears in the output. The S-box size is 8-bit (explicit degree: 7).

AES [3] III N δ 0 aggr limit t r min t avg. t max t 2 0.05 3600.00 59% 50.80 s 2124.90 s 3600.00 s 3 0.15 + 60.0s 63% 1.38 s 8.84 s 41.66 s 4 0.15 + 60.0s 70% 1.78 s 11.77 s 59.16 s 4 0.30 + 600.0s 66% 4.81 s 116.07 s 600.00 s 4 0.30 + 3600.0s 69% 4.86 s 117.68 s 719.99 s 4 0.35 + 600.0s 65% 4.66 s 185.14 s 600.00 s 4 0.35 + 3600.0s 68% 4.45 s 207.07 s 1639.55 s 4 0.40 + 600.0s 47% 4.95 s 284.99 s 600.00 s 4 0.40 + 3600.0s 61% 4.97 s 481.99 s 3600.00 s 5 0.40 + 3600.0s 62% 7.72 s 704.33 s 3600.00 s 4 0.50 + 3600.0s 8% 6.57 s 3074.36 s 3600.00 s 4 0.50 + 7200.0s 13% 6.10 s 5882.66 s 7200.00 s Table: AES considering N rounds of key schedule output.

Serpent [1] I w 8 w 7 w 6 w 5 w 4 w 3 w 2 w 1 φ i w i 8 w i 7 w i 6 w i 5 w i 4 w i 3 w i 2 w i 1 w i 11 w i w i+1 w i+2 w i+3 S k i k i+1 k i+2 k i+3

Serpent [1] II All key schedule output bits depend non-linearly on the input. The original key k does not appear in the output. The S-box size is 4-bit (explicit degree: 3).

Serpent [1] III N δ 0 aggr limit t r min t avg. t max t 12 0.05 600.0s 37% 8.22 s 457.57 s 600.00 s 12 0.15 + 60.0s 84% 0.67 s 11.25 s 60.00 s 16 0.15 + 60.0s 79% 0.88 s 13.49 s 60.00 s 16 8 0.15 + 1800.0s 64% 95.52 s 1089.80 s 1800.00 s 16 0.30 + 600.0s 74% 1.13 s 57.05 s 425.48 s 16 0.50 + 1800.0s 21% 135.41 s 1644.53 s 1800.00 s 16 0.50 + 3600.0s 38% 136.54 s 2763.68 s 3600.00 s Table: Serpent considering 32 N bits of key schedule output

Serpent [1] IV Ad-hoc approach: We wish to recover a 128-bit key, so we need to consider at least 128-bit of output. On average the noise free output should have 64 bits set to zero. In order to consider an error rate up to δ 0, we have to consider δ 0 64 i=0 candidates and test them. If δ 0 = 0.15 we have 2 36.87. If δ 0 = 0.30 we have 2 62. ( ) 64 + δ0 64 i

Thank you for your attention!

Literature I Eli Biham, Ross J. Anderson, and Lars R. Knudsen. Serpent: A new block cipher proposal. In S. Vaudenay, editor, Fast Software Encryption 1998, volume 1372 of Lecture Notes in Computer Science, pages 222 238. Springer Verlag, 1998. Julia Borghoff, Lars R. Knudsen, and Mathias Stolpe. Bivium as a Mixed-Integer Linear programming problem. In Matthew G. Parker, editor, Cryptography and Coding 12th IMA International Conference, volume 5921 of Lecture Notes in Computer Science, pages 133 152, Berlin, Heidelberg, New York, 2009. Springer Verlag. Joan Daemen and Vincent Rijmen. AES Proposal: Rijndael, 9 1999. Available at http://csrc.nist.gov/cryptotoolkit/aes/ rijndael/rijndael-ammended.pdf.

Literature II Jon Feldman. Decoding Error-Correcting Codes via Linear Programming. PhD thesis, Massachusetts Institute of Technology, 2003. J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Lest we remember: Cold boot attacks on encryption keys. In Proceedings of 17th USENIX Security Symposium, pages 45 60, 2008.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback