Improved Side Channel Attack on the Block Cipher NOEKEON

Improved side channel attack on the block cipher NOEKEON

Changyong Peng a Chuangying Zhu b Yuefei Zhu a Fei Kang a aZhengzhou Information Science and Technology Institute,Zhengzhou, China, Email: [email protected],[email protected],[email protected],k [email protected] bSchool of Computer and Control, Guillin University of Electronic Technology, Guilin, China

Abstract NOEKEON is a block cipher having key-size 128 and block size 128,proposed by Daemen, J et al.Shekh Faisal Abdul-Latip et al. give a side channel attack(under the single bit leakage model) on the cipher at ISPEC 2010.Their analysis shows that one can recover the 128-bit key of the cipher, by considering a one-bit information leakage from the internal state after the second round, with time complexity of O(268) evaluations of the cipher, and data complexity of about 210 chosen plaintexts.Our side channel attack improves upon the previous work of Shekh Faisal Abdul-Latip et al. from two aspects. First, we use the Hamming weight leakage model(Suppose the Hamming weight of the lower 64 bits and the higher 64 bits of the output of the ﬁrst round can be obtained without error) which is a more relaxed leakage assumption, supported by many previously known practical results on side channel attacks, compared to the more challenging leakage assumption that the adversary has access to the ”exact” value of the internal state bits as used by Shekh Faisal Abdul-Latip et al. Second, our attack has also a reduced complexity compared to that of Shekh Faisal Abdul-Latip et al. Namely, our attack of recovering the 128-bit key of NOEKEON has a time complexity 20.1 seconds on a PC with 2.6 GHZ CPU and 8G RAM and data complexity of 99 known plaintexts; whereas, that of Shekh Faisal Abdul-Latip et al. has time complexity of O(268) and needs about 210 chosen plaintexts. Keywords: NOEKEON, symbolic computation, Grobner¨ Basis, side channel attack, algebraic-side channel attack, method of formal coding-side channel attack

1. Introduction and Shamir in [2] which was used to attack the block cipher PRESENT[5,6,7], NOEKEON [9],and the Classical cryptanalysis generally considers adver- ASCA(Algebraic-Side Channel Attack) proposed by saries getting black box access to the cryptographic Renauld et al. in [3,4]. primitives they target, e.g. the inputs and outputs of In this paper,we propose the Method of Formal a block cipher. However,considering the practical im- Coding-Side Channel Attack(MFCSCA) by combing plementations of a block cipher, especially in resource the method of formal coding and side channel at- limited systems such as smart cards, there is a stronger tack.The idea of MFC[10] is to ﬁnd the algebraic ex- attack model, namely the side channel attack model, pression of each bit in the ciphertext as an XOR sum where the adversary is given more power by having ac- of products of the bits of the plaintext and the mas- cess to some limited information leaked about the in- ter key.The XOR-sum form of the ciphertext is also ternal state of the cipher. This information leakage can known as the algebraic normal form(ANF).The for- be via physical side channels, such as timing, electrical mal manipulations of these expressions may decrease power consumption, electromagnetic radiation, prob- the key search eﬀort.Schaumuller-Bichl [11,12] stud- ing, etc. ied this method and concluded that it requires an enor- One of a recent trend is to combine the classi- mous amount of computer memory which makes the cal cryptanalysis such as algebraic cryptanalysis with whole approach impractical.However,by combing with side channel attacks, e.g. the work of Bogdanov, side channel attack,especially when the leaked informa- Kizhvatov and Pyshkin at INDOCRYPT 2008 [1], tion comes from earlier rounds,MFC is practical.The the side channel cube attack introduced by Dinur idea of MFCSCA is to give the explicit algebraic ex-

Preprint submitted to October 15, 2012 pressions of the leaked information,with the plaintext 2. Description of the Method of Formal Coding-Side bits and master key bits as variables.These algebraic Channel Attack(MFCSCA) expressions can be obtained by modern symbolic computation software such as Mathematica[16].If the alge- MFCSCA can also be thought of an extended version braic expressions are not very complex,the correspond- of algebraic-side channel[3,4].Algebraic side-channel ing equation system can be solved by Grobner¨ basis- attacks are made of three separate steps. based method [15] or using a SAT solver as in [14].We (1)Offline phase 1: algebraic description of the cryp- selected Grobner¨ basis-based method in this paper. tosystem. (2)Online measurement phase to obtain leaked infor- As an application, we exhibit an MFCSCA attack mation. against the block cipher NOEKEON. (3)Offine phase 2: equation system solving by SAT Comparing Side Channel Cube attack of [9] with Our method. attack. The leakage model used by Shekh Faisal Abdul- MFCSCA has also the above 3 steps.Howerver,the Latip et al. [9] assumes that adversary has access to the step 1 and 2 of MFCSCA is different from that of exact value of some of the internal state bits after each ASCA. round. We note that obtaining the exact value of the in- In step (1) of ASCA,the algebraic description of a ternal state bits in practice will require a probe station block cipher consists of two parts:one is the equation that allows the attacker to monitor the value of a specific system following the idea of algebraic attack[13].This bit position in the internal state during the encryption is an implicit equation system by setting the interme- or decryption process. This implies an intrusive physi- diate state as variables.The other is the equation system cal measurement and is known to involve a wide range generated from the leaked Hamming weight.In MFC- of difficulties such as penetrating the device to access SCA,we first give the direct explicit representation of its internals and guessing which bit position is being the outputs of earlier rounds of a block cipher in terms recorded. To relax the leakage model, in contrast, we of the bits of plaintext and master key.This is just the assume the Hamming weight leakage as a more com- idea of the method of formal coding.This can be done mon side channel leakage model, e.g. see [18-22].In with the help of symbolic computation software such as this paper,we suppose that the Hamming weight of the Mathematica [16].Then the Hamming weight(mod 2) of lower 64 bits and the higher 64 bits of the output of the the outputs can be explicitly represented by the bits of first round can be obtained without error. In this paper plaintext and master key. we do not consider these specific issues and counter- In step (3) of ASCA,SAT solving technique [14] is measures about the actual physical aspects of the im- used to find the solution of the equation system.In step plementation attacks and how information leakage can (3) of MFCSCA,we choose Grobner¨ basis-based [15] be measured. Rather, we assume the Hamming weight methods to find the solution. leakage side channel model as an abstract attack model, and concentrate on investigating the security of ciphers 3. Experimental results–Method of formal coding- against MFCSCA attacks in this attack model. side channel attack on NOEKEON Our side channel attack improves upon the previous work of Shekh Faisal Abdul-Latip et al. from two 3.1. Description of NOEKEON aspects. First, we use the Hamming weight leakage NOEKEON is an iterated 128-bit block cipher with model which is a more relaxed leakage assumption, sup- 128-bit keys, which runs in 16 rounds. Each round ported by many previously known practical results on consists of some subfunctions, a linear function called side channel attacks, compared to the more challenging Theta, three rotations called Pi1, 32 parallel 4-bit leakage assumption that the adversary has access to the S-box(see Table 1) lookups called Gamma and three ”exact” value of the internal state bits as used by Shekh rotations called Pi2. All functions take a 128-bit text Faisal Abdul-Latip et al. Second, our attack has also input. The function Theta takes as input also the a reduced complexity compared to that of Shekh Faisal 128-bit round key. To avoid round symmetries a round Abdul-Latip et al. Namely, our attack of recovering the constant is added to 32 bits of the ciphertexts in each 128-bit key of NOEKEON has a time complexity 10 round. After the 16 rounds, an output transformation seconds on a PC with 2.6 GHZ CPU and 8G RAM and is applied. This consists of the addition of a round data complexity of 99 known plaintexts; whereas, that constant and a final application of Theta. The output of Shekh Faisal Abdul-Latip et al. has time complexity transformation and the nature of the individual round of O(268) and needs about 210 chosen plaintexts. function components allow for very similar encryption 2 Theta key_, a_ := Module Table 1: Specification of the S-box in the function Gamma. i 0 1 2 3 4 5 6 7 K0, K1, K2, K3, a0, a1, a2, a3, temp , S[i] 7 A 2 C 4 8 F 0 a0@= a 1 ;;D32 ; a1 =@a 33 ;; 64 ; i 8 9 A B C D E F 8a2 = a 65 ;; 96 ; a3 = a 97 ;; 128 < ; S[i] 5 9 1 E 3 D B 6 K0 = key@@ 1 ;; D32D ; K1 =@@key 33 ;;DD64 ; K2 = key@@ 65 ;; D96D ; K3 =@@key 97 ;;DD128 ; temp = a0@@+ a2; DD @@ DD and decryption routines. Figure 1 illustrates the round temp = temp@@ + RotateLeftDD temp,@@8 DD + RotateRight temp, 8 ; function in NOEKEON, where Ci is a round dependent a1 = a1 + temp; a3 = a3 + temp; constant and K0, ..., K3 are the 32-bit subkeys.The @ D a0 = a0 + K0; a1 = a1 + K1; a2 = a2 + K2; least significant byte of C0 to C16 are(in hexideci- @ D mal):80,1b,36,6c,d8,ab,4d,9a,2f,5e,bc,63,c6,97,35,6a,d4. a3 = a3 + K3; temp = a1 + a3; (We refer to [8] for a complete description of the ci- temp = temp + RotateLeft temp, 8 pher). + RotateRight temp, 8 ; r r r r a0 = a0 + temp; a2 = a2 + temp@ ; D Let Ar = a0a1a2a3 denote the 128-bit internal r Return a0, a1,@a2, a3 D Flatten ; state after round r; where ai ’s are 32-bit words, and A0 contains the input plaintext P to the cipher.Then NOEKEON encryption algorithm can be described as @8 < DD follows: Figure 2: Mathematica code of the subfunction Theta of NOEKEON

For r = 0; r < 16; r + + We use the powerful symbolic computation soft- A = Pi2(Gamma(Pi1(Theta(A , K)))); r+1 r ware Mathematica [16] to obtain the result.To ob- A = Theta(A , K) 17 16 tain the algebraic expressions of each bit of B = b0b1...b127, output of the 1st round of NOEKEON,we The specification of NOEKEON [8], provides a key need only give the symbolic encryption code for schedule which converts the 128-bit Master Key (i.e. NOEKEON.This can easily be done with Mathematica the original key) into a 128-bit Working Key, which is in just the same way we write a C encryption code for used in the round function. However, the use of the NOEKEON.First,we give the Mathematica code of each key schedule is optional. If related-key attack scenar- of the subfunctions(Theta,Pi1,Pi2 and Gamma,see fig- ios [23] are not of a concern, then the key schedule is ure 1).The Mathematica code of each of the subfunc- not applied (i.e. the Master Key is used directly as the tions are very simple.We give only the source code of Working Key), and the cipher is called to be used in the Theta here(see figure 2). direct- key mode. Otherwise, it operates in the indirect- The whole symbolic encryption code(in direct-key key mode, where the Master Key is processed by the mode) is given in appendix A.We test the correctness key schedule algorithm to produce the Working Key. of the symbolic encryption code using the test vector given in [24](see Table 2). 3.2. Algebraic expressions of the bits of the output of we use the following Mathematica code to test the the 1st round of NOEKEON correctness of the symbolic encryption code(see appendix A). In this section,we give the algebraic expressions of m = Table[0, {128}]; the bits of the output of the 1st round of NOEKEON k = Table[0, {128}]; with the plaintext bits and master key bits as variables. c = encryption[m, k]; Notation: BaseForm[FromDigits[c, 2], 16] m = Table[1, {128}]; K = k0k1...k127: master key of NOEKEON, { } P = p0 p1...p127 : plaintext of NOEKEON, k = Table[1, 128 ]; B = b0b1...b127 : output of the 1st round of NOEKEON. c = encryption[m, k]; Note:In this paper we number bits from zero BaseForm[FromDigits[c, 2], 16] with bit zero(the most significant bit) on the left of a k = IntegerDigits[16ˆˆb1656851699e29fa24b70148503d2dfc, block or word. 2, 128]; m = IntegerDigits[16ˆˆ2a78421b87c7d0924f26113f1d1349b2, 3 Figure 1: Round function of NOEKEON

2, 128]; c = encryption[m, k]; BaseForm[FromDigits[c, 2], 16]

Table 2: Correctness test result of our symbolic encryption code(in Obtaining the algebraic expressions of the output direct-key mode) for NOEKEON. of the 1st round: key1 00000000000000000000000000000000 plaintext1 00000000000000000000000000000000 Let K = k0k1...k127(pure symbol) be the master key ciphertext1 b1656851699e29fa24b70148503d2dfc and P = p0 p1...p127(pure symbol) be the plaintext of NOEKEON.Then we run the symbolic encryption of our ci- b1656851699e29fa24b70148503d2dfc phertext1 NOEKEON and output the state B = b0b1...b127 after the 1st round. key2 ffffffffffffffffffffffffffffffff The followings(see appendix A for details) are the plaintext2 ffffffffffffffffffffffffffffffff Mathematica code for obtaining the algebraic expres- ciphertext2 2a78421b87c7d0924f26113f1d1349b2 sions of each bit of B = b0b1...b127. our ci- 2a78421b87c7d0924f26113f1d1349b2 phertext2 K = Table[ToExpression[StringJoin[”k”,ToString[i]]], key3 b1656851699e29fa24b70148503d2dfc {i,0,127}]; plaintext3 2a78421b87c7d0924f26113f1d1349b2 P = Table[ToExpression[StringJoin[”p”,ToString[i]]], ciphertext3 e2f687e07b75660ffc372233bc47532c {i,0,127}]; our ci- e2f687e07b75660ffc372233bc47532c c = encryption[P,K,1] phertext3

Here, encryption[P,K,1] means the output B = b0b1...b127 of round 1. In this way can obtain the algebraic expressions of each bit of B = b0b1...b127. 4 We list only three of them,b0, b63, b127: p96 k35+k43+k59+k67+k99+k107+k123+p35+p43+p59+ b0 = k98 + p2 + p10 + p26 + p66 + p74 + p90 + p98 + k0 + p67 +p99 +p107 +p123 +1 +k63 +p7 +p23 +p31 +p63 +p71 + k32 +k33 +k37 +k40 +k45 +k56 +k61 +k69 +k96 +k98 +k101 + p87 + p95 +k30 +k35 +k38 +k43 +k54 +k59 +k62 +k63 +k67 + k104 +k109 +k120 +k125 +p0 +p1 +p2 +p9 +p10 +p25 +p26 + k96+k99+k102+k107+k118+k123+k126+p0+p7+p8+p23+ p32+p33+p37+p40+p45+p56+p61+p65+p66+p69+p73+ p24+p30+p31+p35+p38+p43+p54+p59+p62+p63+p64+ p74 +p89 +p90 +p96 +p98 +p101 +p104 +p109 +p120 +p125 + p p p p p p p p p p 67 + 71 + 72 + 87 + 88 + 95 + 96 + 99 + 102 + 107 + k98 + p2 + p10 + p26 + p66 + p74 + p90 + p98 +1 k37 +k45 + p118+p123+p126 +k63+p7+p23+p31+p63+p71+p87+p95. k61 +k69 +k101 +k109 +k125 + p37 + p45 + p61 + p69 + p101 + p109 + p125 +1 + k37 +k45 +k61 +k69 +k101 +k109 +k125 + b127 = k34 + k42 + k58 + k66 + k98 + k106 + k122 + p34 + p37+p45+p61+p69+p101+p109+p125 k33+p1+p9+p25+ p p p p p p k k k k 42 + 58 + 66 + 98 + 106 + 122 34 + 42 + 58 + 66 + p33+p65+p73+p89+ k98+p2+p10+p26+p66+p74+p90+ k98 +k106 +k122 + p34 + p42 + p58 + p66 + p98 + p106 + p122 + 1 k127 + p7 + p23 + p31 + p71 + p87 + p95 + p127 +1 +k62 + p98 +1 k37 +k45 +k61 +k69 +k101 +k109 +k125 + p37 + p45 + p6 +p22 +p30 +p62 +p70 +p86 +p94 +k29 +k37 +k53 +k61 + p61+p69+p101+p109+p125+1 k33+p1+p9+p25+p33+ k101 +k117 +k125 + p29 + p37 + p53 + p61 + p101 + p117 + p125. p65+p73+p89+ k98+p2+p10+p26+p66+p74+p90+p98+ Note:The correctness of these expressions are 1 k37 +k45 +k61 +k69 +k101 +k109 +k125 + p37 + p45 + p61 + guaranteed by the correctness of the symbolic en- p69+p101+p109+p125+1 + k0+k32+k40+k56+k96+k104+ cryption code on which we have made a correctness test using the test vector in [24] and the encryption k +p +p +p +p +p +p +p + k +k +k + 120 0 32 40 56 96 104 120 37 45 61 code for digital encryption and symbolic encryption k +k +k +k + p + p + p + p + p + p + 69 101 109 125 37 45 61 69 101 109 are the same. p125 k33 + p1 + p9 + p25 + p33 + p65 + p73 + p89 + k98 + p2 + p10 + p26 + p66 + p74 + p90 + p98 +1 k37 +k45 +k61 +k69 + 3.3. Algebraic expressions of the Hamming weight k k k p p p p p p p 101 + 109 + 125 + 37 + 45 + 61 + 69 + 101 + 109 + 125 + mod2 of the lower half and higher half of the out- 1 +1 k0 +k32 +k33 +k37 +k40 +k45 +k56 +k61 +k69 +k96 + put of the 1st round of NOEKEON k98 +k101 +k104 +k109 +k120 +k125 +p0 +p1 +p2 +p9 +p10 + Based on the algebraic expressions of the output B = p +p +p +p +p +p +p +p +p +p +p + 25 26 32 33 37 40 45 56 61 65 66 b0b1...b127 of the 1st round,we can obtain the algebraic p p p p p p p p p p 69 + 73 + 74 + 89 + 90 + 96 + 98 + 101 + 104 + 109 + expressions of Hamming weight mod2 of the lower half p120 + p125 + k98 + p2 + p10 + p26 + p66 + p74 + p90 + p98 + and higher half of B = b b ...b . 0 1 127 1 k37 +k45 +k61 +k69 +k101 +k109 +k125 + p37 + p45 + p61 + Let hl = b64 ⊕ b65 ⊕ ... ⊕ b127,which is the Ham- ming weight mod2 of the lower 64 bits of the output p69 + p101 + p109 + p125 +1 + k37 +k45 +k61 +k69 +k101 + of round 1,then by summing the expressions of bi, 64 ≤ k109 +k125 + p37 + p45 + p61 + p69 + p101 + p109 + p125 k33 + i ≤ 127,we have p1 + p9 + p25 + p33 + p65 + p73 + p89 + k98 + p2 + p10 + p26 + hl = hl(k , k , ..., k , k , p , p , ..., p ) = 32 33 126 127 0 1 127 p66 + p74 + p90 + p98 +1 k37 +k45 +k61 +k69 +k101 +k109 + k64 +k65 +k66 +k67 +k68 +k69 +k70 +k71 +k72 +k73 +k74 + k75 +k76 +k77 +k78 +k79 +k80 +k81 +k82 +k83 +k84 +k85 + k125 + p37 + p45 + p61 + p69 + p101 + p109 + p125 +1 +1 . k86 +k87 +k88 +k89 +k90 +k91 +k92 +k93 +k94 +k95 + p64 + p65+p66+p67+p68+p69+p70+p71+p72+p73+p74+p75+ b63 = k96 + p0 + p8 + p24 + p64 + p72 + p88 + p96 k35 + p p p p p p p p p p p 76+ 77+ 78+ 79+ 80+ 81+ 82+ 83+ 84+ 85+ 86+ k43+k59+k67+k99+k107+k123+p35+p43+p59+p67+p99+ p87+p88+p89+p90+p91+p92+p93+p94+p95+ k101+p5+ p107 + p123 +1 + k35 +k43 +k59 +k67 +k99 +k107 +k123 + p13 + p29 + p69 + p77 + p93 + p101 +1 k32 +k40 +k48 +k72 + p35+p43+p59+p67+p99+p107+p123 k96+p0+p8+p24+ k k k p p p p p p p 96 + 104 + 112 + 32 + 40 + 48 + 72 + 96 + 104 +112 + p64+p72+p88+p96 k35+k43+k59+k67+k99+k107+k123+ 1 + k102 + p6 + p14 + p30 + p70 + p78 + p94 + p102 +1 k33 + k41+k49+k73+k97+k105+k113+p33+p41+p49+p73+p97+ p35 +p43 +p59 +p67 +p99 +p107 +p123 +1 +k63 +p7 +p23 + p105 + p113 +1 + k103 + p7 + p15 + p31 + p71 + p79 + p95 + p31+p63+p71+p87+p95 +k30+k38+k54+k62+k102+k118+ p103 +1 k34 +k42 +k50 +k74 +k98 +k106 +k114 + p34 + p42 + k126 + p30 + p38 + p54 + p62 + p102 + p118 + p126 +1 k96 + p50+p74+p98+p106+p114+1 + k104+p0+p8+p16+p64+ p0 + p8 + p24 + p64 + p72 + p88 + p96 k35 +k43 +k59 +k67 + k k k p p p p p p p p72 + p80 + p104 +1 k35 +k43 +k51 +k75 +k99 +k107 +k115 + 99 + 107 + 123 + 35 + 43 + 59 + 67 + 99 + 107 + 123 + 1 + k35 +k43 +k59 +k67 +k99 +k107 +k123 +p35 +p43 +p59 + p35+p43+p51+p75+p99+p107+p115+1 + k105+p1+p9+ p67+p99+p107+p123 k96+p0+p8+p24+p64+p72+p88+ p17 + p65 + p73 + p81 + p105 +1 k36 +k44 +k52 +k76 +k100 + 5 k108 +k116 + p36 + p44 + p52 + p76 + p100 + p108 + p116 +1 + k41+k57+k65+k97+k105+k121+p33+p41+p57+p65+p97+ k p p p p p p p k k p105+p121+1 k126+p6+p22+p30+p70+p86+p94+p126+ 106 + 2 + 10 + 18 + 66 + 74 + 82 + 106 +1 37 + 45 + k k k k k p p p p p k p p p p p p p k k 53 + 77 + 101+ 109 + 117 + 37 + 45 + 53 + 77 + 101 + 1 + 99+ 3+ 11+ 27+ 67+ 75+ 91+ 99+1 38+ 46+ p109 + p117 +1 + k107 + p3 + p11 + p19 + p67 + p75 + p83 + k62 +k70 +k102 +k110 +k126 + p38 + p46 + p62 + p70 + p102 + p110 + p126 +1 + k123 + p3 + p19 + p27 + p67 + p83 + p91 + p107 +1 k38 +k46 +k54 +k78 +k102 +k110 +k118 +p38 +p46 + p123 +1 k38 +k54 +k62 +k94 +k102 +k118 +k126 +p38 +p54 + p54 + p78 + p102 + p110 + p118 +1 + k108 + p4 + p12 + p20 + p62 + p94 + p102 + p118 + p126 +1 + k115 + p11 + p19 + p27 + p68 + p76 + p84 + p108 +1 k39 +k47 +k55 +k79 +k103 +k111 + p75 + p83 + p91 + p115 +1 k46 +k54 +k62 +k86 +k110 +k118 + k119 + p39 + p47 + p55 + p79 + p103 + p111 + p119 +1 + k117 + k126 + p46 + p54 + p62 + p86 + p110 + p118 + p126 +1 + k34 + p13 + p21 + p29 + p77 + p85 + p93 + p117 +1 k32 +k48 +k56 + k k k k p p p p p p k42+k58+k66+k98+k106+k122+p34+p42+p58+p66+p98+ 88 + 96+ 112 + 120 + 32 + 48 + 56 + 88 + 96 + 112 + p106+p122+1 k127+p7+p23+p31+p71+p87+p95+p127+ p120 +1 + k109 + p5 + p13 + p21 + p69 + p77 + p85 + p109 + 1 + k100 + p4 + p12 + p28 + p68 + p76 + p92 + p100 +1 k39 + 1 k40 +k48 +k56 +k80 +k104 +k112 +k120 + p40 + p48 + p56 + k47 +k63 +k71 +k103 +k111 +k127 + p39 + p47 + p63 + p71 + p80 + p104 + p112 + p120 +1 + k118 + p14 + p22 + p30 + p78 + p103 + p111 + p127 +1 + k124 + p4 + p20 + p28 + p68 + p84 + p86 + p94 + p118 +1 k33 +k49 +k57 +k89 +k97 +k113 +k121 + p92 +p124 +1 k39 +k55 +k63 +k95 +k103 +k119 +k127 +p39 + p33 + p49 + p57 + p89 + p97 + p113 + p121 +1 + k110 + p6 + p55 + p63 + p95 + p103 + p119 + p127 +1 + k116 + p12 + p20 + p p p p p p k k k k 14 + 22 + 70 + 78 + 86 + 110 +1 41 + 49 + 57 + 81 + p + p + p + p + p +1 k +k +k +k +k + k k k p p p p p p p 28 76 84 92 116 47 55 63 87 111 105 + 113 + 121 + 41 + 49 + 57 + 81 + 105 + 113 + 121 + k119 +k127 + p47 + p55 + p63 + p87 + p111 + p119 + p127 +1 . 1 + k119 + p15 + p23 + p31 + p79 + p87 + p95 + p119 +1 k34 + k k k k k k p p p p p 50+ 58+ 90+ 98+ 114+ 122+ 34+ 50+ 58+ 90+ 98+ Let hh = b0 ⊕ b1 ⊕ ... ⊕ b63,which is the Hamming p114 + p122 +1 + k111 + p7 + p15 + p23 + p71 + p79 + p87 + weight mod2 of the higher 64 bits of the output of round p111 +1 k42 +k50 +k58 +k82 +k106 +k114 +k122 +p42 +p50 + 1.Similarly,we can also obtain its expression,which is p58+p82+p106+p114+p122+1 + k96+p0+p8+p24+p64+ too complex to be given here.Each plaintext variable p72+p88+p96 k35+k43+k59+k67+k99+k107+k123+p35+ and key variable appears in the expression.i.e. we have hh = hh(k0, k1, ..., k126, k127, p0, p1, ..., p127). p43 + p59 + p67 + p99 + p107 + p123 +1 + k120 + p0 + p16 + p24+p64+p80+p88+p120 k35+k51+k59+k91+k99+k115+ 3.4. Improved side channel attack on NOEKEON by k123 + p35 + p51 + p59 + p91 + p99 + p115 + p123 +1 + k112 + MFCSCA In this section,we give our MFCSCA attack on p8 + p16 + p24 + p72 + p80 + p88 + p112 k43 +k51 +k59 +k83 + NOEKEON,which improves the work of Shekh Faisal k107 +k115 +k123 +p43 +p51 +p59 +p83 +p107 +p115 +p123 + Abdul-Latip et al in [9]. We use the Hamming weight 1 + k97+p1+p9+p25+p65+p73+p89+p97+1 k36+k44+ k k k k k p p p p p leakage model.We suppose that the Hamming weight of 60 + 68 + 100+ 108 + 124 + 36 + 44 + 60 + 68 + 100 + the lower 64 bits b64b65...b127 and the higher 64 bits p108 + p124 +1 + k121 + p1 + p17 + p25 + p65 + p81 + p89 + b0b1...b63 of the output of the first round can be ob- p121 +1 k36 +k52 +k60 +k92 +k100 +k116 +k124 +p36 +p52 + tained without error.We give a simulation MFCSCA at- p60 + p92 + p100 + p116 + p124 +1 + k113 + p9 + p17 + p25 + tack on NOEKEON,which shows that the 128-bit key p73 + p81 + p89 + p113 +1 k44 +k52 +k60 +k84 +k108 +k116 + of NOEKEON can be recovered in 10 seconds on a PC with 2.6GHZ cpu and 8G RAM,with 99 known plain- k + p + p + p + p + p + p + p +1 + k + 124 44 52 60 84 108 116 124 32 texts. k +k +k +k +k +k +p +p +p +p +p + 40 56 64 96 104 120 32 40 56 64 96 The simulation attack contains two parts. p104+p120+1 k125+p5+p21+p29+p69+p85+p93+p125+ 1.Recovering k96, k97, ..., k127 with n ≥ 64 1 + k98+p2+p10+p26+p66+p74+p90+p98+1 k37+k45+ known plaintexs,using the expressions of k +k +k +k +k + p + p + p + p + p + 61 69 101 109 125 37 45 61 69 101 hl = hl(k32, k33, ..., k126, k127, p0, p1, ..., p127) in sec- p109 + p125 +1 + k122 + p2 + p18 + p26 + p66 + p82 + p90 + tion 3.3. The simulation steps are as follows: p122 +1 k37 +k53 +k61 +k93 +k101 +k117 +k125 +p37 +p53 + (1)Random choose a key K = k0k1...k127. (2)Random choose n known plaintexts.Encrypt each p61 + p93 + p101 + p117 + p125 +1 + k114 + p10 + p18 + p26 + plaintext with the key in (1) and output the Hamming p74 + p82 + p90 + p114 +1 k45 +k53 +k61 +k85 +k109 +k117 + weight(mod 2) of the lower 64 bits of the output of the k125 + p45 + p53 + p61 + p85 + p109 + p117 + p125 +1 + k33 + 1st round. 6 (3)Using the n Hamming weights(mod Table 3: Summary of side channel attack on NOEKEON h 2) and the expressions of l = Source Leakage Data Com- Recovered h k , k , ..., k , k , p , p , ..., p l( 32 33 126 127 0 1 127) in section model plexity Key 3.3,we can obtain n equations with k , k , ..., k , k 32 33 126 127 [9] A 210 CP 60 bits as variables. this paper B 99 KP 128 bits (4)Output these equations to a text file mg.txt,of Note:CP:Chosen Plaintext;KP:Known Plaintext; which Magma v2.12-16 can find the Grobner¨ basis.Here A:single bit leakage of the output of the second round; we use the lexicographical order for finding the Grobner¨ B:Hamming weight leakage of the lower 64 bits and basis in Magma. higher 64 bits of the output of the 1st round; (5)Use the Magma command ”load mg.txt” to find the Grobner¨ basis of the equation system. The steps (1)-(4) are simulated in Mathematica and step (5) in Magma. which means that k0 = 1, k1 = 0, k2 = 0, k3 = 0, k4 = We have made 100 simulations of (1)-(5) with n = 0, k5 = 1, ..., k92 = 0, k93 = 1, k94 = 1, k95 = 1.The 70.Each time Magma can find 64 bits key,of which the average running time of step (1)-(4) in Mathematica exact value of k96, k97, ..., k127 can be obtained.The av- is 4.8 seconds and the average running time of step erage running time of step (1)-(4) in Mathematica is (5) in Magma is 10.8 seconds on a PC with 2.6GHZ 3.5 seconds and the average running time of step (5) CPU and 8G RAM.Hence the average time of recover- in Magma is less than 1 second on a PC with 2.6GHZ ing k0, k1, ..., k95 is 15.6 seconds and the total time of CPU and 8G RAM.Hence the average time of recover- recovering the 128-bit key is 15.6+4.5=20.1 seconds. ing k96, k97, ..., k127 is 4.5 seconds. We summarize our work and the known side channel attack on NOEKEON in Table 3. Our side channel at- 2.Recovering k0, k1, ..., k95 with another m(i.e. total m + n,denoted by u) known plaintexs,using the ex- tack improves upon the previous work of Shekh Faisal Abdul-Latip et al. from two aspects. First, we use the pressions of hh = hh(k0, k1, ..., k126, k127, p0, p1, ..., p127) Hamming weight leakage model(we suppose the Ham- in section 3.3. Now the variables k96, k97, ..., k127 are replaced by the value obtained in 1. The simulation steps ming weight of the lower 64 bits and the higher 64 bits are as follows: of the output of the first round can be obtained without error) which is a more relaxed leakage assumption, sup- (1)Random choose a key K = k0k1...k127. (2)Random choose u known plaintexts.Encrypt each ported by many previously known practical results on plaintext with the key in (1) and output the Hamming side channel attacks, compared to the more challenging weight(mod 2) of the higher 64 bits of the output of the leakage assumption that the adversary has access to the 1st round. ”exact” value of the internal state bits as used by Shekh (3)Using the u Hamming weights(mod 2) and the ex- Faisal Abdul-Latip et al. Second, our attack has also a reduced complexity compared to that of Shekh Faisal pressions of hh = hh(k0, k1, ..., k126, k127, p0, p1, ..., p127) in section 3.3,we can obtain u equations with Abdul-Latip et al. Namely, our attack of recovering the 128-bit key of NOEKEON has a time complexity k0, k1, ..., k94, k95 as variables(The variables 20.1 seconds on a PC and data complexity of 99 known k96, k97, ..., k127 are replaced by the actual digital value in (1)). plaintexts; whereas, that of Shekh Faisal Abdul-Latip et 68 10 (4)Output these equations to a text file mg.txt,of al. has time complexity of O(2 ) and needs about 2 which Magma v2.12-16 can find the Grobner¨ basis.Here chosen plaintexts. we use the lexicographical order for finding the Grobner¨ basis in Magma. 4. Conclusion (5)Use the Magma command ”load mg.txt” to find the Grobner¨ basis of the equation system. This paper proposes a new method of cryptanalysis The steps (1)-(4) are simulated in Mathematica and of block cipher-MFCSCA,by combining the method of step (5) in Magma. formal coding and side channel attack.The experimental We have made 100 simulations of (1)-(5) with u = result shows that if the Hamming weights of the output 99.Each time Magma can find the Grobner¨ basis of the of the earlier rounds of a block cipher are leaked,then equation system in (3).One running instance of the ob- we can set up explicit equation system about the mas- tained Grobner¨ basis by Magma is: ter key bits.By Grobner¨ basis-based method,we can find the master key.Although the diffusion is not enough,the [k0 +1, k1, k2, k3, k4, k5 +1, ..., k92, k93 +1, k94 +1, k95 +1], Hamming weight of the entire state of earlier rounds 7 may contain all the information concerning the mas- tivariate Polynomials over GF(2) via SAT-Solvers, Cryptology ter key.If enough Hamming weights are leaked,than the ePrint Archive, Report 2007/024. master key can easily be recovered by equation solving [15] G. Ars, J.-C. Faugre, H. Imai, M. Kawazoe, M. Sugita, Com- parison Between XL and Grobner¨ Basis Algorithms, in the pro- technique.The following work is to use MFCSCA to at- ceedings of ASIACRYPT 2004, LNCS, vol 3329, pp 338-353, tack other block ciphers. Jeju Island, Korea, December 2004. [16] http://www.wolfram.com/mathematica/ [17] http://magma.maths.usyd.edu.au/magma/ Appendix A. Symbolic encryption code of [18] Bevan, R., Knudsen, R.: Ways to Enhance Differential Power NOEKEON in Mathematica plat- Analysis. In: Lee, P.J, Lim, C.H. (Eds.) ICISC 2002. LNCS, vol. 2587, pp. 327-342. Springer, Heidleberg (2003) form [19] Clavier, C., Coron, J.S., Dabbous, N.: Differential Power Anal- [1] Bogdanov, A., Kizhvatov, I., Pyshkin, A.: Algebraic Methods ysis in the Presence of Hardware Countermeasures. In: Koc, in Side-Channel Collision Attcks and Practical Collision De- C.K., Paar, C. (Eds.) CHES 2000. LNCS, vol. 1965, pp. 252- tection. In: Chowdhury, D.R., Rijmen, V., Das, A. (Eds.) IN- 263. Springer, Heidelberg (2000) DOCRYPT 2008. LNCS, vol. 5365, pp. 251-265. Springer, Hei- [20] Coron, J.S., Kocher, P., Naccache, D.: Statistics and Secret delberg (2008) Leakage. In: Frankel, Y. (Ed.) FC 2000. LNCS, vol. 1962, pp. [2] Dinur, I., Shamir, A.: Side Channel Cube Attacks on Block 157-173. Springer, Heidelberg (2001) Ciphers. Cryptology ePrint Archive, Report 2009/127 (2009), [21] Akkar, M.L., Bevan, R., Dischamp, P., Moyart, D.: Power http://eprint.iacr.org/2009/127 analysis, what is now possible... In: Okamoto, T. (Ed.) ASI- [3] Mathieu Renauld and Frano¸is-Xavier Standaert. Algebraic Side- ACRYPT 2000. LNCS, vol. 1976, pp. 489-502. Springer, Hei- Channel Attacks. In Feng Bao, Moti Yung, Dongdai Lin, and delberg (2000) Jiwu Jing, editors, Inscrypt, volume 6151 of Lecture Notes in [22] Mayer-Sommer, R.: Smartly Analysis the Simplicity and the Computer Science, pages 393-410. Springer, 2009. Power of Simple Power Analysis on Smartcards. In: Koc, [4] Mathieu Renauld, Frano¸is-Xavier Standaert, and Nicolas C.K., Paar, C. (Eds.) CHES 2000. LNCS, vol. 1965, pp. 78-92. Veyrat-Charvillon. Algebraic Side-Channel Attacks on the AES: Springer, Heidelberg (2000) Why Time also Matters in DPA. In Christophe Clavier and Kris [23] Biham, E.: New Types of Cryptanalytic Attacks Using Related Gaj, editors, CHES, volume 5747 of Lecture Notes in Computer Keys. In: Tor Helleseth (Ed.) EUROCRYPT 1993. LNCS, vol. Science, pages 97-111. Springer, 2009. 7, pp. 229-246. Springer, Heidel- berg (1994) [5] Yang, L., Wang, M., Qiao, S.: Side Channel Cube Attack [24] http://gro.noekeon.org/Noekeon ref.zip on PRESENT. In: Garay, J.A., Miyaji, A., Otsuka, A. (Eds.) CANS 2009. LNCS, vol. 5888, pp. 379-391. Springer, Heidel- berg (2009) [6] Shekh Faisal Abdul-Latip, Mohammad Reza Reyhanitabar, Willy Susilo and Jennifer Seberry.Extended Cubes: Enhancing the cube attack by Extracting Low-Degree Non-linear Equa- tions. In Bruce Cheung, Lucas Chi Kwong Hui, Ravi Sandhu, Duncan S.Wong (Eds.): ASIACCS 2011, pp.296-305,2011. [7] XinJie Zhao, Tao Wang and ShiZe Guo: Improved Side Channel Cube Attacks on PRESENT. Cryptology ePrint Archive, Report 2011/165 (2011), http://eprint.iacr.org/2011/165 [8] Daemen, J., Peeters, M., Van Assche, G.,Rijmen, V.: Nessie Proposal: NOEKEON. First Open NESSIE Workshop (2000), http://gro.noekeon.org [9] Shekh Faisal Abdul-Latip, Mohammad Reza Reyhanitabar, Willy Susilo, and Jennifer Seberry. On the Security of NOEKEON against Side Channel Cube Attacks. ISPEC 2010, LNCS 6047, 2010, pp. 45-55,2010. [10] M. E. Hellman, R. Merkle, R. Schroppel, L. Washington, W. Diffe, S. Pohlig and P. Schweitzer, Results of an Initial Attempt to Cryptanalyze the NBS Data Encryption Standard, Technical Report, SEL 76-042, Stanford university, September 1976. [11] Ingrid Schaumuller-Bichl, Zur Analyse des Data Encryption Standard und Synthese Verwandter Chiffriersysteme, Ph.D. Thesis, Linz university, May 1981. [12] Ingrid Schaumuller-Bichl, Cryptanalysis of the Data Encryption Standard by the Method of Formal Coding, Lecture Notes in Computer Science, Cryptography, proceedings of the Workshop on Cryptography, Burg Feuerstein, Germany, March 29,April 2, pp. 235-255, 1982. [13] Nicolas Courtois and Josef Pieprzyk: Cryptanalysis of Block Ci- phers with Overdefined Systems of Equations, Asiacrypt 2002, LNCS 2501, pp.267-287, Springer. [14] G. Bard, N. Courtois, C. Jefferson, Efficient Methods for Con- version and Solution of Sparse Systems of Low-Degree Mul- 8 theta key_, a_ := Module K0, K1, K2, K3, a0, a1, a2, a3, temp , a0 = a 1 ;; 32 ; a1 = a 33 ;; 64 ; a2 = a 65 ;; 96 ; a3 = a 97 ;; 128 ; K0@= key 1 D;; 32 ; K1@=8 key 33 ;; 64 ; K2 = key 65 ;; 96< ; K3 = key 97 ;; 128 ; temp =@@a0 + a2; DtempD = temp@@+ RotateLeftDD temp@,@8 + RotateRightDD temp@@ , 8 ; DD a1 = a1 +@temp@ ; a3D=D a3 + temp;@a0@ = a0 + K0DD; a1 = a1 +@K1@ ; a2 = a2DD+ K2; @@ DD a3 = a3 + K3; temp = a1 + a3; temp = temp @+ RotateLeftD temp, 8 +@RotateRightD temp, 8 ; a0 = a0 + temp; a2 = a2 + temp; Return a0, a1, a2, a3 Flatten ; pai1 x_ := x 1 ;; 32 , RotateLeft x 33 ;; 64 , 1@ , D @ D RotateLeft x 65 ;; 96 , 5 , RotateLeft@8 x 97 ;;<128 , 2 DD Flatten; gamma@ a_D :=8Module@@ A0D,D A1, A2, A3, tmp@ @@, A0 = a DD1 ;;D32 ; A1 = a 33 ;;@ 64@@ ; A2 = aDD 65D;; 96 ; A3 =@a @@97 ;; 128 DD; D< A1@= A1D + A2 + 1 @*8 A3 + 1 ; A0 = A0 + A1<* A2; tmp@@= A3; A3DD= A0; A0 = tmp; A2 = A2@@+ A0 + A1 +DDA3; A1 = @A1@ + A2 + 1DD * A3 + 1@@; DD A0 = A0 + HA2 * A1L; ReturnH LA0, A1, A2, A3 Flatten ; pai2 x_ := x 1 ;; 32 , RotateRightH Lx H33 ;; L64 , 1 , RotateRight x 65 ;; 96@8 , 5 , RotateRight< x 97D;;D 128 , 2 Flatten; *round@ Dconstant8 @@ of NOEKEONDD * @ @@ DD D rc1 = 128, 27, 54@,@108@ , 216,D171D ,D77, 154, 47, 94@, @188@ , 99, 198DD, 151D<, 53, 106, 212 ; Hrc = Table Table 0, 32 , 17L ; For r8= 1, r £ 17, r++, rc r 25 ;; 32 = IntegerDigits rc1 r , 2, 8 ; < encryption@ m_, key_@ ,8 s_: ToString@ i @, i,D 0, 127D ; Hk = Table ToExpression "k" <> ToString i , i, 0L, 127 ; c = encryption@ m, k, 1 @; @ DD 8