The Latest Attacks on AES, by Mehrdad Abdi. In the name of God, the Most Gracious, the Most Merciful.


1

The Latest Attacks on AES

Mehrdad Abdi

In the name of God, the Most Gracious, the Most Merciful

2

Content

• AES
• Attacks on AES
  – Brute force attack
  – Theoretical attacks
  – Side channel attacks
• Conclusion
• Open problem
• References

3

AES

• Rijndael
  – Rijmen and Daemen
  – First published in 1998

• AES contest
  – AES winner (2001)

4

AES (cont.)

• The three criteria: [1]
  – Resistance against all known attacks
  – Speed and code compactness on a wide range of platforms
  – Design simplicity

• A fixed block size of 128 bits
• A key size of 128, 192, or 256 bits
• Number of rounds: 10, 12, 14

5

AES (cont.)

• Specification
  – Round transformation based on an SP network
  – A simple key scheduler

6

Attacks on AES

7

Brute force

• 2^256 (a 256-bit key) is roughly equal to the number of atoms in the universe
• The largest successful brute force: RC5 with a 64-bit key
  – Distributed networks, 5 years [2]

8

Attacks on AES

• Theoretical attacks
• Side channel attacks

9

XSL

• Multivariate quadratic equations
• Linearization (L) [3]
  – Kipnis and Shamir, 1999
  – HFE
  – Too few equations

• eXtended Linearization (XL) [4]
  – Courtois et al., 2000
  – Complexity: estimates showed that the XL attack would not work against the equations derived from block ciphers such as AES

10

XSL (cont.)

• eXtended Sparse Linearization (XSL) [5]
  – Courtois and Pieprzyk, 2002
  – AES, SERPENT
  – The S-box of AES: an algebraically simple inverse function
  – Only one or two known plaintexts
  – High work factor

11

XSL (cont. )

Rijmen: "The XSL attack is not an attack. It is a dream."

Courtois: "It will become your nightmare."

Cid and Leurent, 2005: the XSL algorithm does not provide an efficient method for solving the AES system of equations.

N!!

12

Related-Key

• Attack based on key scheduler weakness
• Related-key attack
  – Biham, 1992 [6]

• Alex Biryukov: 2^119
  – 2^99.5
  – 2^96
  – 2^35

13

Biclique

• Microsoft Research [7]
• August 2011
• Results:
  – The full AES-128 with computational complexity 2^126.1
  – The full AES-192 with computational complexity 2^189.7
  – The full AES-256 with computational complexity 2^254.4

Why you might want to rename AES-128 to AES-126 in a few minutes

14

Side channel Attacks

• Any attack based on information gained from the physical implementation of a cryptosystem
  – Timing information
  – Power consumption
  – Electromagnetic leaks
  – Sound

15

Side channel Attacks (cont. )

• AES
  – Cache-timing attack, 2005
  – Differential fault analysis, 2010

16

Cache-timing attack

• Bernstein, 2005 [8]
  – A custom server that used OpenSSL's AES encryption
  – 200 million chosen plaintexts
  – The custom server gave out as much timing information as possible

17

Cache-timing attack (cont. )

• Dag Arne Osvik, Adi Shamir and Eran Tromer [9]
  – 2005
  – AES key recovered after only 800 operations
  – 65 milliseconds
  – Requires the attacker to be able to run programs on the same system
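Both cache-timing results above rest on the same implementation detail: a table-driven AES (the OpenSSL code Bernstein measured, and the lookup tables Osvik et al. target) reads memory at an index derived from plaintext XOR key, so the cache line that gets loaded, and therefore the access time, depends on key bits. The C below is an added example, not code from the slides or from any of the cited papers. It shows the first-round lookup index that such an implementation would use and the standard mitigation: evaluating the AES S-box arithmetically in GF(2^8) so that no memory access and no branch depends on the input. All function names are my own; the reference values (0x57 * 0x83 = 0xc1, the inverse of 0x53 being 0xca, S(0x53) = 0xed) are the worked examples given in FIPS-197.

```c
#include <stdint.h>
#include <stdio.h>

/* In a table-driven AES the first-round S-box index is plaintext XOR key.
 * With a 256-entry byte table and 64-byte cache lines, the top two bits of
 * that index choose the line that is fetched, so a measurable timing
 * difference between lines reveals two bits of p ^ k. Illustration only. */
uint8_t round1_index(uint8_t p, uint8_t k) { return (uint8_t)(p ^ k); }
unsigned cache_line_of_index(uint8_t idx) { return idx >> 6; }

/* GF(2^8) multiplication with the AES polynomial x^8 + x^4 + x^3 + x + 1.
 * The loop always runs eight times; accumulation and reduction are
 * selected with all-ones/all-zeros masks instead of data-dependent branches. */
uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t take = (uint8_t)(0u - (b & 1u));      /* 0xff if bit set */
        p ^= (uint8_t)(a & take);
        uint8_t carry = (uint8_t)(0u - (a >> 7));     /* 0xff if a overflows */
        a = (uint8_t)((a << 1) ^ (0x1b & carry));
        b >>= 1;
    }
    return p;
}

/* Multiplicative inverse as a^254 (the multiplicative group has order 255),
 * computed with a fixed addition chain. 0 maps to 0, as the AES S-box needs. */
uint8_t gf_inv(uint8_t a) {
    uint8_t a2   = gf_mul(a, a);        /* a^2   */
    uint8_t a3   = gf_mul(a2, a);       /* a^3   */
    uint8_t a6   = gf_mul(a3, a3);      /* a^6   */
    uint8_t a12  = gf_mul(a6, a6);      /* a^12  */
    uint8_t a15  = gf_mul(a12, a3);     /* a^15  */
    uint8_t a30  = gf_mul(a15, a15);    /* a^30  */
    uint8_t a60  = gf_mul(a30, a30);    /* a^60  */
    uint8_t a120 = gf_mul(a60, a60);    /* a^120 */
    uint8_t a240 = gf_mul(a120, a120);  /* a^240 */
    uint8_t a14  = gf_mul(a12, a2);     /* a^14  */
    return gf_mul(a240, a14);           /* a^254 */
}

static uint8_t rotl8(uint8_t x, int n) {
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* Table-free S-box: field inverse followed by the AES affine transform
 * (b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63). The only
 * memory touched is the code itself, so cache state cannot encode the input. */
uint8_t sbox_arith(uint8_t x) {
    uint8_t b = gf_inv(x);
    return (uint8_t)(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63);
}

int main(void) {
    /* Constructed sample bytes: one plaintext byte and one key byte. */
    uint8_t p = 0x1f, k = 0x4c;
    uint8_t idx = round1_index(p, k);
    printf("round-1 table index = 0x%02x, cache line %u\n", idx, cache_line_of_index(idx));
    printf("S(0x%02x) = 0x%02x (arithmetic, no lookup)\n", idx, sbox_arith(idx));
    return 0;
}
```

The mask-based code removes the data-dependent memory access the timing measurements rely on, but a compiler is free to turn masks back into branches, so production code should be checked at the assembly level or should use hardware AES instructions or a bitsliced implementation, which is how OpenSSL and other libraries later closed this channel.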

18

Differential fault analysis

• Dhiman Saha et al., 2009, India [10]

• Inducing a random fault anywhere in one of the four diagonals of the state matrix leads to the deduction of the entire AES key.

• 2^32

19

Conclusion

• Theoretical weaknesses in AES
  – Key scheduler

• Side channel attacks
• AES: first public algorithm approved for [11]
  – CLASSIFIED up to SECRET: 128, 192, 256-bit key
  – TOP SECRET: 192, 256-bit key

20

Open Problems

(Concept map, relating: Side-Channel Attacks: Cache-Timing channels, Cache Games, S-BOX, Power consumption, Electromagnetic leaks, Fault analysis, Timing information; Breaking AES Theoretically: Biclique, XSL, Related-Key, Key Scheduler, SP Network, Known Plain Text, Chosen Plain Text)

21

MS Project

• A new key scheduler for AES resistant to related-key attacks

22

References

• [1] Daemen, Rijmen, "AES Proposal: Rijndael", The First Advanced Encryption Standard Candidate Conference, N.I.S.T., 1998.
• [2] Ou, George (April 30, 2006). "Is encryption really crackable?". http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204
• [3] Aviad Kipnis, Adi Shamir. "Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization". CRYPTO '99.
• [4] Nicolas Courtois, Alexander Klimov, Jacques Patarin, Adi Shamir (2000). "Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations". LNCS 1807: 392–407.
• [5] Nicolas Courtois, Josef Pieprzyk (2002). "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations". LNCS 2501: 267–287.

23

References (cont.)

• [6] Eli Biham. "New Types of Cryptanalytic Attacks Using Related Keys". Proceedings of Eurocrypt '93, LNCS 765.
• [7] Andrey Bogdanov, Dmitry Khovratovich, Christian Rechberger. "Biclique Cryptanalysis of the Full AES". Microsoft Research, 2011.
• [8] cr.yp.to/antiforgery/cachetiming-20050414.pdf
• [9] Dag Arne Osvik, Adi Shamir, Eran Tromer. "Cache Attacks and Countermeasures: the Case of AES". ePrint, 2008.
• [10] Dhiman Saha, Debdeep Mukhopadhyay, Dipanwita RoyChowdhury. "A Diagonal Fault Attack on the Advanced Encryption Standard". ePrint, 2009.
• [11] http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

24

?