Generic analysis of small cryptographic leaks

Side channel attacks are typically divided into two phases: In the collection phase the attacker tries to measure some physical property of the implementation, and in the analysis phase he tries to derive the cryptographic key from the measured information. The field is highly fragmented, since there are many types of leakage, and each one of them usually requires a different type of analysis. In this paper we formalize a general notion of leakage attacks on iterated cryptosystems, in which the attacker can collect (via physical probing, power measurement, or any other type of side channel) one bit of information about the intermediate state of the encryption after each round. Since bits computed during the early rounds can be usually represented by low degree multivariate polynomials in the plaintext and key bits, we can use the recently discovered cube attack as a generic analysis phase which can be applied in principle to any type of leaked data. However, the original cube attack requires extremely clean data, whereas the information provided by side channel attacks can be quite noisy. To address this problem, we develop in this paper a new type of robust cube attack, which can recover the key even when some of the leaked bits are unreliable. In particular, we show how to exploit trivial equations (of the form 0 = 0, which are plentiful but useless in standard cube attacks) in order to correct a fraction of measurement errors which can be arbitrarily close to 1. Finally, we demonstrate our approach by describing efficient leakage attacks on Serpent (requiring only 2¹⁸ time for full key recovery when the leaked state bits are clean) and on AES (requiring 2³⁵ time in the same scenario), and show how to make them robust with a small additional complexity.