Friday, October 23, 2009

Plumbing 101: How to Deal With a Small Cryptographic Leakage

In this talk I will formalize the notion of leakage attacks on
iterated cryptosystems, in which the attacker can find (via physical
probing, power measurement, or any other type of side channel) one bit of
information about the intermediate state of the encryption after each
round. Unlike most of the other types of side channel
attacks proposed so far, which are very specific, the new attack I will
describe can be applied even when the attacker does not know the layout of
the chip, the algorithm used to compute the ciphertext, the hardware and
software countermeasures employed, or even the physical source of the
leaked information he is measuring. In addition, the new attack can
tolerate considerable levels of noise (affecting 10% to 15% of the leaked
bits in practical scenarios). Finally, I will demonstrate the new approach
by describing efficient leakage attacks on two of the best known block
ciphers, AES (requiring about 2^35 time for full key recovery) and
SERPENT (requiring about 2^18 time for full key recovery).