Friday, October 23, 2009
3:30 pm, MC 5158

Tutte Seminar Series
Combinatorics & Optimization
Fall 2009


Adi Shamir
Weizmann Institute

Plumbing 101: How to Deal With a Small Cryptographic Leakage

In this talk I will formalize the notion of leakage attacks on iterated cryptosystems, in which the attacker can find (via physical probing, power measurement, or any other type of side channel) one bit of information about the intermediate state of the encryption after each round. Unlike most of the other types of side channel attacks proposed so far, which are very specific, the new attack I will describe can be applied even when the attacker does not know the layout of the chip, the algorithm used to compute the ciphertext, the hardware and software countermeasures employed, or even the physical source of the leaked information he is measuring. In addition, the new attack can tolerate considerable levels of noise (affecting 10% to 15% of the leaked bits in practical scenarios). Finally, I will demonstrate the new approach by describing efficient leakage attacks on two of the best known block ciphers, AES (requiring about 2^35 time for full key recovery) and SERPENT (requiring about 2^18 time for full key recovery).

This is joint work with Itai Dinur.