Self-testing/correcting with applications to numerical problems. STOC '90: Proceedings of the twenty-second annual ACM symposium on Theory of computing.
New types of cryptanalytic attacks using related keys. EUROCRYPT '93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology.
PRESENT: An Ultra-Lightweight Block Cipher. CHES '07: Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems.
New Stream Cipher Designs.
Cube Attacks on Tweakable Black Box Polynomials. EUROCRYPT '09: Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques.
Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium. Fast Software Encryption.
Side Channel Cube Attack on PRESENT. CANS '09: Proceedings of the 8th International Conference on Cryptology and Network Security.
Extended cubes: enhancing the cube attack by extracting low-degree non-linear equations. Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security.
On the security of hummingbird-2 against side channel cube attacks. WEWoRC '11: Proceedings of the 4th Western European conference on Research in Cryptology.
Controversy Corner: Efficient Hamming weight-based side-channel cube attacks on PRESENT. Journal of Systems and Software.
In this paper, we investigate the security of the NOEKEON block cipher against side channel cube attacks. NOEKEON was proposed by Daemen et al. for the NESSIE project. The block size and the key size are both 128 bits. The cube attack, introduced by Dinur and Shamir at EUROCRYPT 2009, is a new type of algebraic cryptanalysis. The attack may be applied if the adversary has access to a single bit of information that can be represented by a low-degree multivariate polynomial over GF(2) in the secret and public variables. In the side channel attack model, the attacker is assumed to have access to some leaked information about the internal state of the cipher as well as the plaintext and ciphertext. Adopting the notion of a single-bit leakage as formalized by Dinur and Shamir, we assume that the attacker has only one bit of information about the intermediate state after each round. Using this side channel attack model, we show that it is possible to extract 60 independent linear equations over 99 (out of 128) key variables. To recover the whole 128-bit key, the attack requires only about 2^10 chosen plaintexts and O(2^68) time complexity.
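The mechanism the abstract relies on (summing a low-degree leaked bit over a "cube" of public variables so that the result, the superpoly, is linear in key bits) is shown below on a small constructed polynomial. This is an added illustration, not code from the paper and not NOEKEON: the function `leak_bit`, its 4 key and 4 public bits, and the cubes chosen are all assumptions made for the demonstration; only key bits fixed by the resulting linear equations are recovered, and the rest are enumerated, mirroring the 99-of-128 figure in the abstract.

```python
from itertools import product
from random import Random

N_KEY, N_PUB = 4, 4

def leak_bit(key, pub):
    """Constructed single-bit 'leakage': a degree-3 polynomial over GF(2) in the
    secret bits k0..k3 and the public (plaintext) bits v0..v3. Stands in for the
    one intermediate-state bit the model assumes; it is not a real cipher."""
    k0, k1, k2, k3 = key
    v0, v1, v2, v3 = pub
    return ((v0 & v1 & (k0 ^ k2 ^ 1)) ^ (v0 & v2 & k1) ^ (v1 & k3)
            ^ (v0 & k0 & k1) ^ (k2 & k3) ^ v3)

def cube_sum(f, key, cube):
    """XOR f over all 2^|cube| assignments of the cube's public bits (others 0).
    Every monomial that does not contain the whole cube cancels in pairs, so
    what survives is the superpoly: the factor multiplying the cube monomial."""
    pub = [0] * N_PUB
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        for i, b in zip(cube, bits):
            pub[i] = b
        acc ^= f(key, pub)
    return acc

def superpoly(f, cube, trials=32):
    """Preprocessing with keys of our own choosing: probabilistic linearity test
    S(a)^S(b)^S(0) == S(a^b), then read off the constant and key coefficients.
    Returns None when the superpoly is not linear in the key."""
    rng = Random(1)  # fixed seed so the check is reproducible
    const = cube_sum(f, [0] * N_KEY, cube)
    for _ in range(trials):
        a = [rng.randint(0, 1) for _ in range(N_KEY)]
        b = [rng.randint(0, 1) for _ in range(N_KEY)]
        ab = [x ^ y for x, y in zip(a, b)]
        if cube_sum(f, a, cube) ^ cube_sum(f, b, cube) ^ const != cube_sum(f, ab, cube):
            return None
    coeffs = [cube_sum(f, [int(j == i) for j in range(N_KEY)], cube) ^ const
              for i in range(N_KEY)]
    return const, coeffs

def recover_key(f, secret_key, cubes):
    """Online phase: each usable cube costs 2^|cube| chosen-plaintext queries under
    the unknown key and yields one linear equation. Key bits the system leaves
    free are enumerated. Returns (consistent candidates, number of equations)."""
    eqs = []
    for cube in cubes:
        sp = superpoly(f, cube)
        if sp is None or not any(sp[1]):
            continue  # non-linear or constant superpoly: carries no key information
        const, coeffs = sp
        eqs.append((coeffs, cube_sum(f, secret_key, cube) ^ const))
    def fits(cand):
        return all(sum(c & k for c, k in zip(cf, cand)) % 2 == rhs for cf, rhs in eqs)
    return [list(c) for c in product((0, 1), repeat=N_KEY) if fits(c)], len(eqs)
```

With cubes (v0,v1), (v0,v2), (v1) and (v3), the first three give the equations k0+k2+1, k1 and k3, while the (v3) cube yields a constant and is discarded, leaving one free key bit to guess.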