Applications of SAT Solvers to AES Key Recovery from Decayed Key Schedule Images

Kamal, Abdel Alim; Youssef, Amr M.

doi:10.1109/securware.2010.42

Cited by 25 publications

(30 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The performance obtained in [5] confirmed the superiority of SAT solvers in AES key recovery. However, Abdel et al [5] thoroughly excluded the possibility of reverse flipping errors, by assuming that all 1s are correct with absolute certainty.…”

Section: Our Contributionsupporting

confidence: 57%

“…Although it was noted in [4] that the proposed algorithm did still work for realistic assumption, the methodology was not mentioned in their work, and the performance in this case was not demonstrated in [4]. Later on, motivated by the dramatic speed-up of Boolean Satisfiability (SAT) solvers, Abdel et al [5] took the initial step to model the AES key recovery problem as a SAT problem by making full use of bits equal to 1. Based on the perfect assumption, all 1s in the decayed key schedule are correct, thus a set of correct constraints could be constructed from 1s.…”

Section: Previous Workmentioning

confidence: 99%

“…However, Abdel et al [5] thoroughly excluded the possibility of reverse flipping errors, by assuming that all 1s are correct with absolute certainty. In fact, based on δ 1 = 0.1%, the event of reverse flipping is expected to arise around 1 or 2 times in a real key recovery attack for AES-128 where the total number of key bits is 1408, and more times for AES-192 and AES-256, which contain larger number of bits apt to decay.…”

Section: Our Contributionmentioning

confidence: 99%

See 2 more Smart Citations

Reconstructing AES Key Schedule Images with SAT and MaxSAT

Liao

Zhang

Koshimura

2016

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARY Cold boot attack is a side channel attack that recovers data from memory, which persists for a short period after power is lost. In the course of this attack, the memory gradually degrades over time and only a corrupted version of the data may be available to the attacker. Recently, great efforts have been made to reconstruct the original data from a corrupted version of AES key schedules, based on the assumption that all bits in the charged states tend to decay to the ground states while no bit in the ground state ever inverts. However, in practice, there is a small number of bits flipping in the opposite direction, called reverse flipping errors. In this paper, motivated by the latest work that formulates the relations of AES key bits as a Boolean Satisfiability problem, we move one step further by taking the reverse flipping errors into consideration and employing off-theshelf SAT and MaxSAT solvers to accomplish the recovery of AES-128 key schedules from decayed memory images. Experimental results show that, in the presence of reverse flipping errors, the MaxSAT approach enables reliable recovery of key schedules with significantly less time, compared with the SAT approach that relies on brute force search to find out the target errors. Moreover, in order to further enhance the efficiency of key recovery, we simplify the original problem by removing variables and formulas that have relatively weak relations to the whole key schedule. Experimental results demonstrate that the improved MaxSAT approach reduces the scale of the problem and recover AES key schedules more efficiently when the decay factor is relatively large. key words: cold boot attack, maximum satisfiability, advanced encryption standard, key recovery

show abstract

Section: Our Contributionsupporting

confidence: 57%

Section: Previous Workmentioning

confidence: 99%

Section: Our Contributionmentioning

confidence: 99%

See 1 more Smart Citation

Reconstructing AES Key Schedule Images with SAT and MaxSAT

Liao

Zhang

Koshimura

2016

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

“…Similar to the previous work in [3] [6] [32], throughout our experimental results, we assume an asymmetric decay model where bits overwhelmingly decay to their ground state rather than their charged state. Using this model, only the bits that remain in their charged state are useful to the cryptanalyst since one cannot be sure about the original values of the 0 bits, i.e., whether they were originally 0's or decayed 1's.…”

Section: Resultsmentioning

confidence: 93%

A Comparison between Two Off-the-Shelf Algebraic Tools for Extraction of Cryptographic Keys from Corrupted Memory Images

Kamal

Zahno²,

Youssef³

2013

Security Engineering and Intelligence Informatics

Self Cite

View full text Add to dashboard Cite

Abstract.Cold boot attack is a class of side channel attacks which exploits the data remanence property of random access memory (RAM) to retrieve its contents which remain readable shortly after its power has been removed. Specialized algorithms have been previously proposed to recover cryptographic keys of several ciphers from decayed memory images. However, these techniques were cipher-dependent and certainly uneasy to develop and fine tune. On the other hand, for symmetric ciphers, the relations that have to be satisfied between the subround key bits in the key schedule always correspond to a set of nonlinear Boolean equations. In this paper, we investigate the use of an off-the-shelf SAT solver (CryptoMiniSat), and an open source Gröbner basis tool (PolyBoRi) to solve the resulting system of equations. We also provide the pros and cons of both approaches and present some simulation results for the extraction of AES and Serpent keys from decayed memory images using these tools.

show abstract

“…For AES, Halderman et al [35] describe a simple algorithm to recover the encryption key in this case. Improved attacks were later given by Albrecht et al [2] using integer programming, and by Tsow [58], and Kamal and Youssef [41] using a SAT solver.…”

Section: Discussionmentioning

confidence: 99%

Multi-key Security: The Even-Mansour Construction Revisited

Mouha

Luykx

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. At ASIACRYPT 1991, Even and Mansour introduced a block cipher construction based on a single permutation. Their construction has since been lauded for its simplicity, yet also criticized for not providing the same security as other block ciphers against generic attacks. In this paper, we prove that if a small number of plaintexts are encrypted under multiple independent keys, the Even-Mansour construction surprisingly offers similar security as an ideal block cipher with the same block and key size. Note that this multi-key setting is of high practical relevance, as real-world implementations often allow frequent rekeying. We hope that the results in this paper will further encourage the use of the Even-Mansour construction, especially when a secure and efficient implementation of a key schedule would result in significant overhead.Keywords: Even-Mansour, multi-key setting, broadcast attack, relatedkey setting. IntroductionModern block cipher design is based on the concept of iterating a round function [44]. This round function typically consists of a subkey addition followed by an unkeyed invertible function. All commonly-used block ciphers, including the DES [46] and AES [23] standards, follow this design strategy.As such, the design of an iterated block cipher consists of two parts: the design of a round function, and a key schedule to generate the subkeys for every round. Although round function design seems to be a relatively well-understood problem, this is much less the case for the key schedule. For example, Rijmen and Daemen already stated in the AES design book that: "There is no consensus on the criteria that a key schedule must satisfy [23, p. 77]. This fact has been repeated many times since, for example in the SHA-3 finalist Grøstl design document [32, p. 5]. In particular, there seems to be no consensus on whether ⋆ © IACR 2015. This article is the final version submitted by the authors to the IACR and to Springer-Verlag in June 2015. It will appear in the proceedings of CRYPTO 2015.a "strong" or a "simple" key schedule is required, a choice which appears to depend on the application. An argument for a "simple" key schedule is that keys should be chosen uniformly at random from the entire key space anyway, in order to avoid a speed-up of brute-force attacks due to low key entropy. As a result, attacks based on weak keys [25] and known keys [42] are no longer applicable. Similarly, when multiple keys are used, they should be chosen independently to prevent a compromise of one key helping the recovery of other keys. This avoids attacks based on related keys [9][10][11].Proponents of a "strong" key schedule point out that in practice, keys may not always be chosen independently from a uniformly random distribution. The cause of this could be a weak protocol, a programming error or an insecure implementation.Complexity, however, always comes at a cost. It makes cryptosystems more difficult to design, to implement and to analyze. Hence, we argue for a block cipher with a simple key schedule, ...

show abstract

Applications of SAT Solvers to AES Key Recovery from Decayed Key Schedule Images

Cited by 25 publications

References 19 publications

Reconstructing AES Key Schedule Images with SAT and MaxSAT

Reconstructing AES Key Schedule Images with SAT and MaxSAT

A Comparison between Two Off-the-Shelf Algebraic Tools for Extraction of Cryptographic Keys from Corrupted Memory Images

Multi-key Security: The Even-Mansour Construction Revisited

Contact Info

Product

Resources

About