Paper 2007/318

On the complexity of side-channel attacks on AES-256 -- methodology and quantitative results on cache attacks

Michael Neve and Kris Tiri

Abstract

Larger key lengths translate into an exponential increase in the complexity of an exhaustive search. Side-channel attacks, however, use a divide-and-conquer approach, and hence it is generally assumed that increasing the key length cannot be used as a mitigation. Yet the internal round structure of AES-256 and its key scheduling seem to hinder a direct extension of the existing attacks on AES-128 and thus challenge the proposition above. Indeed, two consecutive round keys are required to infer the secret key, and the MixColumns operation, absent from the last round but present in the penultimate one, apparently increases the key search complexity from 2^8 to 2^32. Additionally, it is unclear what the impact of the different round structures is on the number of required measurements. In this paper, we explore this question and show how to attack AES-256 with a key search complexity of O(2^8). This work confirms with practical experiments that AES-256 only offers a marginal increase in resistance against the attacks, both in the required number of measurements and in the required processing time. As an example, we quantify this increase for the case of cache-based side-channel attacks: AES-256 only increases the complexity by a factor of 6 to 7 compared to cache-based attacks on AES-128.
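The abstract's claim that AES-256 needs two consecutive round keys, where AES-128 needs one, follows from the structure of the FIPS-197 key schedule: each expanded word is w[i] = w[i-Nk] XOR f(w[i-1]), so any window of Nk consecutive words (Nk = 4 for AES-128, 8 for AES-256, i.e. one or two 128-bit round keys) can be run backwards to the master key. The example below, added here and not code from the paper, implements the key expansion and its inverse in plain Python. The S-box is generated from the GF(2^8) inverse and affine map rather than typed in; the sample keys are constructed test inputs (one is the FIPS-197 Appendix A.1 key, used only to check the expansion).

```python
"""AES key-schedule inversion: recover the master key from the round keys a
side-channel attack actually exposes (last round key for AES-128, last two
round keys for AES-256). Added example; not the paper's code."""


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _gf_inv(a):
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); inv(0) := 0."""
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r if a else 0


def _build_sbox():
    """S-box = affine map of the field inverse (FIPS-197 Sec. 5.1.1)."""
    sbox = []
    for x in range(256):
        b = _gf_inv(x)
        s = b
        for k in range(1, 5):                     # b ^ rotl(b,1..4)
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _sub_word(w):
    return bytes(SBOX[b] for b in w)


def _rot_word(w):
    return w[1:] + w[:1]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _schedule_term(i, prev, nk):
    """f(w[i-1]) such that w[i] = w[i-nk] ^ f(w[i-1]) (FIPS-197 Sec. 5.2)."""
    if i % nk == 0:
        t = _sub_word(_rot_word(prev))
        return bytes([t[0] ^ RCON[i // nk - 1]]) + t[1:]
    if nk > 6 and i % nk == 4:                    # extra SubWord for AES-256
        return _sub_word(prev)
    return prev


def expand_key(key):
    """Forward key expansion; returns the 4*(Nr+1) expanded words."""
    nk = len(key) // 4
    assert nk in (4, 6, 8), "key must be 16, 24 or 32 bytes"
    nr = nk + 6
    w = [key[4 * i:4 * i + 4] for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        w.append(_xor(w[i - nk], _schedule_term(i, w[i - 1], nk)))
    return w


def round_key(w, r):
    """Round key r (16 bytes) = words w[4r .. 4r+3]."""
    return b"".join(w[4 * r:4 * r + 4])


def recover_key(words, first_index, nk):
    """Given Nk consecutive expanded words w[first_index ..], walk the schedule
    backwards: w[i-nk] = w[i] ^ f(w[i-1]), where w[i-1] is always known."""
    assert len(words) == nk
    w = {first_index + j: words[j] for j in range(nk)}
    for i in range(first_index + nk - 1, nk - 1, -1):
        w[i - nk] = _xor(w[i], _schedule_term(i, w[i - 1], nk))
    return b"".join(w[j] for j in range(nk))


def _words(*round_keys):
    return [rk[4 * j:4 * j + 4] for rk in round_keys for j in range(4)]


def aes128_from_last_round_key(key):
    """AES-128: one round key (w[40..43]) determines the master key."""
    w = expand_key(key)
    return recover_key(_words(round_key(w, 10)), 40, 4) == key


def aes256_from_last_two_round_keys(key):
    """AES-256: round keys 13 and 14 (w[52..59]) are needed together."""
    w = expand_key(key)
    return recover_key(_words(round_key(w, 13), round_key(w, 14)), 52, 8) == key


if __name__ == "__main__":
    print("AES-128 recovered from round key 10:", aes128_from_last_round_key(bytes(range(16))))
    print("AES-256 recovered from round keys 13+14:", aes256_from_last_two_round_keys(bytes(range(32))))
```

With only one AES-256 round key the inversion has no anchor: the other four words of the eight-word window are unconstrained, so 2^128 master keys remain consistent with it. That is why an attack on AES-256 must recover the penultimate round key as well, and the penultimate round's output still passes through MixColumns, which is the source of the 2^32 candidate space the abstract mentions.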

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Unknown where it was published
Contact author(s)
michael neve de mevergnies @ intel com
History
2007-08-16: received
Short URL
https://ia.cr/2007/318
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2007/318,
      author = {Michael Neve and Kris Tiri},
      title = {On the complexity of side-channel attacks on {AES}-256 -- methodology and quantitative results on cache attacks},
      howpublished = {Cryptology {ePrint} Archive, Paper 2007/318},
      year = {2007},
      url = {https://eprint.iacr.org/2007/318}
}