Paper 2009/127

Side Channel Cube Attacks on Block Ciphers

Itai Dinur and Adi Shamir


In this paper we formalize the notion of {\it leakage attacks} on iterated block ciphers, in which the attacker can find (via physical probing, power measurement, or any other type of side channel) one bit of information about the intermediate state of the encryption after each round. Since bits computed during the early rounds can be typically represented by low degree multivariate polynomials, cube attacks seem to be an ideal generic key recovery technique in these situations. However, the original cube attack requires extremely clean data, whereas the information provided by side channel attacks can be quite noisy. To address this problem, we develop a new variant of cube attack which can tolerate considerable levels of noise (affecting more than 11\% of the leaked bits in practical scenarios). Finally, we demonstrate our approach by describing efficient leakage attacks on two of the best known block ciphers, AES (requiring about $2^{35}$ time for full key recovery) and SERPENT (requiring about $2^{18}$ time for full key recovery).

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Submitted to CHES 2009
Contact author(s)
itaid @ weizmann ac il
2009-03-20: received
Short URL
Creative Commons Attribution


      author = {Itai Dinur and Adi Shamir},
      title = {Side Channel Cube Attacks on Block Ciphers},
      howpublished = {Cryptology ePrint Archive, Paper 2009/127},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.