using maxsat to correct errors in aes key schedule images
DESCRIPTION
Using MaxSAT to Correct Errors in AES Key Schedule Images. Xiaojuan Liao, Miyuki Koshimura , Hiroshi Fujita, Ryuzo Hasegawa Hasegawa - Fujita Laboratory Kyushu University. Outline. Cold Boot Attack Advanced Encryption Standard (AES) Recover AES key Schedule Using SAT solvers - PowerPoint PPT PresentationTRANSCRIPT
AES Key Recovery from Decayed Key Schedule Images using MaxSAT Solvers
Xiaojuan Liao, Miyuki Koshimura, Hiroshi Fujita, Ryuzo HasegawaHasegawa-Fujita Laboratory Kyushu University2013-7-261Using MaxSAT to Correct Errors in AES Key Schedule ImagesThe 3rd CSPSAT2 Meeting1Outline2013-7-262Cold Boot AttackAdvanced Encryption Standard (AES)Recover AES key ScheduleUsing SAT solversUsing MaxSAT solversComparisonExperimentConclusion2Cold Boot Attack (1/2)2013-7-263DRAM: Dynamic Random Access MemoryDRAM cell: a capacitor that is either 0 or 10: ground state1: charged stateDRAM remanence: DRAM retains its contents for a period (seconds) after power is lostAs time goes on, data may decay and eventually disappearCold boot attack:Exploit DRAM remanence to access sensitive data (e.g., encryption keys)
3A Scenario of Cold Boot Attack2013-7-264
leavePublic computer roomattacker comesUse secret key to complete an online transactionRemove the memory and retrieve the contents
Get the correct secret key!secret key in memory
Get the decayed key. How to recover?Case 1Case 24Cold Boot Attack (2/2)2013-7-265Decay patterns 1Decay aggravates as time goes onMost bits decay to ground states (10)Only a small fraction (0.1%) flips to charged states (01)This workRecover AES keys from decayed bits1 J. Alex Halderman et al., Lest We Remember: Cold Boot Attacks on Encryption Keys. USENIX08.5Outline2013-7-266Cold Boot AttackAdvanced Encryption Standard (AES)Recover AES key ScheduleUsing SAT solversUsing MaxSAT solversComparisonExperimentConclusion6Advanced Encryption Standard(AES)2013-7-267What is AESA specification for theencryptionof electronic data established by the U.S.NIST 1Adopted by the U.S. government and used worldwideAES key 2Initial key length: 128 bits (options:192 bits, 256 bits)AES-128 key schedule:
128-bit initial key128-bit round key10 rounds0th round key128-bit round key128-bit round key1 NIST: National Institute of Standards and Technology2 Federal Information Processing, Announcing the ADVANCED ENCRYPTION STANDARD (AES), 2001.7
Example of Key Schedule2013-7-268
Original key scheduleDecayed key scheduleGoal: correct errors in the decayed key schedulereverse flipping error8
Key Expansion Algorithm2013-7-269(r-1)th round key bitrth round key bitAES-128 key expansion algorithm: ith bit of the rth round key, 1r10, 0i127: ith bit of the 0th round key, copied from the initial key, 0i127
: ith bit of a round-dependent word, 0i31, 1r10
: an S-Box function in algebraic normal form (ANF), 0x7 input: , output: one bit
Given the 128-bit initial key, the following equations characterize bit-relations among the bits in the last 10 round keys:9Example of S0(B0)2013-7-2610+: xor operation*: and operation
ANF formula:
10Example of Bit Representation2013-7-2611
Summary: each bit in the latter 10 rounds is computed from its former bits bit-relations
11Outline2013-7-2612Cold Boot AttackAdvanced Encryption Standard (AES)Recover AES key ScheduleUsing SAT solversUsing MaxSAT solversComparisonExperimentConclusion12Assumption of AES Key Recovery2013-7-2613AssumptionPerfect assumptionDecay occurs only on 1sNo reverse flipping errors: no 0s flip to 1Realistic assumptionDecay occurs mainly on 1sA few reverse flipping errors: 0.1% of 0s flip to 1This work Recover AES-128 key schedule based on the realistic assumption13
All 1s in the key schedule are treated as hard constraints
All bit-relations are treated as hard constraints
CryptoMiniSat: support XOR operation nativelye.g., understand Recover AES keys using SAT solvers2013-7-2614
Perfect assumption 1No bit flips from 0 to 1All 1s in the key schedule are correct...
1 Kamal et al., Applications of SAT solvers to AES key recovery from decayed key schedule images, 2010.No. of formulas: 128*10=128014All 1s in the key schedule are treated as hard constraints
All bit-relations are treated as hard constraints
CryptoMiniSat: support XOR functions nativelye.g., Recover AES keys using SAT solvers2013-7-2615
Sx(Bi): ANF formula, XORing conjunctions of variables, e.g.,
...15All 1s in the key schedule are treated as hard constraints
All bit-relations are treated as hard constraints
Recover AES keys using SAT solvers2013-7-2616
...Perfect assumption No bit flips from 0 to 1All 1s in the key schedule are correct
CryptoMiniSatinputoutputSAT + assignment of all bits16
Recover AES keys using SAT solvers2013-7-26171Flip from 0 to 1Realistic assumptionSome bits flip from 0 to 1Not all 1s in the key schedule are correct...All 1s in the key schedule are treated as hard constraints
All bit-relations are treated as hard constraints
incorrectUNSATCryptoMiniSatinputoutput17All 1s in the key schedule are treated as hard constraints
Hard constraints on bit-relations
Recover AES keys using SAT solvers2013-7-2618Realistic assumptionSome bits flip from 0 to 1Not all 1s in the key schedule are correct...1Flip from 0 to 1
0000SAT?NoYesSAT + assignment of all bitsCryptoMiniSat18Recover AES keys using SAT solvers2013-7-2619To recover a key schedule with n 1s and k reverse flipping errorsIn the best case:CryptoMiniSat needs to run times In the worst caseCryptoMiniSat needs to run times
19Recover AES keys using MaxSAT solvers2013-7-2620Deal with two kinds of constraintsHard constraints: must be satisfiedSoft constraints: may be unsatisfiedMaxSAT solverTry to satisfy all hard constraints and the maximum number of soft constraints
20Recover AES keys using MaxSAT solvers2013-7-2621
Realistic assumptionSome bits flip from 0 to 1Not all 1s in the key schedule are correct...1Flip from 0 to 1All 1s in the key schedule are treated as soft constraints
All bit-relations are treated as hard constraints
Maximum No. of satisfied soft constraints+ assignment of all bitsunsatifiedWhat is XOR?MaxSAT solverinputoutput21Recover AES keys using MaxSAT solvers2013-7-2622Convert XOR to clausesDirect conversion:n variables 2n-1 clausesCut-up conversion: Cut long formula into shorter ones
(Bi Bj Bk ) (Bi Bj Bk ) (Bi Bj Bk ) (Bi Bj Bk )
direct conversion22Comparison2013-7-2623Recover AES key schedule in the presence of reverse flipping errorsSAT solverMaxSAT solverTreat 1s asHard constraintsSoft constraintsNeed to run a solver multiple times for solving an instance?YesNoSupport XOR natively?YesNo
51,440 clauses and XOR formulas for representing bit-relations372,240 clauses for representing bit-relations23Outline2013-7-2624Cold Boot AttackAdvanced Encryption Standard (AES)Recover AES key ScheduleUsing SAT solversUsing MaxSAT solversComparisonExperimentConclusion24Experiment(1/4)2013-7-2625SolverSAT: CryptoMiniSatMaxSAT: Pwbo2.0 Better than Akmaxsat, WMaxSatz, QMaxSAT, QMaxSAT-g2, WPM1, PM2
EnvironmentCore i5-2540 @ 2.6GHz / 8GB25Experiment (2/4)2013-7-2626Decay factor (%)CryptoMiniSat (s)Pwbo2.0 (s)3045.80.9434028.4670.9565019.6651.1686026.5241.56070225.37912.53272678.45226.782741004.161231.610761116.353296.415Setting (real situation)Decay factor (probability of 10): 30%-76%Probability of flipping 0 to 1: 0.1%Number of instances for each decay factor: 100
ResultMaxSAT is superior to SAT approachAmong100 instances, the average of No. of instances with 0, 1, 2 reverse flipping errors is 50, 36, 14, respectively26Experiment (3/4)2013-7-2627Decay factor (%)CryptoMiniSat (s)Pwbo2.0 (s)302.0451.037401.3101.088501.9711.345605.0262.2527043.53214.9457247.60328.35474280.825161.74076480.101384.348SettingDecay factor (probability of 10): 30%-76%Number of reverse flipping errors (0 1): 1Number of instances for each decay factor: 100ResultThe superiority of MaxSAT is not obvious when the number of reverse flipping errors is 127Experiment (4/4)2013-7-2628Decay factor (%)CryptoMiniSat (s)Pwbo2.0 (s)30198.6381.46440162.2491.56250224.6892.18460329.6214.676703047.82147.725724909.565245.1777414715.6072160.648SettingDecay factor (probability of 10): 30%-74%Number of reverse flipping errors (0 1): 2Number of instances for each decay factor: 40ResultMaxSAT is far superior to SAT when the number of reverse flipping errors is 228Outline2013-7-2629Cold Boot AttackAdvanced Encryption Standard (AES)Recover AES key ScheduleUsing SAT solversUsing MaxSAT solversComparisonExperimentConclusion29Conclusion2013-7-2630Recover AES key schedule in the presence of reverse flipping errorsSAT solver: Treat all 1s as hard constraintsRun the solver repeatedly until it outputs SATCryptoMiniSat: support XOR nativelyMaxSAT solver: Treat all 1s as soft constraintsSolver needs to run only one timeDo no support XOR nativelySuperior to the SAT approach302013-7-2631The endThanks for your attention31