As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

Extending AES-128 Attacks to AES-256

From ChipWhisperer Wiki
Revision as of 04:32, 21 June 2016 by Gdeon (Talk | contribs) (Added page)


Many of the tutorials in this wiki discuss attacks on AES-128 encryption. It turns out that its big brother, AES-256, can be attacked by extending the same attacks. This page discusses AES-256 and how to reuse an AES-128 attack to obtain the key.

The AES-256 Algorithm

In AES-128, we used the following steps to encrypt 16 bytes of plaintext:

  1. Use a 16 byte key to generate a key schedule, which is 176 bytes long (11 round keys of 16 bytes each; FIPS-197 counts the same bytes as 44 four-byte words).
  2. Put the 16 bytes of plaintext into a 4x4 state matrix.
  3. XOR the first round key into the state (AddRoundKey).
  4. Apply 10 rounds of transformations to the state, each of which ends by XORing in the next round key.
  5. Retrieve 16 bytes of ciphertext from the state matrix.

Each round mixes the bytes of the state with the functions SubBytes(), ShiftRows() and MixColumns() before the AddRoundKey(); the final round skips MixColumns(). SubBytes() is the S-box lookup that the AES-128 attacks target.

AES-256 is not much different from AES-128. The encryption process is:

  1. Use a 32 byte key to generate a key schedule, which is 240 bytes long (15 round keys of 16 bytes each, or 60 four-byte words).
  2. Put the 16 bytes of plaintext into a 4x4 state matrix.
  3. XOR the first round key into the state (AddRoundKey).
  4. Apply 14 rounds of transformations to the state, each of which ends by XORing in the next round key.
  5. Retrieve 16 bytes of ciphertext from the state matrix.

Notice that most of this algorithm is the same: the block size, the state and the round functions are unchanged, and only the key length, the number of rounds and the key expansion differ. Earlier, we attacked a target by modelling the output of the substitution box; since AES-256 uses the same S-box, the same sensitive point exists here. The one complication is that a single S-box attack reveals one 16-byte round key, which is only half of a 32-byte key, so two consecutive round keys have to be recovered before the key schedule can be run backwards to the original key.

The following code is the core of the AES-256 decryption routine from a small implementation written by Ilya O. Levin (ctx->key is a 32-byte working buffer holding two consecutive round keys; ctx->deckey holds the last 32 bytes of the expanded key, whose first 16 bytes are round key 14):

aes_addRoundKey_cpy(buf, ctx->deckey, ctx->key);   /* copy deckey into the working buffer and XOR round key 14 into the state */
aes_shiftRows_inv(buf);
aes_subBytes_inv(buf);                              /* first inverse S-box lookup: the attack point for round key 14 */

for (i = 14, rcon = 0x80; --i;)                     /* i runs from 13 down to 1 */
{
    if( ( i & 1 ) )
    {
        aes_expandDecKey(ctx->key, &rcon);          /* step the schedule back by 32 bytes (two round keys) */
        aes_addRoundKey(buf, &ctx->key[16]);        /* odd i: round key i is the upper 16 bytes */
    }
    else aes_addRoundKey(buf, ctx->key);            /* even i: round key i is the lower 16 bytes */
    aes_mixColumns_inv(buf);
    aes_shiftRows_inv(buf);
    aes_subBytes_inv(buf);                          /* at i == 13 this is the attack point for round key 13 */
}
aes_addRoundKey( buf, ctx->key);                    /* round key 0 */

Note that this implementation expands the key on the fly, stepping the schedule backwards as it decrypts instead of precomputing all 240 bytes. This order of events isn't a big deal to us: the state still goes through aes_subBytes_inv() right after the ciphertext is XORed with round key 14, and that inverse S-box lookup is just as visible in a power trace as subBytes() was in the AES-128 attack.
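The key schedule sizes compared above and the two inverse S-box lookups in the decryption loop, worked through as an added example. This is not ChipWhisperer code and not Ilya Levin's aes256.c; it assumes only Python 3 and its standard library, and the names expand_key(), recover_key_from_round_keys(), round14_target(), round13_input() and round13_target() are this example's own. It implements the FIPS-197 key expansion for both 16- and 32-byte keys (so the 11 versus 15 round keys can be seen directly), the per-byte intermediate value a CPA would model for round key 14 and for round key 13 (where the XOR with round key 13 sits before InvMixColumns, so the byte-wise attack recovers InvMixColumns(rk13) and a MixColumns undoes that), and, because the AES-256 schedule is invertible, how round keys 13 and 14 together give back the whole 32-byte key:

```python
# Added example for this page, not ChipWhisperer code and not Ilya Levin's aes256.c.
# Function names are this example's own.  FIPS-197 key schedule for 16- and 32-byte
# keys, the per-byte CPA intermediates for round keys 14 and 13 of the decryption
# above, and full-key recovery from those two round keys.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r & 0xFF

def _make_sbox():
    """AES S-box from its definition: GF(2^8) inverse, then the affine map."""
    box = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def rcon(j):
    """Round constant for schedule word j*Nk: x^(j-1) in GF(2^8)."""
    r = 1
    for _ in range(j - 1):
        r = gf_mul(r, 2)
    return r

def _schedule_step(prev, i, nk):
    """Transform FIPS-197 applies to w[i-1] before XORing it into w[i-Nk]."""
    if i % nk == 0:                # RotWord, SubWord, Rcon into byte 0
        return [SBOX[prev[1]] ^ rcon(i // nk), SBOX[prev[2]], SBOX[prev[3]], SBOX[prev[0]]]
    if nk > 6 and i % nk == 4:     # extra SubWord, AES-256 only
        return [SBOX[b] for b in prev]
    return list(prev)

def expand_key(key):
    """Round keys as 16-byte chunks: 11 (176 bytes) for AES-128, 15 (240 bytes) for AES-256."""
    nk = len(key) // 4
    rounds = {4: 10, 6: 12, 8: 14}[nk]
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (rounds + 1)):
        w.append([a ^ b for a, b in zip(w[i - nk], _schedule_step(w[i - 1], i, nk))])
    flat = bytes(b for word in w for b in word)
    return [flat[16 * r:16 * r + 16] for r in range(rounds + 1)]

def recover_key_from_round_keys(rk13, rk14):
    """AES-256: round keys 13 and 14 are schedule words w[52..59].  Every step is
    w[i] = w[i-8] ^ T(w[i-1]), so w[i-8] = w[i] ^ T(w[i-1]) walks the schedule back
    to w[0..7], which is the original 32-byte key."""
    nk, total = 8, 60
    w = [None] * total
    tail = rk13 + rk14
    for j in range(nk):
        w[total - nk + j] = list(tail[4 * j:4 * j + 4])
    for i in range(total - 1, nk - 1, -1):
        w[i - nk] = [a ^ b for a, b in zip(w[i], _schedule_step(w[i - 1], i, nk))]
    return bytes(b for word in w[:nk] for b in word)

def inv_shift_rows(s):
    """State index is row + 4*column; InvShiftRows rotates row r right by r."""
    return bytes(s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4))

def _mix(s, coeffs):
    out = bytearray(16)
    for c in range(4):
        for r in range(4):
            for k in range(4):
                out[4 * c + r] ^= gf_mul(s[4 * c + k], coeffs[(k - r) % 4])
    return bytes(out)

mix_columns = lambda s: _mix(s, (2, 3, 1, 1))        # forward circulant matrix
inv_mix_columns = lambda s: _mix(s, (14, 11, 13, 9))  # its inverse

def round14_target(ct, key_guess, byte_index):
    """CPA model for round key 14: output of the first aes_subBytes_inv() above.
    InvShiftRows only moves bytes, so per byte this is the AES-128 first-round
    model with ciphertext in place of plaintext and the inverse S-box."""
    return INV_SBOX[ct[byte_index] ^ key_guess]

def round13_input(ct, rk14):
    """'Plaintext' for the round key 13 attack.  The decryption XORs round key 13
    and then applies InvMixColumns, which is linear over XOR, so a byte-wise attack
    on this input recovers InvMixColumns(rk13) rather than rk13 itself."""
    state = bytes(INV_SBOX[b] for b in inv_shift_rows(bytes(a ^ k for a, k in zip(ct, rk14))))
    return inv_mix_columns(state)

def round13_target(mixed_state, key_guess, byte_index):
    """Same S-box model as round 14 on round13_input(); mix_columns() of the 16 winning guesses is rk13."""
    return INV_SBOX[mixed_state[byte_index] ^ key_guess]
```

Run expand_key() on the FIPS-197 Appendix A.3 key to check the schedule against the published expansion, then feed round keys 13 and 14 back into recover_key_from_round_keys() to see the full key come out. For an actual CPA, round14_target() is the hypothesis function for the first pass over the traces; once round key 14 is known, round13_input() turns each ciphertext into the input for a second, identical pass whose winners are InvMixColumns(rk13).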


Attacking AES-256 Decryption

Attacking Round Key 14

Attacking Round Key 13

Recovering the Full Key