Aerospace and Electronic Systems - August 2019 - 40

Ensuring Cybersecure Telemetry and Telecommand in Small Satellites: Recent Trends and Empirical Propositions
Table 5.

Results of Differential-Linear Cryptanalysis of Selected Ciphers
Algorithm

L/D

No. of rounds

No. of operations required

AES-128 [62]

D

7

2106 CP, time complexity of 2110:2 , memory
complexity of 294:2 and data complexity of 2106:2
(uses improved impossible differential)

IDEA-128 [63]

L, D

3

0.75 Â244 (+ 1.5 Â229 for additional two
subkeys) (229 CP, 249 addition modulo;
additional 233 XOR operations)

PRESENT-80 (reduced
round variant) [64]

D

16

264 CP; 265 memory accesses; 232 6-bit
counters; 224 hash cells

PRESENT-80 (reduced
round variant) [65]

L

25

264 CP; 262:4 data complexity / CP; 265 time
complexity

PRESENT-80 [42]

L, D

31

223 CP; 284 KP/ciphertext

DES-56 [66]

L, D

16, 10

247 CP, data complexity less than 255 (D) and
243 KP (L) and 243

L stands for linear cryptanalysis, D standards for differential cryptanalysis, CP stands for chosen plaintext, KP stands for known plaintext.

Table 5 shows the computational complexities
involved in differential-linear cryptanalysis of selected
ciphers. For RSA, we cannot consider either differential
or linear cryptanalysis and instead, consider partial key
exposure attack, where attackers are able to construct the
entire private key d given k=4 least significant bits of d,
where k is the length of the modulus of the product of two
prime numbers, n [59]. Takayasu and Kunihiro [60]
showed that it is possible to extract the key given
d < N 0:5625 and d < N 0:368 using most MSBs and LSBs
(most and least significant bits, respectively), fully covering the Boneh-Durfee bound of d < N 0:292 . Blomer and
May [61] showed that the L3 time on a 500 MHz workstation to crack the private key is as low as 72 min and 50 h
for ðN; eÞ = (1000, 550) and (1000, 500) for known MSB
and LSB, respectively.
Side-channel attacks (implementation attacks) are carried out based on information leaked from the implementation of a cryptosystem [67]. Examples of side-channel
attacks include cache attacks, timing attacks, differentialfault attacks, and power and electromagnetic analysis
attacks.
Skalicky and Cui [68] proposed a cache collision timing attack that requires only 215 encryptions with 50 random keys in the first and last round to recover the secret
key due to the use of lookup tables in AES, which is meant
to increase the throughput of AES. Bonneau and Mironov
[69] further reduced the number of encryptions to 213 via
expanded final round attack that takes advantage of all
cache collisions. Tsunoo et al. [70] proposed a cache
attack on DES, requiring 223 plaintexts and 224 calculations with a success rate of > 90%. A vulnerability in the
key-scheduling process was identified by Kim [71], which
40

allows differential-fault attack to induce two faulty ciphertexts in the 8th round of AES-128 (one-byte fault model),
suggesting the last three rounds of AES to be protected.
Differential-fault attacks have also been known to be
effective against IDEA, extracting 93 out of 128 key bits
by inducing only ten faults [72], thanks to the weak keys.
Rivain [73] showed that the secret key of DES could be
broken by inducing faults at the end of rounds 9-12;
around 105 faults at the end of round 9 can recover the
round key with 99% confidence. Banerjee et al. [74]
showed how the secret key of AES-128 could be extracted
in less than 3 h by collecting and processing 500 plaintext
and evaluating correlation values through power analysis
of processor's power consumption during encryption,
whereas multiple techniques to maximize and extract such
side-channel information from smartcards equipped with
DES via power analysis have been shown to be effective
by Messerges et al. [75]. Yang et al. [76] proposed a side
channel cube attack on PRESENT, requiring 215 chosen
plaintexts and 232 encryptions for a 1-bit leak in the third
round due to the existence of nonrandom polynomials
after few rounds.
Timing, differential-fault and power attacks have been
proposed on RSA. Factorization of the public key of RSA
is the first attack to consider [77], and Schindler [78] proposed an efficient timing attack enabling factorization of
the modulus even if the Chinese Remainder Theorem
(CRT) and Montgomery's algorithm is used to evaluate
the public key. Aumuller et al. [79] proved the feasibility
of the classical Bellcore fault attack on unprotected microcontroller-based RSA cryptosystems (such as smartcards)
using CRT. However, Fournaris [80] proposed a fault and
power attack resistant RSA cryptosystem by using an

IEEE A&E SYSTEMS MAGAZINE

AUGUST 2019
Aerospace and Electronic Systems - August 2019

Table of Contents for the Digital Edition of Aerospace and Electronic Systems - August 2019
