Exact SASCA (ExSASCA) Cryptanalysis
- Exact SASCA (ExSASCA) is a side-channel cryptanalysis method that leverages knowledge compilation and probabilistic circuits to compute exact key marginals for AES-128.
- It replaces approximate loopy belief propagation with provably exact computations, achieving an improvement of over 31 percentage points in top-1 key recovery accuracy.
- The approach compiles complex factors into tractable PSDD circuits, enabling efficient marginalization and robust performance even under degraded leakage conditions.
Exact SASCA (ExSASCA) is a methodology for side-channel cryptanalysis that delivers exact probabilistic inference over cryptographic keys by leveraging knowledge compilation and tractable probabilistic circuits. Originally designed as an enhancement over the state-of-the-art soft analytical side-channel attack (SASCA), ExSASCA replaces SASCA’s approximate and non-guaranteed loopy belief propagation with provably exact and efficient computations, specifically targeting cryptosystems such as AES-128, the most widely deployed block cipher. In experimental settings, ExSASCA demonstrates a substantial increase in key recovery success rate—over 31 percentage points in top-1 accuracy—at near-equivalent computational cost to SASCA, and several orders of magnitude faster than exhaustive enumeration (Wedenig et al., 23 Jan 2025).
1. Side-Channel Attack Scenario and Model
ExSASCA operates within the “template attack + logical-probabilistic inference” paradigm for AES-128. The secret key is structured as with known plaintext . The attacker observes a side-channel leakage trace (e.g., power traces). Intermediate byte-valued state variables post-AddRoundKey, SubBytes, and MixColumns are collectively denoted as .
During the profiling phase, for each intermediate variable , a likelihood model is constructed:
For each attack instance, under a uniform prior, the attacker computes a posterior belief
serving as a local “soft guess” for each . These local beliefs form the input to the subsequent logical-probabilistic inference.
2. Probabilistic Structure of SASCA and ExSASCA
SASCA models the joint distribution over key, state, and observed trace via a factor graph, where factors encode AES algorithmic constraints:
- AddRoundKey: for each byte
- SubBytes: for S-box substitution
- MixColumns: 0 if the MixColumns equation is satisfied.
The joint posterior is
1
The marginal over the key involves summing out all intermediate states:
2
SASCA typically estimates these marginals using loopy belief propagation (LBP) across the highly loopy AES factor graph. However, LBP lacks guarantees in convergence and inference quality, particularly because of the cycles induced by MixColumns.
3. Knowledge Compilation and Probabilistic Circuits
ExSASCA’s central innovation is the use of knowledge compilation—specifically, probabilistic sentential decision diagrams (PSDDs)—to obtain exact messages from complex, high-arity factors in the factor graph. Collapsing each MixColumns column into a “black-box” factor 3, the remaining structure forms a tree, enabling exact inference via standard belief propagation, contingent on one’s ability to compute:
4
for each relevant variable 5. Direct evaluation is intractable due to exponential domain size (6), but compiling 7 into a PSDD yields a tractable circuit for efficient marginalization, multiplication (conditioning), and MPE queries, each scaling polynomially or linearly in circuit size.
4. Circuit Construction and Inference Techniques
The MixColumns factor is encoded as a conjunctive normal form (CNF) over 168 bit-variables (21 bytes × 8 bits) with 648 clauses. Compilation proceeds in stages:
- Bottom-up dynamic vtree search to build a sentential decision diagram (SDD), yielding ≈19,000 nodes.
- Conversion from SDD to PSDD to obtain a probability circuit 8, with uniform distribution over MixColumns' feasible assignments.
- For each local belief 9, extraction and compilation into a byte-level PSDD, possibly pruned to enforce sparsity.
- All PSDDs share a global vtree, enabling efficient circuit product operations and rapid marginalization.
In the “dense” regime, where beliefs are widely supported, a single large SDD with 2,560 byte-indicator variables per column is built, supporting bulk weighted model counting (WMC). This approach scales to circuits of ≈20 million nodes with compilation times of ∼7 hours per column on commodity hardware.
5. Algorithmic Workflow and Complexity
A high-level pseudocode outline for ExSASCA attacking a single MixColumns column is as follows:
0
Computational costs per trace:
- SASCA (loopy BP): 0–1 ms.
- ExSASCA sparse: 2–3 ms.
- ExSASCA dense: a few seconds.
- Enumeration: 4 ms (for 5 candidates).
The product circuit's size grows as 6 for at most 7 nonzero values per belief, with inference time 8, where 9 is the circuit size of each MixColumns column in the sparse case.
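The exact MAR and MPE queries against the MixColumns factor (Sections 3 and 5), as an added example that is not the paper's code: it enumerates the joint support of the pruned ("sparse") input beliefs directly instead of compiling the factor into a PSDD, so it shows what the circuit computes at the cost of the k^4 enumeration the text describes. The belief tables are constructed; the true column db 13 53 45 -> 8e 4d a1 bc is the standard AES MixColumns test vector.

```python
from itertools import product

def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return b ^ 0x11b if b & 0x100 else b

def mix_column(col):
    """AES MixColumns on one 4-byte column: the deterministic constraint f_MC."""
    return [xtime(col[i]) ^ xtime(col[(i + 1) % 4]) ^ col[(i + 1) % 4]
            ^ col[(i + 2) % 4] ^ col[(i + 3) % 4] for i in range(4)]

def exact_column_inference(in_beliefs, out_beliefs, eps=1e-8):
    """Exact MAR and MPE for the four input bytes of one MixColumns column.

    Each belief is a dict {byte: probability}. Input entries below eps are pruned
    (the sparse regime); the joint is enumerated over the pruned input supports,
    so cost is at most k^4 for k surviving values per input belief.
    """
    supports = [[(v, p) for v, p in b.items() if p >= eps] for b in in_beliefs]
    marg = [dict() for _ in range(4)]
    best, best_w = None, 0.0
    for combo in product(*supports):
        vals = [v for v, _ in combo]
        w = 1.0
        for _, p in combo:
            w *= p
        for o, ob in zip(mix_column(vals), out_beliefs):
            w *= ob.get(o, 0.0)   # zero unless the output byte is in that belief's support
        if w == 0.0:
            continue              # assignment violates f_MC or lands on a pruned value
        for i, v in enumerate(vals):
            marg[i][v] = marg[i].get(v, 0.0) + w
        if w > best_w:
            best, best_w = vals, w
    z = sum(marg[0].values())     # the same normaliser serves every byte
    if z == 0.0:
        return [{} for _ in range(4)], None   # beliefs are jointly inconsistent
    return [{v: p / z for v, p in m.items()} for m in marg], best

# Constructed local beliefs: byte 3's own belief favours the wrong value 0x55;
# only the MixColumns constraint joined with the output beliefs can correct it.
IN_BELIEFS = [{0xdb: 0.6, 0xda: 0.4}, {0x13: 0.7, 0x11: 0.3},
              {0x53: 0.8, 0x57: 0.2}, {0x45: 0.3, 0x55: 0.7}]
OUT_BELIEFS = [{0x8e: 0.6, 0x9e: 0.4}, {0x4d: 0.7, 0x5d: 0.3},
               {0xa1: 0.5, 0x91: 0.5}, {0xbc: 0.8, 0x9c: 0.2}]

if __name__ == "__main__":
    marginals, mpe = exact_column_inference(IN_BELIEFS, OUT_BELIEFS)
    print("MPE column:", [hex(v) for v in mpe])
    print("byte 3 marginal:", {hex(v): round(p, 4) for v, p in marginals[3].items()})
```

Only two joint assignments are consistent with all eight beliefs here, and the exact marginal for byte 3 flips from the locally favoured 0x55 to 0x45 with probability 6/7.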
6. Experimental Evaluation on AES-128
Empirical results on 131,072 traces collected from an ARM STM32F415 implementation (across 512 keys × 256 plaintexts) confirm ExSASCA’s advantages. Success rates (top-1 key recovery) on validation data illustrate the accuracy advantage:
| ε | SASCA (50 iters) | ExSASCA+MAR | ExSASCA+MPE |
|---|---|---|---|
| 10⁻² | 32.34% | 57.36% | 57.51% |
| 10⁻⁸ | 33.81% | 67.37% | 67.60% |
| 0 | 33.76% | 67.37% | 67.61% |
Key findings:
- ExSASCA demonstrates an improvement of ≈31 percentage points over SASCA.
- Pruning with ε = 10⁻⁸ has negligible impact on accuracy compared to dense evaluation.
- Under increasing corruption towards uniform beliefs (0), ExSASCA maintains ≈20% success even as SASCA collapses to chance.
This suggests superior robustness of ExSASCA under reduced information.
7. Theoretical Guarantees and Computational Bounds
Upon collapsing MixColumns into independent high-arity factors, the resulting factor graph becomes a tree, guaranteeing that standard belief propagation recovers exact marginals (see Koller & Friedman, 2009). Properties of PSDDs utilized by ExSASCA include:
- Summation (marginalization): 1
- Multiplication: 2 for circuits of sizes 3
- MPE: 4
In the sparse regime, each product grows by 5 with inference time 6, versus 7 for exhaustive enumeration. For the dense WMC approach (single circuit per MixColumns column), two passes over circuits of size ≈20 million nodes (forward for WMC, backward for differentiation) answer all four message queries in 8 million) operations—yielding ≈6× fewer operations than direct enumeration over all 9 assignments.
A plausible implication is that ExSASCA’s techniques can extend to similarly structured ciphers or side-channel models, provided large-factor knowledge compilation remains tractable. For vanilla AES, sparse pruning yields SASCA-level runtime with substantially improved accuracy; in high-entropy or leakage-protected settings, ExSASCA's dense mode retains computational tractability and marked superiority over both SASCA and exhaustive search (Wedenig et al., 23 Jan 2025).