Improving recent side-channel attacks against the DES key schedule

Journal of Cryptographic Engineering ◽

10.1007/s13389-021-00279-2 ◽

2021 ◽

Author(s):

Andreas Wiemers ◽

Johannes Mittmann

Keyword(s):

Measurement Data ◽

Continuous Model ◽

Data Encryption ◽

Side Channel ◽

Channel Measurements ◽

Side Channel Attacks ◽

Enumeration Algorithm ◽

Leakage Model ◽

Key Schedule ◽

Lattice Point Enumeration

AbstractRecent publications consider side-channel attacks against the key schedule of the Data Encryption Standard (DES). These publications identify a leakage model depending on the XOR of register values in the DES key schedule. Building on this leakage model, we first revisit a discrete model which assumes that the Hamming distances between subsequent round keys leak without error. We analyze this model formally and provide theoretical explanations for observations made in previous works. Next we examine a continuous model which considers more points of interest and also takes noise into account. The model gives rise to an evaluation function for key candidates and an associated notion of key ranking. We develop an algorithm for enumerating key candidates up to a desired rank which is based on the Fincke–Pohst lattice point enumeration algorithm. We derive information-theoretic bounds and estimates for the remaining entropy and compare them with our experimental results. We apply our attack to side-channel measurements of a security controller. Using our enumeration algorithm we are able to significantly improve the results reported previously for the same measurement data.

Download Full-text

Combined Fault and Side-Channel Attacks on the AES Key Schedule

2012 Workshop on Fault Diagnosis and Tolerance in Cryptography ◽

10.1109/fdtc.2012.10 ◽

2012 ◽

Cited By ~ 10

Author(s):

Francois Dassance ◽

Alexandre Venelli

Keyword(s):

Side Channel ◽

Side Channel Attacks ◽

Key Schedule

Download Full-text

Investigating Profiled Side-Channel Attacks Against the DES Key Schedule

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2020.i3.22-72 ◽

2020 ◽

pp. 22-72

Author(s):

Johann Heyszl ◽

Katja Miller ◽

Florian Unterstein ◽

Marc Schink ◽

Alexander Wagner ◽

...

Keyword(s):

Wide Distribution ◽

General Purpose ◽

Side Channel ◽

Side Channel Attacks ◽

Key Schedule ◽

Weak Keys ◽

Security Levels ◽

Single Trace ◽

Specific Implementation ◽

The Impact

Recent publications describe profiled single trace side-channel attacks (SCAs) against the DES key-schedule of a “commercially available security controller”. They report a significant reduction of the average remaining entropy of cryptographic keys after the attack, with surprisingly large, key-dependent variations of attack results, and individual cases with remaining key entropies as low as a few bits. Unfortunately, they leave important questions unanswered: Are the reported wide distributions of results plausible - can this be explained? Are the results device-specific or more generally applicable to other devices? What is the actual impact on the security of 3-key triple DES? We systematically answer those and several other questions by analyzing two commercial security controllers and a general purpose microcontroller. We observe a significant overall reduction and, importantly, also observe a large key-dependent variation in single DES key security levels, i.e. 49.4 bit mean and 0.9 % of keys < 40 bit (first investigated security controller; other results similar). We also observe a small fraction of keys with exceptionally low security levels that can be called weak keys. It is unclear, whether a device’s side-channel security should be assessed based on such rare weak key outliers. We generalize results to other leakage models by attacking the hardware DES accelerator of a general purpose microcontroller exhibiting a different leakage model. A highly simplified leakage simulation also confirms the wide distribution and shows that security levels are predictable to some extent. Through extensive investigations we find that the actual weakness of keys mainly stems from the specific switching noise they cause. Based on our investigations we expect that widely distributed results and weak outliers should be expected for all profiled attacks against (insufficiently protected) key-schedules, regardless of the algorithm and specific implementation. Finally, we describe a sound approach to estimate actual 3-key triple-DES security levels from empirical single DES results and find that the impact on the security of 3-key triple-DES is limited, i.e. 96.1 bit mean and 0.24 % of key-triples < 80 bit for the same security controller.

Download Full-text

A Bounded-Space Near-Optimal Key Enumeration Algorithm for Multi-subkey Side-Channel Attacks

Topics in Cryptology – CT-RSA 2017 - Lecture Notes in Computer Science ◽

10.1007/978-3-319-52153-4_18 ◽

2017 ◽

pp. 311-327 ◽

Cited By ~ 10

Author(s):

Liron David ◽

Avishai Wool

Keyword(s):

Side Channel ◽

Side Channel Attacks ◽

Enumeration Algorithm ◽

Bounded Space

Download Full-text

An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks

Selected Areas in Cryptography - Lecture Notes in Computer Science ◽

10.1007/978-3-642-35999-6_25 ◽

2013 ◽

pp. 390-406 ◽

Cited By ~ 58

Author(s):

Nicolas Veyrat-Charvillon ◽

Benoît Gérard ◽

Mathieu Renauld ◽

François-Xavier Standaert

Keyword(s):

Side Channel ◽

Side Channel Attacks ◽

Enumeration Algorithm

Download Full-text

A Strict Key Enumeration Algorithm for Dependent Score Lists of Side-Channel Attacks

Smart Card Research and Advanced Applications - Lecture Notes in Computer Science ◽

10.1007/978-3-319-75208-2_4 ◽

2018 ◽

pp. 51-69 ◽

Cited By ~ 3

Author(s):

Yang Li ◽

Shuang Wang ◽

Zhibin Wang ◽

Jian Wang

Keyword(s):

Side Channel ◽

Side Channel Attacks ◽

Enumeration Algorithm

Download Full-text

Strengthening Sequential Side-Channel Attacks Through Change Detection

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2020.i3.1-21 ◽

2020 ◽

pp. 1-21

Author(s):

Luca Frittoli ◽

Matteo Bocchi ◽

Silvia Mella ◽

Diego Carrera ◽

Beatrice Rossi ◽

...

Keyword(s):

Change Detection ◽

Computing Time ◽

Side Channel ◽

Channel Measurements ◽

Success Rates ◽

Secret Key ◽

Side Channel Attacks ◽

Sequential Structure ◽

Timing Attack ◽

Alternative Solutions

The sequential structure of some side-channel attacks makes them subject to error propagation, i.e. when an error occurs during the recovery of some part of a secret key, all the following guesses might as well be chosen randomly. We propose a methodology that strengthens sequential attacks by automatically identifying and correcting errors. The core ingredient of our methodology is a change-detection test that monitors the distribution of the distinguisher values used to reconstruct the secret key. Our methodology includes an error-correction procedure that can cope both with false positives of the change-detection test, and inaccuracies of the estimated location of the wrong key guess. The proposed methodology is general and can be included in several attacks. As meaningful examples, we conduct two different side-channel attacks against RSA-2048: an horizontal power-analysis attack based on correlation and a vertical timing attack. Our experiments show that, in all the considered cases, strengthened attacks outperforms their original counterparts and alternative solutions that are based on thresholds. In particular, strengthened attacks achieve high success rates even when the side-channel measurements are noisy or limited in number, without prohibitively increasing the computing time.

Download Full-text