Exploring the Resilience of Some Lightweight Ciphers Against Profiled Single Trace Attacks

Banciu, Valentina; Oswald, Elisabeth; Whitnall, Carolyn

doi:10.1007/978-3-319-21476-4_4

Cited by 5 publications

(3 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nonlinearity (NL) of the components of the modular addition (selection functions ϕ4 and ϕ5 from Table 2). By nonlinearity of a component of an (n, m) function F , we mean the nonlinearity of F computed for a fixed vector v ∈ F m * 2 as in Equation (1). "Number" denotes how many components have the given nonlinearity NL, "Proportion (%)" is the proportion of the given nonlinearity NL with respect to the nonlinearity of all components of F .…”

Section: Selection Functionmentioning

confidence: 99%

“…In particular, the study of the SCA-resistance of software implementations of lightweight ciphers did not keep pace with the high number of new proposals. In [1], the resilience of the AES and three lightweight block ciphers that share some characteristics (namely KLEIN, LED, and PRESENT) is investigated against profiled singletrace attacks. Unprotected hardware implementations of Simon and LED were analyzed with respect to DPA in [34].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Correlation Power Analysis of Lightweight Block Ciphers: From Theory to Practice

Biryukov

Dinu

Großschädl

2016

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. Side-Channel Analysis (SCA) represents a serious threat to the security of millions of smart devices that form part of the so-called Internet of Things (IoT). Choosing the "right" cryptographic primitive for the IoT is a highly challenging task due to the resource constraints of IoT devices and the variety of primitives. An important criterion to assess the suitability of a lightweight cipher with respect to SCA is the amount of leakage available to an adversary. In this paper, we analyze the efficiency of different selection functions that are commonly used in Correlation Power Analysis (CPA) attacks on symmetric primitives. To this end, we attacked implementations of the lightweight block ciphers AES, Fantomas, LBlock, Piccolo, PRINCE, RC5, Simon, and Speck on an 8-bit AVR processor. By exploring the relation between the nonlinearity of the studied selection functions and the measured leakages, we discovered some imperfections when using nonlinearity to quantify the resilience against CPA. Then, we applied these findings in an evaluation of the "intrinsic" CPA-resistance of unprotected implementations of the eight mentioned ciphers. We show that certain implementation aspects can influence the leakage level and try to explain why. Our results shed new light on the resilience of basic operations executed by these ciphers against CPA and help to bridge the gap between theory and practice.

show abstract

Section: Selection Functionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Correlation Power Analysis of Lightweight Block Ciphers: From Theory to Practice

Biryukov

Dinu

Großschädl

2016

Applied Cryptography and Network Security

View full text Add to dashboard Cite

show abstract

“…Several works have already examined the strength of lightweight ciphers against SCA and highlighted some of their exciting features. Banciu et al [BOW15] investigate three ciphers (PRESENT, LED and KLEIN) and compare them to AES using pragmatic simple power analysis [Man03] (essentially key enumeration exploiting leakage from a single trace). They notice that the lighter diffusion in the round function and especially the key schedule leads to more powerful attacks, as it leads to more intermediate variables whose leakage can be effectively exploited in a key enumeration effort.…”

Section: Related Workmentioning

confidence: 99%

Pincering SKINNY by Exploiting Slow Diffusion

Costes,

Stam

2023

TCHES

View full text Add to dashboard Cite

Lightweight cryptography is an emerging field where designers are testing the limits of symmetric cryptography. We investigate the resistance against sidechannel attacks of a new class of lighter blockciphers, which use a classic substitution–permutation network with slow diffusion and many rounds.Among these ciphers, we focus on SKINNY, a primitive used up to the final round ofNIST’s recent lightweight standardisation effort. We show that the lack of diffusion in the key scheduler allows an attacker to combine leakage from the first and the last rounds, effectively pincering its target. Furthermore, the slow diffusion used by its partial key-absorption and linear layers enable, on both sides, to target S-Boxes from several rounds deep.As some of these S-boxes leak on the same part of the key, full key recovery exploiting all leakage requires a clever combining strategy. We introduce the use of cluster graph inference (an established tool from probabilistic graphical model theory) to enhance both unprofiled or profiled differential power analysis, enabling us to handlethe increase of S-Boxes with their intertwined leakage.We evaluate the strength of our attack both in the Hamming weight model and against two implementations running on an STM32F303 ARM Cortex-M4 hosted on a ChipWhisperer target board, showing that our attack reduces the number of traces required to attack SKINNY by a factor of around 2.75.

show abstract