Side-Channel Analysis of Keymill
One prominent countermeasure against side-channel attacks, especially differential power analysis (DPA), is fresh re-keying. In such schemes, the so-called re-keying function takes the burden of protecting a cryptographic primitive against DPA. To ensure the security of the scheme against side-channel analysis, the re-keying function has to withstand both simple power analysis (SPA) and differential power analysis (DPA). Recently, at SAC 2016, Taha et al. proposed Keymill, a side-channel resilient key generator (or re-keying function), which is claimed to be inherently secure against side-channel attacks. In this work, however, we present a DPA attack on Keymill, which is based on the dynamic power consumption of a digital circuit that is tied to the \(0\rightarrow 1\) and \(1\rightarrow 0\) switches of its logical gates. Hence, the power consumption of the shift-registers used in Keymill depends on the \(0\rightarrow 1\) and \(1\rightarrow 0\) switches of its internal state. This information is sufficient to obtain the internal differential pattern (up to a small number of bits, which have to be brute-forced) of the 4 shift-registers of Keymill after the nonce has been absorbed. This leads to a practical key-recovery attack on Keymill.
Keywords: Side-channel analysis, Fresh re-keying, Differential power analysis
This work has been supported in part by the Austrian Science Fund (project P26494-N15) and by the Austrian Research Promotion Agency (FFG) under grant number 845589 (SCALAS).
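The abstract's core observation is that a shift register's dynamic power follows its 0→1 and 1→0 toggles, and that the toggle count per clock is determined by the XOR of neighbouring state bits (the differential pattern) plus the incoming bit's transition. The following added example (not code from the paper, and not a model of Keymill's actual register lengths or nonlinear feedback functions) is the kind of leakage-model check an evaluator runs before accepting a claim of inherent side-channel security: it models a generic shift register under a Hamming-distance leakage model, verifies the toggle/differential-pattern identity for every state, and sums several registers as one power measurement would. Register widths and fed-in bits are constructed.

```python
# Added example: Hamming-distance leakage model for a shift-register key generator.
# Not the paper's code; widths, states and fed bits are constructed for illustration.
from typing import List, Sequence, Tuple


def popcount(x: int) -> int:
    return bin(x).count("1")


def shift_in(state: int, new_bit: int, width: int) -> int:
    """One clock: bit i moves to i+1, bit width-1 is dropped, new_bit enters at 0."""
    return ((state << 1) | (new_bit & 1)) & ((1 << width) - 1)


def differential_pattern(state: int, width: int) -> int:
    """Bit i of the result is state[i] XOR state[i+1], for i = 0 .. width-2."""
    return (state ^ (state >> 1)) & ((1 << (width - 1)) - 1)


def toggles(state: int, new_bit: int, width: int) -> int:
    """Hamming distance between consecutive states: the dynamic-power proxy."""
    return popcount(state ^ shift_in(state, new_bit, width))


def predicted_toggles(state: int, new_bit: int, width: int) -> int:
    """Same quantity derived from the differential pattern: each neighbouring pair
    that differs toggles once, plus the transition caused by the incoming bit."""
    return popcount(differential_pattern(state, width)) + ((state & 1) ^ (new_bit & 1))


def leakage_trace(state: int, fed_bits: Sequence[int], width: int) -> List[int]:
    """Per-clock toggle counts while fed_bits are shifted in, in order."""
    trace = []
    for b in fed_bits:
        trace.append(toggles(state, b, width))
        state = shift_in(state, b, width)
    return trace


def combined_trace(registers: Sequence[Tuple[int, int]],
                   fed_bits: Sequence[Sequence[int]]) -> List[int]:
    """Sum the toggle counts of several (state, width) registers clocked in
    parallel, as a single power measurement sees them."""
    traces = [leakage_trace(s, bits, w) for (s, w), bits in zip(registers, fed_bits)]
    return [sum(column) for column in zip(*traces)]


if __name__ == "__main__":
    # Constructed 8-bit register: the trace depends on neighbouring-bit differences,
    # so a state and its bitwise complement (with complemented input) leak identically.
    print(leakage_trace(0b00001111, [0, 1, 1, 0], 8))
    print(leakage_trace(0b11110000, [1, 0, 0, 1], 8))
```

The identical traces for a state and its complement show why transition leakage pins down differences between bits rather than their absolute values, which is why a model like this is the right starting point for evaluating any register-based re-keying function.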