On The Security of the DeKaRT Primitive
DeKaRT primitives are key-dependent reversible circuits presented at CHES 2003. According to their author, the circuits described are suitable for data scrambling but also as building blocks for block ciphers. Data scrambling of internal links and memories on smart card chips is intended to protect data against probing attacks. In this paper, we analyze the DeKaRT primitive using linear cryptanalysis. We show that, despite its key-dependent behavior, DeKaRT still has strongly linear structures, which can be exploited even under the particular hypothesis that only one bit of each ciphertext is available to the attacker (as is the case in the context of probing attacks), and using very few plaintext-ciphertext pairs.
The attack methodology we describe could be applied to other data scrambling primitives exhibiting highly biased linear relations.
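To make the one-ciphertext-bit hypothesis concrete, here is an added worked example; it is not code from the DeKaRT paper, from this paper, or from any smart card vendor. The 4-bit circuit it analyzes is a constructed toy (a key-controlled swap, a CNOT, a Toffoli gate and a key-controlled NOT), chosen only because its linear structure can be checked by hand; it is not DeKaRT, and no DeKaRT internals are assumed. The block computes the bias of every linear relation between the plaintext and a single ciphertext bit over the whole codebook, which is the check a designer of a scrambling primitive would run, and then shows that a relation with bias 1/4 lets a Matsui-style counting test on eight plaintext/bit pairs recover the two key bits:

```python
"""Worked example (added here, not code from the DeKaRT paper or from the
attack paper): linear analysis of a CONSTRUCTED 4-bit key-dependent
reversible circuit under the one-ciphertext-bit hypothesis.

The toy circuit is an assumption for illustration only; it is not DeKaRT.
"""

BLOCK_BITS = 4
OUT_BIT = 2            # the single ciphertext bit the probe is assumed to see
MASK_A = 0b0101        # input mask selecting x0 ^ x2
MASK_B = 0b0110        # input mask selecting x1 ^ x2


def parity(v: int) -> int:
    """Parity of the set bits of v (the dot product a.x over GF(2))."""
    return bin(v).count("1") & 1


def toy_scramble(x: int, key: int) -> int:
    """Constructed key-dependent reversible circuit on a 4-bit value.

    key bit 0 selects whether input wires 0 and 1 are swapped,
    key bit 1 selects whether output wire 2 is inverted.
    """
    b = [(x >> i) & 1 for i in range(BLOCK_BITS)]
    if key & 1:
        b[0], b[1] = b[1], b[0]      # key-controlled swap
    b[2] ^= b[0]                     # CNOT: wire 0 controls wire 2
    b[2] ^= b[1] & b[3]              # Toffoli: wires 1 and 3 control wire 2 (nonlinear)
    if key & 2:
        b[2] ^= 1                    # key-controlled NOT on wire 2
    return sum(bit << i for i, bit in enumerate(b))


def toy_unscramble(y: int, key: int) -> int:
    """Inverse: every gate is an involution, so apply them in reverse order."""
    b = [(y >> i) & 1 for i in range(BLOCK_BITS)]
    if key & 2:
        b[2] ^= 1
    b[2] ^= b[1] & b[3]
    b[2] ^= b[0]
    if key & 1:
        b[0], b[1] = b[1], b[0]
    return sum(bit << i for i, bit in enumerate(b))


def linear_bias(mask: int, out_bit: int, key: int) -> float:
    """Bias eps = Pr[mask.x == y[out_bit]] - 1/2, exact over the 4-bit codebook."""
    agree = sum(
        1 for x in range(1 << BLOCK_BITS)
        if parity(x & mask) == (toy_scramble(x, key) >> out_bit) & 1
    )
    return agree / (1 << BLOCK_BITS) - 0.5


def bias_table(out_bit: int) -> dict:
    """{key: {mask: bias}} for every key and every non-zero input mask.

    A designer wants every entry close to 0; here some masks reach |eps| = 1/4
    for every key, which is what makes the single-bit test below work.
    """
    return {
        key: {mask: linear_bias(mask, out_bit, key) for mask in range(1, 1 << BLOCK_BITS)}
        for key in range(4)
    }


def recover_key(samples) -> int:
    """Matsui-style counting on (plaintext, single ciphertext bit) pairs.

    For key bit 0 = 0 the relation x0^x2 = y2 holds with bias +-1/4 and
    x1^x2 = y2 with bias 0; for key bit 0 = 1 the roles are swapped.
    The sign of the surviving bias is the value of key bit 1.
    """
    n = len(samples)
    count_a = sum(1 for x, y2 in samples if parity(x & MASK_A) == y2)
    count_b = sum(1 for x, y2 in samples if parity(x & MASK_B) == y2)
    dev_a, dev_b = 2 * count_a - n, 2 * count_b - n     # signed deviation from n/2
    if abs(dev_a) >= abs(dev_b):
        k0, dev = 0, dev_a
    else:
        k0, dev = 1, dev_b
    k1 = 0 if dev > 0 else 1
    return k0 | (k1 << 1)


# Constructed sample of 8 plaintexts (half the codebook) for the demonstration.
SAMPLE_PLAINTEXTS = [0x0, 0x3, 0x5, 0x6, 0x9, 0xA, 0xC, 0xF]


def probe_samples(key: int, plaintexts=SAMPLE_PLAINTEXTS):
    """Simulate a probe that sees only ciphertext bit OUT_BIT for each plaintext."""
    return [(x, (toy_scramble(x, key) >> OUT_BIT) & 1) for x in plaintexts]


if __name__ == "__main__":
    for key in range(4):
        assert all(toy_unscramble(toy_scramble(x, key), key) == x for x in range(16))
        print(f"key={key:02b} recovered={recover_key(probe_samples(key)):02b} "
              f"bias A={linear_bias(MASK_A, OUT_BIT, key):+.2f} "
              f"bias B={linear_bias(MASK_B, OUT_BIT, key):+.2f}")
```

The point of `bias_table` is the defensive one: a key-dependent circuit is only as good as its worst-case linear bias over all keys, and that table is cheap to compute for a small primitive before it is trusted to resist a probe on a single wire.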
Keywords: Smart Card, Probing Attacks, Data Scrambling, Linear Cryptanalysis
- J.D. Golic, DeKaRT: A New Paradigm for Key-Dependent Reversible Circuits, Proceedings of CHES 2003, Lecture Notes in Computer Science, vol. 2779, pp. 98–112, 2003.
- R. Anderson and M. Kuhn, Tamper Resistance - a Cautionary Note, Second USENIX Workshop on Electronic Commerce Proceedings, pp. 1–11, Oakland, California, November 1996.
- O. Kömmerling and M. Kuhn, Design Principles for Tamper-Resistant Smartcard Processors, USENIX Workshop on Smartcard Technology, Chicago, Illinois, USA, May 1999.
- A. Biryukov, C. De Cannière, M. Quisquater, On Multiple Linear Approximations, Cryptology ePrint Archive, Report 2004/057, available at http://eprint.iacr.org/2004/057.