Side channel cryptanalysis of product ciphers

  • John Kelsey
  • Bruce Schneier
  • David Wagner
  • Chris Hall
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1485)


Building on the work of Kocher [Koc96], we introduce the notion of side-channel cryptanalysis: cryptanalysis using implementation data. We discuss the notion of side-channel attacks and the vulnerabilities they introduce, demonstrate side-channel attacks against three product ciphers—timing attack against IDEA, processor-flag attack against RC5, and Hamming weight attack against DES—and then generalize our research to other cryptosystems.


Keywords: side channels, cryptanalysis, timing attacks, product ciphers




References

  1. [Ada97] C. Adams, “Constructing Symmetric Ciphers Using the CAST Design Procedure,” Designs, Codes and Cryptography, v. 12, n. 3, Nov 1997, pp. 71–104.
  2. [And95] R. Anderson, “On Fibonacci Keystream Generators,” Fast Software Encryption, 2nd International Workshop Proceedings, Springer-Verlag, 1995, pp. 346–352.
  3. [Bel96] S. Bellovin, “Problem Areas for the IP Security Protocols,” Proceedings of the Sixth Usenix Unix Security Symposium, Jul 1996, pp. 1–16.
  4. [DES81] ANSI X3.92, “American National Standard for Data Encryption Algorithm (DEA),” American National Standards Institute, 1981.
  5. [BS91] E. Biham and A. Shamir, “Differential Cryptanalysis of DES-like Cryptosystems,” Journal of Cryptology, v. 4, n. 1, 1991, pp. 3–72.
  6. [BS93] E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.
  7. [Bih94] E. Biham, “New Types of Cryptanalytic Attacks Using Related Keys,” Journal of Cryptology, v. 7, n. 4, 1994, pp. 229–246.
  8. [BS97] E. Biham and A. Shamir, “Differential Fault Analysis of Secret Key Cryptosystems,” Advances in Cryptology—CRYPTO ’97 Proceedings, Springer-Verlag, 1997, pp. 513–525.
  9. [BBS86] L. Blum, M. Blum, and M. Shub, “A Simple Unpredictable Pseudo-Random Number Generator,” SIAM Journal of Computing, v. 15, n. 2, 1986, pp. 364–383.
  10. [BDL97] D. Boneh, R.A. DeMillo, and R.J. Lipton, “On the Importance of Checking Cryptographic Protocols for Faults,” Advances in Cryptology—EUROCRYPT ’97 Proceedings, Springer-Verlag, 1997, pp. 37–51.
  11. [CG88] W.G. Chambers and D. Gollmann, “Generators for Sequences with Near-Maximal Linear Equivalence,” IEE Proceedings, v. 135, pt. E, n. 1, Jan 1988, pp. 331–343.
  12. [CKM94] D. Coppersmith, H. Krawczyk, and Y. Mansour, “The Shrinking Generator,” Advances in Cryptology—CRYPTO ’93 Proceedings, Springer-Verlag, 1994, pp. 22–39.
  13. [HGS97] C. Hall, I. Goldberg, and B. Schneier, “Reaction Attacks Against Several Public-Key Cryptosystems,” 1998, in preparation.
  14. [Kah67] D. Kahn, The Codebreakers, The MacMillan Company, 1967.
  15. [KSW96] J. Kelsey, B. Schneier, and D. Wagner, “Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES,” Advances in Cryptology—CRYPTO ’96 Proceedings, Springer-Verlag, 1996, pp. 237–251.
  16. [KSW97] J. Kelsey, B. Schneier, and D. Wagner, “Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA,” Information and Communications Security, First International Conference Proceedings, Springer-Verlag, 1997, pp. 203–207.
  17. [Koc96] P. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” Advances in Cryptology—CRYPTO ’96 Proceedings, Springer-Verlag, 1996, pp. 104–113.
  18. [Koc98] P. Kocher, personal communication, 1998.
  19. [LM90] X. Lai and J.L. Massey, “A Proposal for a New Block Encryption Standard,” Advances in Cryptology—EUROCRYPT ’90 Proceedings, Springer-Verlag, pp. 389–404.
  20. [LMM91] X. Lai, J.L. Massey, and S. Murphy, “Markov Ciphers and Differential Cryptanalysis,” Advances in Cryptology—EUROCRYPT ’91 Proceedings, Springer-Verlag, pp. 17–38.
  21. [Mat93] M. Matsui, “Linear Cryptanalysis Method for DES Cipher,” Advances in Cryptology—EUROCRYPT ’93 Proceedings, Springer-Verlag, 1994, pp. 386–397.
  22. [MS94] W. Meier and O. Staffelbach, “The Self-Shrinking Generator,” Communications and Cryptography: Two Sides of One Tapestry, R.E. Blahut et al., eds., Kluwer Academic Publishers, 1994, pp. 287–295.
  23. [Mer91] R. Merkle, “A Fast Software Encryption Function,” Advances in Cryptology—CRYPTO ’90 Proceedings, Springer-Verlag, 1991, pp. 476–501.
  24. [Sch94] B. Schneier, “Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish),” Fast Software Encryption, Cambridge Security Workshop Proceedings, Springer-Verlag, 1994, pp. 191–204.
  25. [Sch96] B. Schneier, Applied Cryptography, 2nd Edition, John Wiley & Sons, 1996.
  26. [vEc85] W. van Eck, “Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk,” Computers & Security, v. 4, 1985, pp. 269–286.
  27. [Wri87] P. Wright, Spycatcher, Viking Penguin Inc., 1987.
  28. [XHW94] S.B. Xu, D.K. He, and X.M. Wang, “An Implementation of the GSM General Data Encryption Algorithm A5,” CHINACRYPT ’94, 11–15 Nov 1994, pp. 287–291.

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • John Kelsey (1)
  • Bruce Schneier (1)
  • David Wagner (2)
  • Chris Hall (1)

  1. Counterpane Systems, Minneapolis
  2. U.C. at Berkeley, Berkeley
