Pincering SKINNY by Exploiting Slow Diffusion
Main Authors: | Nicolas Costes, Martijn Stam |
---|---|
Format: | Article |
Language: | English |
Published: | Ruhr-Universität Bochum, 2023-08-01 |
Series: | Transactions on Cryptographic Hardware and Embedded Systems |
Subjects: | Lightweight Cryptography; SKINNY; Belief Propagation; Differential Power Analysis; Cluster Graphs |
Online Access: | https://tches.iacr.org/index.php/TCHES/article/view/11173 |
_version_ | 1797718831883354112 |
author | Nicolas Costes; Martijn Stam |
author_sort | Nicolas Costes |
collection | DOAJ |
description |
Lightweight cryptography is an emerging field where designers are testing the limits of symmetric cryptography. We investigate the resistance against side-channel attacks of a new class of lighter block ciphers, which use a classic substitution–permutation network with slow diffusion and many rounds.
Among these ciphers, we focus on SKINNY, a primitive used up to the final round of NIST’s recent lightweight standardisation effort. We show that the lack of diffusion in the key schedule allows an attacker to combine leakage from the first and the last rounds, effectively pincering its target. Furthermore, the slow diffusion of its partial key absorption and linear layers enables an attacker, on both sides, to target S-boxes several rounds deep.
As some of these S-boxes leak on the same part of the key, full key recovery exploiting all leakage requires a clever combining strategy. We introduce the use of cluster graph inference (an established tool from probabilistic graphical model theory) to enhance both unprofiled and profiled differential power analysis, enabling us to handle the increased number of S-boxes with their intertwined leakage.
We evaluate the strength of our attack both in the Hamming weight model and against two implementations running on an STM32F303 ARM Cortex-M4 hosted on a ChipWhisperer target board, showing that our attack reduces the number of traces required to attack SKINNY by a factor of around 2.75.
|
first_indexed | 2024-03-12T08:55:55Z |
format | Article |
id | doaj.art-8e3d0ec63958492abbe0dc8e421209f4 |
institution | Directory Open Access Journal |
issn | 2569-2925 |
language | English |
last_indexed | 2024-03-12T08:55:55Z |
publishDate | 2023-08-01 |
publisher | Ruhr-Universität Bochum |
record_format | Article |
series | Transactions on Cryptographic Hardware and Embedded Systems |
doi | 10.46586/tches.v2023.i4.460-492 |
affiliation | Simula UiB, Bergen, Norway (both authors) |
title | Pincering SKINNY by Exploiting Slow Diffusion |
topic | Lightweight Cryptography; SKINNY; Belief Propagation; Differential Power Analysis; Cluster Graphs |
url | https://tches.iacr.org/index.php/TCHES/article/view/11173 |