Investigating Profiled Side-Channel Attacks Against the DES Key Schedule

Abstract: Recent publications describe profiled single trace side-channel attacks (SCAs) against the DES key-schedule of a “commercially available security controller”. They report a significant reduction of the average remaining entropy of cryptographic keys after the attack, with surprisingly large, key-dependent variations of attack results, and individual cases with remaining key entropies as low as a few bits. Unfortunately, they leave important questions unanswered: Are the reported wide distributions of results p… Show more

“…The authors of [7] provided us with their measurement data. The provided data set consists of a profiling set and an attack set.…”

“…We consider variations of the leakage models identified in previous works [7,8,[14][15][16][17]. The models assume that the keydependent leakage originates from updates (c i+1 , d i+1 ) ← (c i , d i ) of the Cand D-registers and/or updates k i+1 ← k i of the round-key register for i ∈ [15].…”

“…As a natural approach one might try to find the values of the Cand D-register separately. In the publication [7], for instance, the authors discuss a template attack on even smaller parts of the Cand D-registers. Here we want to clarify that this reduces the amount of mutual information significantly.…”

“…Publications by Wagner et al [8,[14][15][16][17] attempt side-channel attacks against the key schedule of the Data Encryption Standard (DES), which are further investigated in [7]. They conduct template attacks against several microcontrollers and demonstrate that the entropy of the 56-bit DES keys can be reduced to 48 bits on average in their experimental setting.…”

“…We apply our attack to side-channel measurements provided by the authors of [7]. The measurements are obtained from an implementation without countermeasures.…”

Improving recent side-channel attacks against the DES key schedule

“…The authors of [7] provided us with their measurement data. The provided data set consists of a profiling set and an attack set.…”

“…We consider variations of the leakage models identified in previous works [7,8,[14][15][16][17]. The models assume that the keydependent leakage originates from updates (c i+1 , d i+1 ) ← (c i , d i ) of the Cand D-registers and/or updates k i+1 ← k i of the round-key register for i ∈ [15].…”

“…As a natural approach one might try to find the values of the Cand D-register separately. In the publication [7], for instance, the authors discuss a template attack on even smaller parts of the Cand D-registers. Here we want to clarify that this reduces the amount of mutual information significantly.…”

“…Publications by Wagner et al [8,[14][15][16][17] attempt side-channel attacks against the key schedule of the Data Encryption Standard (DES), which are further investigated in [7]. They conduct template attacks against several microcontrollers and demonstrate that the entropy of the 56-bit DES keys can be reduced to 48 bits on average in their experimental setting.…”

“…We apply our attack to side-channel measurements provided by the authors of [7]. The measurements are obtained from an implementation without countermeasures.…”

Improving recent side-channel attacks against the DES key schedule

Faulting Winternitz One-Time Signatures to Forge LMS, XMSS, or $$\text {SPHINCS}^{+}$$ Signatures

A Secure Key Expansion Algorithm for Present