
Paper 2016/793

Side-Channel Analysis of Keymill

Christoph Dobraunig, Maria Eichlseder, Thomas Korak, and Florian Mendel


One prominent countermeasure against side-channel attacks, especially differential power analysis (DPA), is fresh re-keying. In such schemes, the so-called re-keying function takes the burden of protecting a cryptographic primitive against DPA. To ensure the security of the scheme against side-channel analysis, the re-keying function itself has to withstand both simple power analysis (SPA) and differential power analysis (DPA). Recently, at SAC 2016, Keymill, a side-channel resilient key generator (or re-keying function), was proposed and claimed to be inherently secure against side-channel attacks. In this work, however, we present a DPA attack on Keymill. It is based on the dynamic power consumption of a digital circuit, which is tied to the $0\rightarrow1$ and $1\rightarrow0$ switches of its logic gates. Hence, the power consumption of the shift registers used in Keymill depends on the $0\rightarrow1$ and $1\rightarrow0$ switches of their internal state. This information is sufficient to obtain the internal differential pattern (up to a small number of bits, which have to be brute-forced) of the 4 shift registers of Keymill after the nonce (or $IV$) has been absorbed. This leads to a practical key-recovery attack on Keymill.
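The leakage relation the abstract builds on, as an added example that is not code from the paper and does not model Keymill itself: on a clock edge, a shift register toggles exactly those flip-flops whose value differs from the neighbour they take over, so the toggle count (the Hamming distance between consecutive states, which dominates dynamic power) is the sum of the register's differential pattern delta[i] = s[i] XOR s[i+1] plus the transition at the input stage. The example assumes a single pure shift register with no feedback, loaded with a secret key, whose input bit each clock is an attacker-known nonce bit, with Gaussian noise on the toggle counts; all names, the 8-bit key and the nonce are constructed for the demo. Under these simplifications the differential pattern falls out of consecutive trace samples directly; the paper's attack on the real Keymill registers is a DPA and is not reproduced here.

```python
"""Toy model of the shift-register leakage behind the Keymill attack.

Assumptions of this example (not properties of Keymill): one pure shift
register with no feedback, the bit shifted in per clock is an attacker-known
nonce bit, and each clock leaks HD(state, next_state) + Gaussian noise.
"""
import random
from typing import List, Sequence, Tuple

Bits = List[int]


def shift_in(state: Sequence[int], x: int) -> Bits:
    """One clock: stage i takes the value of stage i+1, x enters at the top stage."""
    return list(state[1:]) + [x]


def hamming_distance(a: Sequence[int], b: Sequence[int]) -> int:
    return sum(u ^ v for u, v in zip(a, b))


def differential_pattern(state: Sequence[int]) -> Bits:
    """delta[i] = s[i] XOR s[i+1] for i = 0..n-2."""
    return [state[i] ^ state[i + 1] for i in range(len(state) - 1)]


def toggles_per_clock(state: Sequence[int], x: int) -> int:
    """Number of 0->1 and 1->0 switches on one clock edge (the HD leakage model).

    Equals sum(differential_pattern(state)) + (state[-1] XOR x): a stage below
    the top toggles iff it differs from its upper neighbour, the top stage
    toggles iff it differs from the incoming bit."""
    return hamming_distance(state, shift_in(state, x))


def leakage_trace(key: Sequence[int], inputs: Sequence[int],
                  rng: random.Random, sigma: float) -> List[float]:
    """Noisy per-clock toggle counts for one run with the register loaded with key."""
    state = list(key)
    trace = []
    for x in inputs:
        trace.append(toggles_per_clock(state, x) + rng.gauss(0.0, sigma))
        state = shift_in(state, x)
    return trace


def mean_trace(key: Sequence[int], inputs: Sequence[int],
               rng: random.Random, sigma: float, runs: int) -> List[float]:
    """Average `runs` traces taken with identical inputs to suppress the noise."""
    acc = [0.0] * len(inputs)
    for _ in range(runs):
        for i, v in enumerate(leakage_trace(key, inputs, rng, sigma)):
            acc[i] += v
    return [v / runs for v in acc]


def state_candidates(delta: Sequence[int]) -> Tuple[Bits, Bits]:
    """A differential pattern fixes the state only up to complement.

    Returns both candidates; with k independent registers this leaves 2**k
    full states to brute-force, which is the 'small number of bits' in the abstract."""
    state = [0]                          # guess top bit = 0, walk downwards
    for d in reversed(delta):            # s[i] = s[i+1] XOR delta[i]
        state.append(state[-1] ^ d)
    state.reverse()
    return state, [b ^ 1 for b in state]


def recover_key(n: int, inputs: Sequence[int], trace: Sequence[float]) -> Bits:
    """Invert the HD leakage of n clocks with known inputs x_0..x_{n-1}.

    HD_t = sum(delta_t) + (s_t[n-1] XOR x_t), and a shift moves the pattern one
    stage down, so HD_{t+1} - HD_t = (x_t XOR x_{t+1}) - delta_0[t].  The first
    sample then yields the top key bit: HD_0 - sum(delta_0) = key[n-1] XOR x_0.
    round() absorbs the residual noise of an averaged trace."""
    delta0 = [round((inputs[t] ^ inputs[t + 1]) - (trace[t + 1] - trace[t]))
              for t in range(n - 1)]
    top_bit = round(trace[0] - sum(delta0)) ^ inputs[0]
    low, high = state_candidates(delta0)
    return low if low[-1] == top_bit else high


# Constructed demo values (not from the paper): an 8-bit register holding the key.
DEMO_KEY = [1, 0, 1, 1, 0, 0, 1, 0]
DEMO_NONCE = [1, 1, 0, 1, 0, 0, 1, 1]


def demo(sigma: float = 0.8, runs: int = 200, seed: int = 1) -> Bits:
    """Average noisy traces of the demo register and recover the loaded key."""
    rng = random.Random(seed)
    avg = mean_trace(DEMO_KEY, DEMO_NONCE, rng, sigma, runs)
    return recover_key(len(DEMO_KEY), DEMO_NONCE, avg)


if __name__ == "__main__":
    print("noiseless toggle counts:", leakage_trace(DEMO_KEY, DEMO_NONCE, random.Random(0), 0.0))
    print("recovered:", demo(), "actual:", DEMO_KEY)
```

The point to take from the toy is the one the abstract makes: the quantity a shift register leaks through switching activity is its differential pattern, and a differential pattern determines a register's contents up to one complement bit, so four registers cost only a handful of brute-forced bits once their patterns are known. Feedback logic and nonce absorption change how the pattern has to be extracted (hence DPA in the paper), not the fact that it leaks.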

Note: This version is a minor revision correcting Figure 5.

Publication info: Published elsewhere. Minor revision. COSADE 2017
Keywords: side-channel analysis, fresh re-keying, differential power analysis
Contact author(s): christoph dobraunig @ iaik tugraz at
History: 2017-08-17: last of 4 revisions; 2016-08-20: received
License: Creative Commons Attribution


@misc{cryptoeprint:2016/793,
      author = {Christoph Dobraunig and Maria Eichlseder and Thomas Korak and Florian Mendel},
      title = {Side-Channel Analysis of Keymill},
      howpublished = {Cryptology ePrint Archive, Paper 2016/793},
      year = {2016},
      note = {\url{https://eprint.iacr.org/2016/793}},
      url = {https://eprint.iacr.org/2016/793}
}