Paper 2016/793

Side-Channel Analysis of Keymill

Christoph Dobraunig, Maria Eichlseder, Thomas Korak, and Florian Mendel


One prominent countermeasure against side-channel attacks, especially differential power analysis (DPA), is fresh re-keying. In such schemes, the so-called re-keying function takes the burden of protecting a cryptographic primitive against DPA. To ensure the security of the scheme against side-channel analysis, the used re-keying function has to withstand both simple power analysis (SPA) and differential power analysis (DPA). Recently, at SAC 2016, Keymill---a side-channel resilient key generator (or re-keying function)---has been proposed, which is claimed to be inherently secure against side-channel attacks. In this work, however, we present a DPA attack on Keymill, which is based on the dynamic power consumption of a digital circuit that is tied to the $0\rightarrow1$ and $1\rightarrow0$ switches of its logical gates. Hence, the power consumption of the shift-registers used in Keymill depends on the $0\rightarrow1$ and $1\rightarrow0$ switches of its internal state. This information is sufficient to obtain the internal differential pattern (up to a small number of bits, which have to be brute-forced) of the 4 shift-registers of Keymill after the nonce (or $IV$) has been absorbed. This leads to a practical key-recovery attack on Keymill.

Note: This version is a minor revision correcting Figure 5.

Available format(s)
Publication info
Published elsewhere. Minor revision. COSADE 2017
side-channel analysisfresh re-keyingdifferential power analysis
Contact author(s)
christoph dobraunig @ iaik tugraz at
2017-08-17: last of 4 revisions
2016-08-20: received
See all versions
Short URL
Creative Commons Attribution


      author = {Christoph Dobraunig and Maria Eichlseder and Thomas Korak and Florian Mendel},
      title = {Side-Channel Analysis of Keymill},
      howpublished = {Cryptology ePrint Archive, Paper 2016/793},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.