Cryptology ePrint Archive: Report 2017/1257

A first-order chosen-plaintext DPA attack on the third round of DES

Oscar Reparaz and Benedikt Gierlichs

Abstract: DPA attacks usually exhibit a "divide-and-conquer" property: the adversary needs to enumerate only a small space of the key (a key sub-space) when performing the DPA attack. This is achieved trivially in the outer rounds of a cryptographic implementation since intermediates depend on only few key bits. In the inner rounds, however, intermediates depend on too many key bits to make DPA practical or even to pose an advantage over cryptanalysis. For this reason, DPA countermeasures may be deployed only to outer rounds if performance or efficiency are critical. This paper shows a DPA attack exploiting leakage from the third round of a Feistel cipher, such as DES. We require the ability of fixing inputs, but we do not place any special restriction on the leakage model. The complexity of the attack is that of two to three DPA attacks on the first round of DES plus some minimal differential cryptanalysis.

Category / Keywords: implementation / side-channel attack, DPA, countermeasure, DES

Original Publication (with minor differences): CARDIS 2017

Date: received 29 Dec 2017

Contact author: oscar reparaz at esat kuleuven be

Available format(s): PDF | BibTeX Citation

Version: 20171230:184200 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]