Paper 2017/1257

A first-order chosen-plaintext DPA attack on the third round of DES

Oscar Reparaz and Benedikt Gierlichs


DPA attacks usually exhibit a "divide-and-conquer" property: the adversary needs to enumerate only a small space of the key (a key sub-space) when performing the DPA attack. This is achieved trivially in the outer rounds of a cryptographic implementation since intermediates depend on only few key bits. In the inner rounds, however, intermediates depend on too many key bits to make DPA practical or even to pose an advantage over cryptanalysis. For this reason, DPA countermeasures may be deployed only to outer rounds if performance or efficiency are critical. This paper shows a DPA attack exploiting leakage from the third round of a Feistel cipher, such as DES. We require the ability of fixing inputs, but we do not place any special restriction on the leakage model. The complexity of the attack is that of two to three DPA attacks on the first round of DES plus some minimal differential cryptanalysis.

Available format(s)
Publication info
Published elsewhere. MINOR revision.CARDIS 2017
side-channel attackDPAcountermeasureDES
Contact author(s)
oscar reparaz @ esat kuleuven be
2017-12-30: received
Short URL
Creative Commons Attribution


      author = {Oscar Reparaz and Benedikt Gierlichs},
      title = {A first-order chosen-plaintext DPA attack on the third round of DES},
      howpublished = {Cryptology ePrint Archive, Paper 2017/1257},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.