Cryptology ePrint Archive: Report 2018/219

On Side-Channel Vulnerabilities of Bit Permutations: Key Recovery and Reverse Engineering

Jakub Breier and Dirmanto Jap and Xiaolu Hou and Shivam Bhasin

Abstract: Lightweight block ciphers rely on simple operations to allow compact implementation. Thanks to its efficiency, bit permutation has emerged as an optimal choice for state-wise diffusion. It can be implemented by simple wiring or shifts. However, as recently shown by the Spectre and Meltdown attacks, efficiency and security often work against each other.

In this work, we show how bit permutations introduce a side-channel vulnerability that can be exploited to extract the secret key from the cipher. Such vulnerabilities are specific to bit permutations and do not occur in other state-wise diffusion alternatives. We propose the Side-Channel Assisted Differential-Plaintext Attack (SCADPA), which targets this vulnerability in the bit permutation operation. SCADPA is experimentally demonstrated on PRESENT-80 on an 8-bit microcontroller, with best-case key recovery in 17 encryptions. The attack is then extended to the latest bit-permutation-based cipher GIFT, allowing full key recovery in 36 encryptions. We also propose and experimentally verify an automatic threshold method which can be easily applied to SCADPA, allowing automation of the attack. Moreover, SCADPA on bit permutations has other applications. An application to reverse engineering secret S-boxes in PRESENT-like proprietary ciphers is shown. We also highlight a special case where fixing one vulnerability opens another one. This is shown by applying SCADPA to some assembly-level fault attack countermeasures, rendering them less secure than unprotected implementations. Lastly, we also provide several different attack scenarios, such as targeting different encryption modes.
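The abstract says the vulnerability is specific to bit permutations without explaining the structural reason. The following is an added example (written for this page, not code from the paper or its authors) that lets an implementer check that reason for PRESENT on an 8-bit platform. It assumes only the public PRESENT specification (the S-box table and the pLayer rule "bit i moves to position 16*i mod 63, bit 63 stays at 63") and an implementation that handles the 64-bit state one byte at a time. It shows that the four output bits of any one S-box are routed to four different bytes, so the set of bytes that change between two encryptions is a one-to-one function of the S-box output difference; byte-granular leakage of the permuted state therefore reveals that difference, which a byte-oriented diffusion layer would keep inside one byte.

```python
# Added example, not from the paper: why PRESENT's bit permutation makes
# byte-level side-channel leakage informative about S-box output differences.
# Assumptions: the PRESENT specification's S-box and pLayer, and an 8-bit
# implementation that processes the 64-bit state byte by byte.

PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def player(i: int) -> int:
    """Destination of state bit i under the PRESENT pLayer (bit 0 = LSB)."""
    return 63 if i == 63 else (16 * i) % 63


def sbox_layer(state: int) -> int:
    """Apply the 4-bit S-box to each of the 16 nibbles of a 64-bit state."""
    out = 0
    for j in range(16):
        nib = (state >> (4 * j)) & 0xF
        out |= PRESENT_SBOX[nib] << (4 * j)
    return out


def permute(state: int) -> int:
    """Apply the pLayer to a 64-bit state."""
    out = 0
    for i in range(64):
        if (state >> i) & 1:
            out |= 1 << player(i)
    return out


def active_bytes(diff: int) -> frozenset:
    """Indices (0 = least significant) of the bytes that are non-zero in a state difference."""
    return frozenset(b for b in range(8) if (diff >> (8 * b)) & 0xFF)


def bytes_touched_by_nibble_diff(nibble: int, out_diff: int) -> frozenset:
    """Bytes of the permuted state affected by S-box output difference `out_diff` in nibble `nibble`."""
    return active_bytes(permute(out_diff << (4 * nibble)))


def byte_pattern_to_diff(nibble: int):
    """Inverse map: observed active-byte pattern -> the S-box output difference that caused it.

    Returns None if two different differences would produce the same pattern,
    i.e. if byte-level observation could not distinguish them.
    """
    table = {}
    for d in range(1, 16):
        pat = bytes_touched_by_nibble_diff(nibble, d)
        if pat in table:
            return None
        table[pat] = d
    return table


def first_round_active_bytes(p0: int, p1: int, key: int) -> frozenset:
    """Bytes that differ after one PRESENT round (key addition, S-box layer, pLayer)
    when plaintexts p0 and p1 are processed under the same 64-bit round key.
    The pattern depends on the key nibble because the S-box is non-linear."""
    s0 = permute(sbox_layer(p0 ^ key))
    s1 = permute(sbox_layer(p1 ^ key))
    return active_bytes(s0 ^ s1)


if __name__ == "__main__":
    # Every nibble spreads its four output bits over four distinct bytes,
    # and the byte pattern identifies the output difference uniquely.
    for j in range(16):
        assert byte_pattern_to_diff(j) is not None
    print("nibble 0, diff 0xF ->", sorted(bytes_touched_by_nibble_diff(0, 0xF)))
    # Same plaintext pair, two constructed round keys: different byte patterns.
    for k in (0x0, 0x2):
        print(f"key nibble {k:#x}:", sorted(first_round_active_bytes(0x0, 0x1, k)))
```

Running the script prints the four bytes reached from nibble 0 and shows that the same single-bit plaintext pair yields a different set of active bytes under different key nibbles; `byte_pattern_to_diff` returning a full 15-entry table for every nibble is the check that no two output differences collide at byte granularity.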

Category / Keywords: secret-key cryptography / side-channel analysis, differential plaintext attack, SCADPA, bit permutations

Date: received 22 Feb 2018

Contact author: jbreier at ntu edu sg

Available format(s): PDF | BibTeX Citation

Version: 20180226:195755 (All versions of this report)

Short URL: ia.cr/2018/219


[ Cryptology ePrint archive ]