Cryptology ePrint Archive: Report 2019/1448

Investigating Profiled Side-Channel Attacks Against the DES Key Schedule

Johann Heyszl and Katja Miller and Florian Unterstein and Marc Schink and Alexander Wagner and Horst Gieser and Sven Freud and Tobias Damm and Dominik Klein and Dennis Kügler

Abstract: Recent publications describe profiled side-channel attacks (SCAs) against the DES key schedule of a “commercially available security controller”. They report a significant reduction of the average remaining entropy of cryptographic keys after the attack, with large, key-dependent variations and results as low as a few bits using only a single attack trace. Unfortunately, they leave important questions unanswered: Is the reported wide distribution of results plausible? Are the results device-specific or more general? What is the impact on the security of 3-key triple DES? In this contribution, we systematically answer those and several other questions. We also analyze two commercial security controllers, reproducing reported results, while explaining details of algorithmic choices. We verified the overall reduction and large variations in single DES key security levels (49.4 bit mean and 0.9 % of keys < 40 bit) and observe a fraction of keys with exceptionally low security levels, called weak keys. A simplified simulation of device leakage shows that the distribution of security levels is predictable to some extent given a leakage model. We generalize results to other leakage models by attacking the hardware DES accelerator of a general-purpose microcontroller. We conclude that weaker keys are mainly caused by switching noise, which is always present in template attacks on any key schedule, regardless of the algorithm and implementation. Further, we describe a sound approach to estimate 3-key triple DES security levels from empirical single DES results and find that the impact on the security of 3-key triple DES is limited (96.1 bit mean and 0.24 % of key-triples < 80 bit).

Category / Keywords: implementation / DES, SCA, side-channel attack, templates

Date: received 13 Dec 2019, last revised 15 Apr 2020

Contact author: Dominik Klein at bsi bund de

Version: 20200415:114717

Short URL: ia.cr/2019/1448