In this paper, we target a specific bit permutation vulnerability in the block cipher GIFT that allows an attacker to mount a key recovery attack. We present a novel SCA methodology called DCSCA (Differential Ciphertext SCA), which follows the principles of differential fault analysis but, instead of using faults, utilizes SCA and the statistical distribution of intermediate values. We simulate the attack on a publicly available bitslice implementation of GIFT, showing the practicality of the attack. We further show the application of the attack to GIFT-based AEAD schemes (GIFT-COFB, ESTATE, HYENA, and SUNDAE-GIFT) proposed for the NIST LWC competition. DCSCA can recover the master key with $2^{13.39}$ AEAD sessions, assuming 32 encryptions per session.
Category / Keywords: secret-key cryptography / side-channel attacks, bit permutations, GIFT, AEAD
Original Publication (in the same form): Design, Automation and Test in Europe Conference (DATE) - 2021
Date: received 12 Dec 2020, last revised 13 Dec 2020
Contact author: jbreier at jbreier com
Version: 20201213:195935
Short URL: ia.cr/2020/1554