Cryptology ePrint Archive: Report 2020/371

Single-Trace Attacks on Keccak

Matthias J. Kannwischer and Peter Pessl and Robert Primas

Abstract: Since its selection as the winner of the SHA-3 competition, Keccak, with all its variants, has found a large number of applications. It is, for instance, a common building block in schemes submitted to NIST's post-quantum cryptography project. In many of these applications, Keccak processes ephemeral secrets. In such a setting, side-channel adversaries are limited to a single observation, meaning that differential attacks are inherently prevented. If, however, such a single trace of Keccak can already be sufficient for key recovery has so far been unknown.

In this paper, we change the above by presenting the first single-trace attack targeting Keccak. Our method is based on soft-analytical side-channel attacks and, thus, combines template matching with message passing in a graphical model of the attacked algorithm. As a straight-forward model of Keccak does not yield satisfactory results, we describe several optimizations for the modeling and the message-passing algorithm. Their combination allows attaining high attack performance in terms of both success rate as well as computational runtime.

We evaluate our attack assuming generic software (microcontroller) targets and thus use simulations in the generic noisy Hamming-weight leakage model. Hence, we assume relatively modest profiling capabilities of the adversary. Nonetheless, the attack can reliably recover secrets in a large number of evaluated scenarios at realistic noise levels. Consequently, we demonstrate the need for countermeasures even in settings where DPA is not a threat.

Category / Keywords: implementation / Keccak, side-channel attacks, power analysis, single-trace attacks, belief propagation, post-quantum cryptography

Original Publication (in the same form): IACR-CHES-2020

Date: received 31 Mar 2020

Contact author: matthias at kannwischer eu, peter@pessl cc, rprimas@gmail com

Available format(s): PDF | BibTeX Citation

Version: 20200402:122738 (All versions of this report)

Short URL: ia.cr/2020/371


[ Cryptology ePrint archive ]