Paper 2022/471

Breaking Masked Implementations of the Clyde-Cipher by Means of Side-Channel Analysis - A Report on the CHES Challenge Side-Channel Contest 2020

Aron Gohr, Friederike Laus, and Werner Schindler


In this paper we present our solution to the CHES Challenge 2020, the task of which it was to break masked hardware respective software implementations of the lightweight cipher Clyde by means of side-channel analysis. We target the secret cipher state after processing of the first Sbox layer. Using the provided trace data we obtain a strongly biased posterior distribution for the secret-shared cipher state at the targeted point; this enables us to see exploitable biases even before the secret sharing based masking. These biases on the unshared state can be evaluated one $S$-box at a time and combined across traces, which enables us to recover likely key hypotheses $S$-box by $S$-box. In order to see the shared cipher state, we employ a deep neural network similar to the one used by Gohr, Jacob and Schindler to solve the CHES 2018 AES challenge. We modify their architecture to predict the exact bit sequence of the secret-shared cipher state. We find that convergence of training on this task is unsatisfying with the standard encoding of the shared cipher state and therefore introduce a different encoding of the prediction target, which we call the scattershot encoding. In order to further investigate how exactly the scattershot encoding helps to solve the task at hand, we construct a simple synthetic task where convergence problems very similar to those we observed in our side-channel task appear with the naive target data encoding but disappear with the scattershot encoding. We complete our analysis by showing results that we obtained with a classical method (as opposed to an AI-based method), namely the stochastic approach, that we generalize for this purpose first to the setting of shared keys. We show that the neural network draws on a much broader set of features, which may partially explain why the neural-network based approach massively outperforms the stochastic approach. On the other hand, the stochastic approach provides insights into properties of the implementation, in particular the observation that the $S$-boxes behave very different regarding the easiness respective hardness of their prediction.

Available format(s)
Publication info
Preprint. Minor revision.
Lightweight cryptographyClyde-cipherSide-channel analysisCountermeasuresMaskingSecret-sharingISW-MultiplicationDeep neural networkResidual neural networkStochastic approachCHES Challenge 2020
Contact author(s)
Friederike Laus @ bsi bund de
2022-04-22: received
Short URL
Creative Commons Attribution


      author = {Aron Gohr and Friederike Laus and Werner Schindler},
      title = {Breaking Masked Implementations of the Clyde-Cipher by Means of Side-Channel Analysis - A Report on the CHES Challenge Side-Channel Contest 2020},
      howpublished = {Cryptology ePrint Archive, Paper 2022/471},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.