Paper 2022/471
Breaking Masked Implementations of the Clyde-Cipher by Means of Side-Channel Analysis - A Report on the CHES Challenge Side-Channel Contest 2020
Abstract
In this paper we present our solution to the CHES Challenge 2020, the task of which it was to break masked hardware respective software implementations of the lightweight cipher Clyde by means of side-channel analysis. We target the secret cipher state after processing of the first $S$-box layer. Using the provided trace data we obtain a strongly biased posterior distribution for the secret-shared cipher state at the targeted point; this enables us to see exploitable biases even before the secret sharing based masking. These biases on the unshared state can be evaluated one $S$-box at a time and combined across traces, which enables us to recover likely key hypotheses $S$-box by $S$-box. In order to see the shared cipher state, we employ a deep neural network similar to the one used by Gohr, Jacob and Schindler to solve the CHES 2018 AES challenge. We modify their architecture to predict the exact bit sequence of the secret-shared cipher state. We find that convergence of training on this task is unsatisfying with the standard encoding of the shared cipher state and therefore introduce a different encoding of the prediction target, which we call the scattershot encoding. In order to further investigate how exactly the scattershot encoding helps to solve the task at hand, we construct a simple synthetic task where convergence problems very similar to those we observed in our side-channel task appear with the naive target data encoding but disappear with the scattershot encoding. We complete our analysis by showing results that we obtained with a classical method (as opposed to an AI-based method), namely the stochastic approach, that we generalize for this purpose first to the setting of shared keys. We show that the neural network draws on a much broader set of features, which may partially explain why the neural-network based approach massively outperforms the stochastic approach. On the other hand, the stochastic approach provides insights into properties of the implementation, in particular the observation that the $S$-boxes behave very different regarding the easiness respective hardness of their prediction.
Metadata
- Available format(s)
- Category
- Implementation
- Publication info
- A minor revision of an IACR publication in TCHES 2022
- Keywords
- Lightweight cryptography Clyde-cipher Side-channel analysis Countermeasures Masking Secret-sharing ISW-Multiplication Deep neural network Residual neural network Stochastic approach CHES Challenge 2020
- Contact author(s)
-
aron gohr @ gmail com
Friederike laus @ bsi bund de
Werner Schindler @ bsi bund de - History
- 2022-08-16: revised
- 2022-04-22: received
- See all versions
- Short URL
- https://ia.cr/2022/471
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2022/471, author = {Aron Gohr and Friederike Laus and Werner Schindler}, title = {Breaking Masked Implementations of the Clyde-Cipher by Means of Side-Channel Analysis - A Report on the {CHES} Challenge Side-Channel Contest 2020}, howpublished = {Cryptology {ePrint} Archive, Paper 2022/471}, year = {2022}, url = {https://eprint.iacr.org/2022/471} }