Abstract
This paper describes the method adopted by the winning attack proposal of the first edition of the DPA contest. Two original ideas allowed us to efficiently recover the secret key of a hardware implementation of the DES function. The first one was to consider full 56-bit guesses on the whole key (instead of only the 6, 8, or even 12 or 16 bits that are usually used) in order to optimally exploit the side-channel leakage. We used a maximum-likelihood-based distinguisher fitted to the hardware characteristics of the leakage (32-bit register Hamming distance model). The second original idea was to design a smart sampling of the key space in order to find the correct key without having to exhaust a substantial proportion of the \(2^{56}\) keys. We adopted a hill-climbing heuristic approach using a likelihood-based objective function, combined with a clever candidate update function that takes into account the main specificities of the DES key schedule.
Notes
1. The Data Encryption Standard (DES) was the most commonly used block cipher from 1977, when it was standardized [8], to 2001, when it was replaced by the Advanced Encryption Standard (AES). While it is now obsolete in its original version, it is worth noting that it is still widely used as 3-DES, notably for banking transactions.
2. See the web page of the DPA contest: www.dpacontest.org.
3. From an application point of view, the key is actually handled as an 8-byte array, so that the bits of the key are numbered from 1 to 64 (\(k_1\) to \(k_8\) for the first byte, up to \(k_{57}\) to \(k_{64}\) for the last one). From a cryptographic point of view, the 8 least significant bits (those whose indices are multiples of eight) are unused, so that the cryptographic key is actually made of the following 56 bits: \(\{k_1,\ldots ,k_7\} \cup \{k_9,\ldots ,k_{15}\} \cup \ldots \cup \{k_{57},\ldots ,k_{63}\}\).
4. \(K_A = \{k_{1}, k_{2}, k_{3}, k_{9}, k_{10}, k_{11}, k_{17}, k_{18}, k_{19}, k_{25}, k_{26}, k_{27}, k_{33}, k_{34}, k_{35}, k_{36}, k_{41}, k_{42}, k_{43}, k_{44}, k_{49}, k_{50}, k_{51}, k_{52}, k_{57}, k_{58}, k_{59}, k_{60}\}\), \(K_B = \{k_{4}, k_{5}, k_{6}, k_{7}, k_{12}, k_{13}, k_{14}, k_{15}, k_{20}, k_{21}, k_{22}, k_{23}, k_{28}, k_{29}, k_{30}, k_{31}, k_{37}, k_{38}, k_{39}, k_{45}, k_{46}, k_{47}, k_{53}, k_{54}, k_{55}, k_{61}, k_{62}, k_{63}\}\).
5. This can be expected, since the electrical activity when computing each round is not supposed to depend on the round number.
6. The number of key candidates considered to find \(K'\) in the neighborhood of \(K^{(i-1)}\) is equal to \(2 \cdot 8 \cdot 2^6 \cdot 2^4 = 2^{14}\). The number of key candidates considered to find \(K^{(i)}\) in the neighborhood of \(K'\) is equal to \(2 \cdot 2^8 = 2^{9}\). In both cases, the local exhaustive search is not computationally expensive.
7. Practical experiments whose results are described in Sect. 5 seem to confirm this behavior.
8. We only consider our submissions to the so-called Representative Order category, which was declared the official category by the organizers of the contest. Contrary to the Fixed Order category, in the official Representative Order category the participants cannot choose in advance the set of traces used in the attack.
9. These three variants A, B and C correspond to the submitted program files named “dpa_contest.representative.1.c”, “dpa_contest.representative.4.c” and “dpa_contest.representative.3.c”, respectively.
10. Here “successful” means that the best terminating key \(K^{(\mathrm {end})}\) (the one with the smallest score among all considered sequences) matches the correct key.
11. The initial set had 30 traces for the runs of methods A and B, and 35 traces for the runs of method C.
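Notes 3 and 4 give the key-bit numbering and the split of the 56 cryptographic bits into \(K_A\) and \(K_B\) without saying where that split comes from. The following Python script is an added example, not code from the paper or from the DPA contest: it checks that \(K_A\) and \(K_B\) are exactly the bits that the PC-1 selection of the DES standard [8] loads into the 28-bit C and D registers of the key schedule, and that the parity bits (indices that are multiples of eight) never reach either register. The PC-1 table is the one from FIPS 46; the sample key and the function names are constructed for this example.

```python
"""Added example (not from the paper): the DES key-bit numbering of note 3
and the K_A / K_B partition of note 4, checked against PC-1 from FIPS 46."""

# PC-1 from FIPS 46: which of the 64 key bits (numbered 1..64, with k_1 the
# most significant bit of the first byte) are loaded into the C and D registers.
PC1_C = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2,
         59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36]
PC1_D = [63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6,
         61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]

# The two key halves exactly as listed in note 4 of the paper.
K_A = {1, 2, 3, 9, 10, 11, 17, 18, 19, 25, 26, 27, 33, 34, 35, 36,
       41, 42, 43, 44, 49, 50, 51, 52, 57, 58, 59, 60}
K_B = {4, 5, 6, 7, 12, 13, 14, 15, 20, 21, 22, 23, 28, 29, 30, 31,
       37, 38, 39, 45, 46, 47, 53, 54, 55, 61, 62, 63}


def key_bit(key: bytes, i: int) -> int:
    """Return k_i (1 <= i <= 64) of an 8-byte key using the numbering of note 3."""
    if len(key) != 8 or not 1 <= i <= 64:
        raise ValueError("need an 8-byte key and a bit index in 1..64")
    return (key[(i - 1) // 8] >> (7 - (i - 1) % 8)) & 1


def cryptographic_bits() -> set:
    """Indices of the 56 bits that matter: every index that is not a multiple of 8."""
    return {i for i in range(1, 65) if i % 8 != 0}


def split_key(key: bytes) -> tuple:
    """Apply PC-1 and return (C, D) as 28-bit integers (first table entry = MSB)."""
    c = d = 0
    for idx in PC1_C:
        c = (c << 1) | key_bit(key, idx)
    for idx in PC1_D:
        d = (d << 1) | key_bit(key, idx)
    return c, d


def check_partition() -> bool:
    """K_A and K_B must be disjoint, cover exactly the 56 cryptographic bits,
    and coincide with the bits PC-1 sends to C and to D respectively."""
    return (K_A.isdisjoint(K_B)
            and (K_A | K_B) == cryptographic_bits()
            and K_A == set(PC1_C)
            and K_B == set(PC1_D))


def parity_bits_ignored(key: bytes) -> bool:
    """Flipping the 8 parity bits (k_8, k_16, ..., k_64) must leave C and D unchanged."""
    flipped = bytes(b ^ 0x01 for b in key)
    return split_key(key) == split_key(flipped)


if __name__ == "__main__":
    sample = bytes(range(8))  # constructed sample key, not a value from the paper
    print("K_A / K_B equal the PC-1 halves C / D:", check_partition())
    print("parity bits ignored by PC-1:", parity_bits_ignored(sample))
    print("C, D for the sample key: %07x %07x" % split_key(sample))
```

A candidate update that moves only inside \(K_A\) or only inside \(K_B\) therefore changes only the C half or only the D half of every round subkey, which is the key-schedule property a practitioner should confirm before reusing the partition on another DES implementation.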
References
[1] Boussaïd, I., Lepagnot, J., Siarry, P.: A survey on optimization metaheuristics. Inf. Sci. 237, 82–117 (2013)
[2] Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
[3] Bévan, R., Knudsen, E.W.: Ways to enhance differential power analysis. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 327–342. Springer, Heidelberg (2003)
[4] Guilley, S., Hoogvorst, P., Pacalet, R.: A fast pipelined multi-mode DES architecture operating in IP representation. Integr. VLSI J. 40(4), 479–489 (2007)
[5] Hertz, A., Widmer, M.: Guidelines for the use of meta-heuristics in combinatorial optimization. Eur. J. Oper. Res. 151, 247–252 (2003)
[6] Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
[7] Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Investigations of power analysis attacks on smartcards. In: USENIX Workshop on Smartcard Technology, pp. 151–162 (1999)
[8] National Bureau of Standards: Data Encryption Standard. Federal Information Processing Standard 46 (1977)
© 2016 Springer-Verlag Berlin Heidelberg
Clavier, C., Rebaine, D. (2016). A Heuristic Approach to Assist Side Channel Analysis of the Data Encryption Standard. In: Ryan, P., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. Lecture Notes in Computer Science, vol. 9100. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49301-4_22
DOI: https://doi.org/10.1007/978-3-662-49301-4_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49300-7
Online ISBN: 978-3-662-49301-4