R3S seminar presented by Ms Anna Guinet, 29/05/2020 at 11:00

Anna Guinet, PhD candidate at Radboud University, former Télécom SudParis graduate

Date: Friday 29 May 2020, 11:00
Where: by web conference at https://webconf.imtbs-tsp.eu/frontend/mar-7hd-7hk

Title: Investigating differential power analysis of the chi function

Seminar video

Speaker: Anna Guinet, PhD candidate at Radboud University (supervised by Prof. Joan Daemen)
Bio: Anna Guinet is a PhD candidate at Radboud University, the Netherlands. She is studying side-channel attacks and symmetric cryptography. She previously worked on the resilience of Cyber-Physical Systems (CPSs) at Télécom SudParis. In 2017, she completed a Master's degree at Télécom SudParis in telecommunication engineering, with a specialization in network and system security.


From credit cards to passports, many small devices perform cryptographic primitives to exchange information with a third party or to store sensitive data. Differential power analysis (DPA) exploits the dependence between the power consumption of such devices and the data processed by the cryptographic function they implement. This presents a significant threat to devices that manipulate sensitive information.

We consequently analyzed in depth, with simulations, the security against DPA of a hardware implementation of the χ function used in cryptographic algorithms [2] [3] [4]. We used the χ function in a fixed-length permutation. This permutation consists of several rounds, each of which concatenates a linear layer and a non-linear one. The non-linear layer is composed of several χ mappings in parallel. We are interested in the bit values stored in the register after the first round of the permutation. This state is secret: it holds the output of the χ function and depends on unknown values. In our case, the secret is a key K added to a message M. We explore to what extent an adversary is able to recover some key bits by knowing the message M and analyzing the power consumption of this register.

We modeled and simulated the corresponding power consumption for a given (M, K) pair. We suppose that the power consumption comes entirely from the register. Earlier simulations already used this model on KECCAK's χ function [1], but they focused on the power consumption of a single cell value of the register to retrieve two bits of the secret state after a single round. We extended this analysis by considering three cell values. We also optimized the attack by combining multiple simulations over a single cell at a time to retrieve two to five bits of the secret state. Finally, we quantified the effort an adversary must expend to retrieve the secret by determining the number of traces needed.

[1] Guido Bertoni, Joan Daemen, Nicolas Debande, Thanh-Ha Le, Michael Peeters, and Gilles Van Assche, Power analysis of hardware implementations protected with secret sharing, 2012 45th Annual IEEE/ACM International Symposium on Microarchitecture Workshops, IEEE, 2012, pp. 9–16.
[2] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, The Keccak reference, Submission to NIST (Round 3) 13 (2011), 14–15.
[3] Joan Daemen, Seth Hoffert, Gilles Van Assche, and Ronny Van Keer, Xoodoo cookbook, IACR Cryptology ePrint Archive 2018 (2018), 767.
[4] Christoph Dobraunig, Maria Eichlseder, Florian Mendel, and Martin Schläffer, Ascon v1.2, Submission to the CAESAR Competition (2016).