Examining the practical side channel resilience of ARX-boxes

Implementations of ARX ciphers are hoped to have some intrinsic side-channel resilience owing to the specific choice of cipher components: modular addition (A), rotation (R) and exclusive-or (X). Previous work has contributed to this understanding by developing theory regarding the side-channel resilience of components (pioneered by the early work of Prouff) as well as through more recent practical investigations by Biryukov et al. that focused on lightweight cipher constructions. We add to this work by studying ARX-boxes specifically, both mathematically and practically. Our results show that previous works' reliance on the simplistic assumption that intermediates leak independently (as their Hamming weight) has led to the incorrect conclusion that the modular addition is necessarily the best target and that ARX constructions are therefore harder to attack in practice: we show that on an ARM Cortex-M0 the best practical target is the exclusive-or, and that attacks succeed with only tens of traces.
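To make the modelling assumption concrete, the following script (an added example, not code from the paper) simulates a correlation power analysis against a toy ARX-box under exactly the independent Hamming-weight leakage model the abstract refers to. The ARX-box structure (key XORed into both halves, then rotate, add, xor), the 4-bit word size and the rotation amounts are assumptions chosen so that the joint (k0, k1) hypothesis space for the addition target stays at 256 entries; the true key, noise level and trace count are constructed. For each of the two candidate targets, the key-XOR output and the modular-addition output, it reports how many key hypotheses are indistinguishable from the true key, the largest correlation a distinguishable wrong hypothesis reaches against the true key's predictions, and whether a noisy CPA recovers the key.

```python
"""Simulated CPA against a toy ARX-box under the independent Hamming-weight
leakage model (constructed example, not the paper's code or measurements)."""
import math
import random

W = 4                 # word size in bits (assumption: small so the joint key space is 256)
MASK = (1 << W) - 1
ROT_A, ROT_B = 3, 2   # rotation amounts (assumption, SPECK-style layout)
ALL_INPUTS = [(x, y) for x in range(1 << W) for y in range(1 << W)]


def ror(v, r):
    return ((v >> r) | (v << (W - r))) & MASK


def rol(v, r):
    return ((v << r) | (v >> (W - r))) & MASK


def hw(v):
    return bin(v).count("1")


def arx_box(x, y, k0, k1):
    """Toy ARX-box: XOR the round key into both halves, then add, rotate, xor."""
    x ^= k0
    y ^= k1
    x = (ror(x, ROT_A) + y) & MASK      # A: modular addition
    y = rol(y, ROT_B) ^ x               # R and X
    return x, y


def target(name, x, y, k0, k1):
    """The two intermediates a CPA may model: key-XOR output or addition output."""
    if name == "xor":
        return x ^ k0
    if name == "add":
        return (ror(x ^ k0, ROT_A) + (y ^ k1)) & MASK
    raise ValueError(name)


def hypotheses(name):
    """k0 alone for the XOR target; (k0, k1) jointly for the addition target."""
    if name == "xor":
        return [(k0, 0) for k0 in range(1 << W)]
    return [(k0, k1) for k0 in range(1 << W) for k1 in range(1 << W)]


def corr(u, v):
    """Pearson correlation of two equal-length sequences."""
    n = len(u)
    mu, mv = sum(u) / n, sum(v) / n
    cov = sum((a - mu) * (b - mv) for a, b in zip(u, v))
    su = math.sqrt(sum((a - mu) ** 2 for a in u))
    sv = math.sqrt(sum((b - mv) ** 2 for b in v))
    return cov / (su * sv) if su and sv else 0.0


def rival_analysis(name, k0, k1):
    """Noise-free view over all inputs: (number of hypotheses whose intermediate
    equals the true key's for every input, largest correlation reached by any
    distinguishable wrong hypothesis against the true key's HW predictions)."""
    true_vals = [target(name, x, y, k0, k1) for x, y in ALL_INPUTS]
    truth = [hw(v) for v in true_vals]
    ghosts, best_rival = 0, -1.0
    for h0, h1 in hypotheses(name):
        pred = [target(name, x, y, h0, h1) for x, y in ALL_INPUTS]
        if pred == true_vals:
            ghosts += 1
        else:
            best_rival = max(best_rival, corr(truth, [hw(p) for p in pred]))
    return ghosts, best_rival


def simulate_traces(name, k0, k1, n, sigma, rng):
    """One sample per trace: HW(intermediate) + Gaussian noise (the model under test)."""
    inputs = [(rng.randrange(1 << W), rng.randrange(1 << W)) for _ in range(n)]
    leak = [hw(target(name, x, y, k0, k1)) + rng.gauss(0.0, sigma) for x, y in inputs]
    return inputs, leak


def cpa(name, inputs, leak):
    """Rank hypotheses by signed correlation; HW leakage is assumed to have positive sign."""
    scores = []
    for h0, h1 in hypotheses(name):
        pred = [hw(target(name, x, y, h0, h1)) for x, y in inputs]
        scores.append((corr(pred, leak), (h0, h1)))
    scores.sort(reverse=True)
    return scores


def attack_succeeds(name, k0, k1, n=1000, sigma=1.0, seed=1):
    """True if the top-ranked hypothesis predicts the same intermediate as the key
    for every input (the key itself, or a hypothesis no attack on this target can separate)."""
    rng = random.Random(seed)
    inputs, leak = simulate_traces(name, k0, k1, n, sigma, rng)
    _, (h0, h1) = cpa(name, inputs, leak)[0]
    return all(target(name, x, y, h0, h1) == target(name, x, y, k0, k1) for x, y in ALL_INPUTS)


if __name__ == "__main__":
    K0, K1 = 0b1011, 0b0110   # constructed true round key
    for name in ("xor", "add"):
        ghosts, rival = rival_analysis(name, K0, K1)
        print(f"{name}: hypotheses={len(hypotheses(name))} equivalent={ghosts} "
              f"max wrong-key corr={rival:.3f} recovered={attack_succeeds(name, K0, K1)}")
```

Two properties the run makes visible do not depend on the simulation. For the XOR target, a hypothesis one bit away from the key predicts Hamming weights that correlate at 1 - 2/W with the true predictions and the complement key correlates at -1, so ranking by signed rather than absolute correlation is what keeps the complement out of first place. For the addition target, a second hypothesis predicts identical intermediates for every input: the carry out of the top bit is discarded, so the most significant bits of k0 and k1 enter the sum only through their XOR and an attack on the addition output alone cannot separate them. The script shows only what the Hamming-weight model predicts, which is the assumption the paper tests against Cortex-M0 measurements.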

[1] Debdeep Mukhopadhyay et al. A Practical Fault Attack on ARX-Like Ciphers with a Case Study on ChaCha20, 2017, 2017 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[2] Stefan Mangard et al. Power Analysis Attacks: Revealing the Secrets of Smart Cards, 2007.

[3] Harsha Ganegoda et al. Breaking Speck Cryptosystem Using Correlation Power Analysis Attack, 2017.

[4] Alex Biryukov et al. State of the Art in Lightweight Symmetric Cryptography, 2017, IACR Cryptol. ePrint Arch.

[5] Alex Biryukov et al. Design Strategies for ARX with Provable Bounds: Sparx and LAX, 2016, ASIACRYPT.

[6] Shoji Miyaguchi et al. FEAL - Fast Data Encipherment Algorithm, 1988, Systems and Computers in Japan.

[7] Jason Smith et al. The SIMON and SPECK Lightweight Block Ciphers, 2015, 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[8] Alex Biryukov et al. Correlation Power Analysis of Lightweight Block Ciphers: From Theory to Practice, 2016, ACNS.

[9] Emmanuel Prouff et al. DPA Attacks and S-Boxes, 2005, FSE.

[10] Stefan Mangard et al. Hardware Countermeasures against DPA? A Statistical Analysis of Their Effectiveness, 2004, CT-RSA.

[11] Marc Stöttinger et al. Butterfly-Attack on Skein's Modular Addition, 2012, COSADE.

[12] Thomas Peyrin et al. Side-Channel Analysis of Six SHA-3 Candidates, 2010, CHES.

[13] Adam Langley et al. ChaCha20 and Poly1305 for IETF Protocols, 2018, RFC.

[14] Stefan Lucks et al. The Skein Hash Function Family, 2009.