International Association for Cryptologic Research

International Association
for Cryptologic Research


Cache vs. Key-Dependency: Side Channeling an Implementation of Pilsung

Daniel Genkin , University of Michigan
Romain Poussier , Nanyang Technological University
Rui Qi Sim , University of Adelaide
Yuval Yarom , University of Adelaide; Data61
Yuanjing Zhao , University of Adelaide
DOI: 10.13154/tches.v2020.i1.231-255
Search ePrint
Search Google
Presentation: Slides
Abstract: Over the past two decades, cache attacks have been identified as a threat to the security of cipher implementations. These attacks recover secret information by combining observations of the victim cache accesses with the knowledge of the internal structure of the cipher. So far, cache attacks have been applied to ciphers that have fixed state transformations, leaving open the question of whether using secret, key-dependent transformations enhances the security against such attacks. In this paper we investigate this question. We look at an implementation of the North Korean cipher Pilsung, as reverse-engineered by Kryptos Logic. Like AES, Pilsung is a permutation-substitution cipher, but unlike AES, both the substitution and the permutation steps in Pilsung depend on the key, and are not known to the attacker. We analyze Pilsung and design a cache-based attack. We improve the state of the art by developing techniques for reversing secret-dependent transformations. Our attack, which requires an average of eight minutes on a typical laptop computer, demonstrates that secret transformations do not necessarily protect ciphers against side channel attacks.
Video from TCHES 2019
  title={Cache vs. Key-Dependency: Side Channeling an Implementation of Pilsung},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universit├Ąt Bochum},
  volume={2020, Issue 1},
  author={Daniel Genkin and Romain Poussier and Rui Qi Sim and Yuval Yarom and Yuanjing Zhao},