International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: Single-Trace Attacks on Keccak

Authors:
Matthias J. Kannwischer , Radboud University, Nijmegen, The Netherlands
Peter Pessl , Graz University of Technology, Austria
Robert Primas , Graz University of Technology, Austria
Download:
DOI: 10.13154/tches.v2020.i3.243-268
URL: https://tches.iacr.org/index.php/TCHES/article/view/8590
Search ePrint
Search Google
Presentation: Slides
Abstract: Since its selection as the winner of the SHA-3 competition, Keccak, with all its variants, has found a large number of applications. It is, for instance, a common building block in schemes submitted to NIST’s post-quantum cryptography project. In many of these applications, Keccak processes ephemeral secrets. In such a setting, side-channel adversaries are limited to a single observation, meaning that differential attacks are inherently prevented. If, however, such a single trace of Keccak can already be sufficient for key recovery has so far been unknown. In this paper, we change the above by presenting the first single-trace attack targeting Keccak. Our method is based on soft-analytical side-channel attacks and, thus, combines template matching with message passing in a graphical model of the attacked algorithm. As a straight-forward model of Keccak does not yield satisfactory results, we describe several optimizations for the modeling and the message-passing algorithm. Their combination allows attaining high attack performance in terms of both success rate as well as computational runtime. We evaluate our attack assuming generic software (microcontroller) targets and thus use simulations in the generic noisy Hamming-weight leakage model. Hence, we assume relatively modest profiling capabilities of the adversary. Nonetheless, the attack can reliably recover secrets in a large number of evaluated scenarios at realistic noise levels. Consequently, we demonstrate the need for countermeasures even in settings where DPA is not a threat.
Video from TCHES 2020
BibTeX
@article{tches-2020-30391,
  title={Single-Trace Attacks on Keccak},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2020, Issue 3},
  pages={243-268},
  url={https://tches.iacr.org/index.php/TCHES/article/view/8590},
  doi={10.13154/tches.v2020.i3.243-268},
  author={Matthias J. Kannwischer and Peter Pessl and Robert Primas},
  year=2020
}