International Association
for Cryptologic Research

The Feistel-SP structure is a commonly adopted structure in symmetric cryptography with many practical instances. Differential power analysis (DPA) has proven to be effective against these ciphers with compact implementations within these years. However, the applications of DPA on Feistel-SP ciphers with loop hardware implementations are more complicated and less evaluated in literature, mainly due to the relatively large size (32-bit or more) of the whole round key which often results in complex relations with the targeted intermediate variable. \\\\

In this paper, we propose a practical chosen message power analysis method on Feistel-SP ciphers with loop hardware implementations. The essence of the new method lies in the delicate selection of the plaintext set in a chosen message manner. Thus, the input space of the plaintext in our method is decreased from $2^{32}$ or more to $2^8$ or less, which is suitable for practical power analysis. Moreover, we show that the whitening key at the first or last round can be easily revealed with our method, thus leading to the full exposure of the master key thanks to the relations between whitening keys and the master key in many practical ciphers. In order to further manifest the validity of the new method, we carry extensive experiments on two ISO standardized and widely deployed ciphers CLEFIA and Camellia with loop implementations on FPGA, and the master keys are recovered as expected.