DPA on the third round of a Feistel
Straight DPA attacks target the outer rounds of a cipher: either the first one (if you know the input) or the last one (if you know the output). In a Feistel construction, you can easily DPA the second round. Things are messier if you want to target inner rounds.
Here we describe a simple, cute DPA attack on the third round output of a Feistel. There are much more advanced attacks that target fourth and even deeper rounds of a Feistel; this attack is on the other hand very simple (just assumes DPA works, no fancy leakage assumptions) and very fun. The full details are in our paper:
A first-order chosen-plaintext DPA attack on the third round of DES
O. Reparaz, B. Gierlichs
CARDIS 2017
On the left you have the three first rounds of a Feistel. In the case of DES, the 64-bit input is placed into two 32-bit words \((L_0,R_0)\) and then we crank the cipher. In the following, we assume we only get side-channel leakage from \((L_3,R_3)\). This is a good approximation to what happens if the first two rounds are well protected (for example, by masking).
Step 1. Step 1 consists of a DPA attack targeting \(L_3\) with chosen input: vary \(L_0\) and fix \(R_0\). When you craft your inputs like this, you’re deactivating the first round. The first round output stays constant, so in the expression \(L_1=L_0 \oplus F_{k_1}(R_0)\) the \(F_{k_1}(R_0)\) term is unknown but constant.
We target leakage from \(L_3\) to recover \(k_1\oplus F_{k_0}(R_0)\). (We’re ignoring the expansion function to make the explanation easier.) Since it is a Feistel, diffusion only affects half of the state per round. So using leakage corresponding to input of round 4 we can recover second round subkey. So far we recovered the second round subkey \(k_1\) plus an unknown offset \(F_{k_0}(R_0)\). We have no idea about this offset \(F_{k_1}(R_0)\). All we know is that it’s a constant.
Step 2. To untangle the two terms, we perform a super basic key-recovery differential attack on 1-round of a Feistel. The basic idea is that the output difference \(\Delta = F_{k_0}(R_0) \oplus F_{k_0}(R_0')\) after one round leaks an awful lot information on the key \(k_0\). So we repeat step 1 (picking a different fixed \(R'_0\)) to collect an extra \(k_2 \oplus F_{k_1}(R_0')\), derive the differential \(\Delta\) (the \(k_2\) term cancels out) and then recover the key \(k_0\). We need to collect a few (2 or 3) different \(\Delta\) (by repeating step 1 a few times). From here on, everything falls down. You recover \(k_0\), then you can plug it to solve for \(k_1\) and you’re basically done, since you recovered two consecutive round keys and you can invert the key schedule.
Proof of concept. We implemented this attack end-to-end. The details are https://eprint.iacr.org/2017/1257.pdf. We exploit leakage only from the third round and perform the simple differential attack yielding just 4 candidates for \(k_0\).