Abstract:
Internet of Things (IoT) devices help attain greater energy efficiency, accuracy, and speed, as well as quicker design cycles, in comparison with normal computing devices. As the usage of such devices grows, so do the security concerns related to information sharing and storage. To address this issue, NSA introduced Lightweight Cryptography (LWC) back in 2013, with the release of the Simon and Speck families of block ciphers. In 2015 these ciphers were proposed for standardization by ISO/IEC. However, the lack of a proper security rationale led to their removal from ISO/IEC consideration in 2018.
Alongside many cryptanalytic attacks, one of the major threats against lightweight block ciphers is Side Channel Attacks (SCA). Since NIST specified SCA protection as one of the major selection criteria for the LWC standardization process, the field of SCA on lightweight block ciphers has been actively explored.
The basic aim of this thesis is to study the effect of a correlation power-based side channel attack on the lightweight block cipher Simon (128/128 bits) to perform partial 64-bit key recovery. We begin with the implementation of Simon on Kintex-7 FPGA (Sakura-X)/Virtex 5 (Sakura-G). Next, this implementation was used to encrypt 3000 random plaintexts under a fixed key, and 3000 power traces were recorded with the help of a Rigol DS1102-E oscilloscope and a specialized power analysis probe (SMA-BNC). However, due to oscilloscope limitations, only 1004 out of 3000 turned out to be useful for analysis.
The next step was to identify a leakage point in Round 1 of Simon for both the Hamming Distance Model (HDM) and the Hamming Weight Model (HWM) and to perform key recovery for sub key sizes of 2, 4 and 8 bits. As a result, we were able to recover 16 to 28 bits of the partial round key k[0] using a 2-bit sub key based correlated bit pair HW model with 11 different trace sets of size 100 to 1004. During our analysis, we used the correlated bit pairs of sub keys in order to confirm the results of key bits having maximum correlation.
Furthermore, to minimize the error in the results that appears due to noise, we apply two filters: a Low Pass Filter (LPF) and a Moving Average Filter (MAF). With MAF, the key bit recovery rate for 1004 traces improved to 29 bits and the error was reduced to 6 bits from 7 bits. On the other hand, using LPF, 31 bits of the key were recovered and the error was reduced to 4 bits. This suggests that the noise factor in the power traces can be removed or minimized using specialized pre- and post-processing filters.
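
As an added illustration (not code from the thesis), the sketch below runs the 2-bit sub key Hamming-weight correlation step for round key k[0] on simulated traces, the kind of leakage assessment described above. It assumes the leakage is the Hamming weight of the 64-bit round-1 output word plus Gaussian noise; the leakage point, key value, noise level, trace count and all function names are assumptions constructed for the example.

```python
import random

MASK = (1 << 64) - 1  # Simon128/128 uses 64-bit words

def rol(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK

def simon_round1(x, y, k0):
    """Left word after round 1: y ^ f(x) ^ k[0], f(x) = (x<<<1 & x<<<8) ^ x<<<2."""
    return y ^ (rol(x, 1) & rol(x, 8)) ^ rol(x, 2) ^ k0

def hw(v):
    return bin(v).count("1")

def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    va = sum((p - ma) ** 2 for p in a)
    vb = sum((q - mb) ** 2 for q in b)
    return cov / (va * vb) ** 0.5

def simulate_traces(k0, n, sigma, rng):
    """Constructed data: one sample per encryption, HW of the round-1 word plus noise."""
    pts = [(rng.getrandbits(64), rng.getrandbits(64)) for _ in range(n)]
    samples = [hw(simon_round1(x, y, k0)) + rng.gauss(0, sigma) for x, y in pts]
    return pts, samples

def recover_k0(pts, samples):
    """For each 2-bit sub key keep the guess whose HW prediction correlates best."""
    base = [simon_round1(x, y, 0) for x, y in pts]  # key-independent part
    k0 = 0
    for j in range(0, 64, 2):
        scores = []
        for g in range(4):
            pred = [hw(((v >> j) & 3) ^ g) for v in base]
            scores.append((pearson(pred, samples), g))
        k0 |= max(scores)[1] << j
    return k0

def demo(n=3000, sigma=1.0, seed=1):
    rng = random.Random(seed)
    true_k0 = 0x0123456789ABCDEF  # constructed key word, not from the thesis
    pts, samples = simulate_traces(true_k0, n, sigma, rng)
    guess = recover_k0(pts, samples)
    return true_k0, guess, hw(true_k0 ^ guess)  # last value: wrong key bits

if __name__ == "__main__":
    k, g, wrong = demo()
    print(f"true k[0]={k:016x} recovered={g:016x} wrong bits={wrong}")
```

Lowering `n` or raising `sigma` in `demo` makes the third return value (wrong key bits) grow, which is the noise effect the filters above are meant to reduce.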