On side channel vulnerabilities of bit permutations in cryptographic algorithms

Abstract

Lightweight block ciphers rely on simple operations to allow compact implementation. Thanks to its efficiency, bit permutation has emerged as an optimal choice for state-wise diffusion. It can be implemented by simple wiring in hardware or shifts in software. However, efficiency and security often go against each other. In this paper, we show how bit permutations introduce a side-channel vulnerability that can be exploited to extract the secret key from the cipher. Such vulnerabilities are specific to bit permutations and do not occur in other state-wise diffusion alternatives. We propose side-channel assisted differential-plaintext attack (SCADPA) which targets this vulnerability in the bit permutation operation. SCADPA is first experimentally demonstrated on PRESENT-80 on an 8-bit microcontroller, with the best case key recovery in 17 encryptions. In Addition, we adjust SCADPA to state-of-the-art bit sliced implementation from CHES'17 with experimental evaluation on a 32-bit microcontroller. The attack is then extended to latest bit-permutation-based cipher GIFT, allowing full key recovery in 36 encryptions. Application for reverse engineering of secret S-boxes in PRESENT-like proprietary ciphers is also shown.