Scan Based Side Channel Attack on Data Encryption Standard
IACR’04
Bo Yang, Kaijie Wu, Ramesh Karri
ECE Dept., Polytechnic University, Brooklyn. (Currently NYU Tandon)
Outline
• Introduction
• Assumptions
• Methodology
• Discussion
• Conclusions
Introduction
• Cryptographic algorithms
– Application-Specific Integrated Circuits (ASIC)
– Cryptographic Coprocessors
• Scan-based tests
– Validate the function of a hardware system at fabrication time and in the field.
– High fault coverage; test pattern generation and signature analysis need no additional on-chip hardware (compare built-in self test (BIST)).
Introduction
• Scan-based tests
– Construct several scan chains (SCs) in a chip by tying together internal registers and flip-flops and connecting them to the JTAG interface.
– During test synthesis
• SCs are inserted by the synthesis tool.
– During chip packaging
• SCs are either connected to external JTAG interface pins, to provide on-chip debugging and maintenance in the field, or left unbound.
– However, unbound scan chains can still be accessed by breaking the package open.
Introduction
• Data Encryption Standard
– DES is a symmetric encryption algorithm developed in the 1970s by IBM.
– Encrypts 64-bit data blocks under the control of a 56-bit user key.
– DES decryption is the inverse of DES encryption and uses the same user key.
[Figure: Data Encryption Standard]
Introduction
• Contributions
– Show that scan chains can be used to discover the secret keys stored in a cryptographic device.
– The approach is simple yet general and powerful, and can be adapted to any cryptographic implementation on ASICs, FPGAs or general-purpose microprocessors.
Assumptions
• Know the DES algorithm.
• Have access to high-level timing diagrams.
• Do not know the exact number of registers used.
• Round keys are stored in a secure RAM/ROM.
• Round key registers are not included in the scan chain.
• Do not know the structure of the scan chain.
Methodology
• Step 1. Determine Scan Chain Structure
• Step 2. Recover DES Round Key
• Step 3. Recover DES User Key
Methodology
Step 1. Determine Scan Chain Structure
• Switch the DES circuit between normal mode and test mode.
1. Reset to normal mode -> Load a known plaintext into the input register.
2. Switch to test mode -> Scan out the bit stream, pattern 1.
3. Switch to normal mode -> Load the plaintext into the L or R registers.
4. Switch to test mode -> Scan out the bit stream, pattern 2.
5. Repeat steps 1 to 3 using a plaintext that differs from the first plaintext in only one bit position. Save patterns 3 and 4.
• Comparing the patterns obtained from the two plaintexts shows which scan-chain positions belong to the input register and to the L and R registers.
Methodology
Step 2. Recover DES Round Key
• Knowing the location of the L and R registers in the scan chain → break the DES algorithm!
• Relations of the first DES round (r is the content of R0):
1. L1 = R0
2. R1 = L0 ⊕ d
3. d = permutation(c)
4. a = Expand(r)
5. b = a ⊕ K1
6. c = S_box(b)
[Figure: the first DES round, showing registers L0, R0, L1, R1, the intermediate values r, a, b, c, d and the round key K1]
Methodology
Step 2. Recover DES Round Key
• Reverse the S-box (Substitution Box)
– Each S-box compresses the 6-bit input into a 4-bit output, so a known output leaves four candidate inputs; combining the candidate sets obtained from plaintexts that differ in one bit narrows them to the actual input b, and since b = a ⊕ K1 with a known, this yields the corresponding round-key bits.
[Figure: S-box inversion example. Candidate inputs (000110)2, (001111)2, (100010)2 or (101101)2 and (001110)2, (000111)2, (101010)2 or (100101)2; S-box outputs c2 = 8, 4, 6 and c3 = 11, 5; resolved inputs (010111)2 and (111100)2; recovered round-key bits K1,43 to K1,48.]
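As an added example (not code from the slides or from the authors), the Python below works through the S-box inversion just described on DES S-box S1 (table as in FIPS 46-3), using the relations a = Expand(r), b = a ⊕ K1 and c = S_box(b): each 4-bit output leaves exactly four candidate 6-bit inputs, and intersecting the key-chunk candidates obtained from plaintexts that differ in one bit pins the chunk down, which is the leakage a scan-chain countermeasure has to close. The key chunk and the expanded-input chunks are constructed values standing in for register contents, and the function names are this example's own.

```python
"""S-box inversion on DES S1: how many round-key bits one observed S-box
output pins down, and how few plaintexts finish the job.

Added example; all register values are constructed, nothing touches hardware."""

# DES S-box S1 as in FIPS 46-3: four rows of sixteen 4-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(box, b6):
    """DES S-box lookup on a 6-bit input b = b5..b0: the outer bits (b5, b0)
    select the row, the inner four bits (b4..b1) select the column."""
    row = (((b6 >> 5) & 1) << 1) | (b6 & 1)
    col = (b6 >> 1) & 0xF
    return box[row][col]


def sbox_preimages(box):
    """Map every 4-bit output to the set of 6-bit inputs that produce it.
    Each row of a DES S-box is a permutation of 0..15, so every output value
    has exactly four preimages: this is the 6-to-4-bit compression the slide
    refers to, and why a single observation cannot fix the input."""
    pre = {}
    for b6 in range(64):
        pre.setdefault(sbox(box, b6), set()).add(b6)
    return pre


def key_candidates(box, a6, c4):
    """Round-key chunk candidates from one observation.
    From b = a XOR k and c = S(b): k = x XOR a for every x with S(x) = c,
    where a is the known 6-bit chunk of Expand(R0) and c is the 4-bit S-box
    output recovered (through the inverse permutation) from R1 XOR L0."""
    return {x ^ a6 for x in sbox_preimages(box)[c4]}


def narrow_key_chunk(box, k6, a_chunks):
    """Simulate the observation for successive plaintexts and intersect the
    candidate sets. k6 is the (constructed) true 6-bit round-key chunk; each
    entry of a_chunks is the expanded-input chunk for one plaintext.
    Returns (remaining candidates, number of plaintexts used)."""
    remaining = set(range(64))
    used = 0
    for a6 in a_chunks:
        c4 = sbox(box, a6 ^ k6)       # the value the scan chain would reveal
        remaining &= key_candidates(box, a6, c4)
        used += 1
        if len(remaining) == 1:
            break
    return remaining, used


def demo():
    """Constructed values: key chunk 0b101010, first expanded-input chunk
    0b010110, then chunks for plaintexts differing in one bit position."""
    k6 = 0b101010
    a_chunks = [0b010110, 0b010111, 0b010100]
    return narrow_key_chunk(S1, k6, a_chunks)


if __name__ == "__main__":
    first = key_candidates(S1, 0b010110, sbox(S1, 0b010110 ^ 0b101010))
    print("candidates after one plaintext:", sorted(first))
    remaining, used = demo()
    print("key chunk", remaining, "found with", used, "plaintexts")
```

For this chunk two observations already suffice; the slides state that three plaintexts are enough for the whole key.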
Methodology
Step 3. Recover DES User Key
• Each round key contains 48 bits of the 56-bit user key.
• By analysis of the DES round key generation algorithm, we only need to recover round keys K1, K2 and K3 to derive the user key.
Discussion
• Attack Complexity Analysis
– 198 clock cycles to scan out the first bit stream.
• 1 cycle of normal operation + 197 cycles of scan operation.
– 198 clock cycles to locate one flip-flop in the input register.
• Total 38016 (= 192 × 198) cycles to determine the entire scan chain.
– 397 clock cycles for every input plaintext to reach R0, L0, R1 and L1.
• 2 cycles of normal operation + 197 cycles of scan operation + 1 cycle of normal operation + 197 cycles of scan operation.
• 1191 cycles (= 397 × 3) to discover round key K1.
• 1185 cycles each to discover round keys K2 and K3.
• Total 3561 cycles to discover round keys K1, K2 and K3.
– Overall, 41775 clock cycles (198 + 38016 + 3561) are required to discover the user key.
Discussion
• Extension to a pipelined DES architecture
– A 16-stage pipeline will have 17 register pairs: (L0, R0) … (L16, R16).
– L0 and R0 can be located first.
– L1 and R1 can be located by observing that L1 = R0 and R1 = L0 ⊕ f(R0, K1).
– If we change only the lowest bit of L0, L1 remains unchanged and only the lowest bit of R1 flips, because f(R0, K1) remains unchanged.
– Similarly, we can locate all flip-flops.
– Hence, we can recover round keys K1, K2 and K3.
Discussion
• Characteristics of crypto algorithms in hardware
– Data-driven: for different plaintexts the control logic performs the same actions.
– Avalanche effect: a one-bit difference in a round translates into several bit changes in the next round.
• This is what determines the clock cycle in which the plaintext is loaded into the input plaintext register and into the L and R registers.
Conclusions
• Several side-channel attacks have been proposed.
• Show that scan chains and scan-based tests are a potent side channel.
• Propose an attack using only 3 plaintexts to break DES.

More Related Content

What's hot

Lowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysisLowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysis
Riscure
 
High Performance Flow Matching Architecture for Openflow Data Plane
High Performance Flow Matching Architecture for Openflow Data PlaneHigh Performance Flow Matching Architecture for Openflow Data Plane
High Performance Flow Matching Architecture for Openflow Data Plane
Mahesh Dananjaya
 
⭐⭐⭐⭐⭐ CHARLA FIEC: Monitoring of system memory usage embedded in #FPGA
⭐⭐⭐⭐⭐ CHARLA FIEC: Monitoring of system memory usage embedded in #FPGA⭐⭐⭐⭐⭐ CHARLA FIEC: Monitoring of system memory usage embedded in #FPGA
⭐⭐⭐⭐⭐ CHARLA FIEC: Monitoring of system memory usage embedded in #FPGA
Victor Asanza
 
Triển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponTriển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gpon
laonap166
 
Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentationdegarden
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
PROIDEA
 
Cef based switching
Cef based switchingCef based switching
Cef based switching
Israel Umana
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
Sam Bowne
 
RISC-V 30907 summit 2020 joint picocom_mentor
RISC-V 30907 summit 2020 joint picocom_mentorRISC-V 30907 summit 2020 joint picocom_mentor
RISC-V 30907 summit 2020 joint picocom_mentor
RISC-V International
 
Vpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tếVpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tế
laonap166
 
ThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route ValidityThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route Validity
APNIC
 
Implementing IPv6 Segment Routing in the Linux kernel
Implementing IPv6 Segment Routing in the Linux kernelImplementing IPv6 Segment Routing in the Linux kernel
Implementing IPv6 Segment Routing in the Linux kernel
Olivier Bonaventure
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering Oopsies
Anne Nicolas
 
Routing basics/CEF
Routing basics/CEFRouting basics/CEF
Routing basics/CEF
Dmitry Figol
 
8051 micro controller
8051 micro controller8051 micro controller
8051 micro controller
Poojith Chowdhary
 
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Kentaro Ebisawa
 
icd_lrs_may2_00_ATE_Hyb.
icd_lrs_may2_00_ATE_Hyb.icd_lrs_may2_00_ATE_Hyb.
icd_lrs_may2_00_ATE_Hyb.Laird Snowden
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
Thomas Graf
 
Os detection with arp
Os detection with arpOs detection with arp
Os detection with arpDavid Clark
 

What's hot (20)

Lowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysisLowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysis
 
High Performance Flow Matching Architecture for Openflow Data Plane
High Performance Flow Matching Architecture for Openflow Data PlaneHigh Performance Flow Matching Architecture for Openflow Data Plane
High Performance Flow Matching Architecture for Openflow Data Plane
 
⭐⭐⭐⭐⭐ CHARLA FIEC: Monitoring of system memory usage embedded in #FPGA
⭐⭐⭐⭐⭐ CHARLA FIEC: Monitoring of system memory usage embedded in #FPGA⭐⭐⭐⭐⭐ CHARLA FIEC: Monitoring of system memory usage embedded in #FPGA
⭐⭐⭐⭐⭐ CHARLA FIEC: Monitoring of system memory usage embedded in #FPGA
 
Triển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gponTriển khai vpn client to site qua router gpon
Triển khai vpn client to site qua router gpon
 
Stream ciphers presentation
Stream ciphers presentationStream ciphers presentation
Stream ciphers presentation
 
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPKrzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SP
 
Cef based switching
Cef based switchingCef based switching
Cef based switching
 
Snug 2014 China
Snug 2014 ChinaSnug 2014 China
Snug 2014 China
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
 
RISC-V 30907 summit 2020 joint picocom_mentor
RISC-V 30907 summit 2020 joint picocom_mentorRISC-V 30907 summit 2020 joint picocom_mentor
RISC-V 30907 summit 2020 joint picocom_mentor
 
Vpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tếVpn site to site 2 asa qua gpon ftth thực tế
Vpn site to site 2 asa qua gpon ftth thực tế
 
ThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route ValidityThaiNOG Day 2021: Thailand's Route Validity
ThaiNOG Day 2021: Thailand's Route Validity
 
Implementing IPv6 Segment Routing in the Linux kernel
Implementing IPv6 Segment Routing in the Linux kernelImplementing IPv6 Segment Routing in the Linux kernel
Implementing IPv6 Segment Routing in the Linux kernel
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering Oopsies
 
Routing basics/CEF
Routing basics/CEFRouting basics/CEF
Routing basics/CEF
 
8051 micro controller
8051 micro controller8051 micro controller
8051 micro controller
 
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
Zebra SRv6 CLI on Linux Dataplane (ENOG#49)
 
icd_lrs_may2_00_ATE_Hyb.
icd_lrs_may2_00_ATE_Hyb.icd_lrs_may2_00_ATE_Hyb.
icd_lrs_may2_00_ATE_Hyb.
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
 
Os detection with arp
Os detection with arpOs detection with arp
Os detection with arp
 

Similar to Scan Based Side Channel Attack on Data Encryption Standard

Overview on Cryptography and Network Security
Overview on Cryptography and Network SecurityOverview on Cryptography and Network Security
Overview on Cryptography and Network Security
Dr. Rupa Ch
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
 
Smit_Patel_Layout_Design_Resume_Final
Smit_Patel_Layout_Design_Resume_FinalSmit_Patel_Layout_Design_Resume_Final
Smit_Patel_Layout_Design_Resume_FinalSMIT A. PATEL
 
osdi23_slides_lo_v2.pdf
osdi23_slides_lo_v2.pdfosdi23_slides_lo_v2.pdf
osdi23_slides_lo_v2.pdf
gmdvmk
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
 
my.Light weight cryptography.2023.pptx
my.Light weight cryptography.2023.pptxmy.Light weight cryptography.2023.pptx
my.Light weight cryptography.2023.pptx
halosidiq1
 
Tamper Detection & Discrimination in Passive RFID Systems using Steganography
Tamper Detection & Discrimination in Passive RFID Systems using SteganographyTamper Detection & Discrimination in Passive RFID Systems using Steganography
Tamper Detection & Discrimination in Passive RFID Systems using SteganographyManishgant A Padmanabhan
 
Wpmc2004 phy protection
Wpmc2004 phy protectionWpmc2004 phy protection
Wpmc2004 phy protectionArpan Pal
 
Flip flop& RAM ROM
Flip flop& RAM ROMFlip flop& RAM ROM
Flip flop& RAM ROMBala Ganesh
 
Block Cipher.cryptography_miu_year5.pptx
Block Cipher.cryptography_miu_year5.pptxBlock Cipher.cryptography_miu_year5.pptx
Block Cipher.cryptography_miu_year5.pptx
HodaAhmedBekhitAhmed
 
Cryptography_additive_cipher.pptx
Cryptography_additive_cipher.pptxCryptography_additive_cipher.pptx
Cryptography_additive_cipher.pptx
Shivaprasad787526
 
sequencea.ppt
sequencea.pptsequencea.ppt
sequencea.ppt
olusolaogunyewo1
 
Analysis of Cryptographic Algorithms
Analysis of Cryptographic AlgorithmsAnalysis of Cryptographic Algorithms
Analysis of Cryptographic Algorithms
ijsrd.com
 
Brkdct 3101
Brkdct 3101Brkdct 3101
Brkdct 3101
Nguyen Van Linh
 
PERFORMANCE ANALYSIS OF D-FLIP FLOP USING CMOS, GDI, DSTC TECHNIQUES
PERFORMANCE ANALYSIS OF D-FLIP FLOP USING CMOS, GDI, DSTC TECHNIQUESPERFORMANCE ANALYSIS OF D-FLIP FLOP USING CMOS, GDI, DSTC TECHNIQUES
PERFORMANCE ANALYSIS OF D-FLIP FLOP USING CMOS, GDI, DSTC TECHNIQUES
IRJET Journal
 
EFFICIENT VLSI IMPLEMENTATION OF THE BLOCK CIPHER RIJNDAEL ALGORITHM
EFFICIENT VLSI IMPLEMENTATION OF THE BLOCK CIPHER RIJNDAEL ALGORITHMEFFICIENT VLSI IMPLEMENTATION OF THE BLOCK CIPHER RIJNDAEL ALGORITHM
EFFICIENT VLSI IMPLEMENTATION OF THE BLOCK CIPHER RIJNDAEL ALGORITHM
AJAL A J
 
Random access scan
Random access scan Random access scan
Random access scan
Harish Peta
 

Similar to Scan Based Side Channel Attack on Data Encryption Standard (20)

Overview on Cryptography and Network Security
Overview on Cryptography and Network SecurityOverview on Cryptography and Network Security
Overview on Cryptography and Network Security
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Smit_Patel_Layout_Design_Resume_Final
Smit_Patel_Layout_Design_Resume_FinalSmit_Patel_Layout_Design_Resume_Final
Smit_Patel_Layout_Design_Resume_Final
 
osdi23_slides_lo_v2.pdf
osdi23_slides_lo_v2.pdfosdi23_slides_lo_v2.pdf
osdi23_slides_lo_v2.pdf
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
IDEA.ppt
IDEA.pptIDEA.ppt
IDEA.ppt
 
20141105 asfws-norx-slides
20141105 asfws-norx-slides20141105 asfws-norx-slides
20141105 asfws-norx-slides
 
my.Light weight cryptography.2023.pptx
my.Light weight cryptography.2023.pptxmy.Light weight cryptography.2023.pptx
my.Light weight cryptography.2023.pptx
 
Tamper Detection & Discrimination in Passive RFID Systems using Steganography
Tamper Detection & Discrimination in Passive RFID Systems using SteganographyTamper Detection & Discrimination in Passive RFID Systems using Steganography
Tamper Detection & Discrimination in Passive RFID Systems using Steganography
 
Raptor codes
Raptor codesRaptor codes
Raptor codes
 
Wpmc2004 phy protection
Wpmc2004 phy protectionWpmc2004 phy protection
Wpmc2004 phy protection
 
Flip flop& RAM ROM
Flip flop& RAM ROMFlip flop& RAM ROM
Flip flop& RAM ROM
 
Block Cipher.cryptography_miu_year5.pptx
Block Cipher.cryptography_miu_year5.pptxBlock Cipher.cryptography_miu_year5.pptx
Block Cipher.cryptography_miu_year5.pptx
 
Cryptography_additive_cipher.pptx
Cryptography_additive_cipher.pptxCryptography_additive_cipher.pptx
Cryptography_additive_cipher.pptx
 
sequencea.ppt
sequencea.pptsequencea.ppt
sequencea.ppt
 
Analysis of Cryptographic Algorithms
Analysis of Cryptographic AlgorithmsAnalysis of Cryptographic Algorithms
Analysis of Cryptographic Algorithms
 
Brkdct 3101
Brkdct 3101Brkdct 3101
Brkdct 3101
 
PERFORMANCE ANALYSIS OF D-FLIP FLOP USING CMOS, GDI, DSTC TECHNIQUES
PERFORMANCE ANALYSIS OF D-FLIP FLOP USING CMOS, GDI, DSTC TECHNIQUESPERFORMANCE ANALYSIS OF D-FLIP FLOP USING CMOS, GDI, DSTC TECHNIQUES
PERFORMANCE ANALYSIS OF D-FLIP FLOP USING CMOS, GDI, DSTC TECHNIQUES
 
EFFICIENT VLSI IMPLEMENTATION OF THE BLOCK CIPHER RIJNDAEL ALGORITHM
EFFICIENT VLSI IMPLEMENTATION OF THE BLOCK CIPHER RIJNDAEL ALGORITHMEFFICIENT VLSI IMPLEMENTATION OF THE BLOCK CIPHER RIJNDAEL ALGORITHM
EFFICIENT VLSI IMPLEMENTATION OF THE BLOCK CIPHER RIJNDAEL ALGORITHM
 
Random access scan
Random access scan Random access scan
Random access scan
 

Recently uploaded

How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 

Recently uploaded (20)

How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 

Scan Based Side Channel Attack on Data Encryption Standard

  • 1. Scan Based Side Channel Attack on Data Encryption Standard IACR’04 Bo Yang, Kaijie Wu, Ramesh Karri ECE Dept., Polytechnic University, Brooklyn. (Currently NYU Tandon)
  • 2. Scan Based Side Channel Attack on Data Encryption Standard Outline • Introduction • Assumptions • Methodology • Discussion • Conclusions 2
  • 3. Scan Based Side Channel Attack on Data Encryption Standard Outline • Introduction • Assumptions • Methodology • Discussion • Conclusions 3
  • 4. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Cryptographic algorithms – Application-Specific Integrated Circuits (ASIC) – Cryptographic Coprocessors • Scan-based tests – Validate the function of a hardware system at fabrication time and in field. – High fault coverage, test pattern generation and signature analysis w/o additional hardware. (cp. built-in self test (BIST)) 4
  • 5. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Scan-based tests – Constructs several Scan Chains (SCs) in a chip by tying together internal registers and flip flops and connecting them to the JTAG. – During test synthesis • SCs are inserted by synthesis tool. – During chip packaging • SCs are connected to external JTAG interface pins to provide on-chip debugging and maintenance in field, or left unbound. 5
  • 6. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Scan-based tests – However, unbound scan chains can still be accessed by breaking the package open. 6
  • 7. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Data Encryption Standard – DES is a symmetric encryption algorithm developed in the 1970s by IBM. – Encrypts 64-bit data blocks under the control of a 56-bit user key. – DES decryption is the inverse of DES encryption and uses the same user key. 7
  • 8. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Data Encryption Standard 8
  • 9. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Contributions – Show that scan chains can be used to discover the secret keys stored in a cryptographic device. – The approach is simple yet general and powerful and can be adapted to any cryptographic implementation on ASICs or FPGAs or general microprocessors. 9
11. Assumptions
• Know the DES algorithm.
• Have access to high-level timing diagrams.
• Do not know the exact number of registers used.
• Round keys are stored in a secure RAM/ROM.
• Round key registers are not included in the scan chain.
• Do not know the structure of the scan chain.
13. Methodology
• Step 1. Determine Scan Chain Structure
• Step 2. Recover DES Round Key
• Step 3. Recover DES User Key
14. Methodology – Step 1. Determine Scan Chain Structure
• Switch the DES circuit between normal mode and test mode.
1. Reset to normal mode -> Load a known plaintext into the input register.
2. Switch to test mode -> Scan out the bit stream, pattern 1.
3. Switch to normal mode -> Load the plaintext into the L or R registers.
4. Switch to test mode -> Scan out the bit stream, pattern 2.
5. Repeat steps 1 to 3 using a plaintext that differs from the first plaintext in only one bit position. Save pattern 3 and pattern 4.
15. Methodology – Step 2. Recover DES Round Key
• Knowing the location of the L and R registers in the scan chain → break the DES algorithm!
– Round-1 relations (r is the content of R0):
(1) L1 = R0
(2) R1 = L0 ⊕ d
(3) d = permutation(c)
(4) a = Expand(r)
(5) b = a ⊕ K1
(6) c = S_box(b)
[Figure: DES round-1 data path showing registers L0, R0, L1, R1, the intermediate values r, a, b, c, d and round key K1.]
16. Methodology – Step 2. Recover DES Round Key
• Reverse the S-box (Substitution Box).
– Each S-box compresses its 6-bit input into a 4-bit output, so every 4-bit output has four possible 6-bit inputs.
[Figure: worked example mapping S-box outputs back to their candidate 6-bit inputs, e.g. (000110)2, (001111)2, (100010)2 or (101101)2 for one output and (001110)2, (000111)2, (101010)2 or (100101)2 for another, together with the six round-key bits labelled K1,43 … K1,48 recovered from them.]
17. Methodology – Step 3. Recover DES User Key
• Each round key contains 48 of the 56 user-key bits.
• By analysing the DES round-key generation algorithm, only round keys K1, K2 and K3 need to be recovered to derive the user key.
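Why the S-box ambiguity of Step 2 collapses after a few plaintexts, as an added Python example that is not part of the slides: for one S-box (DES S1), each observed pair of Expand(R0) slice and S-box output yields four candidates for the 6-bit round-key chunk, and intersecting the candidate sets over plaintexts narrows them to one. The secret chunk 0b101101 and the three input slices are constructed for the demo; the first observation reproduces the candidate set (000110, 001111, 100010, 101101) shown on slide 16.

```python
# Added example (not from the slides): recovering one 6-bit chunk of round
# key K1 from values exposed by the scan chain, for DES S-box S1 only.
# In the full attack, `a` is the 6-bit slice of Expand(R0) feeding S1 and
# `c` is the matching 4 bits of permutation^-1(R1 XOR L0); here both are
# supplied directly and the secret chunk is constructed for the demo.

S1 = [  # standard DES S-box S1; row = outer bits of the input, column = inner 4
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(box, b):
    """Map a 6-bit input to a 4-bit output (DES row/column convention)."""
    row = (((b >> 5) & 1) << 1) | (b & 1)
    col = (b >> 1) & 0xF
    return box[row][col]

def sbox_preimages(box, c):
    """All 6-bit inputs that produce output c: exactly four, one per row."""
    return {b for b in range(64) if sbox(box, b) == c}

def key_candidates(box, a, c):
    """Round-key chunk candidates from one observation: K = b XOR a."""
    return {b ^ a for b in sbox_preimages(box, c)}

def recover_key_chunk(box, observations):
    """Intersect the candidate sets of several (a, c) observations."""
    survivors = None
    for a, c in observations:
        cands = key_candidates(box, a, c)
        survivors = cands if survivors is None else survivors & cands
    return survivors

def simulate(box, key_chunk, a_values):
    """(a, c) pairs an observer of L0, R0 and R1 derives for each plaintext."""
    return [(a, sbox(box, a ^ key_chunk)) for a in a_values]

if __name__ == "__main__":
    secret = 0b101101  # constructed secret chunk of K1 for the demo
    # three Expand(R0) slices, the later two differing from the first in one bit
    slices = [0b000000, 0b001000, 0b000010]
    for n in (1, 2, 3):
        obs = simulate(S1, secret, slices[:n])
        print(n, "plaintext(s) ->", sorted(recover_key_chunk(S1, obs)))
```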
19–20. Discussion – Attack Complexity Analysis
• 198 clock cycles to scan out the first bit stream.
– 1 cycle for normal operation + 197 cycles for scan operations.
• 198 clock cycles to locate one flip flop in the input register.
– Total 38016 (= 192 × 198) cycles to determine the entire scan chain.
• 397 clock cycles for every input plaintext to reach R0, L0, R1 and L1.
– 2 cycles for normal operation + 197 cycles for scan operation + 1 cycle for normal operation + 197 cycles for scan operation.
– 1191 cycles (= 397 × 3) to discover round key K1.
– 1185 cycles each to discover round keys K2 and K3.
– Total 3561 cycles to discover round keys K1, K2 and K3.
• Overall, 41775 clock cycles are required to discover the user key.
21. Discussion – Extension to a pipelined DES architecture
• A 16-stage pipeline has 17 register pairs: (L0, R0) … (L16, R16).
• L0 and R0 can be located first.
• L1 and R1 can be located by observing that L1 = R0 and R1 = L0 ⊕ f(R0, K1).
• If only the lowest bit of L0 is changed, L1 remains unchanged and the lowest bit of R1 flips, because f(R0, K1) is unchanged.
• Similarly, all flip-flops can be located.
• Hence round keys K1, K2 and K3 can be recovered.
22. Discussion – Characteristics of crypto algorithms in hardware
• Data-driven: the plaintexts differ, but the control logic performs the same actions.
• Avalanche effect: a one-bit difference in one round translates into several bit changes in the next round.
– This is what identifies the clock cycle at which the plaintext is loaded into the input plaintext register and into the L and R registers.
24. Conclusions
• Several side-channel attacks have been proposed.
• Scan chains and scan-based tests are shown to be a potent side-channel.
• An attack using only 3 plaintexts is proposed to break DES.