A Compact Implementation of Salsa20 and Its Power Analysis Vulnerabilities

In this article, we present a compact implementation of the Salsa20 stream cipher that is targeted towards lightweight cryptographic devices such as radio-frequency identification (RFID) tags. The Salsa20 stream cipher, ann addition-rotation-XOR (ARX) cipher, is used for high-security cryptography in NEON instruction sets embedded in ARM Cortex A8 CPU core-based tablets and smartphones. The existing literature shows that although classical cryptanalysis has been effective on reduced rounds of Salsa20, the stream cipher is immune to software side-channel attacks such as branch timing and cache timing attacks. To the best of our knowledge, this work is the first to perform hardware power analysis attacks, where we evaluate the resistance of all eight keywords in the proposed compact implementation of Salsa20. Our technique targets the three subrounds of the first round of the implemented Salsa20. The correlation power analysis (CPA) attack has an attack complexity of 2(19). Based on extensive experiments on a compact implementation of Salsa20, we demonstrate that all these keywords can be recovered within 20,000 queries on Salsa20. The attacks show a varying resilience of the key words against CPA that has not yet been observed in any stream or block cipher in the present literature. This makes the architecture of this stream cipher interesting from the side-channel analysis perspective. Also, we propose a lightweight countermeasure that mitigates the leakage in the power traces as shown in the results of Welch's t-test statistics. The hardware area overhead of the proposed countermeasure is only 14% and is designed with compact implementation in mind.