DES with any reduced masked rounds is not secure against side-channel attacks

The literature offers several efficient masking methods for providing resistance to side-channel attacks against iterative block ciphers, such as Data Encryption Standard (DES) and Advanced Encryption Standard (AES). One of the proposed methods is to apply independent masks to each of the first and last few rounds. However, at the workshops on Selected Areas in Cryptography (SAC) 2006 and Cryptographic Hardware and Embedded System (CHES) 2007, Handschuh-Preneel and Biryukov-Khovratovich showed that DES and AES with such reduced masked rounds are still vulnerable to side-channel attacks combined with block cipher cryptanalysis. Specifically, Handschuh and Preneel presented differential based side-channel attacks on DES with the first 4 rounds masked, and Biryukov and Khovratovich presented impossible and multiset collision based side-channel attacks on AES with the first 2, 3 and 4 rounds masked. More recently, Kim and Hong showed that AES-192 and AES-256 with the first 5 rounds masked are also vulnerable to side-channel attacks based on the meet-in-the-middle technique. In this paper, we focus on the security of DES with reduced masked rounds against side-channel attacks; we propose differential based side-channel attacks on DES with the first 5, 6 and 7 rounds masked: they require 2(17.4), 2(24), 2(35.5) chosen plaintexts with associate power traces and collision measurements, correspondingly. Our attacks are the first known side-channel attacks on DES with the first 5, 6 and 7 rounds masked: our attack results show that DES with any reduced masked rounds is not secure against side-channel attacks, i.e., in order for DES to be resistant to side-channel attacks, entire rounds should be masked. (C) 2010 Elsevier Ltd. All rights reserved.