Repository logo

Single-trace fragment template attack on a 32-bit implementation of Keccak

Accepted version


Conference Object

Change log


Template attacks model side-channel leakage information using Gaussian multivariate distributions. They have been quite successful in directly reconstructing individual bits of 8-bit parallel buses and registers from power traces. However, extending their use directly to larger word sizes, such as 32-bit buses, becomes impractical. Here we show that it is possible to use an LDA-based stochastic model to independently build templates for just byte fragments of such a word, to predict the exact values of its four member bytes, instead of only overall Hamming weights. We demonstrate this technique to reconstruct the arbitrary-length inputs of SHA3-512 and some other Keccak sponge functions implemented on a 32-bit Cortex-M4 device. The quality of these templates was high enough such that remaining errors in their predictions could be eliminated via belief propagation on a factor-graph network (SASCA). In our experiments, we already reliably recovered SHA3-512 inputs up to 719 bytes long (10 invocations of the permutation), and reconstructing even longer inputs should be just a matter of making longer recordings.



Journal Title

Conference Name

20th Smart Card Research and Advanced Application Conference (CARDIS 2021)

Journal ISSN

Volume Title


Cambridge Trust and the Ministry of Education, Taiwan