
SJTU Report SW GIFT-COFB AA

The document evaluates the side channel leakage of first-order masked implementations of GIFT-COFB. Power traces were collected from software and hardware implementations and analyzed using statistical tests and correlation power analysis attacks. The tests revealed slight potential leakage from the input nonce in hardware traces, but the private key could not be recovered from either implementation.


Side-Channel Evaluation on Protected Implementations of Several NIST LWC Finalists

Dawu Gu, Pei Cao, Yuhang Ji, Xiangjun Lu, Shipei Qu, Tengfei Wang, Chi Zhang, Hongyi Zhang, Xiaolin Zhang (sorted alphabetically by last name)
Cryptology and Computer Security Laboratory (LoCCS)
School of Electronic Information and Electrical Engineering
Shanghai Jiao Tong University
Shanghai, China
August 12, 2022

On the Side Channel Leakage Assessment of First-Order Masked GIFT-COFB

Xiangjun Lu¹, Shipei Qu¹, Tengfei Wang¹, Pei Cao¹
¹ School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai, China

1 Introduction

1.1 Background

GIFT-COFB is an Authenticated Encryption with Associated Data (AEAD) scheme based on the GIFT lightweight block cipher and the COFB lightweight AEAD operating mode [BCI+20]. It has been selected as one of the finalists in the NIST lightweight cryptography standardization process. The side-channel analysis of the native GIFT-COFB is carried out in [HBB20], while its mask-protected implementation has not yet been explored.

In power side-channel analysis, the attacker tries to recover secret information from the hardware running the cryptographic algorithm by recording power consumption traces. To protect cryptographic algorithms from such attacks, they are often implemented with boolean masks that hide the real secret information.

In this report, we perform a side-channel leakage assessment of GIFT-COFB with first-order boolean masking in both software and hardware implementations. The collected power traces go through leakage detection and attack attempts to investigate the power side-channel resilience of GIFT-COFB.

1.2 Our Work and Results Overview

Our work in this report and the results of the side-channel leakage assessment on first-order masked GIFT-COFB can be summarized as follows.
• We collected two trace sets from the given software and hardware implementations of GIFT-COFB on an MCU and a side-channel attack evaluation board.
• We performed Welch’s t-test [BCD+13] and the χ²-test [MRSS18] to evaluate the power leakage of GIFT-COFB. We tried to recover the private keys of GIFT-COFB by correlational power attack (CPA).
• The χ²-test applied on the power traces from the given hardware implementations shows a slight potential power leakage from the input nonce. However, such leakage is missing in Welch’s t-tests or the χ²-test on software implementations.
• The CPA attack cannot recover the private key bytes under the given implementations.

2 Assessment Strategy

Our assessment strategy on the given GIFT-COFB implementations can be summarized as the following three phases:

1. Analysis of the target

The initial phase of GIFT-COFB is shown in Figure 1. We consider the known-plaintext attack scenario, which is a common assumption in side-channel attacks. Then we take the first block encryption component as the target of the attack, which is a GIFT-128 cipher.

Figure 1: Analysis target

Next, we choose the output of the SubCells operation in the second round as the intermediate value. The reason for choosing this intermediate value is that it has both a direct correspondence with the round key and a high degree of non-linearity.
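Let’s take the notation in the GIFT-COFB specification [BCI+20]. Specifically, the 128-bit secret key is loaded into the key state KS partitioned into 8 16-bit words:

$$
KS = \begin{bmatrix} W_0 \,\|\, W_1 \\ W_2 \,\|\, W_3 \\ W_4 \,\|\, W_5 \\ W_6 \,\|\, W_7 \end{bmatrix}
\leftarrow
\begin{bmatrix}
b_{127} \cdots b_{112} \,\|\, b_{111} \cdots b_{98}\; b_{97}\; b_{96} \\
b_{95} \cdots b_{80} \,\|\, b_{79} \cdots b_{66}\; b_{65}\; b_{64} \\
b_{63} \cdots b_{48} \,\|\, b_{47} \cdots b_{34}\; b_{33}\; b_{32} \\
b_{31} \cdots b_{16} \,\|\, b_{15} \cdots b_{2}\; b_{1}\; b_{0}
\end{bmatrix}
\tag{1}
$$

And the cipher state S is expressed as 4 32-bit segments:

$$
S = \begin{bmatrix} S_0 \\ S_1 \\ S_2 \\ S_3 \end{bmatrix}
\leftarrow
\begin{bmatrix}
b_{124} \cdots b_{8}\; b_{4}\; b_{0} \\
b_{125} \cdots b_{9}\; b_{5}\; b_{1} \\
b_{126} \cdots b_{10}\; b_{6}\; b_{2} \\
b_{127} \cdots b_{11}\; b_{7}\; b_{3}
\end{bmatrix}
\tag{2}
$$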

Suppose the cipher state before the AddRoundKey operation in the first round is $\{S_0', S_1', S_2', S_3'\}$, which can be derived from the nonce N. Then AddRoundKey will update the cipher state with the round key and constant in the first round:

$$
\begin{aligned}
S_0'' &\leftarrow S_0' \\
S_1'' &\leftarrow S_1' \oplus (W_6 \,\|\, W_7) \\
S_2'' &\leftarrow S_2' \oplus (W_2 \,\|\, W_3) \\
S_3'' &\leftarrow S_3' \oplus \texttt{0x80000001}
\end{aligned}
\tag{3}
$$

In order to perform side-channel attacks such as CPA, we must be able to compute the corresponding intermediate value from the parts of the key we guessed. In typical side-channel attacks (e.g. AES), one byte is often guessed and another byte is obtained as an intermediate value. However, this strategy does not work for GIFT-128, because $S_1''$ and $S_2''$ affect multiple bytes in the output of the second round’s SubCells:

$$
\begin{aligned}
S_1 &\leftarrow S_1'' \oplus (S_0'' \,\&\, S_2'') \\
S_0 &\leftarrow S_0'' \oplus (S_1 \,\&\, S_3'') \\
S_2 &\leftarrow S_2'' \oplus (S_0 \mid S_1) \\
S_3 &\leftarrow S_3'' \oplus S_2 \\
S_1 &\leftarrow S_1 \oplus S_3 \\
S_3 &\leftarrow \sim S_3 \\
S_2 &\leftarrow S_2 \oplus (S_0 \,\&\, S_1) \\
\{S_0, S_1, S_2, S_3\} &\leftarrow \{S_3, S_1, S_2, S_0\}
\end{aligned}
\tag{4}
$$
Note that the bit position of each byte does not change, so we can solve this problem by guessing 1 byte in $S_1''$ and 1 byte in $S_2''$ and calculating the corresponding 1 byte in the result. For example, if we choose the last byte of the output $S_3$ as the intermediate value, the calculation can be expressed as:

$$
S_3[0] \leftarrow S_0''[0] \oplus \Big( \big( S_1''[0] \oplus ( S_0''[0] \,\&\, S_2''[0] ) \big) \,\&\, S_3''[0] \Big)
$$

where the index 0 indicates the position of the byte, and $S_i''$ can be obtained from Eq. 1 (2 bytes from $W_{2,6}/W_{3,7}$ are guessed). Based on the same principle, we can also use bit-level intermediate values, which can help to verify the leakage of side-channels more quickly.
2. Side-channel leakage detection

Next, we apply TVLA (Test Vector Leakage Assessment) to determine whether the collected power traces have noticeable plaintext or intermediate value leaks. Specifically, the main techniques used here are Welch’s t-test and the χ²-test. They can roughly locate where in the traces the power leakage occurred.

3. Key recovery attack evaluation

Note that if power leakage is detected in Phase 2, we can apply CPA here to reveal half of the key ($W_{2,3,6,7}$). Recovering the other half of the master key requires attacking the third round of SubCells with the same strategy, building on the success of the first half of the key.
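The byte-local computation from phase 1 can be checked in code. This is an added example, not part of the original report: `subcells` follows Eq. (4), `add_round_key_r1` follows Eq. (3), and random 32-bit words stand in for the nonce-derived state, which is an assumption made here (as is taking byte index 0 to be the least significant byte).

```python
import random

MASK32 = 0xFFFFFFFF
GIFT_SBOX = [0x1, 0xA, 0x4, 0xC, 0x6, 0xF, 0x3, 0x9,
             0x2, 0xD, 0xB, 0x7, 0x5, 0x0, 0x8, 0xE]  # GIFT 4-bit S-box

def subcells(s0, s1, s2, s3):
    """Bitsliced SubCells on four 32-bit words, step by step as in Eq. (4)."""
    s1 ^= s0 & s2
    s0 ^= s1 & s3
    s2 ^= s0 | s1
    s3 ^= s2
    s1 ^= s3
    s3 = ~s3 & MASK32
    s2 ^= s0 & s1
    return s3, s1, s2, s0              # {S0,S1,S2,S3} <- {S3,S1,S2,S0}

def add_round_key_r1(state, w2w3, w6w7):
    """First-round AddRoundKey as in Eq. (3): S' -> S''."""
    s0, s1, s2, s3 = state
    return s0, s1 ^ w6w7, s2 ^ w2w3, s3 ^ 0x80000001

def byte_of(word, j):
    """Byte j of a 32-bit word, j = 0 being the least significant (assumption)."""
    return (word >> (8 * j)) & 0xFF

def predict_s3_byte(state, k_w6w7, k_w2w3, j=0):
    """Byte j of output S3 from byte j of S' and one byte of each subkey word."""
    s0 = byte_of(state[0], j)
    s1 = byte_of(state[1], j) ^ k_w6w7
    s2 = byte_of(state[2], j) ^ k_w2w3
    s3 = byte_of(state[3], j) ^ byte_of(0x80000001, j)
    return s0 ^ ((s1 ^ (s0 & s2)) & s3)

def bitsliced_matches_sbox():
    """Each bit column of Eq. (4) must act as the 4-bit S-box (S0 = LSB)."""
    for x in range(16):
        out = subcells(*[(x >> i) & 1 for i in range(4)])
        if sum((out[i] & 1) << i for i in range(4)) != GIFT_SBOX[x]:
            return False
    return True

def locality_holds(trials=2000, seed=7):
    """Full 32-bit computation vs. the byte-local formula, on constructed inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        state = tuple(rng.getrandbits(32) for _ in range(4))  # stand-in for S'
        w2w3, w6w7 = rng.getrandbits(32), rng.getrandbits(32)
        out = subcells(*add_round_key_r1(state, w2w3, w6w7))
        for j in range(4):
            if byte_of(out[3], j) != predict_s3_byte(
                    state, byte_of(w6w7, j), byte_of(w2w3, j), j):
                return False
    return True

if __name__ == "__main__":
    print(bitsliced_matches_sbox(), locality_holds())
```

Because the formula only ever touches byte j of each word, the remaining three bytes of W2||W3 and W6||W7 cannot influence the predicted byte, which is what makes a two-byte key hypothesis sufficient.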

3 Experimental Setup

In this section, we describe the details of the power trace acquisition process.

3.1 Overall Procedure

The procedure of our power trace collection experiments is presented in Figure 2. As shown in the figure, we first need to download the firmware, which includes the implementation of GIFT-COFB and our custom communication protocol, into the device under evaluation. Then we connect the device to the host computer through a USB serial port so that we can invoke the cipher and record its input and output. Meanwhile, we use a high-precision electromagnetic probe to capture the electromagnetic power emitted from the device chip. The captured power is then transmitted to the oscilloscope to generate and display the waveform of electronic signals. With the help of the oscilloscope, we can acquire enough raw power traces of protected GIFT-COFB in the host computer for later assessment.

Figure 2: Overall procedure of power trace collection

3.2 Experimental Setting

3.2.1 Experimental environments

The details of devices and analyzing suites used for GIFT-COFB are presented in Table 1.

Table 1: Details of experimental environments

| Type | Items | Details |
|---|---|---|
| Hardware platform | Target MCU | STM32F303RCT6 |
| Hardware platform | Target evaluation board | Saseabo-giii (Kintex-7) |
| Measuring tools | High Precision EM probe | Langer RF-U 5-2 |
| Measuring tools | Oscilloscope | Pico 3203D, LeCroy 610Zi |
| Sampling parameters | Sampling rate for MCU | 125 MHz |
| Sampling parameters | Sampling rate for FPGA | 500 MHz |
| Random source | standard C library | rand(), srand() in stdlib.h |

We assign GPIO_12 of STM32F303RCT6 (CN9 of Saseabo-gii) as the pin sending the trigger signals. The given software and hardware implementations of GIFT-COFB will be tested on STM32F303RCT6 and Saseabo-giii, respectively.
3.2.2 Input and output of GIFT-COFB

For the experiments of power trace collection on the software implementation, the input of GIFT-COFB encryption consists of three parts: a 16-byte nonce, 16-byte associated data and 16-byte plaintext. The output consists of a 16-byte ciphertext and a 16-byte authenticated tag. The hardware implementation requires the input to be already masked data, and thus twice as long as the original. The 16-byte encryption key is fixed throughout the collection. The specific information about the fixed input is shown in Table 2. All the fixed values are directly copied from the official test vectors provided in the implementer’s code repository.

According to the analysis in Section 2, changing either the input nonce N or the plaintext will change the intermediate values. Here we choose to alter the nonce in each encryption. Then the intermediate values will change under the same key, thereby generating different but related power consumption patterns. This allows us to perform CPA and other tests.
Table 2: Input details of GIFT-COFB

| Implementation | Fixed Input | Value |
|---|---|---|
| Software | Master key | 000102030405060708090A0B0C0D0E0F |
| Software | Plaintext | 000102030405060708090A0B0C0D0E0F |
| Software | Associated data | 000102030405060708090A0B0C0D0E0F |
| Hardware(masked) | Master key | B54F97F73F0716B75845D3D652C015A7 FEA43B246C15EA6E619601E3FACC42A7 |
| Hardware(masked) | Plaintext | C5F8D832CBF8D832 |
| Hardware(masked) | Associated data | A25D267C615D267C |

3.2.3 Trigger setting

Apart from the equipment mentioned in 2, another probe attached to the oscilloscope can receive trigger signals to help us locate the timing when GIFT-COFB is executed. Thus, we need to modify the original GIFT-COFB implementations so that they can control the corresponding pins of the device to send trigger signals to the oscilloscope.

For the software implementation, the code that controls the pin and sends the trigger signals is inserted before and after the first call to giftb128_encrypt_block, as shown in Figure 3.

Figure 3: Code snippet to set triggers in the software implementation

For the hardware implementation, we use a passive way to set the trigger signal, i.e. the algorithm will block until we supply a high level to a certain pin. The trigger is set as an external signal that enables the hardware to start executing the algorithm by pulling up for 1 clock cycle. This signal is also connected to the oscilloscope as a trigger control for the trace acquisition.

4 Description of Collected Raw Traces

We collected two sets of power traces, (S) and (H). (S) is acquired from the given software GIFT-COFB implementations under settings described in Section 3, and (H) is from the hardware implementation. Their basic information is presented in Table 3.

Table 3

| Item | Software Implementation | Hardware Implementation |
|---|---|---|
| Trace set ID | S | H |
| Rounds contained | 40 | 7 |
| No. of traces | 20,000 | 1,000,000 |
| No. of points per trace | 8,000 | 10,000 |
| Precision | −2^15 ∼ 2^15 | −2^7 ∼ 2^7 |
| Sampling time | 5h | 12h |

The sample plots of trace set (S) and (H) are presented in Figure 4. As seen from Figure 4a, we can easily distinguish the rounds in GIFT-128 encryption from (H).

Figure 4: Sample graph of trace set (S) and (H). Panels: (a) (S), (b) (H)

Then we can perform different tests mentioned in Section 2 on them to evaluate the power leakage of the given implementations.

5 Main Result

5.1 Welch’s t-test

Welch’s t-test is a statistical hypothesis test used to compare the means of two groups, especially when the two groups have unequal sample sizes and variances. In terms of side-channel analysis, we can divide the power traces into two groups according to the difference in intermediate values. More precisely, when the master key is fixed, we can divide the power traces of GIFT-COFB by the following two cases.
• Case (I): The last bit of the first byte of the input nonce is 0 or 1.
• Case (II): The last bit of the first byte of the intermediate value is 0 or 1.

Figure 5: Welch’s t-test results of (S) and (H) (divided by Case (I)). Panels: (a) (S), (b) (H)

The test results are shown in Figure 5 and Figure 6. We can see from the figure that the results failed to reach the threshold of the Welch’s t-test for either the software or the hardware implementation, suggesting that no significant leakage information can be detected using this test approach.

Figure 6: Welch’s t-test results of (S) and (H) (divided by Case (II)). Panels: (a) (S), (b) (H)

5.2 χ²-test

The χ²-test is another statistical hypothesis test, used to determine whether there is a significant difference between the expected and observed frequencies. It is a natural complement to Welch’s t-test for black-box leakage detection, especially in the case of higher-order masked implementations. It can also test the null hypothesis of independence of a pair of random variables. Therefore, as with the t-test, we divide the power traces by the following two cases and observe their statistical differences.
• Case (I): The last bit of the first byte of the input nonce is 0 or 1.
• Case (II): The last bit of the first byte of the intermediate value is 0 or 1.

Figure 7: χ²-test results of (S) and (H) (divided by Case (I)). Panels: (a) (S), (b) (H)

The test results are shown in Figure 7 and Figure 8. We can see from the figure that the results failed to reach the confidence level of the χ²-test in Figure 7a, but there is slight power leakage detected from (H) in Figure 7b when the traces are divided by nonce. However, when the traces are divided according to the intermediate values, the χ²-test cannot find statistically significant differences between the two trace groups.
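To show how the χ²-test can flag leakage that Welch’s t-test misses on a masked design, the following added example (not from the report, and not run on its traces) partitions constructed single-sample leakage by one bit, as in Case (I)/(II). The leakage model, in which both shares of a masked bit leak at the same sample, and the thresholds |t| > 4.5 and −log10(p) > 5 are assumptions made here.

```python
import math
import random

def simulate(n, sigma, masked=True, seed=2022):
    """Constructed traces: one sample point, grouped by the partition bit b."""
    rng = random.Random(seed)
    groups = ([], [])
    for _ in range(n):
        b = rng.getrandbits(1)                 # partition bit (nonce or intermediate)
        m = rng.getrandbits(1)                 # fresh boolean mask
        hw = m + (b ^ m) if masked else b      # both shares leak together, or raw bit
        groups[b].append(hw + rng.gauss(0.0, sigma))
    return groups

def welch_t(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    va = sum((x - ma) ** 2 for x in a) / (len(a) - 1)
    vb = sum((x - mb) ** 2 for x in b) / (len(b) - 1)
    return (ma - mb) / math.sqrt(va / len(a) + vb / len(b))

def chi2_neglog10_p(a, b, bins=9):
    """Two-sample chi-square on histograms; returns (-log10 p, statistic, df)."""
    lo = min(min(a), min(b))
    width = (max(max(a), max(b)) - lo) / bins
    counts = [[0] * bins for _ in range(2)]
    for g, xs in enumerate((a, b)):
        for x in xs:
            counts[g][min(int((x - lo) / width), bins - 1)] += 1
    total, stat, used = len(a) + len(b), 0.0, 0
    for j in range(bins):
        col = counts[0][j] + counts[1][j]
        if col == 0:                           # skip empty histogram columns
            continue
        used += 1
        for g, n_g in enumerate((len(a), len(b))):
            expected = col * n_g / total
            stat += (counts[g][j] - expected) ** 2 / expected
    df = used - 1
    if df < 2 or df % 2:
        raise ValueError("closed-form tail below needs an even df >= 2")
    # Even df = 2m: p = exp(-x/2) * sum_{k<m} (x/2)^k / k!, kept in the log domain.
    half, term, series = stat / 2, 1.0, 1.0
    for k in range(1, df // 2):
        term *= half / k
        series += term
    return (half - math.log(series)) / math.log(10), stat, df

def assess(n=20000, sigma=1.0, masked=True):
    g0, g1 = simulate(n, sigma, masked)
    t = welch_t(g0, g1)
    nlp, stat, df = chi2_neglog10_p(g0, g1)
    return {"t": t, "t_flags": abs(t) > 4.5, "chi2": stat, "df": df,
            "neglog10_p": nlp, "chi2_flags": nlp > 5.0}

if __name__ == "__main__":
    print("masked  :", assess(masked=True))
    print("unmasked:", assess(masked=False))
```

In the masked case both groups have the same mean, so only the shape of the distribution differs; in the unmasked control the means differ and both tests flag it.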

5.3 Correlational power attack (CPA)

CPA is an efficient side-channel analysis method to reveal the secret from power leakage of a cryptographic device. According to the analysis in Section 2, we will guess 1 bit (or 1 byte, using more computational resources) from two different subkeys $W_{2,6}/W_{3,7}$ at a time and compute the corresponding intermediate value. Taking the bit model for example, we can get a sequence of bits from the calculation of intermediate value. The correct guess will exhibit the greatest level of correlation between the bit sequence and real power trace, which indicates the correct subkey bit.

Figure 8: χ²-test results of (S) and (H) (divided by Case (II)). Panels: (a) (S), (b) (H)
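Table 4: CPA guess result of key bits in (S)

| Target bit index | Target bit value (W2||W3) | Target bit value (W6||W7) | Real key rank(/4) | Best guess | Real key |
|---|---|---|---|---|---|
| 0 | 0 | 0 | 3 | 01 | 00 |
| 1 | 0 | 0 | 2 | 10 | 00 |
| 2 | 0 | 0 | 3 | 01 | 00 |
| 3 | 0 | 0 | 3 | 10 | 00 |
| 4 | 0 | 1 | 4 | 00 | 01 |
| 5 | 1 | 1 | 3 | 00 | 11 |
| 6 | 0 | 0 | 1 | 00 | 00 |
| 7 | 0 | 0 | 3 | 11 | 00 |
| 8 | 0 | 0 | 1 | 00 | 00 |
| 9 | 0 | 0 | 1 | 00 | 00 |
| 10 | 0 | 0 | 2 | 01 | 00 |
| 11 | 0 | 0 | 4 | 10 | 00 |
| 12 | 0 | 1 | 2 | 00 | 01 |
| 13 | 1 | 1 | 4 | 00 | 11 |
| 14 | 0 | 0 | 1 | 00 | 00 |
| 15 | 1 | 1 | 1 | 11 | 11 |
| 16 | 0 | 0 | 2 | 10 | 00 |
| 17 | 0 | 0 | 3 | 11 | 00 |
| 18 | 0 | 0 | 1 | 00 | 00 |
| 19 | 0 | 0 | 3 | 01 | 00 |
| 20 | 0 | 1 | 4 | 10 | 01 |
| 21 | 1 | 1 | 4 | 10 | 11 |
| 22 | 1 | 1 | 3 | 10 | 11 |
| 23 | 0 | 0 | 1 | 00 | 00 |
| 24 | 0 | 0 | 4 | 10 | 00 |
| 25 | 0 | 0 | 1 | 00 | 00 |
| 26 | 0 | 0 | 1 | 00 | 00 |
| 27 | 0 | 0 | 2 | 01 | 00 |
| 28 | 0 | 1 | 1 | 01 | 01 |
| 29 | 1 | 1 | 2 | 01 | 11 |
| 30 | 1 | 1 | 3 | 00 | 11 |
| 31 | 1 | 1 | 1 | 11 | 11 |

Table 5: CPA guess result of key bits in (H)

| Target bit index | Target bit value (W2||W3) | Target bit value (W6||W7) | Real key rank | Best guess | Real key |
|---|---|---|---|---|---|
| 0 | 1 | 0 | 4 | 11 | 10 |
| 1 | 1 | 1 | 2 | 01 | 11 |
| 2 | 0 | 0 | 3 | 11 | 00 |
| 3 | 0 | 1 | 2 | 11 | 01 |
| 4 | 1 | 1 | 4 | 10 | 11 |
| 5 | 1 | 1 | 3 | 00 | 11 |
| 6 | 0 | 1 | 3 | 10 | 01 |
| 7 | 0 | 1 | 1 | 01 | 01 |
| 8 | 1 | 1 | 2 | 00 | 11 |
| 9 | 0 | 1 | 2 | 10 | 11 |
| 10 | 1 | 1 | 4 | 01 | 11 |
| 11 | 0 | 0 | 4 | 10 | 00 |
| 12 | 0 | 1 | 1 | 01 | 01 |
| 13 | 1 | 1 | 3 | 10 | 11 |
| 14 | 0 | 0 | 1 | 00 | 00 |
| 15 | 1 | 0 | 1 | 01 | 01 |
| 16 | 0 | 0 | 1 | 00 | 00 |
| 17 | 0 | 1 | 2 | 11 | 01 |
| 18 | 0 | 0 | 1 | 00 | 00 |
| 19 | 1 | 1 | 2 | 10 | 11 |
| 20 | 1 | 1 | 1 | 11 | 11 |
| 21 | 0 | 0 | 2 | 01 | 00 |
| 22 | 0 | 0 | 3 | 11 | 00 |
| 23 | 1 | 1 | 1 | 11 | 11 |
| 24 | 1 | 1 | 1 | 11 | 11 |
| 25 | 0 | 1 | 2 | 10 | 01 |
| 26 | 0 | 0 | 2 | 01 | 00 |
| 27 | 0 | 1 | 1 | 01 | 01 |
| 28 | 1 | 1 | 3 | 00 | 11 |
| 29 | 1 | 1 | 3 | 10 | 11 |
| 30 | 1 | 0 | 3 | 01 | 10 |
| 31 | 1 | 1 | 2 | 01 | 11 |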

For trace set (S), we perform CPA on $W_{2,6}$ and $W_{3,7}$, including half of all key bits of GIFT-128. The CPA guess results for each bit are presented in Table 4.

Note that we are guessing 2 bits of 2 different subkeys each time, hence the guessed bits and real key bits are expressed as $(W_2 \| W_3)[i] \,\|\, (W_6 \| W_7)[i]$, where i indicates the bit location from the lowest. In the result above, the average ranking of the correct key is 2.3125, which is similar to the theoretical result of 2.5 for any random guess. Furthermore, the success rate of key guessing over all bits is 34.375%, which is a slight increase compared to the random guess of 25%, but still far from restoring the real master key.

For trace set (H), we have the following CPA results in Table 5.

The hardware implementation results are similar to the previous ones overall. The average rank order of correct keys in the correlation results is 2.1875, and the percentage of correctly guessed keys is 28.125%. In general, CPA fails to perform effective attacks on the given software and hardware implementations.

References

[BCD+13] Georg T. Becker, Jim Cooper, Elizabeth K. DeMulder, Gilbert Goodwill, Joshua Jaffe, Gary Kenworthy, T. Kouzminov, Andrew J. Leiserson, Mark E. Marson, Pankaj Rohatgi, and Sami Saab. Test vector leakage assessment (TVLA) methodology in practice. 2013.

[BCI+20] Subhadeep Banik, Avik Chakraborti, Akiko Inoue, Tetsu Iwata, Kazuhiko Minematsu, Mridul Nandi, Thomas Peyrin, Yu Sasaki, Siang Meng Sim, and Yosuke Todo. GIFT-COFB. Cryptology ePrint Archive, Paper 2020/738, 2020. https://eprint.iacr.org/2020/738.

[HBB20] Xiaolu Hou, Jakub Breier, and Shivam Bhasin. DNFA: Differential no-fault analysis of bit permutation based ciphers assisted by side-channel. Cryptology ePrint Archive, Paper 2020/1554, 2020. https://eprint.iacr.org/2020/1554.

[MRSS18] Amir Moradi, Bastian Richter, Tobias Schneider, and François-Xavier Standaert. Leakage detection with the χ²-test. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2018(1):209–237, Feb. 2018.
