Practical Second-Order CPA Attack on Ascon with Proper Selection Function
摘要
Ascon has recently been selected by the National Institute of Standards and Technology (NIST) as the lightweight cryptography standard. Consequently, it is utilized in a multitude of environments and devices. In this study, we examine the potential vulnerability of Ascon software implementations to Correlation Power Analysis (CPA) attacks. First, we conduct a comprehensive analysis of different approaches from the literature for choosing the selection function used to compute intermediate values in a CPA attack. Through both theoretical explanation and experimental validation, we demonstrate how these choices influence the success of the attack. Second, leveraging insights from our analysis, we present, to the best of our knowledge, the first successful and practical second-order CPA attack on a masked software implementation provided by the Ascon team running on a 32-bit microcontroller. Our results show that the full 128-bit key can be recovered in 4.7 h through the analysis of 360,000 traces on classical laptop.