SNOW-SCA: ML-assisted Side-Channel Attack on SNOW-V
Harshit Saurabh, Anupam Golder, Samarth Shivakumar Titti, Suparna Kundu, Chaoyun Li, Angshuman Karmakar, Debayan Das
TL;DR
This work reveals a practical power side-channel vulnerability in SNOW-V, a 5G stream cipher candidate, by combining known-key correlation, CPA, and a machine-learning-based LDA classifier to recover a 256-bit secret key on a Cortex-M4. The attack isolates leakage to the LFSR update, reduces key-search to per-byte CPA, and resolves ghost peaks with LDA, achieving key recovery with fewer than 50 traces in measurements and 100% LSB accuracy with under 200 traces in training. Incremental byte-wise recovery enables full key reconstruction. The authors propose effective countermeasures, notably Boolean masking, which yields strong resilience; constant-time measures alone are insufficient. The findings underscore the importance of both resistant design at the software level and circuit-level defenses for SCA resilience in next-generation mobile standards.
Abstract
This paper presents SNOW-SCA, the first power side-channel analysis (SCA) attack on a 5G mobile communication security standard candidate, SNOW-V, running on a 32-bit ARM Cortex-M4 microcontroller. First, we perform a generic known-key correlation (KKC) analysis to identify the leakage points. Next, a correlation power analysis (CPA) attack is performed, which reduces the attack complexity to two key guesses for each key byte. The correct secret key is then uniquely identified utilizing linear discriminant analysis (LDA). The profiled SCA attack with LDA achieves 100% accuracy after training with <200 traces, which means the attack succeeds with just a single trace. Overall, using the combined CPA and LDA attack model, the correct secret key byte is recovered with <50 traces collected using the ChipWhisperer platform. The entire 256-bit secret key of SNOW-V can be recovered incrementally using the proposed SCA attack. Finally, we suggest low-overhead countermeasures that can be used to prevent these SCA attacks.
