Butterfly-Attack on Skein’s Modular Addition

  • Michael Zohner
  • Michael Kasper
  • Marc Stöttinger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7275)


At the cutting edge of today's security research and development, the SHA-3 contest evaluates a new successor to SHA-2 for secure hashing operations. One of the finalists is the SHA-3 candidate Skein. Like many other cryptographic primitives, Skein utilizes arithmetic operations, for instance modular addition. In this paper we introduce a new method of performing a DPA on modular addition of arbitrary length. We give an overview of side-channel analysis of modular addition, followed by the problems that occur when dealing with large operand sizes of 32 bits and more. To overcome these problems, we suggest a new method, called the Butterfly-Attack, to exploit the leakage of modular additions. We show its real-world application by applying our new approach to Skein-MAC, enabling us to forge legitimate MACs using Skein.


Keywords: side-channel, SHA-3, Skein, Butterfly-Attack, modular addition





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Michael Zohner (1, 3)
  • Michael Kasper (2, 3)
  • Marc Stöttinger (1, 3)
  1. Integrated Circuits and Systems Lab, Technische Universität Darmstadt, Darmstadt, Germany
  2. Fraunhofer Institute for Secure Information Technology (SIT), Darmstadt, Germany
  3. Center for Advanced Security Research Darmstadt (CASED), Darmstadt, Germany
