Power Analysis Attacks on the Customizable MK-3 Authenticated Encryption Algorithm

P. Fabinski (Rochester Inst. of Techn., USA), S. Farris, M. Kurdziel (L3Harris Techn., USA), M. Łukowiak, S. Radziszowski (Rochester Inst. of Techn., USA)

MK-3 is an authenticated encryption scheme based on the duplex sponge construction, suitable for both hardware and software, but whose design features are targeted specially for hardware implementations. MK-3 provides broad customization features, in the form of both factory customization and further field customization. The MK-3 scheme is a proprietary algorithm of L3Harris Technologies, formerly also proprietary of its original developer, Harris Corporation. The same security claims are valid for the original and all factory customizations, and for further algorithm customizations which can be easily adopted by the users. Extensive security analyses of the MK-3 scheme were performed in our previous work: classic cryptographic analysis including differential and linear attacks, cube attacks, and brute force attacks, as well as statistical analysis of bit positions and of ciphertexts. In this work we report on new extensive experiments involving Correlation Power Analysis (CPA), which is considered one of the most powerful general side-channel attack (SCA) techniques. Two CPA attacks on MK-3 were developed targeting different locations in the encryption: the first directly after the key absorption, and the second one after the S-boxes in the first round of IV absorption. In the first attack, under strong assumptions about attacker’s capability to collect traces, we can recover 128 of the 512 state bits in a physical test on an FPGA. The second attack builds up on top of the first one, but it assumes that the adversary can embed additional special registers after the S-boxes in order to make the attack feasible. Even under such ideal conditions, this attack can potentially reduce the brute-forcing difficulty only by an additional 88 to 194 bits. Overall, this gives the CPA attack no advantage over brute-forcing for the original 128-bit key. The previous and current results together ensure that the MK-3 encryption algorithm and its customized versions effectively conceal its plaintext input.