Skip to main content

Cache vs. key-dependency: Side channeling an implementation of pilsung


Daniel Genkin, Romain Poussier, Rui Qi Sim, Yuval Yarom and Yuanjing Zhao

University of Michigan


Nanyang Technological University

University of Adelaide

The University of Adelaide


Over the past two decades, cache attacks have been identified as a threat to the security of cipher implementations. These attacks recover secret information by combining observations of the victim cache accesses with the knowledge of the internal structure of the cipher. So far, cache attacks have been applied to ciphers that have fixed state transformations, leaving open the question of whether using secret, key-dependent transformations enhances the security against such attacks. In this paper we investigate this question. We look at an implementation of the North Korean cipher Pilsung, as reverse-engineered by Kryptos Logic. Like AES, Pilsung is a permutation-substitution cipher, but unlike AES, both the substitution and the permutation steps in Pilsung depend on the key, and are not known to the attacker. We analyze Pilsung and design a cache-based attack. We improve the state of the art by developing techniques for reversing secret-dependent transformations. Our attack, which requires an average of eight minutes on a typical laptop computer, demonstrates that secret transformations do not necessarily protect ciphers against side channel attacks.

BibTeX Entry

    month            = nov,
    pages            = {231-255},
    issue            = {1},
    journal          = {IACR Transactions on Cryptographic Hardware and Embedded Systems},
    volume           = {2020},
    publisher        = {Ruhr-University of Bochum},
    author           = {Genkin, Daniel and Poussier, Romain and Sim, Rui Qi and Yarom, Yuval and Zhao, Yuanjing},
    title            = {Cache vs. Key-Dependency: Side Channeling an Implementation of Pilsung},
    year             = {2019},
    date             = {2019-11-19}