SNOW-SCA: ML-assisted Side-Channel Attack on SNOW-V
This work exposes a critical security flaw in a 5G candidate standard, enabling practical attacks on mobile communications, though the contribution is incremental in that it applies known methods to a new target.
This paper addresses the vulnerability of the SNOW-V 5G security standard candidate to side-channel attacks by demonstrating a power analysis attack that recovers the 256-bit secret key with high efficiency: the profiled stage achieves 100% accuracy after training on fewer than 200 traces, and each key byte is recovered with under 50 traces.
This paper presents SNOW-SCA, the first power side-channel analysis (SCA) attack of a 5G mobile communication security standard candidate, SNOW-V, running on a 32-bit ARM Cortex-M4 microcontroller. First, we perform a generic known-key correlation (KKC) analysis to identify the leakage points. Next, a correlation power analysis (CPA) attack is performed, which reduces the attack complexity to two key guesses for each key byte. The correct secret key is then uniquely identified utilizing linear discriminant analysis (LDA). The profiled SCA attack with LDA achieves 100% accuracy after training with fewer than 200 traces, which means the attack succeeds with just a single trace. Overall, using the combined CPA and LDA attack model, the correct secret key byte is recovered with fewer than 50 traces collected using the ChipWhisperer platform. The entire 256-bit secret key of SNOW-V can be recovered incrementally using the proposed SCA attack. Finally, we suggest low-overhead countermeasures that can be used to prevent these SCA attacks.
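The abstract names three generic building blocks: a known-key correlation (KKC) pass to locate the leaking sample, a CPA pass that ranks key-byte guesses by correlation at that sample, and a countermeasure. The following is an added example, not code from the SNOW-SCA paper or from ChipWhisperer, that runs that KKC-then-CPA pipeline on constructed synthetic traces and then shows why a first-order Boolean mask (one of the usual low-overhead countermeasures; the paper's specific countermeasures are not reproduced here) flattens the CPA peak. Everything in it is an assumption for illustration: the 8-bit S-box is a seeded random permutation rather than any SNOW-V component, the leakage is a Hamming-weight model with Gaussian noise at one fixed sample index, and the LDA second stage of the paper is omitted.

```python
"""KKC leakage-point search, CPA key ranking and first-order masking on
constructed synthetic traces.  Added example; not the SNOW-SCA paper's code.
The S-box, leakage model and all trace data are constructed here and are
not SNOW-V's."""
import random

N_SAMPLES = 8        # samples per constructed trace
LEAK_INDEX = 5       # sample at which the S-box output leaks (assumption)
NOISE_SIGMA = 1.0    # Gaussian measurement noise, in Hamming-weight units


def make_sbox(seed=1):
    """Constructed 8-bit bijective S-box: a seeded random permutation."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return table


SBOX = make_sbox()


def hw(x):
    """Hamming weight of a byte: the leakage model assumed throughout."""
    return bin(x & 0xFF).count("1")


def simulate_traces(key_byte, n_traces, masked=False, seed=2):
    """Return (plaintexts, traces).  Each trace has N_SAMPLES floats; only the
    sample at LEAK_INDEX depends on the intermediate S[p ^ k].  With
    masked=True the device instead leaks S[p ^ k] XOR m for a fresh uniform
    mask m per trace (first-order Boolean masking of the S-box output)."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)
        v = SBOX[p ^ key_byte]
        if masked:
            v ^= rng.randrange(256)
        trace = [rng.gauss(0.0, NOISE_SIGMA) for _ in range(N_SAMPLES)]
        trace[LEAK_INDEX] += hw(v)
        plaintexts.append(p)
        traces.append(trace)
    return plaintexts, traces


def pearson(xs, ys):
    """Sample Pearson correlation coefficient of two equal-length lists."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def known_key_leakage_point(plaintexts, traces, key_byte):
    """KKC: with the key known (profiling device), correlate HW(S[p ^ k])
    against every sample and return the index with the strongest |r|.
    That index is the point of interest a CPA then targets."""
    hyp = [hw(SBOX[p ^ key_byte]) for p in plaintexts]
    corr = [pearson(hyp, [t[i] for t in traces]) for i in range(N_SAMPLES)]
    return max(range(N_SAMPLES), key=lambda i: abs(corr[i]))


def cpa(plaintexts, traces, sample_index):
    """CPA: rank all 256 key-byte guesses by |correlation| between the
    hypothesis HW(S[p ^ guess]) and the chosen sample.  Returns a list of
    (guess, |r|) sorted best first."""
    column = [t[sample_index] for t in traces]
    scores = []
    for g in range(256):
        hyp = [hw(SBOX[p ^ g]) for p in plaintexts]
        scores.append((g, abs(pearson(hyp, column))))
    scores.sort(key=lambda gr: gr[1], reverse=True)
    return scores


def demo(key_byte=0x3C, n_traces=500):
    """Run KKC on unmasked traces, then CPA on unmasked and masked traces.
    Returns (leak_index_found, best_unmasked, best_masked) where each
    'best' is the top (guess, |r|) pair."""
    p, tr = simulate_traces(key_byte, n_traces)
    poi = known_key_leakage_point(p, tr, key_byte)
    best_unmasked = cpa(p, tr, poi)[0]
    pm, trm = simulate_traces(key_byte, n_traces, masked=True)
    best_masked = cpa(pm, trm, poi)[0]
    return poi, best_unmasked, best_masked


if __name__ == "__main__":
    poi, best, best_m = demo()
    print("leakage sample:", poi)
    print("unmasked CPA top guess: 0x%02x |r|=%.3f" % best)
    print("masked CPA top guess:   0x%02x |r|=%.3f" % best_m)
```

With the assumed noise level, the correct guess on the unmasked traces stands out with |r| near 0.8 (the theoretical sqrt(2/3) for unit-variance noise against a Hamming-weight variance of 2), while every guess on the masked traces sits in the statistical noise floor of roughly 1/sqrt(n_traces). The same structure applies to a profiling check on a real target: if a KKC pass with the known key still finds a sample with a clear peak after a countermeasure is applied, the countermeasure is not doing its job.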