Paper 2026/067
MALeak: Blind Side-Channel Key Recovery Exploiting Modular Addition Leakage in ARX-based Block Ciphers
Abstract
Side-channel analysis (SCA) can recover secret keys by exploiting physical leakages emitted during cryptographic computations. Most SCA techniques, however, require knowledge of the plaintext or ciphertext corresponding to each measured trace, which may be unavailable in realistic adversarial settings. Blind side-channel analysis (Blind SCA), first introduced in 2014, relaxes this requirement, but existing work has mainly targeted S-box nonlinearities. We present a systematic study of blind SCA targeting modular addition, the core nonlinear operation in ARX-based block ciphers, by leveraging key-dependent statistical characteristics arising from carry propagation. We introduce MALeak, a framework that models analysis targets as generalized key-dependent functions involving modular addition. We validate key recovery in simulation under varying noise levels and instantiate MALeak for HIGHT and SPECK by deriving cipher-specific attack procedures. We further evaluate the MALeak instantiations for HIGHT and SPECK on real power traces collected from an STM32F415 microcontroller (ARM Cortex-M4). Our results show that, given suitable points of interest (PoIs), MALeak can recover secret keys of ARX-based block ciphers without access to the corresponding plaintext or ciphertext.
Metadata
- Available format(s)
- PDF
- Category
- Attacks and cryptanalysis
- Publication info
- Preprint.
- Keywords
- Blind side-channel analysis, ARX-based block cipher, HIGHT, SPECK, Modular addition
- Contact author(s)
- dldlsgns99 @ korea ac kr, ks9509 @ korea ac kr, shhong @ smartm2m co kr, 80khs @ korea ac kr
- History
- 2026-02-09: last of 4 revisions
- 2026-01-16: received
- Short URL
- https://ia.cr/2026/067
- License
- CC BY
BibTeX
@misc{cryptoeprint:2026/067,
author = {Inhun Lee and GyuSang Kim and Seokhie Hong and HeeSeok Kim},
title = {{MALeak}: Blind Side-Channel Key Recovery Exploiting Modular Addition Leakage in {ARX}-based Block Ciphers},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/067},
year = {2026},
url = {https://eprint.iacr.org/2026/067}
}