A Combined Timing and Power Attack

  • Werner Schindler
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2274)


In [9] Walter and Thompson introduced a new side-channel attack on the secret exponents of modular exponentiations which uses techniques from timing attacks to exploit specific information gained by a power attack. Walter and Thompson assumed that the attacked device uses a particular table method combined with Montgomery’s algorithm. In the present paper their attack is optimized and generalized. For 2-bit tables this leads to a reduction of the necessary sample size to 20 per cent. The original attack cannot be applied if 4-bit tables are used, a case of particular practical interest, whereas the optimized attack gets by with 500 measurements. The optimized version can straightforwardly be adapted to other table methods, other multiplication algorithms and inexact timings. Moreover, it is shown that the countermeasures proposed in [9] do not prevent the optimized attack if unsuitable parameters are chosen.


Timing attack, power attack, Montgomery’s algorithm


  1. J.-F. Dhem, F. Koeune, P.-A. Leroux, P.-A. Mestré, J.-J. Quisquater, J.-L. Willems: A Practical Implementation of the Timing Attack. In: J.-J. Quisquater and B. Schneier (eds.): Smart Card — Research and Applications. Lecture Notes in Computer Science 1820, Berlin, Springer (2000), 175–191.
  2. P. Kocher: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS and Other Systems. In: N. Koblitz (ed.): Advances in Cryptology — Crypto ’96, Lecture Notes in Computer Science 1109. Springer, Heidelberg (1996), 104–113.
  3. K. Gandolfi, C. Mourtel, F. Olivier: Electromagnetic Analysis: Concrete Results. In: Ç.K. Koç, D. Naccache, C. Paar (eds.): Cryptographic Hardware and Embedded Systems — CHES 2001, Springer, Lecture Notes in Computer Science 2162, Berlin (2001), 251–261.
  4. P. Kocher, J. Jaffe, B. Jun: Differential Power Analysis. In: M. Wiener (ed.): Advances in Cryptology — Crypto ’99. Lecture Notes in Computer Science 1666, Berlin, Springer (1999), 388–397.
  5. A.J. Menezes, P.C. van Oorschot, S.C. Vanstone: Handbook of Applied Cryptography, Boca Raton, CRC Press (1997).
  6. P.L. Montgomery: Modular Multiplication without Trial Division, Math. Comp. 44, no. 170, 519–521 (April 1985).
  7. W. Schindler: Optimized Timing Attacks against Public Key Cryptosystems. To appear in Statistics & Decisions.
  8. W. Schindler: A Timing Attack against RSA with the Chinese Remainder Theorem. In: Ç.K. Koç, C. Paar (eds.): Cryptographic Hardware and Embedded Systems — CHES 2000, Springer, Lecture Notes in Computer Science 1965, Berlin (2000), 110–125.
  9. C.D. Walter, S. Thompson: Distinguishing Exponent Digits by Observing Modular Subtractions. In: D. Naccache (ed.): Topics in Cryptology — CT-RSA 2001, Springer, Lecture Notes in Computer Science 2020, Berlin (2000), 192–207.

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Werner Schindler, Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn, Germany
