A Combined Timing and Power Attack
In Walter and Thompson introduced a new side-channel attack on the secret exponents of modular exponentiations which uses techniques from timing attacks to exploit specific information gained by a power attack. Walter and Thompson assumed that the attacked device uses a particular table method combined with Montgomery’s algorithm. In the present paper their attack is optimized and generalized. For 2- bit tables this leads to a reduction of the necessary sample size to 20 per cent. The original attack cannot be applied if 4-bit tables are used,a case of particular practical interest,whereas the optimized attack gets by with 500 measurements. The optimized version can straightforwardly be adapted to other table methods,other multiplication algorithms and inexact timings. Moreover,it is shown that the countermeasures proposed in  do not prevent the optimized attack if unsuitable parameters are chosen.
KeywordsTiming attack power attack Mon tgomery’s algorithm
- 1.J.-F. Dhem, F. Koeune, P.-A. Leroux, P.-A. Mestré, J.-J. Quisquater, J.-L. Willems: A Practical Implementation of the Timing Attack. In: J.-J. Quisquater and B. Schneier (eds.): Smart Card — Research and Applications. Lecture Notes in Computer Science 1820, Berlin, Springer (2000), 175–191.Google Scholar
- 4.P. Kocher, J. Jaffe, B. Jub: Differential Power Analysis. In: M. Wiener (ed.): Advances in Cryptology — Crypto’ 99. Lecture Notes in Computer Science 1666, Berlin, Springer (1999), 388–397.Google Scholar
- 7.W. Schindler: Optimized Timing Attacks against Public Key Cryptosystems. To appear in Statistics & Decisions.Google Scholar