Dismantling Real-World ECC with Horizontal and Vertical Template Attacks

  • Margaux Dugardin
  • Louiza Papachristodoulou
  • Zakaria Najm
  • Lejla Batina
  • Jean-Luc Danger
  • Sylvain Guilley
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9689)


Recent side-channel attacks on elliptic curve algorithms have shown that the security of these cryptosystems is a matter of serious concern. The development of techniques in the area of Template Attacks makes it feasible to extract a 256-bit secret key with only 257 traces. This paper enhances the applicability of this attack by exploiting both the horizontal leakage of the carry propagation during the finite field multiplication and the vertical leakage of the input data. As a further contribution, our method provides detection and auto-correction of possible errors that may occur during the key recovery. These enhancements come at the cost of extra traces, while still providing a practical attack. Finally, we show that the elliptic curve algorithms developed for PolarSSL, and consequently mbedTLS, running on an ARM STM32F4 platform are completely vulnerable when used without any modifications or countermeasures.


Keywords: Side-channel analysis, Horizontal leakage, Vertical leakage, Scalar multiplication, Brainpool curves, NIST curves, mbedTLS



The authors would like to thank the anonymous reviewers for their useful comments that improved the quality of the paper. Moreover, the first author would like to thank Jean-Christophe Courrège and Carine Therond for useful comments on an earlier version of this work.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Margaux Dugardin (1, 2)
  • Louiza Papachristodoulou (3)
  • Zakaria Najm (1)
  • Lejla Batina (3)
  • Jean-Luc Danger (1)
  • Sylvain Guilley (1)

  1. COMELEC, TELECOM ParisTech, Paris, France
  2. Thales Communications & Security, CESTI, Toulouse, France
  3. Digital Security Group, Radboud University Nijmegen, Nijmegen, The Netherlands