On Randomized Addition-Subtraction Chains to Counteract Differential Power Attacks

  • Anton Kargl
  • Götz Wiesend
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3269)


Since the work of Coron ([Co99]) we are aware of Differential Power Analysis (DPA) as a tool used by attackers of elliptic curve cryptosystems. In 2003 Ebeid and Hasan proposed a new defense in the spirit of earlier work by Oswald/Aigner and Ha/Moon. Their algorithm produces a random representation of the key in binary signed digits. This representation translates into an addition-subtraction chain for the computation of multiplication by the key (on the elliptic curve). The security rests on the fact, that addition and subtraction are indistinguishable from a power analysis viewpoint. We introduce an attack on this new defense under the assumption that SPA is possible: The attacker has a method to detect the presence of an addition or subtraction at a particular bit position of the addition-subtraction chain, while he needs not to be able to discriminate between these. We make the embedded system execute a number N (may be as few as 100) of instances of the cryptoalgorithm with the secret key. For each bit of the key we record a statistic on the occurence of a nonzero digit at this position in the (internal) binary signed digits representation of the key. If the number N of executions is large enough, the statistic can be used to estimate the respective probability (for a nonzero digit of the random binray signed digits representation of the key at this particular position). These probabilities in turn allow to deduce the secret key.

We then propose a second algorithm along the lines given by Ebeid and Hasan, which however, processes the bits in the other direction. One of us suggested that probabilistic switching between the two algorithms might provide better security. A closer analysis showed that exploiting the correlations between the power traces makes it possible to isolate a sufficient majority of executions of a particular one of the algorithms and to mount the attack.


side channel attacks DPA binary signed digits 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [Bl99]
    Blake, I., Seroussi, G., Smart, N.P.: Elliptic Curves in Cryptography. Cambridge University Press, Cambridge (1999)zbMATHGoogle Scholar
  2. [Co99]
    Coron, J.S.: Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  3. [Dh98]
    Dhem, J.F., Koeune, F., Leroux, P.-A., Mestre, P., Quisquater, J.J., Willems, J.L.: A practical implementation of the Timing Attack. In: Schneier, B., Quisquater, J.-J. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 175–190. Springer, Heidelberg (2000)Google Scholar
  4. [Eb03]
    Ebeid, N., Hasan, M.A.: Analysis of DPA Countermeasures Based on Randomizing the Binary Algorithm. Technical Report CORR 2003-14, Centre for Applied Cryptography Research, University of Waterloo, CanadaGoogle Scholar
  5. [Eb04]
    Ebeid, N., Hasan, M.A.: On Randomizing Private Keys to Counteract DPA Attacks. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 58–72. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. [Ga01]
    Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic Analysis: Concrete Results. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 251–261. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. [Ga00]
    Gaudry, P., Hess, F., Smart, N.P.: Contructive and Destructive Facets Of Weil Descent On Elliptic Curves. J. of Cryptology 15, 19–46 (2000)CrossRefMathSciNetGoogle Scholar
  8. [Ha02]
    Ha, J., Moon, S.: Randomized signed-scalar multiplication of ECC to resist power attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 551–563. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. [Ka03]
    Karlof, C., Wagner, D.: Hidden Markov Model Analysis. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 17–34. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. [Ko87]
    Koblitz, N.: Elliptic curve cryptosystems. Math. Comp. 45, 203–209 (1987)MathSciNetCrossRefGoogle Scholar
  11. [Ko96]
    Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  12. [Ko99]
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  13. [Me93]
    Menezes, A.J.: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, Dordrecht (1993)zbMATHGoogle Scholar
  14. [Me01]
    Menezes, A.J., Qu, M.: Analysis of the Descent Attack of Gaudry, Hess and Smart. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 308–318. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. [Me99]
    Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Power Analysis Attacks of Modular Exponentiation in Smartcards. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 144–157. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  16. [Mi86]
    Miller, V.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
  17. [Ok00]
    Okeya, K., Sakurai, K.: Power analysis breaks elliptic curve cryptosystems even secure against timing attacks. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 178–190. Springer, Heidelberg (2000)Google Scholar
  18. [Ok02]
    Okeya, K., Sakurai, K.: On Insecurity of the Side Channel Attack Countermeasure using Addition-Subtraction Chains under Distinguishability between Addition and Doubling. In: Batten, L.M., Seberry, J. (eds.) ACISP 2002. LNCS, vol. 2384, pp. 420–435. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  19. [Ok03]
    Okeya, K., Han, D.: Side Channel Attack on Ha-Moon’s Countermeasure of Randomized Signed Scalar Multiplication. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 334–348. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. [Os01]
    Oswald, E., Aigner, M.: Randomized addition-subtraction chains as a countermeasure against power attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 39–50. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  21. [Sc00]
    Schindler, W.: A Timing Attack against RSA with Chinese Remainder Theorem. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 109–124. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  22. [Sm99]
    Smart, N.P.: The Discrete Logarithm Problem On Elliptic Curves Of Trace One. J. of Cryptology 12, 193–196 (1999)zbMATHCrossRefMathSciNetGoogle Scholar
  23. [Wa03]
    Walter, C.: Longer Keys may facilitate Side Channel Attacks. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 42–57. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  24. [Wi99]
    Wiener, M.J., Zuccherato, R.J.: Faster attacks on elliptic curve cryptosystems. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 190–200. Springer, Heidelberg (1999)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Anton Kargl
    • 1
  • Götz Wiesend
    • 2
  1. 1.AGE Elektronik GmbHSauerlachGermany
  2. 2.Mathematisches Institut der Universität ErlangenGermany

Personalised recommendations