Figure 4: Difference for a correct guess on k
i+1
⊕ k
i
.
Figure 5: Difference for a wrong guess on k
i+1
⊕ k
i
.
In Fig. 4 and Fig. 5 we provide the ADPA obtained
for an RSA of size 1024 bits and using 4000 traces.
We can see the peak in Fig. 5 showing that the guess
g is not correct. There is no peak in Fig. 4 which
means that the guess is correct.
This experimentation shows that the proposed ap-
proach is effective to extract the whole key. This
means that Algorithm 3 does not provide the claimed
protection from ADPA. This attack works even if the
elements are blinded at the beginning of the expo-
nentiation, by either a randomized representation or
a multiplication with a random element.
5 CONCLUSION
In this paper we considered two exponentiation al-
gorithms (Algorithm 2 and 3) proposed in (Tunstall
et al., 2018) with randomized store and load in or-
der to counter-act address bit differential power anal-
ysis. We analyzed the security of these approaches,
and we showed that Algorithm 3 has a an important
ﬂaw. Indeed, the operation done in Step 3 of Algo-
rithm 3 is a square or multiplication depending on
the bit used for load and store randomization. With
a simulated power consumption we showed that we
can distinguish a square from a multiplication. This
means that the randomization of loads and stores in
Algorithm 3 is not effective anymore and an ADPA
can be conducted to recover the whole secret key with
a few thousand power traces.
REFERENCES
Bosselaers, A., Govaerts, R., and Vandewalle, J. (1993).
Comparison of Three Modular Reduction Functions.
In CRYPTO’93, volume 773 of LNCS, pages 175–186.
Clavier, C., Feix, B., Roussellet, M., and Verneuil, V.
(2010). Horizontal Correlation Analysis on Exponen-
tiation. In ICICS 2010, volume 6476 of LNCS, pages
46–61.
Coron, J.-S. (1999). Resistance against Differential Power
Analysis for Elliptic Curve Cryptosystems. In CHES
1999, pages 292–302.
Fouque, P. and Valette, F. (2003). The Doubling Attack –
Why Upwards Is Better than Downwards. In CHES
2003, pages 269–280.
Hanley, N., Tunstall, M., and Marnane, W. (2011). Using
templates to distinguish multiplications from squaring
operations. Int. J. Inf. Sec., 10(4):255–266.
Itoh, K., Izu, T., and Takenaka, M. (2003). Address-Bit Dif-
ferential Power Analysis of Cryptographic Schemes
OK-ECDH and OK-ECDSA. In CHES 2002, LNCS,
pages 129–143.
Izumi, M., Ikegami, J., Sakiyama, K., and Ohta, K. (2010).
Improved countermeasure against address-bit DPA for
ECC scalar multiplication. In DATE 2010, pages 981–
984.
Joye, M. and Yen, S. (2002). The Montgomery Powering
Ladder. In CHES 2002, volume 2523 of LNCS, pages
291–302.
Kocher, P. (1996). Timing Attacks on Implementations of
Difﬁe-Hellman, RSA, DSS, and Other Systems. In
CRYPTO ’96, volume 1109 of LNCS, pages 104–113.
Kocher, P. C., Jaffe, J., and Jun, B. (1999). Differential
Power Analysis. In CRYPTO’99, volume 1666 of
LNCS, pages 388–397.
Smart, N. P., Oswald, E., and Page, D. (2008). Randomised
representations. IET Inform. Security, 2(2):19–27.
Tunstall, M. and Joye, M. (2010). Coordinate Blinding over
Large Prime Fields. In CHES 2010, pages 443–455.
Tunstall, M., Papachristodoulou, L., and Papagiannopoulos,
K. (2018). Boolean Exponent Splitting. Technical
Report 2018/1226, IACR Cryptology ePrint Archive.
Yen, S., Ko, L., Moon, S., and Ha, J. (2006). Relative Dou-
bling Attack Against Montgomery Ladder. In ICISC
2005, LNCS, pages 117–128.
Address-bit Differential Power Analysis on Boolean Split Exponent Counter-measure
637