Single-Trace Side-Channel Attacks on Scalar Multiplications with Precomputations

Kimmo Järvinen, Josep Balasch

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review


Abstract

Single-trace side-channel attacks are a serious threat to elliptic curve cryptography in practice because they can also break cryptosystems in which scalars are nonces (e.g., ECDSA). Previously it was believed that single-trace attacks could be avoided by using scalar multiplication algorithms with regular patterns of operations, but recently it has become clear that such algorithms can be broken with correlation tests that decide whether different operations share common operands. In this work, we extend these attacks to scalar multiplication algorithms with precomputations. We show that many such algorithms are vulnerable to our attack, which correlates measurements with the precomputed values. We also show that successful attacks are possible even without knowledge of the precomputed values, by using clustering instead of correlations. We provide extensive evidence for the feasibility of the attacks through simulations and through experiments on an 8-bit AVR. Finally, we discuss the effectiveness of certain countermeasures against our attacks.
Original language: English
Title of host publication: Smart Card Research and Advanced Applications
Subtitle of host publication: 15th International Conference, CARDIS 2016, Cannes, France, November 7–9, 2016, Revised Selected Papers
Editors: Kerstin Lemke-Rust, Michael Tunstall
ISBN (Electronic): 978-3-319-54669-8
Publication status: Published - 2017
MoE publication type: A4 Article in a conference publication
Event: Smart Card Research and Advanced Application Conference - Cannes, France
Duration: 7 Nov 2016 to 9 Nov 2016

Publication series

Name: Lecture Notes in Computer Science
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: Smart Card Research and Advanced Application Conference
Abbreviated title: CARDIS
