Template attack on SPA and FA resistant implementation of Montgomery ladder

Hardware implementations of the well-known Rivest–Shamir–Adleman (RSA) algorithm have been shown to be vulnerable to power analysis and fault analysis (FA) attacks. To implement protected RSA-CRT (Chinese remainder theorem) designs in embedded devices such as smart cards or RFID tags, one needs countermeasures that require little extra computation and incur low storage overhead. One such efficient scheme, the Montgomery powering ladder, was proposed by Joye and Yen at CHES'02 and was claimed to be secure against both simple power analysis (SPA) and FA attacks. In this study, the authors demonstrate a template attack (TA) against this countermeasure and show that the scheme can be broken with a low number of power traces. In addition, the authors report experimental results of the proposed attack against an implementation of the Joye–Yen ladder on a Xilinx MicroBlaze soft-core processor on the SASEBO-W standard side-channel analysis board. Least squares support vector machine (LS-SVM) binary classifiers were used to analyse the collected power traces. The authors also describe the potential threat posed by cache timing attacks on the ladder in the presence of a concurrently running spy process, and outline a possible countermeasure against the described attacks.
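The abstract names two properties of the Joye–Yen ladder and the method used to break it: every exponent bit costs one multiply and one square regardless of its value (the SPA argument), the registers always satisfy R1 = R0 · g mod n so that a fault in either register is detectable (the FA argument), and a profiled classifier that learns the remaining bit-dependent leakage still recovers the exponent. The following is an added example written for this page, not code from the paper or from any of the cited works. It uses a plain diagonal-covariance Gaussian template (the Chari–Rao–Rohatgi approach) in place of the LS-SVM classifier the paper used, and it runs the attack on a constructed leakage model, not on measured traces: the assumed leak is that the three samples in `POIS` shift by `DELTA` when the multiply writes R0 rather than R1, on top of a small Hamming-weight term and Gaussian noise. The modulus, base, sample count and noise level are all assumed toy values.

```python
"""Added example (not the paper's code): Joye-Yen Montgomery powering ladder
with the R1 == R0 * g fault-detection check, and a Gaussian template attack
on a constructed register-address leakage model (stand-in for the LS-SVM)."""
import math
import random

SAMPLES = 8          # samples per ladder step in the constructed traces (assumed)
POIS = (2, 3, 4)     # points of interest carrying the register-dependent leak (assumed)
DELTA = 4.0          # assumed mean shift when the multiply writes R0 (bit = 1)
SIGMA = 1.0          # assumed measurement-noise standard deviation

def ladder(g, d, n, leak=None, fault_step=None):
    """g^d mod n with one multiply and one square per exponent bit, whatever
    the bit (SPA countermeasure). `leak` receives (bit, multiply result) per
    step so a leakage model can be attached; `fault_step` flips a bit of R0
    at that step to simulate a fault. The ladder invariant R1 == R0*g (mod n)
    is checked after each step: a fault in either register breaks it."""
    r0, r1 = 1, g % n
    for step, bit in enumerate(map(int, bin(d)[2:])):
        if bit == 0:
            r1 = r0 * r1 % n
            r0 = r0 * r0 % n
            written = r1
        else:
            r0 = r0 * r1 % n
            r1 = r1 * r1 % n
            written = r0
        if step == fault_step:
            r0 ^= 1                       # injected fault (simulation only)
        if leak is not None:
            leak(bit, written)
        if (r0 * g - r1) % n:
            raise ValueError("fault detected: R1 != R0 * g (mod n)")
    return r0

def fault_is_detected(g, d, n, step):
    try:
        ladder(g, d, n, fault_step=step)
    except ValueError:
        return True
    return False

def trace_step(bit, written, rng):
    """Constructed leakage for one step: a small Hamming-weight term of the
    multiply result on every sample (algorithmic noise), Gaussian noise, and
    at the POIs a DELTA offset when the multiply targeted R0 (bit = 1)."""
    base = 0.1 * bin(written).count("1")
    return [base + (DELTA * bit if i in POIS else 0.0) + rng.gauss(0, SIGMA)
            for i in range(SAMPLES)]

def collect(g, d, n, rng):
    """Run the ladder on exponent d; return [(bit, trace)] for every step."""
    steps = []
    ladder(g, d, n, leak=lambda b, w: steps.append((b, trace_step(b, w, rng))))
    return steps

def build_templates(profiling):
    """Per-class, per-sample mean and variance from traces with known bits."""
    tmpl = {}
    for cls in (0, 1):
        traces = [t for b, t in profiling if b == cls]
        means = [sum(t[i] for t in traces) / len(traces) for i in range(SAMPLES)]
        var = [sum((t[i] - means[i]) ** 2 for t in traces) / (len(traces) - 1)
               for i in range(SAMPLES)]
        tmpl[cls] = (means, var)
    return tmpl

def log_likelihood(tmpl, cls, trace):
    means, var = tmpl[cls]
    return sum(-0.5 * math.log(2 * math.pi * v) - (x - m) ** 2 / (2 * v)
               for x, m, v in zip(trace, means, var))

def classify(tmpl, trace):
    return max((0, 1), key=lambda c: log_likelihood(tmpl, c, trace))

def recover_key(tmpl, runs):
    """Several traces of one unknown key: per step, sum the log-likelihoods
    over the runs and take the better class as that exponent bit."""
    bits = []
    for i in range(len(runs[0])):
        score = {c: sum(log_likelihood(tmpl, c, run[i]) for run in runs)
                 for c in (0, 1)}
        bits.append(max(score, key=score.get))
    return int("".join(map(str, bits)), 2)

def demo(seed=1):
    """Profile on 100 chosen 16-bit exponents, then attack an unknown one.
    Returns (secret, key recovered from 5 traces, single-trace bit accuracy)."""
    rng = random.Random(seed)
    n, g = 0xFFFFFFFB, 3                 # toy 32-bit modulus and base (assumed)
    profiling = []
    for _ in range(100):                 # profiling phase on a controlled device
        profiling += collect(g, rng.getrandbits(16) | 0x8000, n, rng)
    tmpl = build_templates(profiling)
    secret = rng.getrandbits(16) | 0x8000
    runs = [[t for _, t in collect(g, secret, n, rng)] for _ in range(5)]
    single = collect(g, secret, n, rng)
    accuracy = sum(classify(tmpl, t) == b for b, t in single) / len(single)
    return secret, recover_key(tmpl, runs), accuracy
```

The point the ladder's regular structure makes is visible in `ladder`: both branches execute the same operation sequence, so an SPA that counts operations sees nothing, and the invariant check in the same loop is what turns a register fault into a detected error. The template attack does not need either property to fail; it only needs some measurable difference between the two branches (here the assumed destination-register leak), learns it from profiling traces with known bits, and then reads each bit off a handful of traces. The same profiling and classification code would apply unchanged to a real trace set once the leakage model is replaced by measurements.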

References

1. Burmester, M., De Medeiros, B., Motta, R.: 'Robust, anonymous RFID authentication with constant key-lookup'. Proc. of the 2008 ACM Symp. on Information, Computer and Communications Security, ACM, 2008, pp. 283–291.
2. Kocher, P., Jaffe, J., Jun, B.: 'Differential power analysis'. CRYPTO, 1999, pp. 388–397.
3. Gandolfi, K., Mourtel, C., Olivier, F.: 'Electromagnetic analysis: concrete results'. Cryptographic Hardware and Embedded Systems – CHES 2001, 2001, pp. 251–261.
4. Kocher, P.: 'Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems'. CRYPTO, 1996, pp. 104–113.
5. Montgomery, P.L.: 'Speeding the Pollard and elliptic curve methods of factorization', Math. Comput., 1987, 48, (177), pp. 243–264.
6. Bhattacharya, S., Mukhopadhyay, D.: 'Who watches the watchmen?: Utilizing performance monitors for compromising keys of RSA on Intel platforms'. Cryptographic Hardware and Embedded Systems – CHES 2015, 2015, pp. 248–266.
7. Joye, M., Yen, S.-M.: 'The Montgomery powering ladder'. Cryptographic Hardware and Embedded Systems – CHES 2002, 2003, pp. 291–302.
8. Mukhopadhyay, D., Chakraborty, R.S.: 'Hardware security: design, threats, and safeguards' (CRC Press, 2014).
9. Chakraborty, A., Mukhopadhyay, D.: 'A practical template attack on MICKEY-128 2.0 using PSO generated IVs and LS-SVM'. 29th Int. Conf. on VLSI Design and 15th Int. Conf. on Embedded Systems (VLSID), 2016, pp. 529–534.
10. De Brabanter, K., Karsmakers, P., Alzate, C., et al.: 'LS-SVMlab Toolbox User's Guide version 1.8'.
11. Chari, S., Rao, J.R., Rohatgi, P.: 'Template attacks'. Cryptographic Hardware and Embedded Systems – CHES 2002, 2003, pp. 13–28.
12. Hospodar, G., De Mulder, E., Gierlichs, B., et al.: 'Least squares support vector machines for side-channel analysis', Center for Advanced Security Research Darmstadt, 2011, pp. 99–104.
13. Lerman, L., Bontempi, G., Markowitch, O.: 'Side channel attack: an approach based on machine learning'. CASED, 2011, pp. 29–41.
14. Bartkewitz, T., Lemke-Rust, K.: 'Efficient template attacks based on probabilistic multi-class support vector machines' (Springer, 2013).
15. Lerman, L., Medeiros, S.F., Veshchikov, N., et al.: 'Semi-supervised template attack'. Constructive Side-Channel Analysis and Secure Design – 4th Int. Workshop, COSADE 2013, Paris, France, March 6–8, 2013, Revised Selected Papers (LNCS 7864), pp. 184–199.
16. Chakraborty, A., Mazumdar, B., Mukhopadhyay, D.: 'A practical DPA on Grain v1 using LS-SVM'. IEEE Int. Symp. on Hardware-Oriented Security and Trust (HOST), 2015.
17. Gülmezoglu, B., Inci, M.S., Apecechea, G.I., et al.: 'A faster and more realistic Flush+Reload attack on AES'. Constructive Side-Channel Analysis and Secure Design – 6th Int. Workshop, COSADE 2015, Berlin, Germany, April 13–14, 2015, Revised Selected Papers (LNCS 9064), pp. 111–126.
18. Suykens, J.A.K., Vandewalle, J.: 'Least squares support vector machine classifiers', Neural Processing Letters, 1999, 9, (3), pp. 293–300.
19. Whitnall, C., Oswald, E.: 'Robust profiling for DPA-style attacks'. Cryptographic Hardware and Embedded Systems – CHES 2015, Springer, 2015, pp. 3–21.
20. Yarom, Y., Falkner, K.: 'FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack'. Proc. of the 23rd USENIX Security Symposium, USENIX Association, 2014, pp. 719–732.
