Cryptography and Communications, Volume 7, Issue 1, pp 71–90

The distributions of individual bits in the output of multiplicative operations

  • Michael Tunstall
  • Marc Joye


A difference-of-means test applied to acquisitions of the instantaneous power consumption has been shown to be a suitable means of distinguishing a multiplication from a squaring operation over the integers. This has been attributed to the difference in expected Hamming weight of the output of these operations but few details are present in the literature. In this paper we define how this difference occurs and show that, somewhat surprisingly, a difference can, for some moduli, still be observed after a modular reduction. Moreover, we show that this difference leads to a practical attack under reasonable assumptions where a modulus is blinded. The presented attack goes beyond the cryptographic primitive and applies to concrete provably secure implementations, including RSA-PSS for signature generation or RSA-OAEP for encryption that uses side-channel countermeasures.
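The abstract states the mechanism without numbers: the Hamming weight of a squaring output is distributed differently from that of a multiplication output, and a difference-of-means test on power traces separates the two. The following Python script is an added example, not code from the paper or its authors. It enumerates every product x*y and every square x*x of 8-bit operands (an assumed, deliberately small operand size so the integer case is exhaustive), reports the mean Hamming weight and the per-bit probability of a 1 for each class, then simulates the difference-of-means distinguisher on a Hamming-weight leakage model with additive Gaussian noise (both the leakage model and the noise level are assumptions). The bias in the low bits is exact and easy to check by hand: x² mod 4 is 0 or 1, so bit 1 of a square is always 0, whereas for a product it is 1 with probability 3/8. The `modulus` argument lets the reader repeat the measurement after a modular reduction; which moduli preserve the bias is the paper's subject and is not asserted here.

```python
"""Added example (not from the paper): Hamming-weight statistics of squaring vs.
multiplication outputs, and a simulated difference-of-means distinguisher.

Assumptions made for illustration: 8-bit operands (so the integer case can be
enumerated exhaustively), a Hamming-weight leakage model with Gaussian noise, and
an optional caller-supplied modulus for the reduced case.
"""
import random
import statistics
from typing import Optional


def hamming_weight(v: int) -> int:
    """Number of 1 bits in a non-negative integer."""
    return bin(v).count("1")


def bit_probabilities(values, nbits: int):
    """P(bit i == 1) over the given outputs, for i in 0 .. nbits-1."""
    n = len(values)
    return [sum((v >> i) & 1 for v in values) / n for i in range(nbits)]


def outputs(nbits: int, modulus: Optional[int] = None):
    """All x*y and all x*x for nbits-bit x, y, optionally reduced mod modulus."""
    bound = 1 << nbits
    red = (lambda v: v % modulus) if modulus else (lambda v: v)
    products = [red(x * y) for x in range(bound) for y in range(bound)]
    squares = [red(x * x) for x in range(bound)]
    return products, squares


def compare(nbits: int = 8, modulus: Optional[int] = None) -> dict:
    """Mean Hamming weight and per-bit 1-probability for each operation class."""
    products, squares = outputs(nbits, modulus)
    out_bits = 2 * nbits if modulus is None else modulus.bit_length()
    return {
        "mean_hw_product": statistics.fmean([hamming_weight(v) for v in products]),
        "mean_hw_square": statistics.fmean([hamming_weight(v) for v in squares]),
        "bit_prob_product": bit_probabilities(products, out_bits),
        "bit_prob_square": bit_probabilities(squares, out_bits),
    }


def difference_of_means(nbits: int = 8, traces: int = 20000,
                        noise_sd: float = 2.0, seed: int = 1) -> dict:
    """Simulate noisy HW leakage for the two classes and compute Welch's t statistic.

    Each 'trace' is one sample: HW(output) plus Gaussian noise (assumed model).
    A large |t| means the class means are separable from the noise, which is what
    a difference-of-means test on real traces would look for.
    """
    rng = random.Random(seed)
    bound = 1 << nbits
    mul = [hamming_weight(rng.randrange(bound) * rng.randrange(bound))
           + rng.gauss(0, noise_sd) for _ in range(traces)]
    sqr = []
    for _ in range(traces):
        x = rng.randrange(bound)
        sqr.append(hamming_weight(x * x) + rng.gauss(0, noise_sd))
    m1, m2 = statistics.fmean(mul), statistics.fmean(sqr)
    v1, v2 = statistics.variance(mul), statistics.variance(sqr)
    t = (m1 - m2) / ((v1 / traces + v2 / traces) ** 0.5)
    return {"mean_mul": m1, "mean_sqr": m2, "t_statistic": t}


if __name__ == "__main__":
    r = compare(8)
    print("mean HW  product: %.3f  square: %.3f" % (r["mean_hw_product"], r["mean_hw_square"]))
    for i, (p, s) in enumerate(zip(r["bit_prob_product"], r["bit_prob_square"])):
        print("bit %2d  P(1|mul)=%.3f  P(1|sqr)=%.3f" % (i, p, s))
    print(difference_of_means(8))
```

Running `compare(8, modulus=N)` for a chosen N shows how much of the per-bit bias survives reduction; the simulated t statistic is only a sanity check of the distinguisher on the model, not a measurement of any real device.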


Keywords: Side-channel analysis; Exponentiation algorithms



The authors would like to thank the anonymous referees for their detailed and perceptive comments. The work described in this paper has also been supported in part by the European Commission through the ICT Programme under Contract ICT-2007-216676 ECRYPT II and by the EPSRC via grant EP/I005226/1.



Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  1. Cryptography Research Inc., San Francisco, USA
  2. Technicolor, Cesson-Sévigné Cedex, France
