Power Analysis Attacks of Modular Exponentiation in Smartcards

  • Thomas S. Messerges
  • Ezzy A. Dabbish
  • Robert H. Sloan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1717)


Three new types of power analysis attacks against smartcard implementations of modular exponentiation algorithms are described. The first attack requires an adversary to exponentiate many random messages with a known and a secret exponent. The second attack assumes that the adversary can make the smartcard exponentiate using exponents of his own choosing. The last attack assumes the adversary knows the modulus and the exponentiation algorithm being used in the hardware. Experiments show that these attacks are successful. Potential countermeasures are suggested.





Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Thomas S. Messerges (1)
  • Ezzy A. Dabbish (1)
  • Robert H. Sloan (2)
  1. Motorola Labs, Motorola, Schaumburg
  2. Dept. of EE and Computer Science, University of Illinois at Chicago, Chicago
