Full Key Recovery Side-Channel Attack Against Ephemeral SIKE on the Cortex-M4

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12910)


This paper describes the first practical single-trace side-channel power analysis of SIKE. Although SIKE is a post-quantum key exchange, the scheme still relies on a secret elliptic curve scalar multiplication, which involves a loop of a double-and-add procedure, each iteration of which depends on a single bit of the private key. The attack exploits the structure of elliptic curve point addition formulas, which require the same field-arithmetic function to be executed several times per iteration. We show how the power trace of a single loop iteration can be segmented into several sub-traces on which 32-bit words can be hypothesised from the value of a single private key bit. This segmentation enables a classical correlation power analysis in an extend-and-prune approach. Further error-correction techniques based on depth search are suggested. The attack is explicitly geared towards, and experimentally verified on, an STM32F3 featuring a Cortex-M4 microcontroller running the SIKEp434 implementation adapted to 32-bit ARM that is part of the official SIKE implementations. We obtained a 100% success rate, recovering the full private key in every experiment. We argue that our attack defeats many countermeasures suggested in a previous power analysis of SIKE, and finally show that the well-known countermeasure of projective coordinate randomisation stops the attack at negligible overhead.
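The following script is an added example, not code from the paper or from the SIKE implementation [44]. It models the attack the abstract describes on a toy ladder: a conditional swap on each key bit followed by a "double-and-add" step, where every multiplication is done limb by limb so that each 32x32-bit limb product becomes one segment of the iteration's trace, leaking a noisy Hamming weight of its operand and product words. The attacker, who knows the public inputs and the key bits recovered so far, recomputes those 32-bit words under both values of the next bit, correlates the predicted weights with the observed segment (CPA), and keeps the best prefixes (a small beam search stands in for the paper's depth-search correction). The same run with projective coordinate randomisation shows why that countermeasure works: the device's words no longer match any hypothesis the attacker can form, while the affine result is unchanged. The 89-bit prime, the "curve" formulas, the constants, the 16-bit key, the noise level and all function names are placeholders chosen to keep the script self-contained; they are not SIKE's field or its Fp2 arithmetic.

```python
import random
from math import sqrt

# --- Toy stand-in for SIKE's field and ladder arithmetic (assumptions, not [44]'s code) ---
P = (1 << 89) - 1                      # 89-bit Mersenne prime; elements fit in three 32-bit limbs
LIMBS = 3
A = 0x6a09e667f3bcc908b2fb13           # constants of the toy "curve" operations (arbitrary)
C = 0xbb67ae8584caa73b25d2b1
X0 = 0x9e3779b97f4a7c15f39cc0          # public ladder inputs (analogue of SIKE's public points)
X1 = 0x3c6ef372fe94f82be73b2a
X2 = 0xa54ff53a5f1d36f1510e52
KEY, NBITS = 0xB5C3, 16                # toy 16-bit private scalar (SIKEp434 keys are far longer)
SIGMA = 1.0                            # Gaussian noise added to every Hamming-weight sample

def hw(w):
    return bin(w).count("1")

def limbs(x):
    return [(x >> (32 * i)) & 0xFFFFFFFF for i in range(LIMBS)]

def fpmul(a, b, trace):
    """Schoolbook limb multiplication. Each 32x32 limb product is one 'segment' of the
    trace; it is modelled as leaking the Hamming weight of both operand words and of the
    low 32 bits of the product (the words an attacker can hypothesise from a key bit)."""
    for ai in limbs(a):
        for bj in limbs(b):
            trace += [hw(ai), hw(bj), hw((ai * bj) & 0xFFFFFFFF)]
    return a * b % P

def pdbl(R, trace):
    # projective x' = x^2 + A:  (X : Z) -> (X^2 + A*Z^2 : Z^2)
    X, Z = R
    XX = fpmul(X, X, trace); ZZ = fpmul(Z, Z, trace); AZZ = fpmul(A, ZZ, trace)
    return ((XX + AZZ) % P, ZZ)

def padd(R1, R2, trace):
    # projective x' = x*y + y^2 + C with x = X1/Z1, y = X2/Z2 (homogeneous, so any lambda works)
    (X1, Z1), (X2, Z2) = R1, R2
    t1 = fpmul(fpmul(X1, X2, trace), Z2, trace)
    t2 = fpmul(fpmul(X2, X2, trace), Z1, trace)
    t3 = fpmul(Z1, fpmul(Z2, Z2, trace), trace)
    return ((t1 + t2 + fpmul(C, t3, trace)) % P, t3)

def initial_state(lam):
    # projective coordinate randomisation: (x : 1) -> (lam*x : lam); lam = 1 means unprotected
    return tuple(((x * lam) % P, lam) for x in (X0, X1, X2))

def ladder_step(state, bit, trace):
    """One ladder iteration: conditional swap on the key bit, then the toy double-and-add.
    Which register feeds the addition depends on this bit, so the multiplier operands do."""
    R0, R1, R2 = state
    if bit:                            # the real code uses a constant-time cswap
        R1, R2 = R2, R1
    R2 = padd(R0, R2, trace)
    R0 = pdbl(R0, trace)
    return (R0, R1, R2)

def simulate(key, lam, rng):
    """Device side: run the ladder once and return one noisy trace per iteration."""
    state, traces = initial_state(lam), []
    for i in range(NBITS):
        t = []
        state = ladder_step(state, (key >> i) & 1, t)
        traces.append([v + rng.gauss(0, SIGMA) for v in t])
    return state, traces

def pearson(x, y):
    n = len(x); mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x); syy = sum((b - my) ** 2 for b in y)
    return sxy / sqrt(sxx * syy) if sxx and syy else 0.0

def recover_key(traces, beam=2):
    """Attacker side: extend-and-prune CPA. For each surviving key prefix, recompute the
    iteration's 32-bit words under bit 0 and bit 1 (unrandomised model, lambda = 1),
    correlate the predicted Hamming weights with the observed iteration, and keep the
    `beam` best prefixes (beam > 1 is the error-correction stand-in)."""
    cands = [(0.0, 0, initial_state(1))]      # (cumulative score, key prefix, hypothesised registers)
    for i, observed in enumerate(traces):
        nxt = []
        for score, prefix, st in cands:
            for b in (0, 1):
                hyp = []
                st2 = ladder_step(st, b, hyp)
                nxt.append((score + pearson(hyp, observed), prefix | (b << i), st2))
        cands = sorted(nxt, key=lambda c: -c[0])[:beam]
    return cands[0][1]

def affine(R):
    X, Z = R
    return X * pow(Z, -1, P) % P

def demo(randomise, seed=7):
    """Returns (recovered key, affine x of the final R0) for one device run."""
    rng = random.Random(seed)
    lam = rng.randrange(2, P) if randomise else 1
    final, traces = simulate(KEY, lam, rng)
    return recover_key(traces), affine(final[0])

if __name__ == "__main__":
    print("unprotected:", hex(demo(False)[0]), "(key", hex(KEY) + ")")
    print("randomised :", hex(demo(True)[0]), "(key", hex(KEY) + ")")
```

On the unprotected run the attacker's prediction under the correct bit matches the observed words up to noise, while the wrong bit predicts different operand and product words for every multiplication that touches the swapped register, so its correlation is visibly lower and the full key is recovered from one trace. With randomisation the device multiplies words the attacker cannot predict (they depend on the random lambda), both hypotheses correlate equally badly and the recovered key is garbage, yet `affine()` of the result is identical; the cost is one extra multiplication per coordinate before the ladder. On real hardware the segmentation step (aligning the trace and cutting it into per-multiplication windows) and the noise level are what decide whether a single trace suffices; this model skips both.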


  • SIKE
  • Side-channel analysis
  • Correlation power analysis
  • Single-trace attack
  • Post-quantum key exchange
  • Isogeny-based cryptography

  • DOI: 10.1007/978-3-030-89915-8_11


  1. We refer to the official NAE-CW308 UFO datasheet to find the mentioned pins:

  2. We refer to the official CW308T-STM32F3 datasheet to find the mentioned pins:


  1. Apon, D.: Passing the final checkpoint! NIST PQC 3rd round begins (2020).

  2. Aysu, A., Tobah, Y., Tiwari, M., Gerstlauer, A., Orshansky, M.: Horizontal side-channel vulnerabilities of post-quantum key exchange protocols. In: 2018 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 81–88 (2018).

  3. Azarderakhsh, R., Jao, D., Kalach, K., Koziel, B., Leonardi, C.: Key compression for isogeny-based cryptosystems. Cryptology ePrint Archive, Report 2016/229 (2016).

  4. Azouaoui, M., Poussier, R., Standaert, F.-X.: Fast side-channel security evaluation of ECC implementations. In: Polian, I., Stöttinger, M. (eds.) COSADE 2019. LNCS, vol. 11421, pp. 25–42. Springer, Cham (2019).

  5. Batina, L., Chmielewski, L., Papachristodoulou, L., Schwabe, P., Tunstall, M.: Online template attacks. J. Cryptogr. Eng. 9(1), 21–36 (2017).

  6. Bos, J.W., Friedberger, S.J.: Arithmetic considerations for isogeny based cryptography. Cryptology ePrint Archive, Report 2018/376 (2018).

  7. Bos, J.W., Friedberger, S.J.: Faster modular arithmetic for isogeny based crypto on embedded devices. Cryptology ePrint Archive, Report 2018/792 (2018).

  8. Bos, J.W., Friedberger, S.J., Martinoli, M., Oswald, E., Stam, M.: Assessing the feasibility of single trace power analysis of Frodo. In: Cid, C., Jacobson, M., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 216–234. Springer, Cham (2018).

  9. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004).

  10. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IEEE Trans. Comput. 53(6), 760–768 (2004).

  11. Childs, A., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014).

  12. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010).

  13. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999).

  14. Corre, Y.L., Großschädl, J., Dinu, D.: Micro-architectural power simulator for leakage assessment of cryptographic software on ARM Cortex-M3 processors. Cryptology ePrint Archive, Report 2017/1253 (2017).

  15. Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. Cryptology ePrint Archive, Report 2016/413 (2016).

  16. Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006).

  17. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014).

  18. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Cryptology ePrint Archive, Report 2011/506 (2011).

  19. Dugardin, M., Papachristodoulou, L., Najm, Z., Batina, L., Danger, J.-L., Guilley, S.: Dismantling real-world ECC with horizontal and vertical template attacks. In: Standaert, F.-X., Oswald, E. (eds.) COSADE 2016. LNCS, vol. 9689, pp. 88–108. Springer, Cham (2016).

  20. Fan, J., Guo, X., De Mulder, E., Schaumont, P., Preneel, B., Verbauwhede, I.: State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures. In: 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 76–87 (2010).

  21. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999).

  22. Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016).

  23. Arm Holdings: Cortex-M4 specifications.

  24. NewAE Technology Inc.: SimpleSerial - ChipWhisperer Wiki (2017).

  25. NewAE Technology Inc.: CHIPWHISPERER | NewAE Technology (2021).

  26. NewAE Technology Inc.: GitHub - newaetech/chipwhisperer: ChipWhisperer - the complete open-source toolchain for side-channel power analysis and glitching attacks (2021).

  27. Jao, D., et al.: Supersingular isogeny key encapsulation (2017).

  28. Joye, M., Tymen, C.: Protections against differential analysis for elliptic curve cryptography — an algebraic approach —. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 377–390. Springer, Heidelberg (2001).

  29. Kalai, G.: The argument against quantum computers (2019).

  30. Kannwischer, M.J., Pessl, P., Primas, R.: Single-trace attacks on Keccak. IACR Cryptol. ePrint Arch. 2020, 371 (2020).

  31. Kannwischer, M.J., Rijneveld, J., Schwabe, P., Stoffelen, K.: pqm4: testing and benchmarking NIST PQC on ARM Cortex-M4. In: Workshop Record of the Second PQC Standardization Conference (2019).

  32. Koziel, B., Azarderakhsh, R., Jao, D.: Side-channel attacks on quantum-resistant supersingular isogeny Diffie-Hellman. In: SAC (2017).

  33. Kwiatkowski, K.: Towards post-quantum cryptography in TLS (2019).

  34. Langley, A.: Post-quantum confidentiality for TLS (2018).

  35. Leonardi, C.: A note on the ending elliptic curve in SIDH. Cryptology ePrint Archive, Report 2020/262 (2020).

  36. Medwed, M., Oswald, E.: Template attacks on ECDSA. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 14–27. Springer, Heidelberg (2009).

  37. Montgomery, P.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48, 243–264 (1987).

  38. Moody, D.: Let’s get ready to rumble - The NIST PQC “competition” (2018).

  39. Moody, D.: Round 2 of the NIST PQC “competition” - What was NIST thinking? (2019).

  40. Paquin, C., Stebila, D., Tamvada, G.: Benchmarking post-quantum cryptography in TLS. Cryptology ePrint Archive, Report 2019/1447 (2019).

  41. Poussier, R., Zhou, Y., Standaert, F.-X.: A systematic approach to the side-channel analysis of ECC implementations with worst-case horizontal attacks. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 534–554. Springer, Cham (2017).

  42. Primas, R., Pessl, P., Mangard, S.: Single-trace side-channel attacks on masked lattice-based encryption. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 513–533. Springer, Cham (2017).

  43. Rostovtsev, A., Stolbunov, A.: A public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006).

  44. Seo, H., Anastasova, M., Jalali, A., Azarderakhsh, R.: Supersingular isogeny key encapsulation (SIKE) round 2 on ARM Cortex-M4. Cryptology ePrint Archive, Report 2020/410 (2020).

  45. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997).

  46. Sim, B., et al.: Single-trace attacks on message encoding in lattice-based KEMs. IEEE Access 8, 183175–183191 (2020).

  47. Weibel, A.: Round 2 hybrid post-quantum TLS benchmarks (2020).

  48. Charvet, X., Pelletier, H.: Improving the DPA attack using wavelet transform (2005).

  49. Zanon, G.H.M., Simplicio, M.A., Pereira, G.C.C.F., Doliskani, J., Barreto, P.S.L.M.: Faster isogeny-based compressed key agreement. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 248–268. Springer, Cham (2018).

  50. Zhang, F., et al.: Side-channel analysis and countermeasure design on ARM-based quantum-resistant SIKE. IEEE Trans. Comput. 69(11), 1681–1693 (2020).

  51. Zhang, Z., Wu, L., Mu, Z., Zhang, X.: A novel template attack on WNAF algorithm of ECC. In: Tenth International Conference on Computational Intelligence and Security, CIS 2014, Kunming, Yunnan, China, 15–16 November 2014, pp. 671–675. IEEE Computer Society (2014).

Corresponding author

Correspondence to Novak Kaluđerović.

A Appendix

We include the code of the xDBLADD, fp2mul_mont, fp2sqr_mont and mp_addfast functions from [44]. Minor changes, such as variable naming, have been made to the code to match the names used in this paper. Lines 3, 6–11 and 15–19 of the listing, together with the whole of mp_addfast (highlighted in red), are the targeted instructions.

Fig. 5. xDBLADD, fp2mul_mont and fp2sqr_mont from [44].

Fig. 6. mp_addfast from [44].

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Genêt, A., de Guertechin, N.L., Kaluđerović, N. (2021). Full Key Recovery Side-Channel Attack Against Ephemeral SIKE on the Cortex-M4. In: Bhasin, S., De Santis, F. (eds) Constructive Side-Channel Analysis and Secure Design. COSADE 2021. Lecture Notes in Computer Science, vol 12910. Springer, Cham.

  • DOI: 10.1007/978-3-030-89915-8_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-89914-1

  • Online ISBN: 978-3-030-89915-8

  • eBook Packages: Computer Science (R0)