Method for Detecting Vulnerability to Doubling Attacks

  • Chong Hee Kim
  • Jean-Jacques Quisquater
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5308)


The doubling attack by Fouque and Valette and its analogue, the relative doubling attack by Yen et al., are a new kind of simple power analysis that can be applied to a binary double-and-add algorithm in a scalar multiplication (or a multiply-and-square algorithm in a modular exponentiation). The doubling attack is very powerful because it requires just two queries to the device to find the secret key. The original doubling attack broke the binary double-and-add-always algorithm, and the relative doubling attack succeeded in breaking the Montgomery ladder. Fouque and Valette stated that the doubling attack was applicable only to downward algorithms, i.e., “left-to-right” implementations of a binary modular exponentiation, and recommended using upward “right-to-left” implementations. On the contrary, Yen et al. proposed a new downward algorithm and asserted that it was secure against doubling attacks. This controversy stems from the lack of analysis of the fundamentals of the doubling attacks. Therefore we analyze the characteristic of the doubling attack and propose a method to easily test a given algorithm’s security against doubling attacks. Furthermore, we show that Yen et al.’s scheme is still vulnerable to the doubling attack.
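The abstract describes the setting of the doubling attack (two queries, one on P and one on 2P, compared doubling by doubling) but not the paper's test method. As an added illustration that is not the authors' method, the following simulation makes the observable of the attack explicit: it tracks every doubling operand symbolically as an integer multiple of the base point (assuming the base point has large prime order, so equal coefficients mean equal group elements), collects the pairs of doublings that act on the same element across the P and 2P runs, and reports whether that collision pattern depends on the scalar. The three algorithms, the names `collision_pattern` and `leaks_via_doubling`, and the key-dependence criterion are all this example's own choices.

```python
"""Simulated doubling-collision check for scalar-multiplication algorithms.

Added illustration; this is NOT the method of the Kim/Quisquater paper.
Group elements are tracked symbolically as integer multiples of a base point
of large prime order, so two doubling operands are the same group element
exactly when their coefficients agree. The two queries of the doubling attack
are modelled as one run on base P (coefficient 1) and one on base 2P
(coefficient 2); only the list of doubling operands is kept, since the power
trace of a doubling depends on the element being doubled.
"""
import random


def ltr_double_and_add_always(bits, base):
    """Downward (left-to-right) double-and-add-always; bits is MSB first.
    Returns the operand of every doubling as a coefficient of P."""
    q, ops = 0, []
    for b in bits:
        ops.append(q)          # the doubling 2*q is what the trace shows
        q = 2 * q
        t = q + base           # always computed, discarded when b == 0
        q = t if b else q
    return ops


def rtl_double_and_add_always(bits, base):
    """Upward (right-to-left) double-and-add-always; bits is MSB first."""
    r, s, ops = 0, base, []
    for b in reversed(bits):   # process from the least significant bit
        t = r + s
        r = t if b else r
        ops.append(s)          # doublings act on 2^i * base, whatever k is
        s = 2 * s
    return ops


def montgomery_ladder(bits, base):
    """Montgomery ladder; bits is MSB first with bits[0] == 1."""
    r0, r1, ops = 0, base, []
    for b in bits:
        if b:
            r0 = r0 + r1
            ops.append(r1)
            r1 = 2 * r1
        else:
            r1 = r0 + r1
            ops.append(r0)
            r0 = 2 * r0
    return ops


def collision_pattern(algorithm, bits):
    """Pairs (i, j) such that doubling i of the P query and doubling j of
    the 2P query act on the same group element. Doublings of the identity
    (coefficient 0) are ignored because they collide trivially."""
    ops_p = algorithm(bits, 1)     # query 1: base point P
    ops_2p = algorithm(bits, 2)    # query 2: base point 2P
    return frozenset((i, j)
                     for i, a in enumerate(ops_p)
                     for j, c in enumerate(ops_2p)
                     if a != 0 and a == c)


def to_bits(k, nbits):
    """Big-endian bit list of k, nbits long."""
    return [(k >> i) & 1 for i in range(nbits - 1, -1, -1)]


def leaks_via_doubling(algorithm, nbits=16, trials=32, seed=1):
    """Flag an algorithm whose (P, 2P) collision pattern changes with the
    scalar. A pattern that is identical for every key carries no key
    information; a key-dependent pattern is exactly what the attack reads
    off the two traces. Keys are constructed pseudo-randomly with MSB set."""
    rng = random.Random(seed)
    patterns = set()
    for _ in range(trials):
        k = rng.getrandbits(nbits) | (1 << (nbits - 1))
        patterns.add(collision_pattern(algorithm, to_bits(k, nbits)))
    return len(patterns) > 1


if __name__ == "__main__":
    for name, alg in [("downward double-and-add-always", ltr_double_and_add_always),
                      ("upward double-and-add-always", rtl_double_and_add_always),
                      ("Montgomery ladder", montgomery_ladder)]:
        verdict = "key-dependent" if leaks_via_doubling(alg) else "key-independent"
        print(f"{name:32s}: collision pattern is {verdict}")
```

Running it reproduces the picture the abstract gives: in the downward algorithm the doubling at step j+1 of the P run and the doubling at step j of the 2P run coincide exactly when bit j of the scalar is 0, so the pattern varies with the key; in the upward algorithm every doubling acts on 2^i·(base) regardless of the scalar, so the pattern is the same for all keys; in the Montgomery ladder the two runs collide at step j wherever bits j and j+1 are equal, which is the relation the relative doubling attack exploits.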


Keywords: Doubling attack, relative doubling attack, modular exponentiation, simple power analysis (SPA), smart card




1. PKCS #1 v2.1: RSA Cryptography Standard (January 5, 2001)
2. Bellare, M., Rogaway, P.: Optimal asymmetric encryption padding - How to encrypt with RSA. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)
3. Blömer, J., May, A.: New partial key exposure attacks on RSA. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 27–43. Springer, Heidelberg (2003)
4. Coron, J.: Resistance against differential power analysis for elliptic curve. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)
5. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory (4), 469–472 (1985)
6. Fouque, P.-A., Valette, F.: The doubling attack - why upwards is better than downwards. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 269–280. Springer, Heidelberg (2003)
7. Giraud, C.: Fault resistant RSA implementation. In: Breveglieri, L., Koren, I. (eds.) Second Workshop on Fault Diagnosis and Tolerance in Cryptography – FDTC 2005, pp. 142–151 (2005)
8. Giraud, C.: An RSA implementation resistant to fault attacks and to simple power analysis. IEEE Transactions on Computers 55(9), 1116–1120 (2006); an earlier version appears in [7]
9. Gordon, D.: A survey of fast exponentiation methods. Journal of Algorithms 27, 129–146 (1998)
10. Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)
11. Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSA and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
12. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
13. Lu, C.-C., Tseng, S.-Y., Huang, S.-K.: A secure modular exponential algorithm resists to power, timing, C safe error and M safe error attacks. In: 19th International Conference on Advanced Information Networking and Applications (AINA 2005), vol. 2, pp. 151–154 (2005)
14. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
15. Yen, S.-M., Ko, L.-C., Moon, S., Ha, J.: Relative doubling attack against Montgomery ladder. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 117–128. Springer, Heidelberg (2006)
16. Yen, S.-M., Lu, C.-C., Tseng, S.-Y.: Method for protecting public key schemes from timing, power, and fault attacks. U.S. Patent Number US2004/0125950 A1 (July 2004)

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Chong Hee Kim, UCL Crypto Group, Université Catholique de Louvain, Louvain-la-Neuve, Belgium
  • Jean-Jacques Quisquater, UCL Crypto Group, Université Catholique de Louvain, Louvain-la-Neuve, Belgium
