Cryptographic hardware and embedded systems – CHES 2016 18th international conference

LNCS 9813

Benedikt Gierlichs
Axel Y. Poschmann (Eds.)

Cryptographic Hardware
and Embedded Systems –
CHES 2016
18th International Conference
Santa Barbara, CA, USA, August 17–19, 2016
Proceedings


Lecture Notes in Computer Science
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zürich, Switzerland


John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany

9813


More information about this series at />


Editors
Benedikt Gierlichs
KU Leuven
Leuven
Belgium

Axel Y. Poschmann
NXP Semiconductors Germany GmbH
Hamburg
Germany

ISSN 0302-9743
ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-662-53139-6
ISBN 978-3-662-53140-2 (eBook)
DOI 10.1007/978-3-662-53140-2
Library of Congress Control Number: 2016946628
LNCS Sublibrary: SL4 – Security and Cryptology
© International Association for Cryptologic Research 2016
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant

protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made.
Printed on acid-free paper
This Springer imprint is published by Springer Nature
The registered company is Springer-Verlag GmbH Berlin Heidelberg


Preface

The 18th Conference on Cryptographic Hardware and Embedded Systems (CHES
2016) was held at the University of California at Santa Barbara, California, USA,
August 17–19, 2016. The conference was sponsored by the International Association
for Cryptologic Research and—after 2010 and 2013—it was the third time that CHES
was co-located with CRYPTO.
CHES 2016 received a record 148 submissions. Each paper was anonymously
reviewed by at least four Program Committee members in a double-blind peer-review
process. Submissions co-authored by PC members received at least five reviews. With
the help of 210 external reviewers our 47 Program Committee members wrote an
impressive total of 623 reviews. This year CHES continued the policy that submissions
needed to closely match the final versions published by Springer in length and format.
Additionally, we implemented a new paper submission policy whereby authors needed
to indicate conflicts of interest with Program Committee members. This mutual indication process led to the upfront identification of roughly five times more conflicts of
interest, and, consequently, to a more fair and smooth review process. The Program
Committee selected 30 papers for publication in these proceedings, corresponding to a
20% acceptance rate.
Several papers were nominated for the CHES 2016 best paper award. After voting,
the Program Committee gave the award to Differential Computation Analysis: Hiding

Your White-Box Designs Is Not Enough by Joppe W. Bos, Charles Hubain, Wil
Michiels, and Philippe Teuwen. The runners-up were Cache Attacks Enable Bulk Key
Recovery on the Cloud by Mehmet S. Inci, Berk Gulmezoglu, Gorka Irazoqui, Thomas
Eisenbarth, and Berk Sunar, and Software Implementation of Koblitz Curves Over
Quadratic Fields by Thomaz Oliveira, Julio López, Francisco Rodríguez-Henríquez.
All three were invited to submit extended versions to the Journal of Cryptology.
The technical program was completed by a panel discussion that provided valuable
feedback to the academic and industrial communities, and by an excellent invited talk
(jointly with CRYPTO 2016) by Paul Kocher from Cryptography Research, a Division
of Rambus.
As a continued tradition, CHES 2016 also featured a poster session and we are very
grateful to Billy Bob Brumley for chairing this aspect of the program. In addition, two
tutorials were given on the day preceding the conference: one by Victor Lomné on
Common Criteria Certification of a Smartcard: A Technical Overview and one by
Yuval Yarom on Micro-Architectural Side-Channel Attacks. For the second time a
CHES challenge was organized. We are very grateful to Ryad Benadjila, Emmanuel
Prouff, and Adrian Thillard for chairing the challenge selection process, and to Colin
O’Flynn for running the CHES 2016 challenge.
The review process was a challenging and time-consuming task. We sincerely thank
the Program Committee members as well as their external reviewers for the hard work
and many hours spent reviewing, assessing, and discussing. The submission process,



the review process, and the editing of the final proceedings were greatly simplified by
the software written by Shai Halevi and we thank him for his kind and immediate
support throughout the whole process.

We would also like to thank the General Chairs, Çetin Kaya Koç and Erkay Savaş,
local organizers Sally Vito and Whitney Morris (of UCSB Conference Services), Juan
Manuel Escalante, who designed the CHES 2016 memorabilia, and the webmaster,
Thomas Eisenbarth. Our thanks also go out to Matt Robshaw and Jonathan Katz, the
Program Chairs of CRYPTO 2016, for the successful collaboration and alignment
of the programs of CHES and CRYPTO. We are very grateful for the financial support
received from our many generous sponsors.
Finally, among the numerous people that contributed to the success of CHES 2016,
above all others are the authors who submitted their research papers to the conference.
Without them, this conference would not exist. We enjoyed chairing the Program
Committee and we hope you will enjoy these proceedings.
June 2016

Benedikt Gierlichs
Axel Y. Poschmann


CHES 2016

18th Conference on Cryptographic Hardware
and Embedded Systems
Santa Barbara, California, USA
August 17–19, 2016
Sponsored by the International Association for Cryptologic Research

General Chairs
Çetin Kaya Koç (University of California at Santa Barbara, USA)
Erkay Savaş (Sabanci University, Turkey)

Program Chairs
Benedikt Gierlichs (KU Leuven, Belgium)
Axel Y. Poschmann (NXP Semiconductors, Germany)

Program Committee
Josep Balasch (KU Leuven, Belgium)
Lejla Batina (Radboud University, The Netherlands)
Daniel J. Bernstein (University of Illinois at Chicago, USA and Technische Universiteit Eindhoven, The Netherlands)
Guido Bertoni (STMicroelectronics, Italy)
Chen-Mou Cheng (National Taiwan University, Taiwan)
Hermann Drexler (Giesecke & Devrient, Germany)
Orr Dunkelman (University of Haifa, Israel)
Junfeng Fan (Open Security Research, China)
Sebastian Faust (Ruhr-Universität Bochum, Germany)
Viktor Fischer (Jean Monnet University Saint-Etienne, France)
Wieland Fischer (Infineon Technologies, Germany)
Henri Gilbert (ANSSI, France)
Christophe Giraud (Oberthur Technologies, France)
Daniel Holcomb (University of Massachusetts Amherst, USA)
Naofumi Homma (Tohoku University, Japan)
Michael Hutter (Cryptography Research, USA)
Kimmo Järvinen (Aalto University, Finland)
Marc Joye (Technicolor, France)
Lars R. Knudsen (Technical University of Denmark, Denmark)
Kerstin Lemke-Rust (Bonn-Rhein-Sieg University of Applied Sciences, Germany)
Tancrède Lepoint (CryptoExperts, France)
Yang Li (Nanjing University of Aeronautics and Astronautics, China)
Roel Maes (Intrinsic-ID, The Netherlands)
Mitsuru Matsui (Mitsubishi Electric, Japan)
Marcel Medwed (NXP Semiconductors, Austria)
Amir Moradi (Ruhr-Universität Bochum, Germany)
Debdeep Mukhopadhyay (Indian Institute of Technology Kharagpur, India)
Elke De Mulder (Cryptography Research, USA)
David Naccache (École normale supérieure, France)
Elisabeth Oswald (University of Bristol, UK)
Daniel Page (University of Bristol, UK)
Thomas Peyrin (Nanyang Technological University, Singapore)
Emmanuel Prouff (Safran Identity & Security, France)
Francesco Regazzoni (ALaRI, Lugano, Switzerland)
Matthieu Rivain (CryptoExperts, France)
Alexander Schlösser (NXP Semiconductors, Germany)
Sergei Skorobogatov (University of Cambridge, UK)
Meltem Sönmez Turan (NIST, USA)
Marc Stöttinger (Continental Teves, Germany)
Berk Sunar (Worcester Polytechnic Institute, USA)
Hugues Thiebeauld (eshard, France)
Olivier Thomas (Texplained, France)
Mehdi Tibouchi (NTT Secure Platform Laboratories, Japan)
Steve Trimberger (Xilinx, USA)
Ingrid Verbauwhede (KU Leuven, Belgium)
Andre Weimerskirch (University of Michigan, USA)
Brecht Wyseur (NAGRA, Switzerland)

External Reviewers
Martin R. Albrecht
Guilherme Almeida
Gilles Van Assche

Jean-Philippe Aumasson
Aydin Aysu
Reza Azarderakhsh
Florian Bache
Thomas Baignères
Subhadeep Banik
Guillaume Barbu
Guy Barwell
Alberto Battistello
Sven Bauer
Georg T. Becker
Steffen Becker

Sonia Belaïd
Ryad Benadjila
Florent Bernard
Régis Bevan
Shivam Bhasin
Sarani Bhattacharya
Russ Bielawski
Begül Bilgin
Markus Bockes
Joppe Bos
Lilian Bossuet
Claudio Bozzato
Jakub Breier
Billy Bob Brumley
Samuel Burri

Martin Butkus

Rodrigo Portella do Canto
Claude Carlet
Pierre-Louis Cayrel
Gizem Selcan Cetin
Thomas Chabrier
Rajat Subhra Chakraborty
Ayantika Chatterjee
Urbi Chatterjee
Ricardo Chaves
Chien-Ning Chen
Cong Chen
Abdelkarim Cherkaoui
Jean-Michel Cioranesco
Ruan de Clercq



Thomas De Cnudde
Brice Colombier
Jean-Sébastien Coron
Guillaume Dabosville
Joan Daemen
Wei Dai
Poulami Das
Nicolas Debande
Jeroen Delvaux
Jintai Ding
Yarkin Doroz
Emmanuelle Dottax

Baris Ege
Thomas Eisenbarth
Guangjun Fan
Claudio Favi
Peter Felber
Magnus Gausdal Find
Matthieu Finiasz
Daisuke Fujimoto
Georges Gagnerot
Adriano Gaibotti
Jake Longo Galea
Benoit Gerard
Cezary Glowacz
Gilbert Goodwill
Louis Goubin
Aurélien Greuet
Vincent Grosso
Daniel Gruss
Frank K. Gürkaynak
Mike Hamburg
Ghaith Hammouri
Bill Hass
Wei He
Annelie Heuser
Lars Hoffmann
Yuan-Che Hsu
Ilia Iliashenko
Gorka Irazoki
Dirmanto Jap
Eliane Jaulmes

Tommi Junttila
Elif Bilge Kavun

Osnat Keren
Mehran Mozaffari Kermani
Ilya Kizhvatov
Patrick Klapper
Miroslav Knezevic
Markus Kuhn
Tanja Lange
Sam Lauzon
Jenwei Lee
Gaëtan Leurent
Wen-Ding Li
Zhe Liu
Zheng Liu
Susanne Lohmann
Cuauhtemoc Mancillas Lopez
Atul Luykx
Pieter Maene
Houssem Maghrebi
Cedric Marchand
Daniel Martin
Marco Martinoli
Daniel Masny
Pedro Maat Massolino
Luke Mather
Sanu Mathew

Ingo von Maurich
Silvia Mella
Filippo Melzani
Bart Mennink
Rafael Misoczki
Nicolas Moro
Zakari Najm
Ousmane Ndiaye
Ventzislav Nikov
Tobias Nink
Tobias Oder
Brisbane Ovilla
Erdinc Ozturk
Clara Paglialonga
Paolo Palmieri
Louiza Papachristodoulou
Kostas Papagiannopoulos


Sikhar Patranabis
Sylvain Pelissier
Hervé Pelletier
Jan Pelzl
Bo-Yuan Peng
Peter Pessl
Antonio de la Piedra
Thomas Prest
Christian Pilato
Gilles Piret

Thomas Plos
Ilia Polian
Thomas Pöppelmann
Frédéric de Portzamparc
Jürgen Pulkus
Christof Rempel
Joost Renes
Oscar Reparaz
Thomas Ricosset
Lionel Riviere
Molka ben Romdhane
Franck Rondepierre
Debapriya Basu Roy
Sujoy Sinha Roy
Markku-Juhani O. Saarinen
Durga Prasad Sahoo
Kazuo Sakiyama
Peter Samarin
Fabrizio De Santis
Pascal Sasdrich
Falk Schellenberg
Werner Schindler
Tobias Schneider
Okan Seker
Hwajeong Seo
Siang Meng Sim
Daniel Smith-Tone
Martijn Stam
Francois-Xavier Standaert

Takeshi Sugawara
Ruggero Susella
Daisuke Suzuki
Pawel Swierczynski



Junko Takahashi
Ming Tang
Cihangir Tezcan
Loïc Thierry
Adrian Thillard
Elena Trichina
Toyohiro Tsurumaru
Yu-Hsiu Tung
Michael Tunstall
Rei Ueno
Thomas Unterluggauer
Praveen Kumar Vadnala

Felipe Valencia
Kerem Varici
Frederik Vercauteren
Vincent Verneuil
Karine Villegas
Jo Vliegen
Pim Vullers

An Wang
Erich Wenger
Mario Werner
Carolyn Whitnall
Alexander Wild

Antoine Wurcker
Mingfu Xue
Bohan Yang
Ville Yli-Maeyry
Mandel Yu
Shih-Chun Yu
Rina Zeitoun
Fan Zhang
Hailong Zhang
Zhenfei Zhang
Xinjie Zhao
Yongbin Zhou


Contents

Side Channel Analysis

Correlated Extra-Reductions Defeat Blinded Regular Exponentiation . . . 3
    Margaux Dugardin, Sylvain Guilley, Jean-Luc Danger, Zakaria Najm, and Olivier Rioul

Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme . . . 23
    Alberto Battistello, Jean-Sébastien Coron, Emmanuel Prouff, and Rina Zeitoun

Towards Easy Leakage Certification . . . 40
    François Durvaux, François-Xavier Standaert, and Santos Merino Del Pozo

Simple Key Enumeration (and Rank Estimation) Using Histograms: An Integrated Approach . . . 61
    Romain Poussier, François-Xavier Standaert, and Vincent Grosso

Automotive Security

Physical Layer Group Key Agreement for Automotive Controller Area Networks . . . 85
    Shalabh Jain and Jorge Guajardo

vatiCAN – Vetted, Authenticated CAN Bus . . . 106
    Stefan Nürnberger and Christian Rossow

Invasive Attacks

Mitigating SAT Attack on Logic Locking . . . 127
    Yang Xie and Ankur Srivastava

No Place to Hide: Contactless Probing of Secret Data on FPGAs . . . 147
    Heiko Lohrke, Shahin Tajik, Christian Boit, and Jean-Pierre Seifert

Side Channel Countermeasures I

Strong 8-bit Sboxes with Efficient Masking in Hardware . . . 171
    Erik Boss, Vincent Grosso, Tim Güneysu, Gregor Leander, Amir Moradi, and Tobias Schneider

Masking AES with d + 1 Shares in Hardware . . . 194
    Thomas De Cnudde, Oscar Reparaz, Begül Bilgin, Svetla Nikova, Ventzislav Nikov, and Vincent Rijmen

New Directions

Differential Computation Analysis: Hiding Your White-Box Designs is Not Enough . . . 215
    Joppe W. Bos, Charles Hubain, Wil Michiels, and Philippe Teuwen

Antikernel: A Decentralized Secure Hardware-Software Operating System Architecture . . . 237
    Andrew Zonenberg and Bülent Yener

Software Implementations

Software Implementation of Koblitz Curves over Quadratic Fields . . . 259
    Thomaz Oliveira, Julio López, and Francisco Rodríguez-Henríquez

QcBits: Constant-Time Small-Key Code-Based Cryptography . . . 280
    Tung Chou

μKummer: Efficient Hyperelliptic Signatures and Key Exchange on Microcontrollers . . . 301
    Joost Renes, Peter Schwabe, Benjamin Smith, and Lejla Batina

Cache Attacks

Flush, Gauss, and Reload – A Cache Attack on the BLISS Lattice-Based Signature Scheme . . . 323
    Leon Groot Bruinderink, Andreas Hülsing, Tanja Lange, and Yuval Yarom

CacheBleed: A Timing Attack on OpenSSL Constant Time RSA . . . 346
    Yuval Yarom, Daniel Genkin, and Nadia Heninger

Cache Attacks Enable Bulk Key Recovery on the Cloud . . . 368
    Mehmet Sinan İnci, Berk Gulmezoglu, Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar

Physical Unclonable Functions

Strong Machine Learning Attack Against PUFs with No Mathematical Model . . . 391
    Fatemeh Ganji, Shahin Tajik, Fabian Fäßler, and Jean-Pierre Seifert

Efficient Fuzzy Extraction of PUF-Induced Secrets: Theory and Applications . . . 412
    Jeroen Delvaux, Dawu Gu, Ingrid Verbauwhede, Matthias Hiller, and Meng-Day (Mandel) Yu

Run-Time Accessible DRAM PUFs in Commodity Devices . . . 432
    Wenjie Xiong, André Schaller, Nikolaos A. Anagnostopoulos, Muhammad Umair Saleem, Sebastian Gabmeyer, Stefan Katzenbeisser, and Jakub Szefer

Side Channel Countermeasures II

On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking . . . 457
    Dahmun Goudarzi and Matthieu Rivain

Reducing the Number of Non-linear Multiplications in Masking Schemes . . . 479
    Jürgen Pulkus and Srinivas Vivek

Faster Evaluation of SBoxes via Common Shares . . . 498
    Jean-Sébastien Coron, Aurélien Greuet, Emmanuel Prouff, and Rina Zeitoun

Hardware Implementations

FourQ on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime Characteristic Fields . . . 517
    Kimmo Järvinen, Andrea Miele, Reza Azarderakhsh, and Patrick Longa

A High Throughput/Gate AES Hardware Architecture by Compressing Encryption and Decryption Datapaths — Toward Efficient CBC-Mode Implementation . . . 538
    Rei Ueno, Sumio Morioka, Naofumi Homma, and Takafumi Aoki

Efficient High-Speed WPA2 Brute Force Attacks Using Scalable Low-Cost FPGA Clustering . . . 559
    Markus Kammerstetter, Markus Muellner, Daniel Burian, Christian Kudera, and Wolfgang Kastner

Fault Attacks

ENCOUNTER: On Breaking the Nonce Barrier in Differential Fault Analysis with a Case-Study on PAEQ . . . 581
    Dhiman Saha and Dipanwita Roy Chowdhury

Curious Case of Rowhammer: Flipping Secret Exponent Bits Using Timing Analysis . . . 602
    Sarani Bhattacharya and Debdeep Mukhopadhyay

A Design Methodology for Stealthy Parametric Trojans and Its Application to Bug Attacks . . . 625
    Samaneh Ghandali, Georg T. Becker, Daniel Holcomb, and Christof Paar

Author Index . . . 649



Side Channel Analysis


Correlated Extra-Reductions Defeat Blinded Regular Exponentiation

Margaux Dugardin^{1,2}, Sylvain Guilley^{2,3}, Jean-Luc Danger^{2,3}, Zakaria Najm^4, and Olivier Rioul^{2,5}

1 CESTI, Thales Communications and Security, 31000 Toulouse, France
2 LTCI, CNRS, Télécom ParisTech, Université Paris-Saclay, 75013 Paris, France
  {margaux.dugardin,sylvain.guilley,jean-luc.danger,olivier.rioul}@telecom-paristech.fr
3 Secure-IC SAS, 35510 Cesson-Sévigné, France
  {sylvain.guilley,jean-luc.danger}@secure-ic.com
4 ST-Microelectronics, 13790 Rousset, France
5 CMAP, Ecole Polytechnique, Université Paris-Saclay, 91128 Palaiseau, France


Abstract. Walter and Thompson (CT-RSA ’01) and Schindler (PKC ’02) have shown that extra-reductions make it possible to break RSA-CRT even with message blinding. Indeed, the extra-reduction probability depends on the type of operation (square, multiply, or multiply with a constant). Regular exponentiation schemes can be regarded as protections since the operation sequence does not depend on the secret.
In this article, we show that there exists a strong negative correlation between extra-reductions of two consecutive operations, provided that the first feeds the second. This makes it possible to mount successful attacks even against blinded asymmetrical computations with a regular exponentiation algorithm, such as Square-and-Multiply Always or Montgomery Ladder. We investigate various attack strategies depending on the context—known or unknown modulus, known or unknown extra-reduction detection probability, etc.—and implement them on two devices: a single-core ARM Cortex-M4 and a dual-core ARM Cortex M0-M4.

Keywords: Side-channel analysis · Montgomery modular multiplication · Extra-reduction leakage · Message blinding · Regular exponentiation

1 Introduction

State of the Art of Timing Attacks. Any cryptographic algorithm in an embedded system is vulnerable to side-channel attacks. Timing attacks on the RSA
Straightforward Method (RSA-SFM) were pioneered by Kocher [12]. The attack
consists in building “templates” whose distributions are compared to that of the
response. It is required that the cryptographic parameters be known since the
attack is profiled.
© International Association for Cryptologic Research 2016
B. Gierlichs and A.Y. Poschmann (Eds.): CHES 2016, LNCS 9813, pp. 3–22, 2016.
DOI: 10.1007/978-3-662-53140-2_1

Schindler [16] extended timing attacks to RSA with Chinese Remainder Theorem (RSA-CRT) using chosen messages. This attack exploits a conditional
extra-reduction at the end of modular multiplications. Schindler and co-authors
carried out numerous improvements [1, 2, 17–20] in the case where the exponentiation uses windows or exponent randomization.
Walter and Thompson [21] remarked that even when data is blinded, the distribution of extra-reductions is different for a square and for a multiply. They assumed that side-channel measurements such as power or timing during exponentiation are sufficiently clean to detect the presence or absence of an extra-reduction at each individual operation. Schindler [17] improved this attack by also distinguishing multiplications by a constant from squarings and multiplications by non-fixed parameters.
Today’s Solutions. In order to protect the implementation from the above attacks, a first solution consists in exponent randomization on top of message blinding. Such a protection, however, is sensitive to carry leakage [9] and amenable to other attacks like simple power analysis [7] (SPA). A second solution relies on regular exponentiation like Square-and-Multiply-Always (SMA, see Algorithm 1) or Montgomery Ladder (ML, see Algorithm 2). Both algorithms consist in a square and a multiply operation in each iteration i, yielding no leakage to SPA.
Algorithm 1. Square and Multiply Always Left-to-Right
Input: m, k = (k_l k_{l−1} . . . k_0)_2, p (k_l = 1)
Output: m^k mod p
1: R_0 ← 1
2: R_1 ← m
3: for i = l − 1 downto 0 do
4:   R_1 ← R_1 × R_1 mod p                ▷ S_i
5:   R_{k_i} ← R_1 × m mod p              ▷ M_i
6: end for
7: return R_1

Algorithm 2. Montgomery Ladder Left-to-Right
Input: m, k = (k_l k_{l−1} . . . k_0)_2, p (k_l = 1)
Output: m^k mod p
1: R_0 ← m
2: R_1 ← R_0 × R_0 mod p                 ▷ FS
3: for i = l − 1 downto 0 do
4:   R_{¬k_i} ← R_0 × R_1 mod p           ▷ M_i
5:   R_{k_i} ← R_{k_i} × R_{k_i} mod p    ▷ S_i
6: end for
7: return R_0

Contributions of This Paper. We show that despite message blinding and regular exponentiation, it is still possible for an attacker to take advantage of extra-reductions: a new bias is found, namely a strong negative correlation between the extra-reductions of two consecutive operations. As shown in this paper, the bias can be easily leveraged to recover which registers are written to (at line 5 of Algorithm 1 or at lines 4 and 5 of Algorithm 2), which eventually leads to recovering the secret key. The advantages of this method are the following:
– messages are unknown; this captures general situations such as RSA with OAEP or PSS padding and RSA input blinding [11, Sect. 10];
– RSA parameters can be unknown; hence RSA-CRT is also vulnerable;



– all binary exponentiation algorithms are vulnerable, even the regular ones like
Square and Multiply Always, Montgomery Ladder, etc.;
– our attack can also be applied to Elliptic Curve Cryptography (ECC).
From a mathematical viewpoint, we also provide a comprehensive framework for
studying the joint probabilities of extra-reductions in a sequence of multiplies
and squares.
Related Works. The “horizontal/vertical” side-channel attacks against blinded exponentiation described in [6, 10, 24] also use the dependency between the input/output of operands in square and multiply algorithms. Such attacks exploit the vertical amplitude of the signal during the time duration. Our work is thus complementary to these ideas since it considers a novel horizontal exploitable bias.
Outline. The rest of the paper is organized as follows¹. Section 2 recalls known biases induced by extra-reductions in modular multiplication algorithms such as the Montgomery modular multiplication. Our contribution starts at Sect. 3, where the theoretical rationale for the strong negative correlation between extra-reductions of two chained operations is presented. Section 4 shows how this bias can be turned into a key recovery attack. Experimental validations for synthetic and practical traces are in Sect. 5. Section 6 concludes.

2 State of the Art of Extra-Reductions Probabilities

This section reviews known results about extra-reductions and their probability distributions. The results can be adapted easily to Barrett reduction or multiplication followed by reduction using the extended Euclid algorithm.

2.1 Montgomery Modular Multiplication: Definitions and Notations

Given two integers a and b, the classical modular multiplication a × b mod p
computes the multiplication a × b followed by the modular reduction by p.
Montgomery Modular Multiplication (MMM) transforms a and b into special
representations known as their Montgomery forms.
Definition 1 (Montgomery Transformation [14]). For any prime modulus p, the Montgomery form of a ∈ F_p is φ(a) = a × R mod p for some constant R greater than and co-prime with p.
In order to ease the computation, R is usually chosen as the smallest power of two greater than p, that is $R = 2^{\lceil \log_2 p \rceil}$. Using the Montgomery form of integers, modular multiplications used in modular exponentiation algorithms (recall Algorithms 1 and 2) can be carried out using the Montgomery Modular Multiplication (MMM):

¹ A complete version containing auxiliary information is available in [8].



Definition 2 (Montgomery Modular Multiplication [14]). Let φ(a) and φ(b) be two elements of F_p in Montgomery form. The MMM of φ(a) and φ(b) is φ(a) × φ(b) × R^{−1} mod p.
Algorithm 3 below shows that the MMM can be implemented in two steps: (i) compute D = φ(a) × φ(b), then (ii) reduce D using Montgomery reduction, which returns φ(c). In Algorithm 3, the pair (R^{−1}, v) is such that R R^{−1} − v p = 1.

Algorithm 3. Montgomery Reduction (Algorithm 14.32 of [13])
Input: D = φ(a) × φ(b)
Output: φ(c) = φ(a) × φ(b) × R^{−1} mod p
1: m ← (D mod R) × v mod R
2: U ← (D + m × p) ÷ R                   ▷ Invariant: 0 ≤ U < 2p
3: if U ≥ p then
4:   C ← U − p                           ▷ Extra-reduction
5: else
6:   C ← U
7: end if
8: return C

Definition 3 (Extra-Reduction). In Algorithm 3, when the intermediate
value U is greater than p, a subtraction named eXtra-reduction occurs so as
to have a result C of the Montgomery multiplication between 0 and p − 1. We
set X = 1 in the presence of the eXtra-reduction, and X = 0 in its absence.
Most software implementations of modular arithmetic for large numbers (such as OpenSSL and mbedTLS) use the MMM, where there is a final extra-reduction. In mbedTLS, this extra-reduction is compensated. However, as shown below in Sect. 5.2, an attacker is still able in practice to detect using some side-channel which branch has been used (either line 4 or 6 of Algorithm 3).
2.2 A Bias to Differentiate a Multiply from a Square

Proposition 1 (Probability of Extra-Reduction in a Multiply and a Square Operation [16, Lemma 1]). Assuming uniform distribution of operands, the probabilities of an extra-reduction in a multiply X_{M_i} and in a square X_{S_i} at iteration i are

\[ P(X_{M_i} = 1) = \frac{p}{4R} \quad \text{and} \quad P(X_{S_i} = 1) = \frac{p}{3R}. \tag{1} \]

We note that extra-reductions are 33 % more likely when the operation is a square than when it is a multiply, irrespective of the ratio p/R ∈ ]1/2, 1[. This allows one to break unprotected exponentiation algorithms.


3 A Bias to Test the Dependency of Operations

3.1 Principle of Correlated Extra-Reductions

In regular exponentiation algorithms, differentiating a multiply from a square does not allow SPA to distinguish the value of the exponent bits. Indeed, at every iteration i (l − 1 ≥ i > 0, where i is decremented after each iteration), multiply and square operations are carried out unconditionally. However, the input value of each operation depends on the current exponent bit value k_i. Figure 1 illustrates the dependence or independence between the input/output values of the multiplication M_i and the input value of the following square S_{i−1} as a function of the bit value k_i during the SMA algorithm (Algorithm 1). Intuitively, when the output of M_i is equal to the input of S_{i−1}, we can expect that the extra-reductions in both operations are strongly correlated.

[Fig. 1 (diagram not reproduced): for the example key bits k_{l−1} = 1, k_{l−2} = 0, k_{l−3} = 1, k_{l−4} = 1, the operation chain S_{l−1}, M_{l−1}, S_{l−2}, M_{l−2}, S_{l−3}, M_{l−3}, S_{l−4}, M_{l−4}, with the output of each multiplication M_i compared to the input of the following square S_{i−1}.]

Fig. 1. Comparison between the output value of multiplication with the input of the following square in the Square-and-Multiply-Always exponentiation algorithm (Algorithm 1).

For the ML algorithm (Algorithm 2), the M_i and S_{i−1} operations depend directly on the two consecutive key bit values k_i and k_{i−1}. If the bit value k_{i−1} and its previous bit value k_i are different, then the output of multiplication M_i and the input of square S_{i−1} are equal and yield strongly correlated extra-reductions; in the opposite case they yield uncorrelated extra-reductions.
Definition 4 (Guess Notation). Let G_i be the “guess” Boolean random variable defined to be True (T) if the output of an operation at iteration i is equal to the input of the next operation at iteration i − 1, and False (F) otherwise. Also let X_{M_i} be a random variable corresponding to the eXtra-reduction of the MMM multiplication at iteration i and X_{S_{i−1}} be a random variable corresponding to the eXtra-reduction during the MMM square at iteration (i − 1).
Then P(X_{M_i}, X_{S_{i−1}} | G_i = T) is their joint probability when the output value of the multiplication is equal to the input value of the square, and P(X_{M_i}, X_{S_{i−1}} | G_i = F) is their joint probability when the output value of the multiplication is not equal to the input value of the square.



Table 1. Example of probabilities of eXtra-reduction X_{M_i} of multiply operation and X_{S_{i−1}} of square operation knowing the Boolean value G_i for RSA-1024-p. The first line (correct guess) is applicable for both SMA and ML.

(x_{M_i}, x_{S_{i−1}})                      (0,0)     (1,0)     (0,1)     (1,1)
P(x_{M_i}, x_{S_{i−1}} | G_i = T)           0.541575  0.191615  0.258276  0.008532
P(x_{M_i}, x_{S_{i−1}} | G_i = F) for SMA   0.612756  0.120158  0.186803  0.080281
P(x_{M_i}, x_{S_{i−1}} | G_i = F) for ML    0.586105  0.147246  0.213521  0.053128

The guess value $G_i$ is linked to the key value depending on the regular exponentiation algorithm. For SMA and for a bit $k_i$, an attacker is able to estimate
the probabilities $\hat{P}(X_{M_i}, X_{S_{i-1}})$. This probability can be used to find the bit $k_i$
as illustrated in Fig. 1 and explained in Sect. 4 below. For ML, $G_i$ depends on
two consecutive key bits as explained also in Sect. 4.
We have estimated the joint probabilities $P(X_{M_i}, X_{S_{i-1}} \mid G_i)$ using 1,000,000
random values for both SMA and ML algorithms and the example RSA-1024-p
defined in [8, Sect. 2.2], a modulus for which the ratio $p/R \approx 0.800907$.
The values of the obtained probabilities are shown in Table 1.
It is important to notice that for each $(x_{M_i}, x_{S_{i-1}}) \in \{0, 1\}^2$, the conditional joint probabilities are distinct: $P(X_{M_i} = x_{M_i}, X_{S_{i-1}} = x_{S_{i-1}} \mid G_i = F) \neq
P(X_{M_i} = x_{M_i}, X_{S_{i-1}} = x_{S_{i-1}} \mid G_i = T)$. Also for $G_i = F$ in ML, it can be observed
that $P(X_{M_i}, X_{S_{i-1}} \mid G_i) = \frac{p}{4R} \times \frac{p}{3R} = P(X_{M_i}) \times P(X_{S_{i-1}})$, which is consistent with
the fact that the two operations $X_{M_i}$ and $X_{S_{i-1}}$ should be independent since they
are completely unrelated.
It should be emphasized that the leakage identified in Table 1 is fairly large,
since the Pearson correlations $\rho$ of the two random variables are$^2$:
$$\rho(X_{M_i}, X_{S_{i-1}} \mid G_i = T) \approx -0.2535, \qquad (2)$$
$$\rho(X_{M_i}, X_{S_{i-1}} \mid G_i = F) \approx +0.1510 \text{ in SMA}, \qquad (3)$$
$$\rho(X_{M_i}, X_{S_{i-1}} \mid G_i = F) \approx -0.0017 \text{ in ML}. \qquad (4)$$

To the best of our knowledge, such correlations have not been observed previously. A few observations are in order:
– when a square follows a multiply, and if there has been an extra-reduction
in the multiplication, the result should be short, hence there is less chance
for an extra-reduction to occur in the following square. This accounts for the
negative correlation $\rho(X_{M_i}, X_{S_{i-1}} \mid G_i = T)$;
– from Fig. 1 iteration $i = l-2$ where $k_i = 0$, we can see that one input of
the multiplication $M_i$ equals the input of the following squaring $S_{i-1}$. Since a
square and a multiplication share a common operand, provided it is sufficiently
large, both operations are likely to have an extra-reduction at the same time,
which accounts for the positive correlation $\rho(X_{M_i}, X_{S_{i-1}} \mid G_i = F)$ for SMA;

$^2$ $\rho(X_{M_i}, X_{S_{i-1}}) = \dfrac{\mathrm{Cov}(X_{M_i}, X_{S_{i-1}})}{\sigma_{X_{M_i}}\,\sigma_{X_{S_{i-1}}}} = \dfrac{P(X_{M_i} = 1, X_{S_{i-1}} = 1) - \big(P(X_{M_i} = 1) \times P(X_{S_{i-1}} = 1)\big)}{\sqrt{P(X_{M_i} = 1)\,\big(1 - P(X_{M_i} = 1)\big)\; P(X_{S_{i-1}} = 1)\,\big(1 - P(X_{S_{i-1}} = 1)\big)}}.$



Correlated Extra-Reductions Defeat Blinded Regular Exponentiation

9

– when a square and a multiply handle independent data, the extra-reductions
are clearly also independent of each other, which explains the small value of
$\rho(X_{M_i}, X_{S_{i-1}} \mid G_i = F)$ for ML.
As explained next, when extra-reductions can be detected reliably, the data-flow
can be analyzed accurately, thereby defeating regular exponentiation protections.
3.2 Methodology to Analyze the Bias

In order to estimate the probability $P(X_{M_i}, X_{S_{i-1}} \mid G_i)$, we first determine the
distribution of the output value after one MMM (following the method described
by Sato et al. [15]) and then compute the joint probability for each case.
Let $A, B$ be two independent random variables uniformly distributed in $[0, p[$
(represented in Montgomery form); let $C$ be equal to the MMM product of $A$ and
$B$ and $U$ correspond to the MMM product of $A$ and $B$ before eXtra-reduction
(if any). Variables $C$ and $U$ coincide with those of Algorithm 3. As a matter
of fact, an attacker cannot observe values, only extra-reductions which occur
during Montgomery reduction (at line 4 of Algorithm 3). We use notations $P$ for
probabilities and $f$ for probability density functions (p.d.f.'s).
Figure 2 shows histograms for $C$ and $U$ obtained from one million simulations;
the binning consists of 100 bins of the interval $[0, 2p[$. It can be observed that
– the p.d.f. of $C$ is uniform on $[0, p[$;
– the p.d.f. of $U$ is a piecewise continuous function composed of a strictly increasing part, a constant part and a strictly decreasing part;
– the two conditional p.d.f.'s of $C$ knowing $X_{M_i} \in \{0, 1\}$ (resp. $X_{S_i} \in \{0, 1\}$) are not uniform;
– for $c \in [0, p[$, one has $f(C = c) = f(U = c) + f(U = c + p)$ by definition of $U$;
– the maximum value of $U$ is $p + p^2/R$, which is strictly smaller than $2p$.

[Figure 2: two histogram panels over $u \in [0, 2p[$ with marks at $p^2/R$, $p$, $R$, $p + p^2/R$ and $2p$ on the horizontal axis. Left panel (multiplication): $f(C)$, $f(C \mid X_M = 0)$, $f(C \mid X_M = 1)$, $f(U = u)$ and the theoretical curve for the multiplication (Thm. 1). Right panel (square): $f(C)$, $f(C \mid X_S = 0)$, $f(C \mid X_S = 1)$, $f(U = u)$ and the theoretical curve for the square (Thm. 1).]

Fig. 2. Distribution of the output value of Montgomery multiplication (left) and square
(right) for RSA-1024-p.



Recall that we use the Montgomery reduction described in Algorithm 3, where
the reduction modulo $p$ is carried out after every multiplication. This is also
the case in [16, 17], but not in [20, 21] where the multiplicands lie in $[0, R[$. To
complement those works, we now derive a closed-form expression of the output
distribution of the Montgomery multiplication product and square (not found
in [16, 17]).
3.3 Mathematical Derivations

This subsection provides a mathematical justification of the biases observed in
Table 1. In particular, it shows that such biases hold for all values of $p$ and
$R = 2^{\lceil \log_2(p) \rceil}$. Our closed-form expressions are derived as limits in distribution
when $p \to +\infty$ that we shall write as approximations.

Theorem 1 (P.d.f. of MMM Before Extra-Reduction$^3$). Asymptotically
when modulus $p$ is large, the result of a Montgomery multiplication before the
final extra-reduction (at line 2 of Algorithm 3) has the piecewise p.d.f. given by
$$
f_U(u) = \begin{cases}
\dfrac{Ru}{p^3}\left(1 - \ln\dfrac{Ru}{p^2}\right) & \text{if } 0 \le u \le \dfrac{p^2}{R}; \\[2ex]
\dfrac{1}{p} & \text{if } \dfrac{p^2}{R} \le u \le p; \\[2ex]
\dfrac{1}{p} - \dfrac{R(u-p)}{p^3}\left(1 - \ln\dfrac{R(u-p)}{p^2}\right) & \text{if } p \le u \le p + \dfrac{p^2}{R}; \\[2ex]
0 & \text{otherwise.}
\end{cases} \qquad (5)
$$
The corresponding p.d.f. for the square is also in four pieces with the same
intervals for $u$, and differs only from the multiplication in that it is equal to $\sqrt{Ru}/p^2$
when $0 \le u \le p^2/R$, and $1/p - \sqrt{R(u-p)}/p^2$ when $p \le u \le p + p^2/R$.
The theoretical values of Theorem 1 nicely superimpose with experimentally
estimated p.d.f.'s as shown in Fig. 2.
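The densities of Theorem 1 can be checked numerically without any Montgomery arithmetic: integrating each piece must give total mass 1, and the mass above $p$ is exactly the extra-reduction probability, which should come out as $p/(4R)$ for a multiplication and $p/(3R)$ for a square (the marginals that reappear in Theorem 2). The following script is an added example, not code from the paper; it works in the scaled variable $v = u/p$ with $r = p/R$, so only the ratio $p/R$ enters, and the value $r = 0.800907$ is the RSA-1024-p ratio quoted above.

```python
"""Numerical check of Theorem 1: integrate the piecewise p.d.f. f_U of the
Montgomery product (and square) before the final subtraction and verify that
it has total mass 1 and that its mass above p, i.e. the extra-reduction
probability P(U >= p), equals p/(4R) for a multiplication and p/(3R) for a
square.  Added example, not the paper's code.  Everything is expressed in the
scaled variable v = u/p with r = p/R, so only the ratio p/R matters.
"""
import math


def _g(w):
    """w (1 - ln w), extended by continuity to 0 at w = 0."""
    return 0.0 if w <= 0.0 else w * (1.0 - math.log(w))


def pdf_mult(v, r):
    """p * f_U(u) for the multiplication (Theorem 1, eq. 5) with v = u/p."""
    if 0.0 <= v <= r:             # u in [0, p^2/R]:      R u / p^2 = v / r
        return _g(v / r)
    if r <= v <= 1.0:             # u in [p^2/R, p]:      constant 1/p
        return 1.0
    if 1.0 <= v <= 1.0 + r:       # u in [p, p + p^2/R]:  R (u - p) / p^2 = (v - 1) / r
        return 1.0 - _g((v - 1.0) / r)
    return 0.0


def pdf_square(v, r):
    """p * f_U(u) for the square: pieces sqrt(Ru)/p^2 and 1/p - sqrt(R(u-p))/p^2."""
    if 0.0 <= v <= r:
        return math.sqrt(v / r)
    if r <= v <= 1.0:
        return 1.0
    if 1.0 <= v <= 1.0 + r:
        return 1.0 - math.sqrt((v - 1.0) / r)
    return 0.0


def integrate(f, lo, hi, steps=20000):
    """Midpoint rule; it never evaluates the integrand at an endpoint, so the
    logarithm at u = 0 and at u = p is not an issue."""
    h = (hi - lo) / steps
    return sum(f(lo + (i + 0.5) * h) for i in range(steps)) * h


def check(pdf, r):
    """Return (total mass, P(U >= p)) for the density pdf at ratio r = p/R."""
    total = integrate(lambda v: pdf(v, r), 0.0, 1.0 + r)
    tail = integrate(lambda v: pdf(v, r), 1.0, 1.0 + r)   # extra-reduction region
    return total, tail


if __name__ == "__main__":
    r = 0.800907                                   # RSA-1024-p ratio from the paper
    for name, pdf, expected in (("mult", pdf_mult, r / 4), ("square", pdf_square, r / 3)):
        total, tail = check(pdf, r)
        print("%-6s mass=%.5f  P(U>=p)=%.5f  theory=%.5f" % (name, total, tail, expected))
```

Running `check` for other ratios in $]1/2, 1[$ shows the tail probabilities scale linearly with $p/R$, which is why the whole analysis of Sect. 3.3 depends on $p$ only through that ratio.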
Theorem 2 (Joint Probability of Extra-Reduction in Multiplication
Followed by a Square [see Footnote 3]). The following joint probabilities
do not depend on the iteration index $i$, where $l - 1 \ge i > 0$.
When $G_i = T$:
$$
\begin{array}{c|cc}
P(X_{M_i}, X_{S_{i-1}}) & X_{S_{i-1}} = 0 & X_{S_{i-1}} = 1 \\ \hline
X_{M_i} = 0 & 1 - \dfrac{7}{12}\dfrac{p}{R} + \dfrac{1}{48}\left(\dfrac{p}{R}\right)^4 & \dfrac{p}{3R} - \dfrac{1}{48}\left(\dfrac{p}{R}\right)^4 \\[2ex]
X_{M_i} = 1 & \dfrac{p}{4R} - \dfrac{1}{48}\left(\dfrac{p}{R}\right)^4 & \dfrac{1}{48}\left(\dfrac{p}{R}\right)^4
\end{array}
$$

$^3$ Proof of this theorem is given in [8].


When $G_i = F$ in SMA:
$$
\begin{array}{c|cc}
P(X_{M_i}, X_{S_{i-1}}) & X_{S_{i-1}} = 0 & X_{S_{i-1}} = 1 \\ \hline
X_{M_i} = 0 & 1 - \dfrac{7}{12}\dfrac{p}{R} + \dfrac{1}{8}\left(\dfrac{p}{R}\right)^2 & \dfrac{p}{3R} - \dfrac{1}{8}\left(\dfrac{p}{R}\right)^2 \\[2ex]
X_{M_i} = 1 & \dfrac{p}{4R} - \dfrac{1}{8}\left(\dfrac{p}{R}\right)^2 & \dfrac{1}{8}\left(\dfrac{p}{R}\right)^2
\end{array}
$$
When $G_i = F$ in ML:
$$
\begin{array}{c|cc}
P(X_{M_i}, X_{S_{i-1}}) & X_{S_{i-1}} = 0 & X_{S_{i-1}} = 1 \\ \hline
X_{M_i} = 0 & 1 - \dfrac{7}{12}\dfrac{p}{R} + \dfrac{1}{12}\left(\dfrac{p}{R}\right)^2 & \dfrac{p}{3R} - \dfrac{1}{12}\left(\dfrac{p}{R}\right)^2 \\[2ex]
X_{M_i} = 1 & \dfrac{p}{4R} - \dfrac{1}{12}\left(\dfrac{p}{R}\right)^2 & \dfrac{1}{12}\left(\dfrac{p}{R}\right)^2
\end{array}
$$
It can be easily checked that Theorem 2 accurately matches experimental
probability estimations given in Table 1.

Corollary 1. The corresponding correlation coefficients are
$$
\rho(X_{M_i}, X_{S_{i-1}} \mid G_i = T) = \frac{\dfrac{p^4}{48R^4} - \dfrac{p^2}{12R^2}}{\sqrt{\dfrac{p}{4R}\left(1 - \dfrac{p}{4R}\right)\dfrac{p}{3R}\left(1 - \dfrac{p}{3R}\right)}},
$$
$$
\rho(X_{M_i}, X_{S_{i-1}} \mid G_i = F) = \frac{\dfrac{p^2}{24R^2}}{\sqrt{\dfrac{p}{4R}\left(1 - \dfrac{p}{4R}\right)\dfrac{p}{3R}\left(1 - \dfrac{p}{3R}\right)}} \quad \text{in SMA},
$$
$$
\rho(X_{M_i}, X_{S_{i-1}} \mid G_i = F) = 0 \quad \text{in ML}.
$$

Proof. Apply Pearson's correlation definition on the results of Theorem 2.

[Figure 3: Pearson's correlation (vertical axis from $-0.3$ to $0.3$) against the ratio $p/R$ (horizontal axis from $1/2$ to $1$) for the three cases Guess = True, Guess = False (SMA) and Guess = False (ML), with the moduli P-256, RSA-1024-q, RSA-1024-p, brainpoolP256r1 and RSA-1024-n marked on the curves.]

Fig. 3. Pearson's correlation between $X_{M_i}$ and $X_{S_{i-1}}$.
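The Monte Carlo estimate behind Table 1 and the closed forms of Theorem 2 and Corollary 1 can be reproduced together in a few dozen lines. The script below is an added example, not code from the paper: its `mont_mul` is the textbook Montgomery multiplication with a final conditional subtraction, standing in for the paper's Algorithm 3, and its modulus `P` is a constructed odd 512-bit integer chosen so that $p/R = 0.800907$ (the RSA-1024-p ratio quoted above), not the paper's actual prime; since Theorem 2 depends on $p$ only through $p/R$, the same ratio is all that is needed to compare against Table 1. The three data flows sampled are the ones described in Sect. 3.1: the multiply output feeding the next square (correct guess), a dummy multiply sharing one operand with the square (SMA, wrong guess), and a multiply and a square on unrelated data (ML, wrong guess).

```python
"""Monte Carlo check of the correlated extra-reduction bias against the
closed forms of Theorem 2 / Corollary 1.

Added example, not the paper's code.  mont_mul is the textbook Montgomery
multiplication with a final conditional subtraction (the paper's Algorithm 3
is not reproduced here).  P is CONSTRUCTED: an odd 512-bit integer chosen so
that p/R equals the RSA-1024-p ratio 0.800907; it is not the paper's prime.
"""
import math
import random

K = 512
R = 1 << K                                   # Montgomery radix R = 2^512
P = ((800907 * R) // 1000000) | 1            # constructed odd modulus, p/R ~ 0.800907
P_INV_NEG = (-pow(P, -1, R)) % R             # -p^{-1} mod R


def mont_mul(a, b):
    """Return (a*b*R^{-1} mod P, x) where x is the eXtra-reduction bit:
    1 iff the pre-reduction value u = (ab + mP)/R lies in [P, 2P[ and the
    final subtraction u - P is performed (u < 2P whenever a, b < P)."""
    t = a * b
    m = (t * P_INV_NEG) % R
    u = (t + m * P) >> K
    if u >= P:
        return u - P, 1
    return u, 0


def simulate_joint(case, n, seed=1):
    """Estimate P(X_M, X_S | G) by sampling one of the three data flows:
      'T'     multiply output feeds the following square (correct guess),
      'F_SMA' dummy multiply in SMA: multiply and square share one operand,
      'F_ML'  multiply and square work on independent data (ML, wrong guess).
    Returns {(x_M, x_S): relative frequency}."""
    rng = random.Random(seed)
    counts = {(0, 0): 0, (1, 0): 0, (0, 1): 0, (1, 1): 0}
    for _ in range(n):
        a, b = rng.randrange(P), rng.randrange(P)   # uniform in [0, P[, Montgomery form
        if case == "T":
            c, x_m = mont_mul(a, b)
            _, x_s = mont_mul(c, c)        # the square takes the multiply's output
        elif case == "F_SMA":
            _, x_m = mont_mul(a, b)        # result discarded (k_i = 0)
            _, x_s = mont_mul(a, a)        # the square re-uses operand a
        elif case == "F_ML":
            d = rng.randrange(P)
            _, x_m = mont_mul(a, b)
            _, x_s = mont_mul(d, d)        # unrelated operand
        else:
            raise ValueError(case)
        counts[(x_m, x_s)] += 1
    return {k: v / n for k, v in counts.items()}


def theorem2(case, r=P / R):
    """Closed-form joint probabilities of Theorem 2 for r = p/R."""
    q = {"T": r**4 / 48, "F_SMA": r**2 / 8, "F_ML": r**2 / 12}[case]
    return {(0, 0): 1 - 7 * r / 12 + q, (1, 0): r / 4 - q,
            (0, 1): r / 3 - q, (1, 1): q}


def pearson(joint):
    """Pearson correlation of two Bernoulli variables from their joint law
    (the formula of footnote 2)."""
    p_m = joint[(1, 0)] + joint[(1, 1)]     # P(X_M = 1), p/(4R) in theory
    p_s = joint[(0, 1)] + joint[(1, 1)]     # P(X_S = 1), p/(3R) in theory
    cov = joint[(1, 1)] - p_m * p_s
    return cov / math.sqrt(p_m * (1 - p_m) * p_s * (1 - p_s))


def max_abs_gap(case, n=20000):
    """Largest |simulated - theoretical| cell probability for one case."""
    sim, th = simulate_joint(case, n), theorem2(case)
    return max(abs(sim[k] - th[k]) for k in sim)


if __name__ == "__main__":
    for case in ("T", "F_SMA", "F_ML"):
        sim, th = simulate_joint(case, 20000), theorem2(case)
        print(case, {k: round(v, 4) for k, v in sim.items()},
              "rho_sim=%.4f rho_theory=%.4f" % (pearson(sim), pearson(th)))
```

With 20,000 samples per case the simulated cells land within a few thousandths of the Theorem 2 values and the correlations reproduce (2), (3) and (4). Reproducing these numbers for one's own modulus is the quickest way to judge how much an implementation leaks through its final subtraction: a Montgomery routine that always computes $u - p$ and selects the result in constant time leaves no extra-reduction bit to correlate.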


×