**Exploiting Collisions in Addition Chain-based Exponentiation Algorithms Using a Single Trace**

*Neil Hanley and HeeSeok Kim and Michael Tunstall*

**Abstract: **Public key cryptographic algorithms are typically based on group exponentiation algorithms where the exponent is private. A collision attack is typically where an adversary seeks to determine whether two operations in an exponentiation have the same input. In this paper we extend this to an adversary who seeks to determine whether the output of one operation is used as the input to another. We describe implementations of these attacks to a 192-bit scalar multiplication over an elliptic curve that only require a single power consumption trace to succeed with a high probability. Moreover, our attacks do not require any knowledge of the input to the exponentiation algorithm. These attacks would therefore be applicable to algorithms such as EC-DSA, where an exponent is ephemeral, or to implementations where an exponent is blinded. Moreover, we define attacks against exponentiation algorithms that are considered to be resistant to collision attacks and prove that collision attacks are applicable to all addition chain-based exponentiation algorithms. Hence, we demonstrate that a side-channel resistant implementation of a group exponentiation algorithm will require countermeasures that introduce enough noise such that an attack is not practical.

**Category / Keywords: **Side channel analysis, exponentiation, smart card security

**Date: **received 22 Aug 2012, last revised 18 Dec 2013

**Contact author: **mike tunstall at yahoo co uk

**Available format(s): **PDF | BibTeX Citation

**Note: **Updated results.

**Version: **20131219:014811 (All versions of this report)

**Short URL: **ia.cr/2012/485

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]