Side channel analysis of cryptographic software via early-terminating multiplications

Johann Groszschaedl, Elisabeth Oswald, Daniel Page, Michael Tunstall

Research output: Chapter in Book/Report/Conference proceedingConference Contribution (Conference Proceeding)


The design of embedded processors demands a careful trade-off between many conflicting objectives such as performance, silicon area and power consumption. Often, arrival at such a trade-off ignores the issue of security; in the worst case, a processor itself can cause otherwise secure software to leak information through so-called micro-architectural side-channels. In this paper we show that early-terminating integer multipliers found in many embedded processors (e.g., ARM7TDMI) represent an instance of this problem. The early-termination mechanism causes differences in the latency of multiply instructions depending on the magnitude of the operands (e.g., up to three clock cycles on an ARM7TDMI processor), which are observable via variations in execution time and power consumption. Exploiting the early-termination mechanism makes Simple Power Analysis (SPA) attacks relatively straightforward to mount, and may even allow one to attack implementations with integrated countermeasures that would not leak any information when executed on a processor with a constant-latency multiplier. We describe a number of case studies, including both public-key (RSA, ECIES) and secret-key algorithms (RC6, AES), to demonstrate the threat posed by early-terminating multipliers; in one such attack on AES, we were able the extract the entire key using just eight power traces.
Translated title of the contributionSide Channel Analysis of Cryptographic Software via Early-Terminating Multiplications
Original languageEnglish
Title of host publicationInternational Conference on Information Security and Cryptology - ICISC 2009
PublisherSpringer Berlin Heidelberg
Publication statusPublished - 2009


Dive into the research topics of 'Side channel analysis of cryptographic software via early-terminating multiplications'. Together they form a unique fingerprint.

Cite this