Attacking embedded ECC implementations through cmov side channels

Lukasz Chmielewski, Erick Nascimento, David Oswald, Peter Schwabe

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Side-channel attacks against implementations of elliptic-curve cryptography have been extensively studied in the literature, and a large tool-set of countermeasures is available to thwart different attacks in different contexts. The current state of the art in attacks and countermeasures is nicely summarized in multiple survey papers, the most recent one by Danger et al. [21]. However, any combination of those countermeasures is ineffective against attacks that require only a single trace and directly target a conditional move (cmov) – an operation that is at the very foundation of all scalar-multiplication algorithms. This operation can either be implemented through arithmetic operations on registers or through various different approaches that all boil down to loading from or storing to a secret address. In this paper we demonstrate that such an attack is indeed possible for ECC software running on AVR ATmega microcontrollers, using a protected version of the popular µNaCl library as an example. For the targeted implementations, we are able to recover 99.6% of the key bits for the arithmetic approach and 95.3% of the key bits for the approach based on secret addresses, with confidence levels 76.1% and 78.8%, respectively. All publicly available ECC software for the AVR that we are aware of uses one of the two approaches and is thus in principle vulnerable to our attack.
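To make the two cmov styles named in the abstract concrete, here is an added example (not code from the paper or from µNaCl) of a Montgomery ladder over a constructed toy additive group, written once with an arithmetic mask-based conditional swap and once with secret-bit-indexed loads and stores; the modulus and the group operations are stand-ins for real curve arithmetic.

```c
#include <stdint.h>

/* Toy group: integers mod P, "point addition" is addition mod P and
   "doubling" is doubling mod P. P is a constructed value, not a curve parameter. */
#define P 1000003ULL

static uint64_t g_add(uint64_t a, uint64_t b) { return (a + b) % P; }
static uint64_t g_dbl(uint64_t a)             { return (2 * a) % P; }

/* Approach 1: arithmetic cswap. The secret bit is stretched into an all-ones
   or all-zeros mask and the registers are exchanged with XOR/AND only.
   No branch, no secret-dependent address, but the mask value itself is
   what a single-trace power attack can observe. */
static void cswap_arith(uint64_t *a, uint64_t *b, unsigned bit) {
    uint64_t mask = 0 - (uint64_t)(bit & 1);   /* 0x00..00 or 0xFF..FF */
    uint64_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

uint64_t ladder_arith(uint64_t k, uint64_t p) {
    uint64_t r0 = 0, r1 = p % P;               /* invariant: r1 = r0 + p */
    for (int i = 63; i >= 0; i--) {
        unsigned bit = (k >> i) & 1;
        cswap_arith(&r0, &r1, bit);            /* exchange if bit is set */
        r1 = g_add(r0, r1);
        r0 = g_dbl(r0);
        cswap_arith(&r0, &r1, bit);            /* exchange back */
    }
    return r0;
}

/* Approach 2: secret-address selection. The ladder registers sit in a
   two-entry table and the key bit picks which entry is loaded and stored.
   Control flow is uniform, but the accessed address depends on the bit. */
uint64_t ladder_addr(uint64_t k, uint64_t p) {
    uint64_t r[2] = { 0, p % P };
    for (int i = 63; i >= 0; i--) {
        unsigned bit = (k >> i) & 1;
        r[1 - bit] = g_add(r[0], r[1]);
        r[bit]     = g_dbl(r[bit]);
    }
    return r[0];
}

/* Reference: k*p mod P computed directly, to check that both ladders agree. */
uint64_t scalar_ref(uint64_t k, uint64_t p) {
    return ((k % P) * (p % P)) % P;
}
```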
Original language: English
Title of host publication: Selected Areas in Cryptography – SAC 2016
Subtitle of host publication: 23rd International Conference, St. John's, NL, Canada, August 10-12, 2016, Revised Selected Papers
Editors: Roberto Avanzi, Howard Heys
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Number of pages: 22
ISBN (Electronic): 9783319694535
ISBN (Print): 9783319694528
Publication status: E-pub ahead of print - 20 Oct 2017
Event: 23rd Conference on Selected Areas in Cryptography (SAC 2016) - St. John's, Newfoundland and Labrador, Canada
Duration: 10 Aug 2016 - 12 Aug 2016

Publication series

Name: Lecture Notes in Computer Science
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 23rd Conference on Selected Areas in Cryptography (SAC 2016)
City: St. John's, Newfoundland and Labrador


  • ECC
  • Montgomery ladder
  • Power Analysis
  • AVR
  • Conditional move
