Research Article  Open Access
Qi Zhang, An Wang, Yongchuan Niu, Ning Shang, Rixin Xu, Guoshuang Zhang, Liehuang Zhu, "SideChannel Attacks and Countermeasures for IdentityBased Cryptographic Algorithm SM9", Security and Communication Networks, vol. 2018, Article ID 9701756, 14 pages, 2018. https://doi.org/10.1155/2018/9701756
SideChannel Attacks and Countermeasures for IdentityBased Cryptographic Algorithm SM9
Abstract
Identitybased cryptographic algorithm SM9, which has become the main part of the ISO/IEC 148883/AMD1 standard in November 2017, employs the identities of users to generate publicprivate key pairs. Without the support of digital certificate, it has been applied for cloud computing, cyberphysical system, Internet of Things, and so on. In this paper, the implementation of SM9 algorithm and its Simple Power Attack (SPA) are discussed. Then, we present template attack and fault attack on SPAresistant SM9. Our experiments have proved that if attackers try the template attack on an 8bit microcontrol unit, the secret key can be revealed by enabling the device to execute one time. Fault attack even allows the attackers to obtain the 256bit key of SM9 by performing the algorithm twice and analyzing the two different results. Accordingly, some countermeasures to resist the three kinds of attacks above are given.
1. Introduction
With the development of integrated circuit and communication technology, smart devices are not only widely spread in our daily life with the proliferation of Internet of things, but also extensively used in the global IT environments and critical infrastructures. Security becomes a critical issue since attacks on these devices may directly harm the consumers. Several papers [1–4] have studied related security and wireless issues.
IdentityBased Cryptography (IBC) which applies user identity as the public key was proposed by Shamir in 1984 [5] to reduce the complexity of key and certificate management. Developed by the Commercial Cryptography Administration of China in 2016, SM9 [6] has become the most typical identitybased cryptographic algorithm in China. Compared with traditional cryptographic algorithms, SM9 not only omits the exchange of digital certificates and public key processes, but also simplifies the deployment and management of the security systems. Because of its usability and simplicity, SM9 has been employed as the standard for commercial cryptography in China. Its digital signature algorithm has become an international standard as the main part of the ISO/IEC 148883/AMD1 in November 2017 [7] too. It is also adopted to secure various systems and scenarios like Email [8], cloud storage, intelligent devices [9], industrial control, online communications, mobile payment, and so on.
As described in [10] by Kocher et al. in 1999, it has been proved that even though mathematical characteristics can guarantee the security of cryptographic algorithms in theory, their implementation may suffer from SideChannel Attack (SCA). SCA allows attackers to reveal secrets by analyzing the side information of an attacked device which is running a cryptographic algorithm, such as power consumption, electromagnetic radiation, and execution time. Because of the low cost and high efficiency, SCA has successfully cracked lots of devices which run DES [11], AES [12], RSA [13], and ECC [14]. Despite SM9 algorithm being secure in cryptography theory, whether it is against SCA is still a matter of concern.
At present, the three main SCA techniques are Simple Power Attack (SPA), template attack, and fault attack. Due to the versatility and operability, they have been studied in depth and used to crack various cryptographic algorithms. SPA [15] exploits one trace to reconstruct the sequence of operations during the secret computation and derive information about the secrets from this sequence. As a special power analysis, template attack [16] makes a better use of all information present in each sample. And it is hence the strongest form of SCA possible in an information theoretic sense given the few samples that are available. Fault attack, as another main branch of SCA, often injects errors into cryptographic computation processes and identifies the secret key by analyzing the mathematical and statistical properties of wrong calculation results. Proposed by Biham and Shamir in [17], the fault attack on RSA has become a milestone for the security of public key cryptographic devices.
In this paper, we show that SCA does have a practical threat to the implementation of SM9. We propose the above three kinds of SCA attacks on SM9 algorithm. After this, some corresponding countermeasures are also introduced. The main contributions of this paper are as follows.
A SPA attack on SM9 algorithm is proposed. And we also introduce some countermeasures to resist SPA.
Different from general Elliptic Curve Digital Signature Algorithm (ECDSA), the key is a point on elliptic curves rather than a scalar in scalar multiplication for SM9 algorithm. According to this feature, a template attack is presented for SPAresistant SM9 implementation and several countermeasures are provided.
We propose a fault attack and conduct experiments to prove that software implementation of SM9 algorithm is vulnerable to this scheme. And then, some corresponding countermeasures are also presented.
This paper is organized as follows. In Section 2, the summarization of SM9 algorithm and its implementation are introduced. We give the basic idea of SPA on SM9 in detail and put forward some countermeasures in Section 3. Then, in Section 4, a template attack is provided to attack the protected SM9 which can resist SPA and the corresponding countermeasures are also given. In Section 5, a fault attack for SPAresistant SM9 algorithm is presented and several countermeasures are introduced against this scheme. Finally, we conclude this paper in Section 6.
2. The Preliminaries
2.1. SM9 Digital Signature Generation Algorithm
SM9 digital signature algorithm usually assumes a scenario where Alice communicates with Bob. Alice generates the signature of message by SM9 digital signature generation algorithm for authentication and sends them to Bob. Bob validates the received message and its signature with signature verification algorithm to ensure the authenticity and integrity of this digital signature.
In order to express clearly, we give the meanings of letters as follows. The signature private key of Alice denoted as is provided by Key Generation Center (KGC). Group and group are addition cyclic groups of order and their generators are denoted as and , respectively. Group is a multiplicative cyclic group with order . Let denote the bilinear pairs mapping function from to . KGC generates a random number as the signature master private key and computes as the master public key. is wellknown, and is kept secretly by KGC. A cryptographic hash function is denoted as .
Algorithm 1 shows SM9 digital signature generation algorithm. At the beginning of the signature process, system parameters are provided as a part of inputs to make this algorithm work.

2.2. The Implementation of SM9 Digital Signature Algorithm
2.2.1. Scalar Multiplication
Scalar multiplication is the most important part in elliptic curve cryptography algorithm and its fast implementation is an inevitable demand of practical applications. As shown in Algorithm 1, scalar multiplication is directly related to the signature private key in SM9 digital signature generation algorithm.
The operation of adding a point to itself for times is called scalar multiplication and is denoted as . For decades, many methods have been proposed to implement this operation and the most common is binary algorithm. There are two ways to implement scalar multiplication, lefttoright and righttoleft. And the former is shown in Algorithm 2 and the special point is called the point at infinity. In the following sections, we assume that scalar multiplication is executed with the lefttoright binary algorithm.

In Algorithm 2, point doubling is executed times. In probability, the count of 1 in a scalar integer is close to , so point addition is executed nearly times. Let represent point addition and represent point doubling; the operation quantity of binary method is approximately .
2.2.2. Point Addition and Point Doubling
An elliptic curve is a set of points in which . denotes a finite field. The set of points on an elliptic curve, together with a special point called the point at infinity, can be equipped with an Abelian group structure by addition operation. An elliptic curve over can be expressed as the form of Weierstrass equation:where . If prime number and , the Weierstrass equation can be transformed towith .
For prime number and , let be a point. The inverse of is and is a second point with . Point addition can be calculated as with
The operation of is called point addition if . And it is called point doubling if . Obviously, point addition differs from point doubling in the form of formula.
2.2.3. Montgomery Modular Multiplication
Given a modulus and two integers and of size in base , with and , Montgomery modular multiplication algorithm [18] computes:
Montgomery modular multiplication algorithm is shown in Algorithm 3. Its essence is to combine and by traditional multiplication method. As described in line 2 to line 8, is unknown at first. With obtaining calculated by , each can be calculated too. Finally, can be derived. can be computed by alternating all and and adding up to . Figure 1 illustrates the intuitive graphical representation of CIOS modular multiplication [19, 20].

2.3. Power Analysis Attack
In SPA [15], attackers directly observe power consumption for a single execution of target operation without any statistical methods. As a special power analysis, template attack [16] generally consists of the following three phases. The first is template building phase, and attackers build templates to characterize devices by executing a sequence of instructions on fixed data. Next, it allows attackers to match the templates to the power consumption traces of devices in template matching phase. Finally, attackers can do some analysis and derive secret information during offline searching phase.
Hamming weight model proposed in [10, 21] analyzes the correlation between power consumption and the register switching from one state to the other. It is generally assumed that power consumption depends on the number of bits switching from 0 to 1 or 1 to 0 within the corresponding time. For bit register, binary data is coded as with or ; its Hamming weight is the number of bits set to 1. Considering a chip as a large set of elementary electrical components, its power consumption contains not only the state changes but also other variables’ consumption, such as offsets, time dependent components, and noise. Therefore, the basic model for the data dependency can be described as , where is a constant and indicates the other consumption.
2.4. Fault Attack
Fault attack [17] allows attackers to disturb cryptographic devices by physical methods to make them run in wrong states. Due to the injected fault, the devices perform some operations in modified environment and produce incorrect results. Combining with the algorithm in the devices, some knowledge related to the secret key could be gained from the results. Because of the lower cost, simple operation, and obvious effect, fault attack has become one of the most concerned SCA techniques.
Faults in devices can be made for a variety of reasons. In general, variations in normal working conditions can be injecting faults into a system effectively. For example, changing supply voltage or clock frequency can disrupt execution process and cause the processor to skip some instructions or change its output. Exposing devices in the temperatures outside its operational range usually makes random modifications to the memory. It is also possible to inject faults more accurately by using the inherent photoelectric effects of electric circuits. Under the exposure of photons, devices can produce induced currents and disrupt normal operations. In fact, lasers can make faults more precise in terms of target area and injection time. Also, faults can be injected in packaged circuits without removing the packaging by Xrays and ion beams.
2.5. Problem Formulation
Different from the general ECDSA and SM2 algorithm, the secret key in scalar multiplication is the point on elliptic curves rather than the scalar for SM9 algorithm. The scalar of the classical ECC and SM2 is a secret and the point is known, while the scalar and the point are both unknown in SM9. Therefore, the attack methods of the two are fundamentally different. In this paper, we focus on this issue to present template attack described in Section 4 and fault attack described in Section 5 which are only applied to SM9.
3. Simple Power Attack and Countermeasures on SM9
3.1. Simple Power Attack on SM9
In this paper, we focus the computation of scalar multiplication to apply our SPA attack which is described in line 8 of Algorithm 1.
Our SPA attack against SM9 recovers by observing the differences in power consumption caused by the difference operations for bit 1 and bit 0. As described in Algorithm 2, it always performs a point doubling operation whether the bit is 0 or 1. And an extra point addition will be performed if the bit is 1. Because of the differences between sidechannel pattern of doubling and that of addition, attackers can easily reveal from a single power trace. As and are both known, can be calculated by the formula .
Attackers can also perform SPA attack on as shown in line 3 of Algorithm 1. The SPA attack on modular exponentiation is similar to that of scalar multiplication. Employing the different power consumption by manipulating 1 and 0 can derive the exponent . The lengths of , , and are 256 bits so that can be obtained by the formula . According to the scheme described above, attackers can also restore the secret key .
3.2. Countermeasures against Simple Power Attack
Based on our SPA attack, we can draw a conclusion that and are equally important in the security of SM9 digital signature algorithm. It is necessary to deploy some countermeasures on and against SPA attack.
There are five ways [22, 23] against SPA scheme for in SM9 digital signature algorithm. In addition, countermeasures to protect the exponent should be implemented. We would not repeat the descriptions about the methods for here as they are similar to that of . We also can refer to the SPA countermeasures of RSA [13] for against SPA attack.
In conclusion, the five ways are as follows.
(1) Indistinguishable Point Operation Formulae. Indistinguishable Point Operation Formulae (IPOF) try to eliminate the difference between point addition and point doubling. The usage of unified formulae for point doubling and addition is a special case of IPOF. However, even when unified formulae are in use, the implementation of the underlying arithmetic, especially the operations with conditional instructions, may still reveal the type of the point operation (addition or doubling).
(2) DoubleandAddAlways Algorithm. The doubleandaddalways algorithm ensures that the sequence of operations during a scalar multiplication is independent of the scalar by inserting dummy point additions. However, due to the use of dummy operations, it makes the time complexity doubled and may cause safeerror fault attack.
(3) Atomic Block Algorithm. Instead of making the group operations indistinguishable, one can rewrite them as sequences of sidechannel atomic blocks that are indistinguishable for SPA attack. If dummy atomic blocks are added, then this countermeasure may enable safeerror attack.
(4) Montgomery Ladder Method. Because the intermediate values are stored in registers randomly in Montgomery ladder method, the Hamming weight of secret information would not leak out to attackers.
(5) Random Splitting and . There are two different ways to split and . Here we take as an example and also should be protected by the same principle. One is to transform to where is a random integer and do scalar multiplication by the formula:Another is to convert to and where is a 256bit random value. The formula is
4. Template Attack and Countermeasures on SM9
4.1. Template Attack on SM9
The template attack proposed in this paper reveals in the case that both and are unknown. As shown in Section 2, the first step of scalar multiplication performs a point doubling operation. And needs to be calculated by where and represent the coordinate and coordinate of . We focus this computation to perform our template attack. For ease of description, we use (256bit) to replace in Formula (8) and () denotes one byte of .
Assume that SM9 digital signature algorithm is executed on an 8bit microcontroller, and the power consumption of intermediate values in the calculation process of CIOS modular multiplication algorithm can be acquired. We give the letters meanings as follows. is the coordinate of . And and are the power consumption traces with the high 8bit and low 8bit of the intermediate value (, ). The template with Hamming weight from 0 to 8 is denoted as and Match is a method to reflect the degree of and . and denote the Hamming weight of high 8bit and low 8bit of , respectively.
As shown in Figure 2, there are three phases in our template attack. Firstly, in the template building phase, we focus on the operation (, ) and calculate the Hamming weight of high 8bit and low 8bit of as the target of template. We build templates of Hamming weight to characterize devices. Next, we match the templates to the power consumption traces of devices with the match function to obtain and in template matching phase. Finally, two searching operations are carried out during offline searching phase and the secret key can be derived by analysis.
Algorithm 4 shows our template attack. There are two searching operations used to narrow the range of candidates in offline searching phase. The first is shown in offline searching phase from the line 1 to the line 6. For each (), we traverse from 0 to 255, and add satisfying and to set where candidates of are stored. The second searching is based on , as demonstrated in line 7 to the line 14. For each element in () and each element in (), we calculate the high 8bit and low 8bit Hamming weight of . Selecting and with the conditions of and and adding them in set , consists of many pairs and represents the correspondence between and . The pair means that if so . Next, the possible values of can be obtained. It is necessary to validate whether they are the points of the elliptic curve. Finally, the secret key can be recovered.

4.2. Template Attack Experiments on SM9
We present concrete experiments on sidechannel traces captured from a real device. We implemented the Montgomery modular multiplication algorithm and focused on a single precision multiplication power consumption on AT89S52 8bit microcontroller. Traces were acquired on a Lecroy WaveRunner oscilloscope with a sampling rate of 10 GS/s. In our experiments, the parameters and of are shown in Table 1.

The templates of Hamming weight from 0 to 8 built in our attack are illustrated in Figures 3 and 4.
During our template attack, the power consumption of intermediate values in the calculation process of CIOS modular multiplication algorithm is acquired. Figure 5 shows the (blackline) and (darkgrayline) which are the power consumption traces with the high 8bit and low 8bit of . The Match applied in our attack is least square method to reflect the distance of and . Hence, and were revealed which were equal to 6 and 4, respectively. For each from 0 to 31, and can be recovered by the steps described above.
Then, the first searching phase is performed. For each from 0 to 31, we traverse from 0 to 255 and calculate high 8bit and low 8bit Hamming weight of . Selecting with the conditions of and and adding to set , the set where candidates of are stored is given as shown in Table 2.

And then, the second searching phase is carried out. For each element in () and each element in (), we calculate the high 8bit and low 8bit Hamming weight of . Select and with the conditions of and and adding them in set . consists of many pairs and represents the correspondence between and . Next, the possible values of can be obtained. The result of offline searching phase is shown in Figures 6 and 7. Finally, the value of is 93DE051D 62BF718F F5ED0704 487D01D6 E1E40869 09DC3280 E8C4E481 7C66DDDD and it is validated to be correct. And can be revealed successfully. The experiments have proved that our attack works well. If attackers employ the template attack on an 8bit microcontrol unit, the key often can be obtained just by analyzing algorithm procedure of one message.
4.3. Countermeasures Against Template Attack
There are four ways [23, 24] to resist the template attack presented above.
(1) Base Point Blinding. This method is to select a random point and convert to . The value of is computed first and the known value is subtracted at the end of scalar multiplication to ensure its correctness. The and are stored secretly in the cryptographic devices and updated at each iteration.
(2) Random Projective Coordinates. Let denote the mapping value of in the Jacobian coordinates where and . Point is considered to be the same as point where is a random number. For different , is not the same. The random variable can be updated in every execution or after each doubling or addition. Attackers could not accurately gain the values of and , so this method does resist the attack.
(3) Random EC Isomorphism. Based on the isomorphism of elliptic curves, we transform scalar multiplication algorithm to another stochastic mapping domain. A random isomorphism curve is generated and is mapped to which is on . The calculation of is on rather than . Finally, we should map to and get . As can not be estimated, this method can resist the template attack.
(4) Random Field Isomorphism. This method makes use of isomorphisms between fields. To compute , it first randomly chooses a field to through isomorphism and then computesIt means that is used to represent and is calculated on . Finally we need to transform to . The value of is hidden in this method so as to resist the above attack.
Figures 8 and 9 show the templates of Hamming weight from 0 to 8 after applying some countermeasures.
5. Fault Attack and Countermeasures on SM9
5.1. Fault Attack on SM9
Base point is one of the system parameters in scalar multiplication, and it is determined by protocols. So we inject a singlebit fault on base point to recover the secret key. Two assumptions are made before the fault attack on SM9 is performed. One hypothesis is that attackers can inject a fault on at an unknown location during the moments of error detection and signature computation. Let denote the fault key. Another assumption is that the injected fault causes a bit value to flip from 0 to 1.
Figure 10 illustrates the flowchart of fault attack on SM9. As an example, we performed the fault attack on . The correct signature for message is calculated by the formula . Then, a singlebit fault is injected to the coordinate of and the fault key is denoted as . The wrong signature for message is calculated by the formula . Obviously, and are on , while and are on . As and are both known, and can be calculated. So we have
Then, (11) can be gained:
Let ; (11) is equal toBecause only one bit is different between and , (12) can be expressed aswhere . And represents the location of the different bit.
Convert (13) into the following form:
For each from 0 to 255, its corresponding equation like (14) can be obtained. All values of satisfying this equation are calculated by mathematical methods and added to set . If is an empty set, that means the fault position corresponding to this equation is incorrect. Otherwise, the fault position is correct and we need to validate each for getting the real . It is worth noting that as long as is correct, the equation must have solutions. Once the is derived, the value of can be calculated correctly.
Obviously, if the fault is injected into the coordinate of , the above fault attack is still performed validly. And our fault attack also has the ability to break the SPAresistant SM9 implementation.
To sum up the above, the fault attack algorithm is shown in Algorithm 5.

Remark 1. In the above attack, we assume that the injected fault causes a bit to flip from 0 to 1. As we all know, common faults are singlebit flipping fault, singlebit constant fault, and multibits fault. In fact, no matter which fault is injected, as long as , the above attack can be performed. If , for singlebit constant fault, we can think of it as a singlebit flipping fault. For multibits fault, the only difference is that multi should be searched. We believe that using mathematical methods to solve this issue is not a difficult task.
5.2. Fault Attack Experiments on SM9
Assume that the elliptic curve used in our experiments is . The is a prime number, and means the order of group . The denotes a point of , and the scalar is denoted as . is computed by . Let denote the fault point, and the wrong signature of message is computed by the formula . The experiment parameters are listed in Table 3. We can see that the fault location is equal to 1.

We conduct some experiments with the attack in Algorithm 5, and the intermediate values of SM9 digital signature algorithm are shown in Table 4. When , the equation has two solutions that may be the correct . Let and denote the two solutions, and , , , and denote the corresponding calculated by . Comparing with Table 3, and are the correct coordinate and coordinate of , so the fault attack also shows its feasibility. Usually, attackers can reveal the 256bit by enabling the device to execute twice and comparing the two different results by our fault attack.

5.3. Countermeasures against Fault Attack
We introduce three countermeasures against the above fault attack [25–27]; they are as follows.
(1) Point Validation. This method verifies if a point lies on the specified curve or not. It should be performed before and after scalar multiplication. If the point or result does not belong to the original curve, no output should be given. It is an effective countermeasure against our fault attack.
(2) Curve Integrity Check. The curve integrity check is to detect faults on curve parameters. Before starting an SM9 algorithm the curve parameters are read from the memory and verified using an error detecting code (i.e., cyclic redundancy check) before the algorithm execution. It is an effective method to prevent the fault attack above.
(3) Coherence Check. A coherence check verifies the intermediate or final results with respect to a valid pattern. Randomly coding the intermediate variables such as scalar, base point, and curve parameters is a most common operation.
(4) Combined Curve Check. This method uses a reference curve to detect faults. It makes use of two curves: a reference curve and a combined curve that is defined over the ring . In order to compute on curve , it first generates a combined point from and (with prime order). Two scalar multiplications are then performed: on and on . If no error occurred, and () will be equal. Otherwise, the one of the results is faulty and the results should be aborted. It is also an effective countermeasure against the fault attack presented in this paper.
(5) Security Curve Selection. Using the NIST curves [28] with the fragile twin curves should be avoided.
6. Conclusion
In this paper, we propose SPA attack, template attack, and fault attack on SM9 algorithm. After this, some corresponding countermeasures are also introduced. We also conduct some experiments to prove the validity of these attacks. Although this paper mainly studies SCA attacks of SM9 digital signature algorithm, we have reason to believe that these schemes are equally effective for SM9 encryption algorithm.
Overall, a security SM9 digital signature algorithm implementation should pay attention to these points shown in Table 5. And we also provide the overhead to deploy these countermeasures as a reference guidance for the SM9 algorithm security implementation [27].

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This work is supported by Beijing Natural Science Foundation (no. 4162053), the National Cryptography Development Fund (no. MMJJ20170201), the Foundation of Science and Technology on Information Assurance Laboratory, and Beijing Institute of Technology Research Fund Program for Young Scholars.
References
 X. Hei, X. Du, J. Wu, and F. Hu, “Defending resource depletion attacks on implantable medical devices,” in Proceedings of the of IEEE GLOBECOM, MIA, FL, USA, 2010. View at: Publisher Site  Google Scholar
 X. Du, Y. Xiao, M. Guizani, and H.H. Chen, An Effective Key Management Scheme for Heterogeneous Sensor Networks, Ad Hoc Networks, vol. 5, Elsevier, 2007. View at: Publisher Site
 X. J. Du, M. Guizani, Y. Xiao, and H.H. Chen, “Transactions papers a routingdriven Elliptic Curve Cryptography based key management scheme for Heterogeneous Sensor Networks,” IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1223–1229, 2009. View at: Publisher Site  Google Scholar
 X. Du, M. Guizani, Y. Xiao, and H.H. Chen, “Secure and efficient time synchronization in heterogeneous sensor networks,” IEEE Transactions on Vehicular Technology, vol. 57, no. 4, pp. 2387–2394, 2008. View at: Publisher Site  Google Scholar
 A. Shamir, Identitybased cryptosystems and signature schemes Crypto, vol. 84, 1984.
 F. Yuan and Z. Cheng, “Overview on SM9 IdentityBased Cryptographic Algorithm,” Journal of Information Security Research, 2016. View at: Google Scholar
 ISO/IEC 148883:2016 DAmd 1, Information technology  Security techniques  Digital signatures with appendix, Part 3: Discrete logarithm based mechanisms, https://www.iso.org/standard/70631.html.
 Z. Cheng, Email security system, 2016, https://www.olymtech.net/products/application/mailclient.html.
 M. Zhang, X. Du, and K. Nygard, “Improving Coverage Performance in Sensor Networks by Using Mobile Sensors,” in Proceedings of the IEEE MILCOM, Atlantic City, NJ, USA, 2005. View at: Publisher Site  Google Scholar
 P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Advances in Cryptology, pp. 388–397, Springer, 1999. View at: Publisher Site  Google Scholar
 B. Yang, K. Wu, and R. Karri, “Scan based side channel attack on dedicated hardware implementations of data encryption standard Test Conference,” in Proceedings of the ITC International IEEE, pp. 339–344, USA, October 2004. View at: Google Scholar
 E. Oswald, A sidechannel analysis resistant description of the AES Sbox International Workshop on Fast Software Encryption, Springe, Berlin, Heidelberg, Germany, 2005. View at: MathSciNet
 Y. Yarom and K. Falkner, FLUSH+ RELOAD: A High Resolution, Low Noise, L3 Cache SideChannel Attack USENIX Security Symposium, 2014.
 T. Izu and T. Takagi, A fast parallel elliptic curve multiplication resistant against side channel attacks Public Key Cryptography, 2002. View at: Publisher Site
 S. Mangard, A simple poweranalysis (SPA) attack on implementations of the AES key expansion International Conference on Information Security and Cryptology, vol. 2587 of Springer, Berlin, Heidelberg, Germany, 2003. View at: Publisher Site  MathSciNet
 S. Chari, J. R. Rao, and P. Rohatgi, Template attacks International Workshop on Cryptographic Hardware and Embedded Systems, Springer, Berlin, Heidelberg, Germany, 2003. View at: Publisher Site
 E. Biham and A. Shamir, “Differential fault analysis of secret key cryptosystems,” in Advances in CryptologyCRYPTO’97, pp. 513–525, 1997. View at: Publisher Site  Google Scholar
 P. L. Montgomery, “Modular multiplication without trial division,” Mathematics of Computation, vol. 44, no. 170, pp. 519–521, 1985. View at: Publisher Site  Google Scholar  MathSciNet
 Ç. K. Koç, T. Acar, and B. S. Kaliski, “Analyzing and comparing montgomery multiplication algorithms,” IEEE Micro, vol. 16, no. 3, pp. 26–33, 1996. View at: Publisher Site  Google Scholar
 M. McLoone, C. McIvor, and J. V. McCanny, “Coarsely integrated operand scanning (CIOS) architecture for highspeed Montgomery modular multiplication FieldProgrammable Technology,” in Proceedings of the IEEE International Conference, pp. 185–191, December 2004. View at: Google Scholar
 E. Brier, C. Clavier, and F. Olivier, Correlation Power Analysis with a Leakage Model International Workshop on Cryptographic Hardware and Embedded Systems, Springer, Berlin, Heidelberg, Germany, 2004. View at: Publisher Site
 L. Goubin and J. Patarin, DES and Differential Power Analysis the Duplication Method Cryptographic Hardware and Embedded Systems, Springer, Berlin, Heidelberg, Germany, 1999. View at: Publisher Site
 P.Y. Liardet and N. P. Smart, Preventing SPA/DPA in ECC systems using the Jacobi form International Workshop on Cryptographic Hardware and Embedded Systems, Springer, Berlin, Heidelberg, Germany, 2001. View at: Publisher Site  MathSciNet
 J. Cheol Ha and S. Jae Moon, Randomized SignedScalar Multiplication of ECC to Resist Power Attacks CHES, 2003. View at: Publisher Site
 J.W. Lee, S.C. Chung, H.C. Chang, and C.Y. Lee, An Efficient Countermeasure against Correlation PowerAnalysis Attacks with Randomized Montgomery Operations for DFECC Processor CHES, 2012. View at: Publisher Site
 A. Barenghi, L. Breveglieri, I. Koren, and D. Naccache, “Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures,” Proceedings of the IEEE, vol. 100, no. 11, pp. 3056–3076, 2012. View at: Publisher Site  Google Scholar
 J. Fan and I. Verbauwhede, “An Updated Survey on Secure ECC Implementations: Attacks, Countermeasures and Cost,” in Cryptography and security, vol. 6805, pp. 265–282, 2012. View at: Google Scholar
 M. Brown, D. Hankerson, J. Lpez, and A. Menezes, “Software implementation of the NIST elliptic curves over prime fields,” Topics in CryptologylCTRSA, vol. 2001, pp. 250–265, 2001. View at: Publisher Site  Google Scholar  MathSciNet
Copyright
Copyright © 2018 Qi Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.