
arxiv: 2604.22429 · v1 · submitted 2026-04-24 · 💻 cs.CR

Horizontal SCA Attacks on Binary kP Algorithms using Chevallier-Mames Atomic Blocks

Pith reviewed 2026-05-08 11:36 UTC · model grok-4.3

classification 💻 cs.CR
keywords: side-channel attacks, elliptic curve cryptography, scalar multiplication, atomic blocks, horizontal attacks, single-trace SCA, Chevallier-Mames patterns

The pith

Binary scalar multiplication with Chevallier-Mames atomic blocks remains vulnerable to single-trace side-channel attacks

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests whether atomic block patterns can prevent single-trace side-channel attacks on elliptic curve scalar multiplication, a basic operation in public-key cryptography. It builds software and hardware versions of the binary right-to-left and left-to-right algorithms that follow the Chevallier-Mames pattern, which groups field operations into identical-looking blocks. Horizontal analysis of power traces from these versions succeeds in recovering the secret scalar. The same attacks work even after projective coordinate randomization is added to the left-to-right version. Readers should care because many deployed elliptic-curve systems rely on this operation and on atomicity as a defense against easy-to-mount single-trace attacks.

Core claim

The authors demonstrate through software and hardware implementations that binary right-to-left and left-to-right kP algorithms, when implemented with Chevallier-Mames atomic block patterns, are still vulnerable to single-trace SCA attacks. The vulnerability remains true for the left-to-right kP algorithm with projective coordinate randomization.

What carries the argument

Chevallier-Mames atomic block patterns, which replace variable point operations in binary kP algorithms with fixed sequences of field multiplications, additions, and inversions intended to produce indistinguishable power traces.

If this is right

  • Single-trace horizontal attacks recover the scalar from both right-to-left and left-to-right versions protected by these atomic blocks.
  • Projective coordinate randomization does not remove the leakage for the left-to-right algorithm.
  • Both software and hardware realizations of the protected algorithms exhibit the vulnerability.
  • Implementations relying solely on Chevallier-Mames atomicity require additional countermeasures.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Other proposed atomic patterns for elliptic-curve operations may need similar horizontal-attack testing.
  • Combined use of atomic blocks with constant-time field arithmetic or masking could be checked for residual leakage.
  • The attack method could be applied to scalar multiplication on other curve models or with different coordinate systems.

Load-bearing premise

The authors' software and hardware implementations correctly follow the Chevallier-Mames atomic block specification and the observed leakage generalizes beyond their specific test setups.

What would settle it

Power traces collected from a new, independent implementation of the randomized left-to-right algorithm in which the horizontal analysis method used in the paper produces no usable correlation with the scalar bits.

Figures

Figures reproduced from arXiv: 2604.22429 by Alkistis Aikaterini Sigourou, Gerald Isheanesu Matungamire, Gerrit Schrock, Ievgen Kabin, Peter Langendoerfer, Zoya Dyka.

Figure 1. Measurements of EM trace on the back side of the microcontroller’s board: position and orientation of the EM probe are shown, zoomed in.

Figure 3. Figure 3 shows a part of the oscilloscope’s waveform for FPGA measurement. The shown part corresponds to the execution of a PA and a PD. Each PA consists of 16 atomic blocks Δ1, …, Δ16; each PD consists of 10 atomic blocks Δ1, …, Δ10. To avoid the successful simple SCA attack, the shapes of all atomic blocks have to be very similar, but it is clearly visible that the shapes of the atomic blocks Δ1-Δ4 and Δ9 in the…

Figure 8. Distinguishability of PD and PA operations in the left-to-right kP algorithm with randomization of projective coordinates: a) Pearson coefficients calculated for template and each 24 clock cycles long part of the measured trace; red dotted lines show the coefficients higher than 0.9; b) labeled measured trace. The distinguishability of PD and PA operations using the marked correlation coefficients is d…

Figure 7. A part of each atom Δ3 (red lines), from all four PD operations, aligned; template is marked in black. Based on these observations, we decided to use the template for the calculation of Pearson coefficients for each 24 clock cycles long part of the measured trace to determine all very 1 It is the notation for kP algorithms based on [17]. Please note that the Montgomery ladder is known as resistant to timin…
Original abstract

Scalar multiplication kP is the operation most frequently targeted in Elliptic Curve (EC) cryptosystems. To protect against single-trace Side-Channel Analysis (SCA) attacks, the atomicity principle and various atomic block patterns have been proposed in the past. In this work we use our software and hardware implementations to demonstrate that binary right-to-left and left-to-right kP algorithms, when implemented with Chevallier-Mames atomic block patterns, are still vulnerable to single-trace SCA attacks. The vulnerability remains true for the left-to-right kP algorithm with projective coordinate randomization.
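The check described in the Figure 7 and Figure 8 captions, written as a distinguishability test a designer can run against traces of their own atomic-block implementation. This is an added example, not code from the paper or from Pith: the trace is constructed rather than measured, and it assumes one sample per clock cycle, atomic blocks exactly 24 samples long, a textbook left-to-right loop, and a flaw placed in block 3 of every PD. All function names are hypothetical.

```python
import random

WINDOW = 24                     # samples per trace part (assumes 1 sample per clock cycle)
THRESHOLD = 0.9                 # coefficients above this are marked, as in Figure 8
PD_BLOCKS, PA_BLOCKS = 10, 16   # atomic blocks per PD and per PA (Figure 3 caption)

def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def operations(bits):
    """Textbook left-to-right binary kP: a PD per bit, plus a PA when the bit is 1."""
    ops = []
    for bit in bits[1:]:        # the leading 1 only initialises the accumulator
        ops += ["PD", "PA"] if bit else ["PD"]
    return ops

def constructed_trace(ops, rng, flawed=True, sigma=0.5):
    """Constructed, not measured: all atomic blocks share one shape plus noise,
    except block 3 of every PD, which has its own shape when flawed is True."""
    base = [i % 4 for i in range(WINDOW)]
    flaw = [min(i, WINDOW - i) for i in range(WINDOW)]
    trace = []
    for op in ops:
        for blk in range(PD_BLOCKS if op == "PD" else PA_BLOCKS):
            shape = flaw if (flawed and op == "PD" and blk == 2) else base
            trace += [s + rng.gauss(0, sigma) for s in shape]
    return trace

def window_coefficients(trace, template):
    """Pearson coefficient of the template with each WINDOW-long part of the trace."""
    return [pearson(trace[i:i + WINDOW], template)
            for i in range(0, len(trace) - WINDOW + 1, WINDOW)]

def marked_operations(coeffs):
    """Label operations from the gaps between windows marked above THRESHOLD."""
    marks = [i for i, c in enumerate(coeffs) if c > THRESHOLD]
    ops = []
    for a, b in zip(marks, marks[1:] + [len(coeffs) + 2]):
        ops += ["PD", "PA"] if b - a == PD_BLOCKS + PA_BLOCKS else ["PD"]
    return ops

def assess(bits, flawed=True, seed=1):
    """True means the PD/PA sequence is readable from one trace: atomicity failed."""
    ops = operations(bits)
    trace = constructed_trace(ops, random.Random(seed), flawed)
    # Template: mean of block 3 over the first four PDs, as described for Figure 7.
    starts, pos = [], 0
    for op in ops:
        if op == "PD":
            starts.append((pos + 2) * WINDOW)
        pos += PD_BLOCKS if op == "PD" else PA_BLOCKS
    parts = [trace[s:s + WINDOW] for s in starts[:4]]
    template = [sum(col) / len(parts) for col in zip(*parts)]
    return marked_operations(window_coefficients(trace, template)) == ops
```

With the flaw modelled, `assess` returns True for a known test scalar; with `flawed=False` the marks no longer line up with the PD operations and it returns False, which is the outcome an atomic implementation is supposed to produce.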

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper claims that binary right-to-left and left-to-right kP (scalar multiplication) algorithms on elliptic curves remain vulnerable to single-trace horizontal SCA attacks even when implemented with Chevallier-Mames atomic block patterns. The authors support this via software and hardware implementations and further assert that the vulnerability holds for the left-to-right variant under projective coordinate randomization.

Significance. If the experimental evidence is made reproducible and quantitatively robust, the result would be significant for elliptic-curve cryptography: it would demonstrate that a well-known atomicity countermeasure fails to protect standard binary kP algorithms against horizontal single-trace attacks, thereby affecting the design of secure implementations in both software and hardware.

major comments (1)
  1. [Abstract and experimental description] The abstract states that software and hardware implementations were used to demonstrate the attacks, but the manuscript supplies no information on trace acquisition (platforms, sampling rates, number of traces collected), the precise statistical or correlation technique applied for the single-trace horizontal attack, or any success-rate metrics. Because the central claim is an empirical demonstration rather than a derivation, these missing details are load-bearing for assessing validity and reproducibility.
minor comments (1)
  1. Define all acronyms (SCA, kP, EC) on first use and ensure consistent notation for atomic blocks throughout.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the detailed review and constructive feedback. We agree that the experimental description requires substantial expansion to support reproducibility and will revise the manuscript accordingly.

Point-by-point responses
  1. Referee: [Abstract and experimental description] The abstract states that software and hardware implementations were used to demonstrate the attacks, but the manuscript supplies no information on trace acquisition (platforms, sampling rates, number of traces collected), the precise statistical or correlation technique applied for the single-trace horizontal attack, or any success-rate metrics. Because the central claim is an empirical demonstration rather than a derivation, these missing details are load-bearing for assessing validity and reproducibility.

    Authors: We agree that the current manuscript does not supply the requested experimental details. In the revised version we will add a dedicated experimental section that specifies: the hardware and software platforms used for trace collection, sampling rates and acquisition equipment, the total number of traces recorded per experiment, the exact statistical or correlation method applied to perform the single-trace horizontal attack (including any preprocessing steps), and quantitative success-rate figures (e.g., key-recovery rates over multiple scalar multiplications). These additions will directly address the reproducibility concern raised.

    Revision: yes

Circularity Check

0 steps flagged

No significant circularity; experimental demonstration only

Full rationale

The paper reports an empirical attack demonstration on binary kP algorithms using Chevallier-Mames atomic blocks, based on the authors' own software and hardware implementations. No derivation chain, equations, fitted parameters presented as predictions, or load-bearing self-citations appear in the provided material. The central claim rests on observed leakage traces rather than any reduction to inputs by construction, making the work self-contained as an experimental test.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on standard assumptions from side-channel analysis literature (power leakage models, atomic block definitions) and the correctness of the authors' implementations; no new entities or fitted parameters are introduced in the abstract.

axioms (1)
  • domain assumption: Atomic block patterns can be implemented to enforce identical power profiles for different field operations.
    Invoked implicitly when claiming that Chevallier-Mames blocks should protect against single-trace attacks.

pith-pipeline@v0.9.0 · 5419 in / 1159 out tokens · 48528 ms · 2026-05-08T11:36:19.579013+00:00 · methodology


Reference graph

Works this paper leans on

34 extracted references · 34 canonical work pages

  1. B. Chevallier-Mames, M. Ciet, and M. Joye, ‘Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity’, IEEE Trans. Comput., vol. 53, no. 6, pp. 760–768, Jun. 2004, doi: 10.1109/TC.2004.13

  2. C. H. Gebotys, ‘Security-driven exploration of cryptography in DSP cores’, in Proceedings of the 15th international symposium on System Synthesis, in ISSS ’02. New York, NY, USA: Association for Computing Machinery, Oct. 2002, pp. 80–85. doi: 10.1145/581199.581218

  3. A. Bauer, et al., ‘Horizontal Collision Correlation Attack on Elliptic Curves’, in Selected Areas in Cryptography -- SAC 2013, vol. 8282, T. Lange, K. Lauter, and P. Lisoněk, Eds., in LNCS, vol. 8282, Springer 2014, pp. 553–570. doi: 10.1007/978-3-662-43414-7_28

  4. I. Kabin, et al., ‘Atomicity and Regularity Principles Do Not Ensure Full Resistance of ECC Designs against Single-Trace Attacks’, Sensors, vol. 22, no. 8, Art. no. 8, Jan. 2022, doi: 10.3390/s22083083

  5. A. A. Sigourou, Z. Dyka, P. Langendoerfer, and I. Kabin, ‘Atomic Patterns: Field Operation Distinguishability on Cryptographic ASICs’, in 2025 IEEE CSR, Chania, Crete, Greece: IEEE, Aug. 2025, pp. 990–995. doi: 10.1109/CSR64739.2025.11130154. [6] F. Rondepierre, ‘Revisiting Atomic Patterns for Scalar Multiplications on Elliptic Curves’, in Smart Card Re...

  6. P. Longa, ‘Accelerating the Scalar Multiplication on Elliptic Curve Cryptosystems Over Prime Fields’, 2007

  7. G. Schrock, et al., ‘Distinguishability of EC Point Doublings and Additions in Binary kP Implementations using Chevallier-Mames Atomic Blocks’, in 2025 IEEE EWDTS, Tbilisi, Georgia: IEEE, Dec. 2025, pp. 1–6. doi: 10.1109/EWDTS67441.2025.11303708

  8. ‘LAUNCHXL-F28379D Development kit | TI.com’. Available: https://www.ti.com/tool/LAUNCHXL-F28379D

  9. Flecc in C. (Sep. 07, 2022). Scilab. Institute of Information Security. [Online]. Available: https://github.com/isec-tugraz/flecc_in_c

  10. ‘Digital Signature Standard (DSS)’, National Institute of Standards and Technology (U.S.), Washington, D.C., NIST FIPS 186-5, Feb. 2023. doi: 10.6028/NIST.FIPS.186-5

  11. J.-S. Coron, ‘Resistance Against Differential Power Analysis For Elliptic Curve Cryptosystems’, in CHES, Ç. K. Koç and C. Paar, Eds., Berlin, Heidelberg: Springer, 1999, pp. 292–302. doi: 10.1007/3-540-48059-5_25

  12. ‘Arty Z7: Zynq-7000 SoC Development Board’, Digilent. Available: https://digilent.com/shop/arty-z7-zynq-7000-soc-development-board/

  13. ‘Langer EMV - MFA-R 0.2-75, Near-Field Micro Probe 1 MHz up to 1 GHz’. Available: https://www.langer-emv.de/en/product/mfa-active-1mhz-up-to-6-ghz/32/mfa-r-0-2-75-near-field-micro-probe-1-mhz-up-to-1-ghz/854 [15] ‘Langer EMV - ICS 105 set, IC Scanner 4-Axis Positioning System’. Available: https://www.langer-emv.com/en/product/langer-scanner/41/ics-10...

  14. I. Kabin, et al., ‘Unified field multiplier for ECC: Inherent resistance against horizontal SCA attacks’, in 2018 13th DTIS, Taormina: IEEE, Apr. 2018, pp. 1–4. doi: 10.1109/DTIS.2018.8368560

  15. P. L. Montgomery, ‘Speeding the Pollard and elliptic curve methods of factorization’, Math. Comput., vol. 48, no. 177, pp. 243–264, 1987, doi: 10.1090/S0025-5718-1987-0866113-7

  16. J. Fan, et al., ‘State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures’, in 2010 HOST, Anaheim, CA, USA: IEEE, Jun. 2010, pp. 76–87. doi: 10.1109/HST.2010.5513110

  17. M. Azouaoui, et al., ‘Fast Side-Channel Security Evaluation of ECC Implementations: Shortcut Formulas for Horizontal Side-Channel Attacks Against ECSM with the Montgomery Ladder’, in Constructive Side-Channel Analysis and Secure Design, vol. 11421, I. Polian and M. Stöttinger, Eds., in LNCS, vol. 11421, Cham: Springer International Publishing, 2019...

  18. J. Samotyja and K. Lemke-Rust, ‘Practical Results of ECC Side Channel Countermeasures on an ARM Cortex M3 Processor’, in Proceedings of the 2016 ACM Workshop on Theory of Implementation Security, Vienna Austria: ACM, Oct. 2016, pp. 27–35. doi: 10.1145/2996366.2996371

  19. M. Joye and S.-M. Yen, ‘The Montgomery Powering Ladder’, in CHES 2002, B. S. Kaliski, Çetin K. Koç, and C. Paar, Eds., Berlin, Heidelberg: Springer, 2003, pp. 291–302. doi: 10.1007/3-540-36400-5_22

  20. K. Itoh, T. Izu, and M. Takenaka, ‘Address-Bit Differential Power Analysis of Cryptographic Schemes OK-ECDH and OK-ECDSA’, in CHES 2002, vol. 2523, B. S. Kaliski, Çetin K. Koç, and C. Paar, Eds., in LNCS, vol. 2523, Springer Berlin Heidelberg, 2003, pp. 129–143. doi: 10.1007/3-540-36400-5_11

  21. I. Kabin, Z. Dyka, D. Kreiser, and P. Langendoerfer, ‘Horizontal address-bit DPA against montgomery kP implementation’, in 2017 ReConFig, Cancun: IEEE, Dec. 2017, pp. 1–8. doi: 10.1109/RECONFIG.2017.8279800

  22. A. A. Sigourou, I. Kabin, P. Langendörfer, N. Sklavos, and Z. Dyka, ‘Successful Simple Side Channel Analysis: Vulnerability of an atomic pattern kP algorithm implemented with a constant time crypto library to simple electromagnetic analysis attacks’, in 2023 MECO, Jun. 2023, pp. 1–6. doi: 10.1109/MECO58584.2023.10154940

  23. K. Itoh, T. Izu, and M. Takenaka, ‘A Practical Countermeasure against Address-Bit Differential Power Analysis’, in CHES 2003, C. D. Walter, Ç. K. Koç, and C. Paar, Eds., Berlin, Heidelberg: Springer, 2003, pp. 382–396. doi: 10.1007/978-3-540-45238-6_30

  24. M. Izumi, et al., ‘Improved countermeasure against Address-bit DPA for ECC scalar multiplication’, in DATE 2010, Dresden: IEEE, Mar. 2010, pp. 981–984. doi: 10.1109/DATE.2010.5456907

  25. L. Batina, et al., ‘Side-channel evaluation of FPGA implementations of binary Edwards curves’, in 2010 17th IEEE ICECS, Athens, Greece: IEEE, Dec. 2010, pp. 1248–

  26. doi: 10.1109/ICECS.2010.5724745

  27. N. Pirotte, J. Vliegen, L. Batina, and N. Mentens, ‘Design of a Fully Balanced ASIC Coprocessor Implementing Complete Addition Formulas on Weierstrass Elliptic Curves’, in DSD 2018, Prague: IEEE, Aug. 2018, pp. 545–552. doi: 10.1109/DSD.2018.00095

  28. I. Kabin, Z. Dyka, and P. Langendoerfer, ‘Randomized Addressing Countermeasures are Inefficient Against Address-Bit SCA’, in IEEE CSR 2023, Venice, Italy: IEEE, Jul. 2023, pp. 580–585. doi: 10.1109/CSR57506.2023.10224968

  29. I. Kabin, et al., ‘Breaking a fully Balanced ASIC Coprocessor Implementing Complete Addition Formulas on Weierstrass Elliptic Curves’, in DSD 2020, Kranj, Slovenia: IEEE, Aug. 2020, pp. 270–276. doi: 10.1109/DSD51259.2020.00051

  30. I. Kabin, ‘Horizontal address-bit SCA attacks against ECC and appropriate countermeasures’, BTU Cottbus - Senftenberg, 2023. doi: 10.26127/BTUOpen-6397

  31. Sze Hei Li, ‘Distinguishability investigation on Longa’s atomic patterns when used as a basis for implementing elliptic curve scalar multiplication algorithms, Master’s Thesis’, BTU Cottbus - Senftenberg, 2024. doi: 10.26127/BTUOpen-6836

  32. P. L. Doku, Investigation of the Distinguishability of Giraud-Verneuil Atomic Blocks, Master’s thesis. BTU Cottbus-Senftenberg, 2025. doi: https://opus4.kobv.de/opus4-btu/frontdoor/index/index/docId/7140

  33. C. Giraud and V. Verneuil, ‘Atomicity Improvement for Elliptic Curve Scalar Multiplication’, in Smart Card Research and Advanced Application, vol. 6035, D. Gollmann, J.-L. Lanet, and J. Iguchi-Cartigny, Eds., in LNCS, vol. 6035. Springer Berlin Heidelberg, 2010, pp. 80–101. doi: 10.1007/978-3-642-12510-2_7

  34. P. Longa and A. Miri, ‘Fast and Flexible Elliptic Curve Point Arithmetic over Prime Fields’, IEEE Trans. Comput., vol. 57, no. 3, pp. 289–302, Mar. 2008, doi: 10.1109/TC.2007.70815