pith.

arxiv: 2604.26536 · v1 · submitted 2026-04-29 · 💻 cs.CR

Preventing Distinguishability between Multiplication and Squaring Operations

Pith reviewed 2026-05-07 12:58 UTC · model grok-4.3

classification 💻 cs.CR
keywords: side-channel analysis · elliptic curve cryptography · scalar multiplication · power consumption · mitigation techniques · field arithmetic · binary method

The pith

Energy differences in field multipliers let attackers distinguish multiplications from squarings during elliptic curve scalar multiplication, regardless of the multiplier design.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines a side-channel vulnerability in elliptic curve cryptosystems: binary scalar multiplication leaks information through the varying energy use of the field multiplier. When the multiplier receives two different operands (a multiplication) its power consumption differs from when it receives the same operand twice (a squaring). The difference appears no matter which multiplication algorithm is implemented inside the multiplier, which is why atomic-pattern countermeasures, which treat a squaring as just another multiplication, do not remove it. The authors describe and test two hardware mitigations for this leak: one that redirects the data flow and one that reloads the bus. If successful, these changes would allow the continued use of efficient binary methods without switching to more costly regular (uniform) algorithms.

Core claim

Scalar multiplication kP remains susceptible to simple side-channel analysis because field multipliers consume different amounts of energy when passed two different operands than when passed two identical operands. This vulnerability arises independently of the multiplication method used. Two mitigation techniques were implemented and analysed: data redirection and bus reloading.
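To make the claim above concrete, here is an added example (written for this page; not code from the paper or its authors) of what a perfect multiply/square oracle hands an attacker against a textbook binary kP. It uses affine short-Weierstrass formulas of my own choosing over the Mersenne prime 2^61-1, a constructed generator and scalar, and logs "S" whenever the multiplier is handed the same value twice and "M" otherwise. Field additions and the inversion are deliberately not logged, and no atomic pattern is applied: that is the simplest setting in which the marker reads out the key bit by bit. The curve constants, the operation names and the parsing rule are all assumptions of this example.

```python
"""Added example, not from the paper: a perfect multiply/square (M/S) oracle
against left-to-right double-and-add on an affine short-Weierstrass curve.
Curve, generator and scalar are constructed for illustration."""

P = (1 << 61) - 1   # Mersenne prime; P % 4 == 3, so a square root is one exponentiation
A, B = 2, 3         # y^2 = x^3 + A*x + B; discriminant 4A^3 + 27B^2 = 275 != 0 mod P


class FieldOps:
    """Field arithmetic that records the marker described on the page: the
    multiplier is fed the same operand twice (S) or two different ones (M).
    Additions and the inversion are not logged (assumption: the attacker only
    classifies multiplier activity)."""

    def __init__(self):
        self.log = []

    def mul(self, x, y):
        self.log.append("S" if x == y else "M")
        return x * y % P

    @staticmethod
    def inv(x):
        return pow(x, P - 2, P)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_double(F, pt):
    x, y = pt
    x2 = F.mul(x, x)                                           # S
    lam = F.mul((x2 + x2 + x2 + A) % P, F.inv(2 * y % P))      # M
    x3 = (F.mul(lam, lam) - x - x) % P                         # S
    y3 = (F.mul(lam, (x - x3) % P) - y) % P                    # M
    return (x3, y3)


def point_add(F, p1, p2):
    (x1, y1), (x2, y2) = p1, p2
    lam = F.mul((y2 - y1) % P, F.inv((x2 - x1) % P))          # M
    x3 = (F.mul(lam, lam) - x1 - x2) % P                       # S
    y3 = (F.mul(lam, (x1 - x3) % P) - y1) % P                  # M
    return (x3, y3)


def scalar_mul(F, k, pt):
    """Textbook left-to-right binary method: double every bit, add when the bit is 1."""
    acc = pt
    for bit in bin(k)[3:]:            # skip '0b' and the leading 1
        acc = point_double(F, acc)
        if bit == "1":
            acc = point_add(F, acc, pt)
    return acc


def generator():
    """Smallest x whose right-hand side is a square (constructed, not a standard base point)."""
    x = 1
    while True:
        rhs = (x * x * x + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
        x += 1


def recover_scalar(log):
    """Parse the M/S stream back into key bits. With the formulas above a doubling
    leaks 'SMSM' and an addition 'MSM'; a doubling followed by an addition means
    the corresponding key bit was 1."""
    bits = ["1"]
    i = 0
    while i < len(log):
        assert log[i:i + 4] == list("SMSM"), "expected a doubling"
        i += 4
        if log[i:i + 3] == list("MSM"):
            bits.append("1")
            i += 3
        else:
            bits.append("0")
    return int("".join(bits), 2)


if __name__ == "__main__":
    G = generator()
    ops = FieldOps()
    k = 0xB5C3                                   # constructed 16-bit secret scalar
    Q = scalar_mul(ops, k, G)
    print("".join(ops.log))
    print(hex(recover_scalar(ops.log)), "recovered from", len(ops.log), "M/S symbols")
```

The recovery needs nothing but the order of M and S symbols, which is exactly what the page says the operand-loading energy difference exposes; an atomic pattern changes where the block boundaries fall, not the fact that a squaring still sits in the stream.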

What carries the argument

Data redirection and bus reloading, two hardware techniques applied to field multipliers to eliminate distinguishable power consumption between multiplication and squaring operations.

Load-bearing premise

The two mitigation techniques eliminate the distinguishability without creating new side-channel leaks or adding unacceptable performance overhead.

What would settle it

Performing power trace measurements on an implementation using the proposed mitigations and checking whether an attacker can still distinguish multiplication from squaring based on energy consumption patterns.
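Worked example of the check described above, added for this page (it is not the paper's measurement setup or circuit): a toy two-cycle leakage model of the operand-loading phase, with per-cycle leakage taken as the Hamming distance between consecutive bus values plus Gaussian noise, and Welch's t-test (the usual TVLA statistic, with the conventional |t| > 4.5 threshold) comparing a set of multiplications against a set of squarings. The `reload` flag is this example's stand-in for the page's bus reloading, modelled as driving the bus to a fixed idle value between the two operand transfers; that mechanism, the 32-bit width and the noise level are assumptions, not details from the paper, and the data-redirection variant is not modelled because the page gives no circuit-level description of it.

```python
"""Added example, not from the paper: toy leakage model of the operand-loading
cycles of a field multiplier and a Welch t-test to decide whether multiplication
and squaring are distinguishable. All constants below are assumptions."""
import math
import random

WIDTH = 32            # operand width in bits (assumption; real ECC multipliers are 256+ bits)
BUS_IDLE = 0          # fixed value the bus is driven to between transfers under reload (assumption)
NOISE_SIGMA = 1.0     # Gaussian measurement noise on every trace point (constructed)
TVLA_THRESHOLD = 4.5  # conventional |t| bound beyond which leakage is declared


def hamming_distance(a: int, b: int) -> int:
    """Bit flips between two consecutive bus values (the toy power model)."""
    return bin(a ^ b).count("1")


def operand_load_trace(first: int, second: int, reload: bool, rng: random.Random) -> list:
    """Two-cycle trace of loading the two multiplicands.

    Cycle 1 drives `first` onto an idle bus. Without mitigation, cycle 2 drives
    `second` directly after `first`: a squaring (second == first) flips no bits,
    a multiplication flips about WIDTH/2. With `reload`, the bus is driven back
    to BUS_IDLE before `second`, so cycle 2 leaks HW(second) for both operations
    and the operation type no longer shifts the mean.
    """
    cycle1 = hamming_distance(BUS_IDLE, first)
    cycle2 = hamming_distance(BUS_IDLE if reload else first, second)
    return [c + rng.gauss(0.0, NOISE_SIGMA) for c in (cycle1, cycle2)]


def welch_t(group_a: list, group_b: list) -> float:
    """Welch's t statistic between two trace-point samples (the TVLA test)."""
    n_a, n_b = len(group_a), len(group_b)
    mean_a, mean_b = sum(group_a) / n_a, sum(group_b) / n_b
    var_a = sum((x - mean_a) ** 2 for x in group_a) / (n_a - 1)
    var_b = sum((x - mean_b) ** 2 for x in group_b) / (n_b - 1)
    return (mean_a - mean_b) / math.sqrt(var_a / n_a + var_b / n_b)


def leakage_assessment(reload: bool, n_traces: int = 2000, seed: int = 1) -> float:
    """Collect n_traces multiplications (a, b) and n_traces squarings (a, a) with
    uniformly random operands; return |t| at cycle 2, the only cycle in which
    the two operation types can differ in this model."""
    rng = random.Random(seed)
    mul_cycle2, sqr_cycle2 = [], []
    for _ in range(n_traces):
        a, b = rng.getrandbits(WIDTH), rng.getrandbits(WIDTH)
        mul_cycle2.append(operand_load_trace(a, b, reload, rng)[1])
        sqr_cycle2.append(operand_load_trace(a, a, reload, rng)[1])
    return abs(welch_t(mul_cycle2, sqr_cycle2))


def distinguishable(reload: bool) -> bool:
    """True if the class-based test separates the M traces from the S traces."""
    return leakage_assessment(reload) > TVLA_THRESHOLD


if __name__ == "__main__":
    for reload in (False, True):
        t = leakage_assessment(reload)
        verdict = "DISTINGUISHABLE" if t > TVLA_THRESHOLD else "no evidence of leakage"
        print(f"bus reload={str(reload):5}  |t| at cycle 2 = {t:8.2f}  -> {verdict}")
```

Without the reload the squaring class sits at zero transitions while the multiplication class sits near WIDTH/2, so |t| is in the hundreds; with it both classes leak the Hamming weight of a uniformly random operand and |t| drops to noise level. A real assessment has to be run on traces from the silicon, which is exactly the measurement the section above asks for, and it must be repeated at every sample point, not just the one cycle this model singles out.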

Figures

Figures reproduced from arXiv: 2604.26536 by Alkistis Aikaterini Sigourou, Ievgen Kabin, Peter Langendoerfer, Zoya Dyka.

Figure 1: The distinguishability in the power trace of regular multiplication and squaring of finite field elements (includes a schematic representation of field multiplication). In the first clock cycle of both operations, the Controller addresses the register for the first multiplicand and sends it to the field multiplier through a multiplexer. During multiplication, the two multiplicands are distinct, requiring address…

Figure 2: Mitigating multiplication–squaring distinguishability via data-flow redirection (includes a schematic representation of field multiplication). Another approach is dummy register usage, in which the first multiplicand is simultaneously stored in a dummy register while being transferred to the multiplier. In the case of a squaring operation, the second multiplicand is then read from this dummy register. Consequen…

Figure 3: Mitigating multiplication–squaring distinguishability via bus "reloading" (includes a schematic representation of field multiplication). A promising strategy that can be used in various ways to counter a broad spectrum of physical attacks, including localised fault injection attacks, is flexible, dynamically reconfigurable redundancy [10]. Acknowledgement: This work was funded by EU Project CTIS4NIS, …
Original abstract

Scalar multiplication kP is a critical operation in Elliptic Curve Cryptosystems (ECC), often targeted by Side-Channel Analysis (SCA). Despite strategies based on atomic patterns to enhance security, the binary kP algorithms remain susceptible to simple SCA due to energy consumption variations in field multipliers when passing two different or two identical operands. This vulnerability arises independently of the multiplication method used. We implemented and analysed two mitigation techniques: one involving data redirection and another focusing on bus reloading.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The manuscript claims that scalar multiplication kP in elliptic curve cryptosystems remains vulnerable to simple side-channel analysis due to energy consumption variations in field multipliers when processing two different operands versus two identical operands. It asserts that this distinguishability vulnerability between multiplication and squaring arises independently of the specific multiplication method employed. The authors report implementing and analyzing two mitigation techniques—one based on data redirection and the other on bus reloading—to eliminate the leakage.

Significance. If the independence claim and the effectiveness of the mitigations hold under experimental scrutiny, the work could offer a practical defense for binary kP algorithms that complements atomic-pattern strategies. However, the absence of any quantitative validation (attack success rates, trace distinguishability metrics, or overhead measurements) means the result remains an unevidenced assertion rather than a demonstrated improvement. No machine-checked proofs, reproducible artifacts, or falsifiable predictions are evident from the provided text.

major comments (2)
  1. [Abstract] The central claims rest on the statements that the vulnerability 'arises independent of the multiplication method used' and that the two mitigations 'were implemented and analysed,' yet the text supplies no experimental data, waveforms, success rates, correlation metrics, or baseline comparisons to support either assertion.
  2. [Abstract] The manuscript provides no description of the experimental setup, the specific multipliers tested to establish independence, the side-channel acquisition method, or any quantitative evaluation of whether the mitigations introduce new leakage or implementation errors.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the careful and constructive review of our manuscript on preventing distinguishability between multiplication and squaring in ECC scalar multiplication. We agree that the current text does not supply the quantitative experimental evidence or setup details needed to fully substantiate the claims of independence and mitigation effectiveness. We will revise the manuscript accordingly to include these elements, strengthening the work as a practical complement to atomic-pattern defenses. We respond to each major comment below.

Point-by-point responses
  1. Referee: [Abstract] The central claims rest on the statements that the vulnerability 'arises independent of the multiplication method used' and that the two mitigations 'were implemented and analysed,' yet the text supplies no experimental data, waveforms, success rates, correlation metrics, or baseline comparisons to support either assertion.

    Authors: The claim of independence is grounded in the observation that the leakage originates at the operand-loading stage of any field multiplier: energy consumption differs when loading two distinct operands (multiplication) versus two identical operands (squaring), before the internal arithmetic begins. This structural property holds irrespective of the multiplier algorithm (schoolbook, Karatsuba, Montgomery, etc.). We acknowledge, however, that the manuscript provides no supporting experimental data, waveforms, success rates, correlation metrics, or baseline comparisons. In the revised version we will add these, including power traces demonstrating distinguishability across multiple multiplier implementations, attack success rates before mitigation, and quantitative metrics (e.g., Pearson correlation or t-test values) showing elimination of the leakage after applying data redirection and bus reloading. revision: yes

  2. Referee: [Abstract] The manuscript provides no description of the experimental setup, the specific multipliers tested to establish independence, the side-channel acquisition method, or any quantitative evaluation of whether the mitigations introduce new leakage or implementation errors.

    Authors: The current manuscript text indeed omits a detailed experimental section. The concepts of data redirection (rerouting operands through a consistent bus path to equalize loading patterns) and bus reloading (periodic dummy reloads to mask operand differences) are described at a high level, but without hardware specifics or evaluation results. In the revision we will insert a dedicated experimental section that specifies: the target platform and field multipliers tested (e.g., 256-bit and 512-bit variants of standard and Karatsuba multipliers to confirm independence), side-channel acquisition setup (oscilloscope model, sampling rate, probe location on the power rail), and quantitative leakage assessments (including post-mitigation t-test results and checks confirming no new distinguishable patterns or functional errors are introduced). revision: yes

Circularity Check

0 steps flagged

No circularity; experimental claims rest on implementation results, not self-referential derivations

full rationale

The paper is an experimental mitigation study in side-channel analysis for ECC. It asserts that a distinguishability vulnerability exists independently of the multiplication method and that two implemented techniques (data redirection, bus reloading) address it. No equations, fitted parameters, predictions, or derivation chains appear in the abstract or description. Claims are grounded in implementation and analysis rather than quantities defined by the paper itself or self-citation chains that reduce to inputs by construction. This matches the default non-circular case for implementation-focused work.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

No mathematical axioms, free parameters, or invented entities are invoked; the paper is an applied hardware-security study whose claims rest on experimental implementation rather than on unproven premises or new postulated objects.

pith-pipeline@v0.9.0 · 5378 in / 1121 out tokens · 61398 ms · 2026-05-07T12:58:19.100335+00:00


Reference graph

Works this paper leans on

10 references

[1] P. L. Montgomery, "Speeding the Pollard and elliptic curve methods of factorization," Math. Comput., vol. 48, no. 177, pp. 243–264, 1987, doi: 10.1090/S0025-5718-1987-0866113-7

[2] D. Hankerson, A. Menezes, and S. Vanstone, Guide to Elliptic Curve Cryptography. Berlin, Heidelberg: Springer-Verlag, 2003

[3] B. Chevallier-Mames, M. Ciet, and M. Joye, "Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity," IEEE Trans. Comput., vol. 53, no. 6, pp. 760–768, Jun. 2004, doi: 10.1109/TC.2004.13

[4] P. Longa, "Accelerating the Scalar Multiplication on Elliptic Curve Cryptosystems Over Prime Fields," 2007

[5] C. Giraud and V. Verneuil, "Atomicity Improvement for Elliptic Curve Scalar Multiplication," in Smart Card Research and Advanced Application, D. Gollmann, J.-L. Lanet, and J. Iguchi-Cartigny, Eds., LNCS vol. 6035. Springer Berlin Heidelberg, 2010, pp. 80–101, doi: 10.1007/978-3-642-12510-2_7

[6] F. Rondepierre, "Revisiting Atomic Patterns for Scalar Multiplications on Elliptic Curves," in Smart Card Research and Advanced Applications, A. Francillon and P. Rohatgi, Eds., LNCS. Cham: Springer International Publishing, 2014, pp. 171–186, doi: 10.1007/978-3-319-08302-5_12

[7] I. Kabin, Z. Dyka, and P. Langendoerfer, "Randomized Addressing Countermeasures are Inefficient Against Address-Bit SCA," in 2023 IEEE CSR, Venice, Italy: IEEE, Jul. 2023, pp. 580–585, doi: 10.1109/CSR57506.2023.10224968

[8] A. A. Sigourou, Z. Dyka, P. Langendoerfer, and I. Kabin, "Distinguishability between Multiplication and Squaring Operations: a New Marker," presented at the 3rd Workshop on Nano Security: From Nano-Electronics to Secure Systems (NanoSec'25). [Online]. Available: https://spp-nanosecurity.uni-stuttgart.de/documents/nanosec25/Distinguishability-between-M...

[9] A. A. Sigourou, Z. Dyka, P. Langendoerfer, and I. Kabin, "Atomic Patterns: Field Operation Distinguishability on Cryptographic ASICs," in 2025 IEEE International Conference on Cyber Security and Resilience (CSR), Chania, Crete, Greece: IEEE, Aug. 2025, pp. 990–, doi: 10.1109/CSR64739.2025.11130154

[10] Z. Dyka, I. Kabin, A. A. Sigourou, and P. Langendoerfer, "Cryptographic hardware accelerator with dynamic reconfigurable redundancy," EP 4 625 234 A1, Jan. 10, 2025. [Online]. Available: https://data.epo.org/publication-server/document/pdf/4625234/A1/2025-10-01