New single-trace side-channel attacks on a specific class of Elgamal cryptosystem

Bibliographic details
Published in: IET Information Security 2020-03, Vol. 14 (2), p. 151-156
Main authors: Mahdion, Parinaz; Soleimany, Hadi; Habibi, Pouya; Moazami, Farokhlagha
Format: Article
Language: English
Description
Abstract: The so-called $N - 1$ attack is one of the most important order-2 element attacks, as it requires a non-adaptive chosen ciphertext, which is considered a more realistic attack model than the adaptive chosen-ciphertext scenario. To protect an implementation against the $N - 1$ attack, several works propose the simplest solution, i.e. 'block the special message $N - 1$'. In this study, the authors conduct in-depth research on the $N - 1$ attack against the SMA and Montgomery ladder (ML) algorithms. They show that despite the countermeasure of rejecting the ciphertext $N - 1$, other types of $N - 1$ attacks are applicable to specific classes of Elgamal cryptosystems. They propose new chosen-message power-analysis attacks with order-4 elements, which use a chosen ciphertext c such that $c^2 = -1 \bmod p$, where p is the prime modulus used in Elgamal. Such a ciphertext can be found easily when $p \equiv 1 \bmod 4$. They demonstrate that the ML and SMA algorithms are subject to the new $N - 1$-type attack when a different ciphertext is used. They implement the proposed attacks on the target board of the ChipWhisperer CW1173, and the experiments validate the feasibility and effectiveness of the attacks using only a single power trace.
ISSN: 1751-8709, 1751-8717
DOI: 10.1049/iet-ifs.2019.0044