
New single‐trace side‐channel attacks on a specific class of Elgamal cryptosystem
Author(s) - Mahdion Parinaz, Soleimany Hadi, Habibi Pouya, Moazami Farokhlagha
Publication year - 2020
Publication title - IET Information Security
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.308
H-Index - 34
eISSN - 1751-8717
pISSN - 1751-8709
DOI - 10.1049/iet-ifs.2019.0044
Subject(s) - elgamal encryption , ciphertext , computer science , cryptosystem , ciphertext indistinguishability , semantic security , malleability , side channel attack , computer security , theoretical computer science , cryptography , public key cryptography , encryption , attribute based encryption
The so-called N − 1 attack is one of the most important order-2 element attacks, as it requires only a non-adaptive chosen ciphertext, which is considered a more realistic attack model than the adaptive chosen-ciphertext scenario. To protect an implementation against the N − 1 attack, several papers propose the simplest solution, i.e. 'block the special message N − 1'. In this study, the authors conduct an in-depth investigation of the N − 1 attack against the SMA and Montgomery ladder (ML) algorithms. They show that, despite the countermeasure of rejecting the ciphertext N − 1, other N − 1-type attacks remain applicable to specific classes of Elgamal cryptosystems. They propose new chosen-message power-analysis attacks based on order-4 elements, which use a chosen ciphertext c such that c^2 = −1 mod p, where p is the prime modulus used in Elgamal. Such a ciphertext can be found easily when p ≡ 1 mod 4. They demonstrate that the ML and SMA algorithms are subject to the new N − 1-type attack when this different ciphertext is used. They implement the proposed attacks on the target board of the ChipWhisperer CW1173, and the experiments validate the feasibility and effectiveness of the attacks using only a single power trace.
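The abstract's central observation is that rejecting only the ciphertext N − 1 (the unique element of order 2) leaves elements of order 4 unblocked whenever p ≡ 1 mod 4, because then −1 is a quadratic residue and some c satisfies c^2 ≡ −1 mod p. The following Python code is an added illustration, not code from the paper or its authors: it constructs such a c for toy primes using Euler's criterion, shows that every intermediate value a square-and-multiply loop computes on such a base lies in the four-element set {1, c, −1, −c} (which is what makes the power trace easy to classify), and gives a defensive input check, `has_small_order`, that rejects both the order-2 and the order-4 cases before exponentiation. All function names and the sample primes (13, 17, 1009) are assumptions made for this example.

```python
# Added example (not from the paper): why blocking only N-1 is insufficient
# when p = 1 mod 4, plus a defensive check that also rejects order-4 elements.


def sqrt_minus_one(p: int) -> int:
    """Return c with c^2 == -1 (mod p) for a prime p with p % 4 == 1.

    Euler's criterion: a^((p-1)/2) == -1 (mod p) for a quadratic
    non-residue a, so c = a^((p-1)/4) satisfies c^2 == a^((p-1)/2) == -1.
    """
    if p % 4 != 1:
        raise ValueError("-1 is a quadratic residue mod p only when p % 4 == 1")
    for a in range(2, p):
        if pow(a, (p - 1) // 2, p) == p - 1:  # a is a non-residue
            return pow(a, (p - 1) // 4, p)
    raise ValueError("no quadratic non-residue found; p is probably not prime")


def has_small_order(c: int, p: int) -> bool:
    """Defensive ciphertext check: True if c mod p has order dividing 4.

    Rejects 0, 1 and p-1 (the classic N-1 case) and any c with
    c^2 == -1 (mod p), i.e. the order-4 elements used by the new attack.
    """
    c %= p
    return c in (0, 1, p - 1) or pow(c, 2, p) == p - 1


def square_and_multiply_trace(base: int, exp: int, p: int):
    """Plain left-to-right square-and-multiply.

    Returns (result, trace) where trace lists ("S", value) after each
    squaring and ("M", value) after each conditional multiply.
    """
    r = 1
    trace = []
    for bit in bin(exp)[2:]:
        r = r * r % p
        trace.append(("S", r))
        if bit == "1":
            r = r * base % p
            trace.append(("M", r))
    return r, trace


def distinct_intermediates(base: int, exp: int, p: int) -> set:
    """Set of distinct intermediate values produced for this base/exponent."""
    _, trace = square_and_multiply_trace(base, exp, p)
    return {v for _, v in trace}


if __name__ == "__main__":
    p = 13  # toy prime, 13 % 4 == 1
    c = sqrt_minus_one(p)
    print("c =", c, " c^2 mod p =", pow(c, 2, p), "(== p-1, i.e. -1)")
    # For ANY exponent, an order-4 base only ever yields 1, c, -1, -c.
    print("intermediates for 8^53 mod 13:", distinct_intermediates(c, 53, p))
    # The check rejects both N-1 and the order-4 element, but accepts a
    # generic base whose powers do not collapse to a tiny set.
    print("reject p-1:", has_small_order(p - 1, p))
    print("reject c:  ", has_small_order(c, p))
    print("accept 2:  ", has_small_order(2, p))
```

The check costs one modular squaring per decryption and catches the order-4 elements without any knowledge of how the exponentiation is implemented; an implementation that wants to go further can reject any ciphertext whose order is below a chosen bound, but the page's point is that "c == N − 1" alone is not a sufficient filter when p ≡ 1 mod 4.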