Secure Integrated Circuits and Systems, 1st Edition (Tim Güneysu)
Integrated Circuits and Systems
Series Editor: Anantha Chandrakasan, Massachusetts Institute of Technology, Cambridge, Massachusetts
For other titles published in this series, go to http://www.springer.com/series/7236
Editor
Ingrid M.R. Verbauwhede
Department of Elektrotechniek (ESAT)
Katholieke Universiteit Leuven
COSIC Division
Kasteelpark Arenberg 10
3001 Leuven
Belgium
ingrid.verbauwhede@esat.kleuven.be
ISSN 1558-9412
ISBN 978-0-387-71827-9 e-ISBN 978-0-387-71829-3
DOI 10.1007/978-0-387-71829-3
Springer New York Dordrecht Heidelberg London
Library of Congress Control Number: 2009942092
© Springer Science+Business Media, LLC 2010
All rights reserved. This work may not be translated or copied in whole or in part without the written
permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York,
NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in
connection with any form of information storage and retrieval, electronic adaptation, computer
software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if
they are not identified as such, is not to be taken as an expression of opinion as to whether or not
they are subject to proprietary rights.
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
Preface
Security is as strong as the weakest link. The mathematical design and analysis
of cryptographic algorithms has evolved a lot over the last decades (ever since the
invention of public key cryptography at the end of the 1970s). The mathematical
strength of the cryptographic algorithms is now at such a level that the attacker will
choose the ‘implementation’ as the weak link in the chain. Many incidents have
been reported for hardware and software implementations. Even the human factor,
forgetting or using easy passwords, is often the weak link.
Weak implementations are becoming an even bigger problem as more and more information processing moves to small portable embedded devices. These small devices are cheap, lightweight, easy to carry around, and also easy to lose. The need for embedded security is omnipresent in cell phones, PDAs, medical devices, automotive, consumer, smart cards, RFID tags, sensor nodes, and so on.
At the other end of the spectrum computations and storage of sensitive data move
from hard disks on our personal PCs to central servers and to the so-called clouds.
Also in these environments efficient and secure implementations are a necessity to
provide security and privacy.
The goal of this book, Secure Integrated Circuits and Systems, is to give the integrated circuit and system designer insight into the basics of security and cryptography from the implementation viewpoint. This means that the designer should aim at efficient implementations, i.e., optimizing power, area, and throughput, as well as secure implementations, i.e., implementations that resist attacks and more specifically side-channel attacks. This book therefore covers techniques both to improve efficiency and to resist side-channel attacks.
The book consists of four major parts to introduce the topic. Part I gives the
basics. This includes an introduction to the basic arithmetic used in mostly public-
key algorithms and an introduction to side-channel attacks.
Part II describes basic building blocks of any cryptographic system. When building a complex system, such as a system-on-chip, a designer will build, obtain, or license intellectual property (IP) modules. The basic modules are symmetric key algorithms, public key algorithms, and hash functions. Other building blocks are random number generators, nonce generators, and physically uncloneable functions (PUFs).
The aim of part III is to describe the design methods for secure design. Each link
in the chain has to be secure: this means that each part of the design process should
have security in mind. This has to be the case for back-end design from a register-
transfer level description down to layout. This also has to be the case for higher level
design: e.g., the GEZEL design environment promotes secure hardware/software
co-design.
Part IV is used to illustrate the topic by examples: security for RFID, end-point security for FPGAs, and securing flash memories.
Secure Integrated Circuits and Systems is written for any integrated circuit or embedded systems designer who makes designs for ASICs, FPGAs, small embedded processors, and/or embedded systems. By no means do I claim that this book is complete. It is only a start to get the designer going. And it is an attempt to bridge the gap between the theoretical math of cryptography and the design issues to make it possible in practice. I would like to thank the contributors of this book and the people working in this field for their indirect contributions.
July 2009 Ingrid M.R. Verbauwhede
Contents

Part I Basics
1 Modular Integer Arithmetic for Public-Key Cryptography, p. 3
  Tim Güneysu and Christof Paar
2 Introduction to Side-Channel Attacks, p. 27
  François-Xavier Standaert

Part II Cryptomodules and Arithmetic
3 Secret Key Crypto Implementations, p. 45
  Guido Marco Bertoni and Filippo Melzani
4 Arithmetic for Public-Key Cryptography, p. 63
  Kazuo Sakiyama and Lejla Batina
5 Hardware Design for Hash Functions, p. 79
  Yong Ki Lee, Miroslav Knežević, and Ingrid M.R. Verbauwhede

Part III Design Methods for Security
6 Random Number Generators for Integrated Circuits and FPGAs, p. 107
  Berk Sunar and Dries Schellekens
7 Process Variations for Security: PUFs, p. 125
  Roel Maes and Pim Tuyls

Part IV Applications
8 Side-Channel Resistant Circuit Styles and Associated IC Design Flow, p. 145
  Kris Tiri
9 Counteracting Power Analysis Attacks by Masking, p. 159
  Elisabeth Oswald and Stefan Mangard
10 Compact Public-Key Implementations for RFID and Sensor Nodes, p. 179
  Lejla Batina, Kazuo Sakiyama, and Ingrid M.R. Verbauwhede
11 Demonstrating End-Point Security in Embedded Systems, p. 197
  Patrick Schaumont, Eric Simpson, and Pengyuan Yu
12 From Secure Memories to Smart Card Security, p. 215
  Helena Handschuh and Elena Trichina

Index, p. 235
Contributors
Lejla Batina Katholieke Universiteit Leuven, Leuven-Heverlee, Belgium and
Radboud University Nijmegen, The Netherlands, lejla.batina@esat.kuleuven.be
Guido Marco Bertoni STMicroelectronics, Centro Direzionale Colleoni 20041
Agrate, Italy, guido.bertoni@st.com
Tim Güneysu Chair for Embedded Security, Ruhr University Bochum, Bochum,
Germany, gueneysu@crypto.rub.de
Helena Handschuh Katholieke Universiteit Leuven, ESAT/COSIC, Kasteelpark
Arenberg 10, B-3001 Leuven-Heverlee, helenahandschuh@yahoo.fr
Miroslav Knežević Katholieke Universiteit Leuven, ESAT/COSIC, Kasteelpark
Arenberg 10, B-3001 Leuven-Heverlee, Belgium,
miroslav.knezevic@esat.kuleuven.be
Yong Ki Lee University of California, Los Angeles, CA, USA; Electrical
Engineering, 420 Westwood Plaza, Los Angeles, CA 90095-1594, USA,
jfirst@ee.ucla.edu
Roel Maes Katholieke Universiteit Leuven, ESAT/COSIC, Kasteelpark Arenberg
10, B-3001 Leuven-Heverlee, Belgium, roel.maes@esat.kuleuven.be
Stefan Mangard Infineon Technologies AG, Security Innovation, Am Campeon 1-12, 85579 Neubiberg, Germany, stefan.mangard@infineon.com
Filippo Melzani STMicroelectronics, Centro Direzionale Colleoni 20041 Agrate,
Italy, filippo.melzani@st.com
Elisabeth Oswald Computer Science Department, University of Bristol, Merchant
Venturers Building, Woodland Road, Bristol, BS8 1UB, UK; Institute for Applied
Information Processing and Communication, Graz University of Technology,
Inffeldgasse 16a, 8010 Graz, Austria, elisabeth.oswald@bristol.ac.uk
Christof Paar Chair for Embedded Security, Ruhr University Bochum, Bochum,
Germany, christof.paar@rub.de
Kazuo Sakiyama University of Electro-Communications, Tokyo, Japan,
saki@ice.uec.ac.jp
Patrick Schaumont ECE Department, Virginia Tech, Blacksburg, VA 24061,
USA, schaum@vt.edu
Dries Schellekens Katholieke Universiteit Leuven, ESAT/COSIC, Kasteelpark
Arenberg 10, B-3001 Leuven-Heverlee, Belgium,
dries.schellekens@esat.kuleuven.be
Eric Simpson ECE Department, Virginia Tech, Blacksburg, VA 24061, USA
François-Xavier Standaert UCL Crypto Group, Place du Levant 3, B-1348
Louvain-la-Neuve, Belgium, fstandae@uclouvain.be
Berk Sunar Electrical and Computer Engineering Department, Worcester
Polytechnic Institute, Worcester MA 01609–2280, USA, sunar@wpi.edu
Kris Tiri Work performed while at UCLA, kris.tiri@gmail.com
Elena Trichina Advanced System Technology ST Microelectronics Rousset,
France, elena.trichina@st.com
Pim Tuyls Intrinsic-ID, Eindhoven, The Netherlands, pim.tuyls@intrinsic-id.com
Ingrid M.R. Verbauwhede Katholieke Universiteit Leuven, ESAT/COSIC,
Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium,
ingrid.verbauwhede@esat.kuleuven.be
Pengyuan Yu ECE Department, Virginia Tech, Blacksburg, VA 24061, USA
Chapter 1
Modular Integer Arithmetic for Public-Key Cryptography
Tim Güneysu and Christof Paar
For most of the centuries-old history of cryptography, symmetric-key (or private-key) algorithms were used for data encryption. In private-key cryptography, the communicating parties share one secret key. For a given encryption function $y = e_k(x)$, the corresponding decryption function must satisfy the condition $x = d_k(y) = e_k^{-1}(y)$, where both functions use the same key $k$. Unfortunately, for confidential communication, the symmetric key $k$ needs to be established between the parties before they can exchange messages. This key exchange requires a separate secure channel. Although symmetric algorithms can be used for establishing keys, e.g., in systems like Kerberos [15], such systems do not scale very well and have single points of failure. In 1976, Diffie and Hellman [12] as well as Merkle [32] invented a novel branch of cryptography called public-key cryptography¹, creating a new (and publicly available) paradigm. The idea of public-key cryptography was eagerly absorbed by the scientific community and led to numerous commercial applications in the 1980s and 1990s.
Public-key methods offer the advantage of elegant key agreement schemes with which a secret key, e.g., for use with symmetric ciphers, can be securely established over insecure channels. In addition to solving the key management problem, the other major application of PKC is digital signatures, with which non-repudiation of message exchanges can be achieved. In this context, recall that message authentication based on conventional symmetric means (e.g., message authentication codes) allows all parties to create authenticators with the shared key, so that it is not possible to prove the origin of an authenticated message if one party is dishonest. To enable all these new features, public-key cryptography has evolved into a major application area for seemingly specific mathematical topics from number theory and algebra. Today, almost all PKC methods with practical relevance are based on arithmetic in finite fields or finite rings. Public-key cryptography makes use of a key pair $PK = (k_{pub}, k_{sec})$ consisting of a public component $k_{pub}$ that is distributed among all communication partners and a secret part $k_{sec}$ for private use. Hence, PKC is also referred to as asymmetric cryptography due to the utilization of different keys for private and public usage.

T. Güneysu, Chair for Embedded Security, Ruhr University Bochum, Bochum, Germany, e-mail: gueneysu@crypto.rub.de

¹ According to [14], the discovery of public-key cryptography (PKC) in the intelligence community is attributed to John H. Ellis in 1970. The discovery of the equivalent of the RSA cryptosystem [38] is attributed to Clifford Cocks in 1973, while the equivalent of the Diffie–Hellman key exchange was discovered by Malcolm J. Williamson in 1974. However, it is believed that these British scientists did not realize the practical implications of their discoveries at the time of their publication (see, for example, [39, 11]).

I.M.R. Verbauwhede (ed.), Secure Integrated Circuits and Systems, Integrated Circuits and Systems, DOI 10.1007/978-0-387-71829-3_1, © Springer Science+Business Media, LLC 2010
Practical PK schemes are based on one-way trapdoor functions. PKC should enable everyone to make use of a cryptographic service or operation involving the public key $k_{pub}$ and the one-way function $y = f(x, k_{pub})$ to protect a message $x$. The message $x$ can only be recovered using the inverse trapdoor function $x = g(y, k_{sec})$, which requires knowledge of the secret component $k_{sec}$. One-way trapdoor functions for PKC are selected from a set of hard mathematical problems augmented with a trapdoor for easy recovery with special knowledge.² One-way trapdoor functions which are used in well-established cryptosystems are based on the following mathematical problems:
Integer factorization problem (FP): For a composite integer $n = \prod_i p_i$ consisting of unknown primes $p_i$, it is considered hard to retrieve the $p_i$ when $n$ (and the primes $p_i$) are sufficiently large.

Discrete logarithm problem in finite fields (DLP): For an element $a \in G$ and $b \in \langle a \rangle$, where $G$ is the multiplicative group of a finite field and $\langle a \rangle$ the subgroup generated by $a$, it is assumed to be hard to compute the exponent to which $a$ must be raised to obtain $b$ (the discrete logarithm of $b$ to the base $a$) if $\langle a \rangle$ is sufficiently large.

Elliptic curve discrete logarithm problem (ECDLP): For an element $a \in E$ and $b \in \langle a \rangle$, where $E$ is an elliptic curve over a finite field and $\langle a \rangle$ the subgroup generated by $a$, it is assumed to be hard to compute the exponent to which $a$ must be raised to obtain $b$ if $\langle a \rangle$ is sufficiently large.
The definitions stated above give rise to the question of how a “sufficiently large” modulus $n$ or subgroup $\langle a \rangle$ is defined. The security of given one-way trapdoor functions must be directly related to the best known attacks. The more powerful an attack is (in terms of time complexity), the longer a corresponding security parameter (e.g., the modulus $n$ or the subgroup $\langle a \rangle$) must be chosen to achieve the desired level of protection. Currently, the FP is known to be most efficiently attacked with number field sieve (NFS) methods. Related attacks are known for the DLP as well: index calculus (IC) attacks on the DLP have a complexity comparable to NFS. Both attacks show a subexponential time complexity of about

$$C(n) = e^{(1.9229 + o(1))\,(\ln n)^{1/3}\,(\ln \ln n)^{2/3}},$$

where $n$ is the modulus. In contrast, for the ECDLP, the best known computational method possesses a time complexity of about $C(n) = \sqrt{\pi n / 2}$ steps [37] if the curve parameters have been chosen carefully. This algorithm is Pollard's Rho attack for generic groups. Having those attack complexities at hand, we can compute the required parameter lengths for PKC to achieve a level of protection comparable to a (secure) symmetric block cipher, where we assume that an exhaustive key search over the key space is the best symmetric attack method. Roughly speaking, a block cipher with a $|k| = 80$ bit key space provides the same security as $|k_{FP,DLP}| \ge 1024$ bit and $|k_{ECDLP}| \ge 160$ bit. For more information about how to select and compare key sizes for different cryptographic applications, we refer to [29]. Of course, the field of PKC is not limited to the one-way trapdoor functions mentioned above. With the rise of PKC in the last decades, there have been several alternative proposals, e.g., based on codes [30] or lattices [19]. However, such alternative public-key systems are hardly used in practical systems up to now. Thus, we will restrict ourselves in this chapter to schemes of practical relevance. In particular, we will discuss the arithmetic required for schemes based on FP, DLP, and ECDLP.

² It is important to understand that NP-complete problems from computer science cannot simply be converted for use with PKC, since a one-way function for PKC must guarantee hardness in all cases, which NP-complete problems usually do not provide.
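To make the key-size comparison above concrete, the following added example (not part of the chapter) evaluates the two complexity estimates just quoted and searches for the smallest parameter length whose best-known attack costs at least $2^{80}$ steps. It drops the $o(1)$ term and approximates $\ln n$ by $n \cdot \ln 2$ for an $n$-bit modulus, so the figures are rough, as the text itself says.

```python
"""Attack-complexity to security-level conversion (added example, not from the chapter).

Uses the two complexity estimates quoted in the text:
  NFS / index calculus:  C(n) = exp((1.9229 + o(1)) * (ln n)^(1/3) * (ln ln n)^(2/3))
  Pollard's Rho:         C(n) = sqrt(pi * n / 2)
The o(1) term is dropped, so the resulting bit-security figures are approximations.
"""
import math

LN2 = math.log(2.0)


def nfs_bits(modulus_bits: int) -> float:
    """log2 of the NFS/index-calculus work for an n-bit modulus (FP and DLP).

    ln n for an n-bit modulus is approximated by modulus_bits * ln 2.
    """
    ln_n = modulus_bits * LN2
    exponent = 1.9229 * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0)
    return exponent / LN2  # turn e^exponent into a power of two


def rho_bits(group_bits: int) -> float:
    """log2 of the Pollard's Rho work for an n-bit group order (ECDLP)."""
    # log2(sqrt(pi * 2^n / 2)) = n/2 + log2(pi/2)/2
    return group_bits / 2.0 + math.log2(math.pi / 2.0) / 2.0


def equivalent_parameter_bits(security_bits: int, cost_fn, upper: int = 16384) -> int:
    """Smallest parameter length whose best-known attack costs >= 2^security_bits."""
    for n in range(8, upper + 1):
        if cost_fn(n) >= security_bits:
            return n
    raise ValueError("no parameter length up to %d bit reaches %d bit security"
                     % (upper, security_bits))


if __name__ == "__main__":
    print("80-bit block cipher  ->  FP/DLP modulus >= %d bit, ECDLP group >= %d bit"
          % (equivalent_parameter_bits(80, nfs_bits),
             equivalent_parameter_bits(80, rho_bits)))
    for n in (512, 768, 1024, 2048, 3072):
        print("NFS on a %4d-bit modulus: about 2^%.1f steps" % (n, nfs_bits(n)))
```

Without the $o(1)$ term the model puts a 1024-bit modulus a few bits above the 80-bit mark and a 160-bit curve group right on it, which is the rounding the text applies.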
Up to now, we have briefly introduced the underlying mathematical problems of PKC, but we have not discussed how to actually build cryptosystems from them. The most prominent example for employing the FP in cryptography is the RSA cryptosystem proposed in 1978 [38]. Popular cryptographic protocols involving the DLP are the Diffie–Hellman key exchange (DHKE) [12], the digital signature algorithm (DSA) [1], and the ElGamal encryption and signature schemes [13]. The main operation of all of those schemes is the computation of a modular exponentiation $a^e \bmod m$ with $n$-bit multi-precision integers $a, e, m \in \mathbb{Z}_m$. Thus, integer exponentiation and the underlying operations of modular multiplication and inversion in finite rings or fields are crucial for modern PKC. Other applications of finite field arithmetic are elliptic curve cryptosystems (ECC), introduced by Miller and Koblitz [34, 24], and hyperelliptic curve cryptosystems (HECC), a generalization of elliptic curves introduced by Koblitz in [25]. These schemes also require the availability of modular additions and subtractions, but use shorter operands. We will discuss the mathematical background on finite field arithmetic and field classes in Section 1.1 in more detail.
Since parameters used in cryptographic devices for PKC are very large, often between 1024 and 4096 bit(!), the corresponding modular exponentiation is computationally very challenging, especially if the target platform is constrained, e.g., a smart card processor. The time complexity of an $n$-bit modular exponentiation is $O(n^3)$, which corresponds to hundreds of thousands of operations on a typical CPU. Modular multi-precision addition and subtraction as used in ECC/HECC are considered to have only a minor impact on the overall performance.³ Hence, the major focus when realizing cryptosystems based on modular exponentiation like RSA or DHKE is to use efficient implementations of the underlying modular arithmetic. This significantly improves the performance of every top-layer application or crypto protocol which heavily relies on these basic operations. The figure below depicts the relationship and relevance of the different computational layers in a PKC. Note that ECC and HECC cryptosystems introduce, in addition to basic arithmetic and exponentiation, another layer, since computations over elliptic curves are based on a specific group operation. For the group operation of ECC and HECC cryptosystems we distinguish two cases: for two points $P, Q \in E$ with $P \neq \pm Q$ we denote the group operation as point addition $P + Q$; otherwise, for $P = Q$, it is a point doubling $2P$. Building an exponentiation unit for a public-key scheme such as RSA or DSA can easily involve thousands of modular multiplications on operands 1024 bits long or larger. This makes a fully pipelined hardware architecture nearly impossible even with today's advanced IC technology. Hence, especially in hardware, many degrees of freedom exist for implementing a PKC, and it requires a careful choice of suitable basic building blocks. Moreover, a developer is often faced with implementation constraints given by the target device. For instance, when designing for a device like a smart card or a sensor node, tight restrictions in terms of minimal energy consumption and area must be met. In this chapter we will not be able to explicitly highlight all the various possibilities to implement public-key primitives for all possible situations, but we will give an outline of how common architectures with an optimal area–time product can be built. In this chapter we will introduce arithmetic building blocks for implementing public-key cryptosystems based on the DLP and ECDLP problems and the underlying arithmetic for $\mathbb{F}_p$ and $\mathbb{F}_{2^m}$. Since the arithmetic operations required for RSA computations are similar to those for $\mathbb{F}_p$, almost identical building blocks can be employed for this cryptosystem as well.

³ Recall that the time complexity of $n$-bit addition or subtraction is only in $O(n)$.
In Section 1.1, we will begin with general remarks on finite field operations and their relevance in popular cryptosystems. Next, we will discuss building blocks for modular addition, subtraction, multiplication, and inversion in prime fields $\mathbb{F}_p$. We will highlight Montgomery-based architectures as well as implementations using fast reduction schemes based on generalized Mersenne primes. In Section 1.3, we explain the usage of binary extension fields $\mathbb{F}_{2^m}$ and their advantages for hardware-based cryptography. For these fields, we will highlight bit-wise and digit-wise multipliers as well as a fast binary field inversion based on Itoh and Tsujii's method.
1.1 Modular Arithmetic in Finite Fields
As mentioned in the introduction, many popular public-key cryptosystems rely on modular arithmetic over finite fields. They need modular exponentiation operations (DHKE, DSA, ElGamal) as well as sequences of field operations, as in the case of ECC and HECC. In the following, we would like to highlight the mathematical background of fields and their arithmetic.
From a mathematical point of view, a field is defined as a set $F$ of elements with a multiplication and an addition operation which satisfy the rules of associativity and commutativity of addition and multiplication as well as the distributive law. For a field, the existence of the additive and multiplicative identities is also required, as well as inverse operations like subtraction and (multiplicative) inversion complementing the set of functions on $F$. Note that the inverse of the multiplication is usually not considered as division for general fields and is defined only on elements $a \in F \setminus \{0\}$. The following well-known sets of elements are examples of (infinite) fields: $\mathbb{Q}$, $\mathbb{R}$, and $\mathbb{C}$ refer to the sets of rational, real, and complex numbers, respectively. In applications in cryptography, however, fields with a finite number of elements are needed. A straightforward construction of a finite field is to use modular arithmetic of integers from the interval $[0, p-1]$ with a prime modulus $p$. Addition and multiplication form groups over the sets $\mathbb{Z}_p$ and $\mathbb{Z}_p^*$, respectively. Please note that in the multiplicative group $\mathbb{Z}_p^*$ the zero element is always excluded, since inversion for the element $a = 0$ is not defined. Prime fields (or at least their multiplicative group $\mathbb{Z}_p^*$) are used for constructing the DHKE, DSA, and ElGamal encryption.
Finite fields are not limited to prime fields. By using these fields as a basis, we can create an extension by introducing an $m$-dimensional vector space over $\mathbb{F}_p$. Combined with some further mathematical properties, these fields are denoted as extension fields $\mathbb{F}_{p^m}$. Fields $\mathbb{F}_{p^m}$ have $p^m$ elements and are typically represented by adjoining a variable $X$ in polynomial representation. Using the special case $p = 2$ results in binary extension fields $\mathbb{F}_{2^m}$: these fields are well suited for hardware implementation since their elements can be efficiently written as bit vectors of length $m$. Elements of $\mathbb{F}_2$ can be represented by the logical values 0 and 1, and thus elements of $\mathbb{F}_{2^m}$ can simply be represented as vectors of zeros and ones. For example, consider the binary extension field $\mathbb{F}_{2^3}$. This field consists of eight elements which can be represented either in bit vector or in polynomial notation (see Table 1.1). When we add two elements $A(X), B(X)$ over binary extension fields, the rules for polynomial addition apply, i.e., we add all coefficients component-wise. Multiplication $C(X) = A(X) \cdot B(X)$, however, requires not only polynomial multiplication but also the modular reduction of the product by an irreducible polynomial. We denote this modular multiplication operation involving the irreducible field polynomial $F(X)$ by $C(X) = A(X) \cdot B(X) \bmod F(X)$.
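The following added example (not from the chapter) implements the $\mathbb{F}_{2^m}$ arithmetic just described on bit vectors: XOR addition, shift-and-add multiplication with reduction modulo $F(X)$, inversion via Fermat's theorem, and a Table 1.1 style listing of all elements. The irreducible polynomials $X^3 + X + 1$ for $\mathbb{F}_{2^3}$ and $X^8 + X^4 + X^3 + X + 1$ for $\mathbb{F}_{2^8}$ are assumptions made here; the chapter fixes neither.

```python
"""Arithmetic in a binary extension field F_{2^m} (added example, not from the chapter).

Elements are bit vectors of length m, bit i holding the coefficient of X^i, exactly
as in Table 1.1. Addition is coefficient-wise XOR; multiplication is polynomial
multiplication followed by reduction modulo the irreducible field polynomial F(X).
The field polynomials below are assumptions for illustration: X^3 + X + 1 for F_{2^3}
and X^8 + X^4 + X^3 + X + 1 for F_{2^8} (the polynomial used by AES).
"""

F_2_3 = 0b1011   # X^3 + X + 1, irreducible over F_2
F_2_8 = 0x11B    # X^8 + X^4 + X^3 + X + 1


def gf2m_add(a: int, b: int) -> int:
    """A(X) + B(X): coefficients are added mod 2, i.e. XORed."""
    return a ^ b


def gf2m_mul(a: int, b: int, f: int) -> int:
    """A(X) * B(X) mod F(X) by shift-and-add with interleaved reduction.

    m is the degree of F(X). Whenever the running multiple of A(X) acquires an
    X^m term it is cancelled by XORing F(X), which does not change its residue.
    """
    m = f.bit_length() - 1
    result = 0
    while b:
        if b & 1:          # coefficient of B(X) at this position is 1 ...
            result ^= a    # ... so add the current multiple of A(X)
        b >>= 1
        a <<= 1            # multiply A(X) by X
        if a >> m:         # degree reached m: reduce modulo F(X)
            a ^= f
    return result


def gf2m_pow(a: int, e: int, f: int) -> int:
    """A(X)^e mod F(X) by square-and-multiply (same structure as an RSA exponentiation)."""
    result = 1
    while e:
        if e & 1:
            result = gf2m_mul(result, a, f)
        a = gf2m_mul(a, a, f)
        e >>= 1
    return result


def gf2m_inv(a: int, f: int) -> int:
    """Multiplicative inverse via Fermat: a^(2^m - 2) = a^-1 for a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in F_2^m")
    m = f.bit_length() - 1
    return gf2m_pow(a, (1 << m) - 2, f)


def poly_str(z: int) -> str:
    """Polynomial notation of a bit vector, e.g. 0b110 -> 'X^2 + X' (Table 1.1 style)."""
    if z == 0:
        return "0"
    terms = []
    for i in range(z.bit_length() - 1, -1, -1):
        if z >> i & 1:
            terms.append("1" if i == 0 else "X" if i == 1 else "X^%d" % i)
    return " + ".join(terms)


def field_table(f: int):
    """(index, bit-vector string, polynomial) rows for every element, as in Table 1.1."""
    m = f.bit_length() - 1
    return [(k, format(k, "0%db" % m), poly_str(k)) for k in range(1 << m)]


if __name__ == "__main__":
    for k, bits, poly in field_table(F_2_3):
        print("z%d = %s   Z%d(X) = %s" % (k, bits, k, poly))
    a, b = 0b110, 0b011  # X^2 + X  and  X + 1 from Table 1.1
    print("sum     :", poly_str(gf2m_add(a, b)))
    print("product :", poly_str(gf2m_mul(a, b, F_2_3)))  # reduces to 1: they are inverses
```

The same routines work unchanged for $\mathbb{F}_{2^8}$, which goes beyond the $\mathbb{F}_{2^3}$ case in the text; only the field polynomial passed in differs.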
Besides binary extension fields, there is another class of extension fields $\mathbb{F}_{p^m}$ over primes $p > 2$. Until 1997, applications of fields $\mathbb{F}_{p^m}$ for odd $p$ were scarce in the cryptographic literature. Even though binary fields are still by far the most popular type of extension field, the more general fields $\mathbb{F}_{p^m}$ have been treated in the literature since the late 1990s [33, 3, 27, 41, 4]. The more recent introduction of pairing-based cryptographic schemes [8] also gives new relevance to such fields. Although there is ongoing research on fields $\mathbb{F}_{p^m}$, e.g., with respect to HECC cryptosystems, we will not focus on them due to their limited practical relevance.

Table 1.1 Vector and polynomial representation of field elements from the binary extension field $\mathbb{F}_{2^3}$

Element   Vector $z \in \{0, 1\}^3$   Polynomial $Z(X)$
#1        $z_0 = 000$                 $Z_0(X) = 0$
#2        $z_1 = 001$                 $Z_1(X) = 1$
#3        $z_2 = 010$                 $Z_2(X) = X$
#4        $z_3 = 011$                 $Z_3(X) = X + 1$
...       ...                         ...
#7        $z_6 = 110$                 $Z_6(X) = X^2 + X$
#8        $z_7 = 111$                 $Z_7(X) = X^2 + X + 1$
As mentioned, all arithmetic in finite fields requires a reduction scheme, either by a modulus $p$ for prime fields or by an irreducible polynomial $F(X)$ for extension fields. From an arithmetic point of view, this reduction step is usually very complex, hence for many field types optimizations have been developed. For prime fields, Mersenne primes $p = 2^k - 1$ can be used to allow for a very efficient reduction scheme. However, there are obviously only very few suitable Mersenne primes, and in addition, they can pose security risks depending on the cryptosystem in question. Hence, variants of Mersenne primes have been proposed which are widely used in modern PKC: we distinguish pseudo-Mersenne primes $p = 2^m - c$ and generalized Mersenne primes $p = 2^m - 2^n \pm 2^o \pm \cdots \pm 1$ [42], where the latter have more practical relevance due to standardization [36] and complexity advantages.
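As an added illustration (not from the chapter) of why Mersenne-type moduli make reduction cheap, the following code reduces modulo $p = 2^m - c$ by folding the high part down with a shift, a mask and a multiplication by the small constant $c$, instead of a general division. The primes $2^{127} - 1$ and $2^{255} - 19$ used below are assumed examples, not parameters from the text.

```python
"""Fast reduction modulo a (pseudo-)Mersenne prime p = 2^m - c (added example, not from the chapter).

Because 2^m = c (mod p), an integer x = x_hi * 2^m + x_lo is congruent to
x_hi * c + x_lo: the division by p is replaced by a shift, a mask and a
multiplication by the small constant c. For a true Mersenne prime c = 1 and even
that multiplication disappears. The primes in the demo are illustrative assumptions:
2^127 - 1 (Mersenne) and 2^255 - 19 (pseudo-Mersenne).
"""


def reduce_pseudo_mersenne(x: int, m: int, c: int) -> int:
    """Return x mod p for p = 2^m - c and x >= 0, without a general division."""
    p = (1 << m) - c
    mask = (1 << m) - 1
    # Fold the part above bit m back down; each fold keeps the residue class.
    # A product of two reduced operands (x < p^2 < 2^(2m)) needs two or three folds.
    while x >> m:
        x = (x >> m) * c + (x & mask)
    # x is now below 2^m but may still lie in [p, 2^m); since c is small,
    # one conditional subtraction is normally enough.
    while x >= p:
        x -= p
    return x


def mulmod_pseudo_mersenne(a: int, b: int, m: int, c: int) -> int:
    """Modular multiplication a * b mod (2^m - c) built on the folding reduction."""
    return reduce_pseudo_mersenne(a * b, m, c)


def mersenne_check(m: int, c: int, sample: int) -> bool:
    """Cross-check the fast path against Python's built-in division for one input."""
    return reduce_pseudo_mersenne(sample, m, c) == sample % ((1 << m) - c)


if __name__ == "__main__":
    # constructed operands, both already reduced modulo 2^255 - 19
    a = (1 << 254) + 123456789
    b = (1 << 255) - 19 - 1   # p - 1
    print(hex(mulmod_pseudo_mersenne(a, b, 255, 19)))
    print("matches built-in %:", mersenne_check(255, 19, a * b))
```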
Similarly, special extension fields have been proposed offering optimized reduc-
tion schemes on polynomials: examples are composite fields [18] and optimal exten-
sion fields [4] which introduce similar tricks for more efficient reduction. However,
both composite and optimal extension fields have limited practical relevance and
will not be highlighted in this chapter in further detail. An overview about classes
of finite fields with application in cryptography is shown in Fig. 1.1.
Fig. 1.1 Classes of finite fields for applications in cryptography

In this chapter we will mainly focus on building blocks for PKC involving finite fields $\mathbb{F}_p$ for general primes and generalized Mersenne numbers, as well as on binary extension fields. These have the most relevance in real-world applications and are therefore of major interest. It should be noted that, although computationally more complex in hardware, prime fields have a higher practical relevance than binary extension fields. It is important to mention that the RSA cryptosystem actually does not have a finite field as its basic arithmetic structure. RSA computations are performed in an integer ring $\mathbb{Z}_n$ due to the composite modulus $n = pq$, which is constructed from two primes $p, q$. However, the fundamental arithmetic operations in integer rings and prime fields show no difference, so that we can use identical hardware architectures. There are many possibilities for implementing field operations in hardware which do not depend on the field type. In general, we distinguish between sequential and parallel implementations and algorithms. Parallel algorithms yield the advantage of a high throughput with wide data paths at the cost of a large gate count. Sequential algorithms tend to have smaller data paths by operating on small portions (even single bits) of the operands, resulting in a longer execution time. Of course, there are combined approaches like digit-based circuits to achieve the best trade-off between hardware requirements and high performance. In fact, in practice, such combined architectures often yield optimum results. The choice of the appropriate implementation strategy heavily depends on the target platform and the corresponding constraints. For instance, for area- and cost-limited cryptography in smart cards the employment of small, heavily sequential algorithms is preferred, whereas applications such as server-side crypto accelerators require high-throughput solutions, leading to more parallelized implementations.
1.2 Crypto Building Blocks for Fields Fp
In this section, we will outline efficient hardware architectures for performing addition, subtraction, multiplication, and inversion in fields Fp where p is a prime p > 2. Section 1.2.1 deals with integer adders which will be fundamental building blocks for the Fp multipliers presented in Section 1.2.2. Furthermore, some cryptosystems like DSA and ElGamal require finding the multiplicative inverse of a given element. Thus, we will address inversion circuits for fields Fp in hardware as well.
24. 10 T. Güneysu and C. Paar
1.2.1 Addition and Subtraction in Fp
In this section we will briefly introduce adders for unsigned integers as we will need
them for more complicated arithmetic operations such as multipliers. Furthermore,
we will discuss how to integrate those primitive adder units to implement efficient
modular addition and subtraction.
In the following, we will consider the addition of two n-bit integers $X = \sum_{i=0}^{n-1} x_i 2^i$ and $Y = \sum_{i=0}^{n-1} y_i 2^i$ with
$$X + Y = S = c_{out} 2^n + \sum_{i=0}^{n-1} s_i 2^i \quad \text{and} \quad s_i = x_i + y_i + c_{in}$$
yielding a result bounded by (n + 1) bit. We refer to X and Y as the inputs (and their bits $x_i$ and $y_i$ as the input bits) and S as the sum (and its bits $s_i$ for i = 0 ··· n − 1 as the sum bits).
Single-bit half-adders (HA) and full-adders (FA) known from computer engineer-
ing are the basic building blocks used to synthesize more complex adders. Hence,
each input bit xi and yi is combined, e.g., using a full-adder cell into a sum bit si
and a corresponding carry ci . In this chapter, we distinguish four different types
of adder cells for integer addition: carry ripple adders (CRA), carry look-ahead
adders (CLA), carry save adders (CSA), and carry delayed adders (CDA). Instead
of explaining the respective advantages of each adder type, we have assembled
the asymptotic complexities of each adder type into Table 1.2. This table can be
used by hardware developers for selecting the appropriate adder type according to
area and timing constraints. For further information, the interested reader is referred
to [28, 17].
Table 1.2 Asymptotic area and time complexities of different n-bit adders
Adder type Abbreviation Area Time
Carry ripple adder CRA O(n) O(n)
Carry look-ahead adder CLA O(n log n) O(log n)
Carry save adder CSA O(n) O(1)
Carry delayed adder CDA O(n) O(1)
Combining several single adder cells together allows for the implementation of
an n-bit adder block. Implementing an n-bit modular addition or subtraction A ±
B mod p based on this adder block, the result of an addition or subtraction has to be
reduced modulo p. Generally, in case of a modular addition X +Y mod p we check
whether the intermediate result fulfills X +Y ≥ p, and if this is the case, reduce
the result by subtracting the modulus p once. In the case of modular subtraction X − Y mod p, we subtract first and check whether X − Y < 0 and add the modulus if applicable.
In hardware implementations, we can follow a different approach to achieve a more regular architecture. Instead of testing if a result $S_{ADD} = X + Y \ge p$ or $S_{SUB} = X - Y < 0$ has exceeded or undershot the interval [0, p − 1], respectively, we always apply the reduction and then select the result accordingly using an output multiplexer controlled by the corresponding carry bits $C_i$. A combined algorithm for computing the modular sum or difference of two inputs A, B is given by Algorithm 1. Please note that the corresponding operation is selected via an operation flag f computing X − Y mod p when f = 1 and X + Y mod p otherwise. Algorithm 1 can be implemented using two n-bit adder units built from CRA, CLA, or CDA adder cells. The use of CSA adders, however, would imply a recombination step of the corresponding outputs C and S to be able to determine whether X + Y ≥ p or X − Y < 0.
Algorithm 1 Modular addition and subtraction
Input: X, Y, p with 0 ≤ X, Y < p;
Operation flag f ∈ {0, 1} denotes a subtraction when f = 1 and addition otherwise
Output: u = X ± Y mod p
1: $(C_0, S_0) = X + (-1)^f Y$;
2: $(C_1, S_1) = S_0 + (-1)^{1-f} p$;
3: if $C_f = 0$ then
4: Return $S_f$;
5: else
6: Return $S_{1-f}$;
7: end if
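The following is an added software model of Algorithm 1 (it is not code from the chapter): both adder stages are always evaluated, and only the carry and borrow bits decide which of the two n-bit results leaves the multiplexer. The selection rule is written out explicitly for both flag values, including the case where the raw sum X + Y overflows the n-bit data path (carry out of stage 1), which also marks the sum as needing the reduction.

```python
# Added example (not from the chapter): Algorithm 1 modelled with two explicit
# n-bit adder stages whose carry/borrow bits drive the output multiplexer.

def n_bit_add(a, b, n):
    """Model of an n-bit adder: returns (carry_out, n-bit sum)."""
    s = a + b
    return s >> n, s & ((1 << n) - 1)

def n_bit_sub(a, b, n):
    """Model of an n-bit subtractor: returns (borrow, difference taken mod 2^n)."""
    d = a - b
    return int(d < 0), d & ((1 << n) - 1)

def mod_addsub(x, y, p, f):
    """X + Y mod p for f = 0, X - Y mod p for f = 1, with 0 <= X, Y < p.

    Stage 1 performs the raw operation, stage 2 always applies the reduction;
    the multiplexer then picks S0 or S1 from the carry/borrow bits only.
    """
    n = p.bit_length()
    assert 0 <= x < p and 0 <= y < p and f in (0, 1)
    if f == 0:
        c0, s0 = n_bit_add(x, y, n)    # S0 = X + Y, C0 = carry out of the data path
        c1, s1 = n_bit_sub(s0, p, n)   # S1 = S0 - p, C1 = borrow of the reduction
        # X + Y >= p exactly when stage 1 carried out or stage 2 did not borrow.
        return s1 if (c0 == 1 or c1 == 0) else s0
    c0, s0 = n_bit_sub(x, y, n)        # S0 = X - Y, C0 = borrow (set when X < Y)
    c1, s1 = n_bit_add(s0, p, n)       # S1 = S0 + p, wraps back into [0, p) mod 2^n
    return s1 if c0 == 1 else s0

def reference(x, y, p, f):
    """Plain big-integer reference used to check the multiplexer logic."""
    return (x - y) % p if f else (x + y) % p
```

For a modulus that fills its data path, such as the constructed p = 2^255 − 19, the carry out of stage 1 is the only signal that distinguishes a wrapped sum from a small one, which is why the mux condition must include it.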
1.2.2 Multiplication in Fp
In this section, we will describe hardware architectures of two algorithmic concepts
for the modular multiplication over general prime fields. Modular multiplication in
Fp is the mathematical operation
$$Z = X \cdot Y \bmod p$$
with X, Y, p ∈ Fp and X, Y < p, where X and Y are called the operands and p
denotes the modulus. The most straightforward way to implement a modular mul-
tiplication would be a full multiplication with a subsequent division to determine
the remainder. However, this approach requires a wide data path and an expensive
multi-precision operation (recall that operands tend to have hundreds of bits). Thus,
other methods like the modular Montgomery multiplication and the interleaved
modular multiplication have been proposed allowing for a more area–time efficient
design. Since modular multiplication is usually one of the most complex operations
in cryptographic algorithms, we need to consider carefully which type of algorithm
to choose:
• Parallel algorithms: Most such algorithms are optimized for high throughput and
calculate the modular product with a time complexity of O(log p) [45]. Their dis-
advantage is a huge area complexity, resulting in an expensive hardware imple-
mentation. But many practical applications require low-cost solutions, especially
now where an increasing number of high-volume products require cryptographic
foundations (e.g., in consumer electronics).
• Sequential algorithms: The sequential algorithms of highest importance are the
classical modular multiplication [22], Barrett modular multiplication [5], inter-
leaved modular multiplication [7, 40], and modular Montgomery multiplica-
tion [35]. They operate on bits or chunks of input data sequentially which results
in longer runtimes but allows for an area-optimal implementation due to a small
data path.
As a more efficient alternative to conventional multiplication with a subsequent division, Barrett has proposed a method based on three standard multiplications and some additions. The disadvantage of this solution is the high time complexity of
three multiplications. During interleaved modular multiplication, the multiplication
and the calculation of the remainder of the division are interleaved. The advantage
is that the length of the intermediate result is only one or two bits larger than the
operands. The disadvantage is the use of subtractions in order to reduce the inter-
mediate results. An efficient implementation of an interleaved multiplication can be
found in [9].
Since the modular Montgomery multiplication is the most frequently used method
for modular multiplication, we will highlight it in more detail in this chapter.
The computation is done in the Montgomery domain which is defined as a mapping $a \to a \cdot 2^R \bmod p$ for an element a ∈ Fp and an R with $p < 2^R$. The Montgomery domain allows for efficient reductions based on multiplication only. But prior to computation, all input values must be transformed into Montgomery domain (and converted back after the result has been computed), which adds some additional complexity for pre- and postcomputation steps. As an advantage of this method, we can save on costly reductions and replace them with divisions by 2 (bit shifts). Given two factors X, Y in Montgomery coordinates, i.e., $\hat{X} = X \cdot 2^R \bmod p$ and $\hat{Y} = Y \cdot 2^R \bmod p$, a standard multiplication will compute $\hat{Z} = \hat{X} \cdot \hat{Y} = XY \cdot 2^{2R}$. Note that the result of this computation is neither in Montgomery nor in standard domain and requires a correction. This has to be taken into account by a specialized Montgomery multiplication computing $X \cdot Y \cdot 2^{-R} \bmod p$ instead of $X \cdot Y \bmod p$.
It is important to mention that the additional transformation steps for Montgomery computations can be neglected as soon as several repetitive modular multiplication operations are involved, e.g., in case of a modular exponentiation. The results of these partial multiplications are added successively from the least significant to the most significant bit. In each iteration, we determine whether the intermediate result is odd or even. For this purpose the least significant bit of the intermediate result is inspected and, in case this bit is equal to "1," the modulus is added to the intermediate sum. This guarantees the sum always to be even. At the end of each iteration, the intermediate result is divided by 2, which avoids a growing complexity in the size of intermediate results. Algorithm 2 describes the Montgomery modular multiplication.
Algorithm 2 Montgomery modular multiplication
Input: $X, Y < p < 2^n$, with $2^{k-1} < p < 2^n$ and p = 2t + 1, with t ∈ N.
Output: $u = X \cdot Y \cdot 2^{-k} \bmod p$.
k: number of bits in X, $x_i$: ith bit of X
1: u = 0;
2: for i = 0; i < n; i++ do
3: $u = u + x_i \cdot Y$
4: if $u_0 = 1$ then
5: u = u + p;
6: end if
7: u = u div 2;
8: end for
9: if u ≥ p then
10: u = u − p;
11: end if
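As an added example (not code from the chapter), the bit-serial loop of Algorithm 2 is written out below together with the transformations into and out of the Montgomery domain described above, and it is then used for a modular exponentiation, the setting in which the pre- and postcomputation overhead becomes negligible. The loop length is taken as k = n, the bit length of the (odd) modulus, so the result is $X \cdot Y \cdot 2^{-k} \bmod p$; the prime p = 2^255 − 19 used in the usage note is a constructed choice.

```python
# Added example (not from the chapter): bit-serial Montgomery multiplication
# (Algorithm 2) plus domain conversion and a Montgomery-domain exponentiation.

def mont_mul(x, y, p, k):
    """Return x * y * 2^(-k) mod p by the bit-serial method of Algorithm 2.

    Requires p odd, 0 <= x, y < p and k = bit length of p (so 2^(k-1) < p < 2^k).
    The intermediate sum u stays below 2p, so one final subtraction suffices.
    """
    assert p % 2 == 1 and 0 <= x < p and 0 <= y < p and p.bit_length() == k
    u = 0
    for i in range(k):
        u += ((x >> i) & 1) * y       # step 3: add x_i * Y
        if u & 1:                     # step 4: odd intermediate result ...
            u += p                    # step 5: ... made even by adding the modulus
        u >>= 1                       # step 7: exact division by 2 (a bit shift)
    if u >= p:                        # steps 9-11: final correction
        u -= p
    return u

def to_mont(a, p, k):
    """Standard domain -> Montgomery domain: a * 2^k mod p (precomputation)."""
    return (a << k) % p

def from_mont(a_hat, p, k):
    """Montgomery domain -> standard domain: a_hat * 1 * 2^(-k) mod p (postcomputation)."""
    return mont_mul(a_hat, 1, p, k)

def mont_modexp(base, e, p):
    """Left-to-right binary exponentiation in the Montgomery domain.

    Only one conversion in and one out are needed, however many multiplications
    the exponent requires, which is why the domain change pays off here.
    """
    k = p.bit_length()
    acc = to_mont(1, p, k)
    b = to_mont(base % p, p, k)
    for bit in bin(e)[2:]:
        acc = mont_mul(acc, acc, p, k)          # square
        if bit == "1":
            acc = mont_mul(acc, b, p, k)        # multiply
    return from_mont(acc, p, k)
```

Usage: `mont_modexp(3, 65537, 2**255 - 19)` agrees with Python's `pow(3, 65537, 2**255 - 19)`; a single `mont_mul(x_hat, y_hat, p, k)` on two Montgomery-form inputs returns the Montgomery form of the product, since the factor $2^{2k}$ is reduced to $2^k$ by the built-in $2^{-k}$.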
The algorithm requires two additions per loop iteration. By introducing a redundant representation it is possible to modify the algorithm for building a very efficient architecture for Montgomery multiplication involving CSA adders. This architecture is shown in Fig. 1.2. The shown Montgomery architecture operates on one bit of X per clock cycle and hence has a time complexity of n where n is the number of bits of an operand. Remember that CSA adders require 3 XOR, 2 AND, and 1 OR gate per adder cell and are thus rather expensive in terms of hardware. The signal propagation is
[Figure 1.2 (schematic not reproduced): a RAM holding the selectable addends 0, p, y, and p + y, a MUX controlled by the bit x, one CSA, Registers C and S, and the outputs z1, z2 after division by 2]
Fig. 1.2 Montgomery modular multiplication with one CSA
mainly determined by the CSA adder which can be implemented with a latency
of t = 2 XOR gates. For a detailed comparison of efficient hardware architectures
implementing Montgomery multiplication and interleaved multiplication we refer
the reader to [2].
1.2.3 Faster Reduction in Fp
Although the performance of the reduction step can be significantly improved with
Montgomery or interleaved multiplication architecture, a significant amount of time
and hardware is additionally required to implement the reduction step to transform
intermediate integer results to values from Fp. For this purpose, special primes have
been proposed by Solinas [42] allowing for a reduction scheme based on additions
and subtractions only. This approach has later been standardized by NIST [36], e.g.,
for use with ECC over prime and binary extension fields. Special primes $p_l$ with fixed bit lengths l ∈ {192, 224, 256, 384, 521} are part of the standard, whereof p224 and p256 are probably the most relevant bit sizes for future implementations of the next decades. In the following, we will exemplarily highlight $p_{192} = 2^{192} - 2^{64} - 1$ since this is the most elementary reduction scheme. Consider a full-length multiplication of two 192-bit integers A, B ∈ GF(p192) resulting in a product C. Let
$$C = c_5 2^{320} + c_4 2^{256} + c_3 2^{192} + c_2 2^{128} + c_1 2^{64} + c_0 \quad (1.1)$$
be the 64-bit representation of C with a maximum bit length of $\log_2(C) \le 384$. We can then reduce the higher powers of 2 in Eq. (1.1) using the congruences
$$2^{192} \equiv 2^{64} + 1 \pmod p$$
$$2^{256} \equiv 2^{128} + 2^{64} \pmod p$$
$$2^{320} \equiv 2^{128} + 2^{64} + 1 \pmod p$$
Next, we can rewrite c with
$$c = c_5(2^{128} + 2^{64} + 1) + c_4(2^{128} + 2^{64}) + c_3(2^{64} + 1) + c_2 2^{128} + c_1 2^{64} + c_0 \pmod p$$
whose monomials can be recombined into a few additions as shown in Algorithm 3. Obviously, the entire reduction for p192 can be performed by three 192-bit additions and a final reduction to make sure that z = z1 + z2 + z3 + z4 is in [0, p − 1]. Note that due to the inner structure of the addends, Step 2 needs to operate on a number 0 ≤ z < 3p192 where two subtractions of p192 might be involved to lift z back into GF(p192).
Similarly to p192, this scheme can be applied for all other standardized general
Mersenne primes as specified in [36]. In the following, we present the reduction
algorithms for p224 and p256 due to their considerable relevance for the next years.
Algorithm 3 NIST reduction with $p_{192} = 2^{192} - 2^{64} - 1$
Input: Double-sized integer c = (c5, . . . , c2, c1, c0) in base $2^{64}$ and $0 \le c < p_{192}^2$
Output: Single-sized integer c mod p192.
1: Concatenate ci to the following 192-bit integers zj:
z1 = (c2, c1, c0), z2 = (0, c3, c3), z3 = (c4, c4, 0), z4 = (c5, c5, c5)
2: Compute (z1 + z2 + z3 + z4 mod p192)
According to Algorithm 4 the modular reduction for p224 can be performed with two 224-bit subtractions and two 224-bit additions. Hence, these four consecutive operations can lead to a potential over- and underflow in Step 2 of Algorithm 4 which needs to be estimated in advance. With Z = z1 + z2 + z3 − z4 − z5, we can determine the bounds −p < Z < p, reducing the number of final correction steps to a single addition or subtraction to compute Z mod p224.
Algorithm 4 NIST reduction with $p_{224} = 2^{224} - 2^{96} + 1$
Input: Double-sized integer c = (c13, . . . , c2, c1, c0) in base $2^{32}$ and $0 \le c < p_{224}^2$
Output: Single-sized integer c mod p224.
1: Concatenate ci to the following 224-bit integers zj:
z1 = (c6, c5, c4, c3, c2, c1, c0), z2 = (c10, c9, c8, c7, 0, 0, 0),
z3 = (0, c13, c12, c11, 0, 0, 0), z4 = (0, 0, 0, 0, c13, c12, c11),
z5 = (c13, c12, c11, c10, c9, c8, c7)
2: Compute (z1 + z2 + z3 − z4 − z5 mod p224)
Algorithm 5 presents the modular reduction for p256 requiring two doublings, four 256-bit subtractions, and four 256-bit additions. Based on the computation Z = z1 + 2z2 + 2z3 + z4 + z5 − z6 − z7 − z8 − z9, a result Z can range from −3p < Z < 4p, which requires a significantly more costly over- and underflow handling of Z mod p256 in hardware than for the case p224.
Since only chains of n-bit additions and subtractions (and a small additional implementation overhead due to a final reduction according to the potential overflow of Z) are required for this reduction scheme, it is significantly faster than conventional reduction algorithms. This makes it a popular choice for ECC implementations.
1.2.4 Inversion in Fp
The field inversion is usually the most expensive operation in the multiplicative
group of a finite field Fp. This always calls for methods to avoid this type of opera-
tion as often as possible, e.g., in ECC computations, a projective coordinate system
Algorithm 5 NIST reduction with $p_{256} = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1$
Input: Double-sized integer c = (c15, . . . , c2, c1, c0) in base $2^{32}$ and $0 \le c < p_{256}^2$
Output: Single-sized integer c mod p256.
1: Concatenate ci to the following 256-bit integers zj:
z1 = (c7, c6, c5, c4, c3, c2, c1, c0), z2 = (c15, c14, c13, c12, c11, 0, 0, 0),
z3 = (0, c15, c14, c13, c12, 0, 0, 0), z4 = (c15, c14, 0, 0, 0, c10, c9, c8),
z5 = (c8, c13, c15, c14, c13, c11, c10, c9), z6 = (c10, c8, 0, 0, 0, c13, c12, c11),
z7 = (c11, c9, 0, 0, c15, c14, c13, c12), z8 = (c12, 0, c10, c9, c8, c15, c14, c13),
z9 = (c13, 0, c11, c10, c9, 0, c15, c14)
2: Compute (z1 + 2z2 + 2z3 + z4 + z5 − z6 − z7 − z8 − z9 mod p256)
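The three reductions of Algorithms 3, 4 and 5 are written out below as an added example (not code from the chapter). The word tuples are copied from the algorithms exactly as given, most significant word first, and the final correction loop implements the over- and underflow handling the text describes: at most two subtractions for p192, one addition or subtraction for p224, and up to three additions or four subtractions for p256. The check against a plain big-integer `%` in the usage note is the reviewer's own.

```python
# Added example (not from the chapter): the NIST word-level reductions of
# Algorithms 3, 4 and 5 with the final over-/underflow correction.

P192 = 2**192 - 2**64 - 1
P224 = 2**224 - 2**96 + 1
P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1

def words(c, width, count):
    """Split c into `count` words of `width` bits, c_0 first (index 0)."""
    mask = (1 << width) - 1
    return [(c >> (width * i)) & mask for i in range(count)]

def join(msw_first, width):
    """Assemble an integer from a word tuple written most significant word first."""
    v = 0
    for w in msw_first:
        v = (v << width) | w
    return v

def correct(z, p):
    """Lift the signed sum z back into [0, p-1]; only a few steps are ever needed."""
    while z < 0:
        z += p
    while z >= p:
        z -= p
    return z

def reduce_p192(c):
    assert 0 <= c < P192**2
    c0, c1, c2, c3, c4, c5 = words(c, 64, 6)
    z1 = join((c2, c1, c0), 64)
    z2 = join((0, c3, c3), 64)
    z3 = join((c4, c4, 0), 64)
    z4 = join((c5, c5, c5), 64)
    return correct(z1 + z2 + z3 + z4, P192)          # 0 <= z < 3p: up to 2 subtractions

def reduce_p224(c):
    assert 0 <= c < P224**2
    c = words(c, 32, 14)
    z1 = join((c[6], c[5], c[4], c[3], c[2], c[1], c[0]), 32)
    z2 = join((c[10], c[9], c[8], c[7], 0, 0, 0), 32)
    z3 = join((0, c[13], c[12], c[11], 0, 0, 0), 32)
    z4 = join((0, 0, 0, 0, c[13], c[12], c[11]), 32)
    z5 = join((c[13], c[12], c[11], c[10], c[9], c[8], c[7]), 32)
    return correct(z1 + z2 + z3 - z4 - z5, P224)      # -p < Z < p: one add or sub

def reduce_p256(c):
    assert 0 <= c < P256**2
    c = words(c, 32, 16)
    z1 = join((c[7], c[6], c[5], c[4], c[3], c[2], c[1], c[0]), 32)
    z2 = join((c[15], c[14], c[13], c[12], c[11], 0, 0, 0), 32)
    z3 = join((0, c[15], c[14], c[13], c[12], 0, 0, 0), 32)
    z4 = join((c[15], c[14], 0, 0, 0, c[10], c[9], c[8]), 32)
    z5 = join((c[8], c[13], c[15], c[14], c[13], c[11], c[10], c[9]), 32)
    z6 = join((c[10], c[8], 0, 0, 0, c[13], c[12], c[11]), 32)
    z7 = join((c[11], c[9], 0, 0, c[15], c[14], c[13], c[12]), 32)
    z8 = join((c[12], 0, c[10], c[9], c[8], c[15], c[14], c[13]), 32)
    z9 = join((c[13], 0, c[11], c[10], c[9], 0, c[15], c[14]), 32)
    return correct(z1 + 2*z2 + 2*z3 + z4 + z5 - z6 - z7 - z8 - z9, P256)  # -3p < Z < 4p
```

Usage: for any a, b below the modulus, `reduce_p256(a * b)` equals `(a * b) % P256`; the `correct` loops are the only place where the number of iterations depends on the data, which is what a hardware implementation replaces by the fixed carry-controlled selection discussed for Algorithm 1.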
can be used to replace required field inversions nearly completely by trading them
for a few multiplications.
In general, there are two ways to compute the inverse element $X^{-1}$ to a given element X ∈ GF(p): using the extended greatest common divisor (gcd) algorithm [31] or, in case of constrained hardware area, an existing exponentiation circuit to compute $X^{-1}$ using Fermat's little theorem by $X^{-1} \equiv X^{p-2} \bmod p$ [26]. Because we already introduced the domain of Montgomery coordinates with the modular multiplication, we will present an inversion method that can handle Montgomery transformed input. Please recall that an $\hat{X} = X \cdot 2^R$ in Montgomery domain representation will be inverted to $X^{-1} \cdot 2^{-R}$. This can be either corrected using another multiplication or by adapting the inversion circuit accordingly. Kaliski has defined a sequence of two algorithms for inverting elements: the almost Montgomery-inverse algorithm computes for an element X a biased inverse $X^{-1} 2^z$ where z is a positive but variable value. The second phase is used to correct the bias and restore the Montgomery representation. In the following, we will explain the details of the Kaliski inversion [10] without a final correction step (which is a repetition of bit shifts and additions of p until the desired factor of $2^R$ is restored). The algorithm itself is expensive to implement in hardware since each iteration requires two simultaneous n-bit subtractions and one n-bit addition to achieve minimal latency. Figure 1.3 depicts the schematic of the almost Montgomery inverse algorithm consisting of three CLA adders, four n-bit registers, and corresponding multiplexers.
1.3 Crypto Building Blocks for Fields F2m
Although prime fields have more relevance in common cryptography, binary exten-
sion fields F2m are often selected for hardware implementations [6] due to their
computation without carries. The arithmetic in extension fields not only simplifies
the general architecture but also reduces the area and issues with long signal prop-
agation paths due to the lack of carry arithmetic, e.g., the addition and subtraction
Algorithm 6 Almost Montgomery inverse
Input: X ∈ Fp and p, or $X \cdot 2^R$ ∈ Fp and p
Output: Intermediate values r and z where $r = X^{-1} \cdot 2^z \bmod p$ and h ≤ z ≤ 2h
1: u ← p, v ← X, r ← 0, s ← 1
2: k ← 0
3: while v > 0 do
4: if u is even then
5: u ← u/2, s ← 2s
6: else if v is even then
7: v ← v/2, r ← 2r
8: else if u > v then
9: u ← (u − v)/2, r ← r + s, s ← 2s
10: else
11: v ← (v − u)/2, s ← r + s, r ← 2r
12: end if
13: k ← k + 1
14: end while
15: if r ≥ p then
16: r ← r − p {make sure that r is within its boundaries}
17: end if
18: return r ← p − r
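As an added example (not code from the chapter), Algorithm 6 is given below in software with the loop counter k returned alongside r, so that the invariant $r = X^{-1} \cdot 2^k \bmod p$ can be checked directly. The short correction phase that follows is our own reading of the text's remark (repeated halvings with additions of p): it removes the variable bias $2^k$ and leaves the inverse with the fixed factor $2^R$, R being the bit length of p, i.e. the Montgomery form of $X^{-1}$ for a standard-domain input.

```python
# Added example (not from the chapter): Kaliski's almost Montgomery inverse
# (Algorithm 6) plus a halving-based bias correction (our addition).

def almost_mont_inverse(x, p):
    """Return (r, k) with r = x^(-1) * 2^k mod p for odd p and 0 < x < p.

    Each iteration halves u or v (in the exact sense: the halved value is even),
    so the loop runs between n and 2n times for an n-bit modulus.
    """
    assert p % 2 == 1 and 0 < x < p
    u, v, r, s, k = p, x, 0, 1, 0
    while v > 0:
        if u % 2 == 0:
            u, s = u // 2, 2 * s
        elif v % 2 == 0:
            v, r = v // 2, 2 * r
        elif u > v:
            u, r, s = (u - v) // 2, r + s, 2 * s     # r uses the old s, then s doubles
        else:
            v, s, r = (v - u) // 2, r + s, 2 * r     # s uses the old r, then r doubles
        k += 1
    if r >= p:                                       # keep r within [0, p)
        r -= p
    return p - r, k

def mont_inverse(x, p):
    """x^(-1) * 2^R mod p with R = bit length of p (the Montgomery form of x^(-1)).

    Correction phase (assumption, not the chapter's circuit): each halving mod p
    divides the bias by 2, adding p first when r is odd so the division is exact.
    """
    R = p.bit_length()
    r, k = almost_mont_inverse(x, p)
    while k > R:                                     # bias too large: halve mod p
        r = r // 2 if r % 2 == 0 else (r + p) // 2
        k -= 1
    while k < R:                                     # bias too small: double mod p
        r = (2 * r) % p
        k += 1
    return r
```

Usage: for a constructed prime such as p = 2^255 − 19, `(mont_inverse(x, p) * x) % p` equals `pow(2, 255, p)`; the loop count k returned by `almost_mont_inverse` is data dependent, which is the reason the chapter lists the correction step separately from the main iteration.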
[Figure 1.3 (schematic not reproduced): a MUX layer feeding three CLA adders (inputs I1.1/I1.2, I2.1/I2.2, I3.1/I3.2), a dynamic shift stage, the registers REG u, REG v, REG r, REG s holding u_i, v_i, r_i, s_i and producing u_{i+1}, v_{i+1}, r_{i+1}, s_{i+1}, inputs a and p, and a control block CTL]
Fig. 1.3 Almost Montgomery inverse algorithm in hardware using CLA adders
in F2m can be implemented as a simple XOR operation allowing to compute each
coefficient individually like in vector spaces. As already mentioned, the field $F_{2^m}$ is generated by an irreducible polynomial $F(x) = x^m + G(x) = x^m + \sum_{i=0}^{m-1} g_i x^i$ over F2 of degree m. We assume α to be a root of F(x), thus for X, Y, Z ∈ F2m, we write $X = \sum_{i=0}^{m-1} x_i \alpha^i$, $Y = \sum_{i=0}^{m-1} y_i \alpha^i$, $Z = \sum_{i=0}^{m-1} z_i \alpha^i$, with bit coefficients $x_i, y_i, z_i \in F_2$. Note that by assumption F(α) = 0 since α is a root of F(x). Therefore,
$$\alpha^m = G(\alpha) = \sum_{i=0}^{m-1} g_i \alpha^i \quad (1.2)$$
provides an easy way to perform modulo reduction, whenever we encounter powers
of α greater than m − 1 (cf. Section 1.1). For hardware implementations of more
complex operations like multiplication and inversion, trinomial and pentanomial
reduction polynomials are chosen as they enable a very efficient implementation
with only a few gates. In the following, we present efficient architectures for multi-
plier and squarer implementations for binary fields in hardware.
1.3.1 Multiplication in F2m
Multiplication of two elements X, Y ∈ F2m with $X(\alpha) = \sum_{i=0}^{m-1} x_i \alpha^i$ and $Y(\alpha) = \sum_{i=0}^{m-1} y_i \alpha^i$ is performed by computing
$$Z(\alpha) = \sum_{i=0}^{m-1} z_i \alpha^i \equiv X(\alpha) \cdot Y(\alpha) \bmod F(\alpha)$$
where the multiplication is a polynomial multiplication, and all $\alpha^t$, with t ≥ m, are reduced with Eq. (1.2) and α a root of the underlying field. We will discuss a bit-parallel architecture for F2m in the following section.
1.3.1.1 Bit Multipliers in F2m
The canonical algorithm for field multiplication for binary fields is the shift-and-add method [23] with the reduction step interleaved, shown as Algorithm 7. Note that due to their independence, the computation of yi X and Zα mod F(α) can be performed in parallel in Step 3 of Algorithm 7. However, the value of Zi of a current iteration depends on both the value of Zi−1 at the previous iteration and on the currently computed value yi X. This dependency has the effect of making the MSB multiplier have a longer critical path than that of the least significant bit (LSB) multiplier, described later in the following section. For hardware, the efficient shift-and-add method is suitable when area is constrained. In case that the bits of Y are processed in reverse order, i.e., from most significant bit to least significant bit (as in
Algorithm 7 Shift-and-add most significant bit (MSB) first F2m multiplication
Input: $X = \sum_{i=0}^{m-1} x_i \alpha^i$, $Y = \sum_{i=0}^{m-1} y_i \alpha^i$ where $x_i, y_i \in F_2$.
Output: $Z \equiv X \cdot Y \bmod F(\alpha) = \sum_{i=0}^{m-1} z_i \alpha^i$ where $z_i \in F_2$.
1: Z ← 0
2: for i = m − 1 downto 0 do
3: Z ← Z · α mod F(α) + yi · X
4: end for
5: Return (Z)
Algorithm 7), we call this implementation a most significant bit-serial (MSB) mul-
tiplier [43]. We have already emphasized that reduction in modular multiplication
is a step involving significant efforts. Using specific reduction polynomials can help
us reducing the overhead for lifting back intermediate multiplication results to F2m .
In the following, we will present bit-wise multipliers which incorporate an efficient
reduction scheme in F2m. For an MSB multiplier, assume a quantity of the form Qα, where $Q(\alpha) = \sum_{i=0}^{m-1} q_i \alpha^i \in F_{2^m}$, to be reduced mod F(α). Multiplying Q by α, we obtain
$$Q\alpha = \sum_{i=0}^{m-1} q_i \alpha^{i+1} = q_{m-1}\alpha^m + \sum_{i=0}^{m-2} q_i \alpha^{i+1} \quad (1.3)$$
With the property of the reduction polynomial from Eq. (1.2) at hand, we can substitute for $\alpha^m$ and rewrite the index of the second summation in Eq. (1.3). Qα mod F(α) can then be calculated as follows:
$$Q\alpha \bmod F(\alpha) = \sum_{i=0}^{m-1} (g_i q_{m-1})\alpha^i + \sum_{i=1}^{m-1} q_{i-1}\alpha^i = (g_0 q_{m-1}) + \sum_{i=1}^{m-1} (q_{i-1} + g_i q_{m-1})\alpha^i$$
where all coefficient arithmetic is in F2. As an example, we consider the structure
of a 163-bit MSB multiplier shown in Fig. 1.4. In this multiplier, the operand X
is placed onto the data-bus X of the multiplier directly from the memory register
location. The individual bits of yi are sent from a memory location by implementing
the memory registers as a cyclic shift register (with the output at the most significant
bit).
The intermediate reduction is performed on the accumulating result zi , as in
Step 3 in Algorithm 7. The taps that are fed back to zi are directly based on
the reduction polynomial. Figure 1.4 shows an implementation for the reduction polynomial $F(x) = x^{163} + x^7 + x^6 + x^3 + 1$, where the taps XOR the result of c162 to c7, c6, c3, and c0. As mentioned before, time and area requirements of
F2m hardware are efficient and predetermined. The complexity of the multiplier is n
AND + (n + t − 1) XOR gates where t = 3 for a trinomial reduction polynomial and
t = 5 for a pentanomial reduction polynomial. The latency for the multiplier output
is n clock cycles. Furthermore, the maximum critical path is 2ΔXOR (independent
of n), where ΔXOR represents a single delay in an XOR gate.
[Figure 1.4 (circuit not reproduced): the 163-bit operand bus X, the serial input y_i, the cells x163 x162 ... x7 ... x3 x2 x1 x0 with accumulator bits z163 z162 ... z7 ... z3 z2 z1 z0, and the 163-bit output XY mod F(x) = Z]
Fig. 1.4 Most significant bit-serial (MSB) multiplier circuit for F2163
Similar to the presented MSB multiplier, a least significant bit-serial (LSB) multiplier can be implemented and the choice between the two depends on the design architecture and goals. In an LSB multiplier, the coefficients of Y are processed starting from the least significant bit y0 and continuing with the remaining coefficients one at a time in ascending order. Thus, multiplication according to this scheme is performed in the following way:
$$Z \equiv XY \bmod F(\alpha) \equiv y_0 X + y_1(X\alpha \bmod F(\alpha)) + y_2(X\alpha^2 \bmod F(\alpha)) + \ldots + y_{m-1}(X\alpha^{m-1} \bmod F(\alpha))$$
$$\equiv y_0 X + y_1(X\alpha \bmod F(\alpha)) + y_2((X\alpha)\alpha \bmod F(\alpha)) + \ldots + y_{m-1}((X\alpha^{m-2})\alpha \bmod F(\alpha))$$
1.3.1.2 Digit Multipliers in F2m
Compared to the previously mentioned methods for multiplication, digit multipliers provide trade-offs between speed, area, and power consumption [20]. This is achieved by processing several of Y's coefficients simultaneously at the cost of more hardware area. The number of coefficients that are processed in parallel is defined to be the digit size D. Let the total number of digits in the polynomial of degree m − 1 be given by $d = \lceil m/D \rceil$. Then, we can rewrite the multiplier as $Y = \sum_{i=0}^{d-1} Y_i \alpha^{Di}$, where
$$Y_i = \sum_{j=0}^{D-1} y_{Di+j}\alpha^j, \quad 0 \le i \le d - 1 \quad (1.4)$$
and we assume that Y has been padded with zero coefficients such that $y_i = 0$ for m − 1 < i < d · D. The multiplication can then be performed as
$$Z \equiv X \cdot Y \bmod F(\alpha) = X \sum_{i=0}^{d-1} Y_i \alpha^{Di} \bmod F(\alpha) \quad (1.5)$$
The least significant digit-serial (LSD) multiplier is a generalization of the LSB multiplier in which the digits of Y are processed starting from the least significant to the most significant. Using Eq. (1.5), the product in this scheme can be computed as follows:
$$Z \equiv X \cdot Y \bmod F(\alpha) \equiv [Y_0 X + Y_1(X\alpha^D \bmod F(\alpha)) + Y_2(X\alpha^D\alpha^D \bmod F(\alpha)) + \ldots + Y_{d-1}(X\alpha^{D(d-2)}\alpha^D \bmod F(\alpha))] \bmod F(\alpha)$$
Algorithm 8 shows the details of the LSD multiplier. The full multiplier core
requires the additional operation Z ← Yi X + Z (Step 4 of Algorithm 8). It consists
of ANDing the multiplicand X with each element of the digit of the multiplier Y
and XORing the result into an accumulator. As an optimization, Z can be initialized
to a value I ∈ F2m in Algorithm 8. Then, we can obtain as output the quantity, X ·
Y + I mod F(α) at no additional (hardware or delay) cost. This operation, known as
a multiply/accumulate operation is very useful, e.g., in elliptic curve-based systems.
Algorithm 8 Least significant digit-serial (LSD) multiplier [43]
Input: $X = \sum_{i=0}^{m-1} x_i \alpha^i$, where $x_i \in F_2$, $Y = \sum_{i=0}^{\lceil m/D \rceil - 1} Y_i \alpha^{Di}$, where $Y_i$ as in (1.4)
Output: $Z \equiv X \cdot Y = \sum_{i=0}^{m-1} z_i \alpha^i$, where $z_i \in F_2$
1: Z ← 0
2: for i = 0 to ⌈m/D⌉ − 1 do
3: Z ← Yi X + Z
4: X ← Xα^D mod F(α)
5: end for
6: Return (Z mod F(α))
Considering the reduction, the operation X ← Xα^D mod F(α) from Step 3 of Algorithm 8 needs to be efficiently implemented. Trivially, the multiplicand X is shifted left by the digit-size D which is equivalent to multiplying by α^D. Then, the
result is reduced with the reduction polynomial by a logical AND of the higher
D elements of the shifted multiplicand with the reduction polynomial F(α) and a
subsequent exclusive-or with the result.
A final reduction circuit performs the operation X mod F(α), where X is of size
m + D − 2. It is implemented similarly to the main reduction circuit but without
any shifting. The area requirement for this circuit is (k + 1)(D − 1) AND gates
and (k + 1)(D − 1) XOR gates. The critical path of the final reduction circuit is
ΔAND + log2 (D)ΔXOR which is less than that of the main reduction circuit.
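The three multiplier organisations of this section, MSB-first (Algorithm 7), LSB-first, and least significant digit-serial (Algorithm 8), are written out below as an added example (not code from the chapter) on the field of Fig. 1.4, $F(x) = x^{163} + x^7 + x^6 + x^3 + 1$. Field elements are Python integers whose bit i is the coefficient of $\alpha^i$; `times_alpha` is exactly the tap structure of Eq. (1.3), and the digit-serial variant keeps Z unreduced until the final reduction circuit, as the text describes. The digit size D = 8 and the operand values in the usage note are constructed for the illustration.

```python
# Added example (not from the chapter): bit-serial and digit-serial multipliers
# over F_2^163 with F(x) = x^163 + x^7 + x^6 + x^3 + 1 (bit i <-> coefficient of alpha^i).

M = 163
F_POLY = (1 << M) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # F(x)
G_POLY = F_POLY ^ (1 << M)                               # G(x) = F(x) - x^m: the feedback taps
MASK = (1 << M) - 1

def times_alpha(q):
    """Q * alpha mod F(alpha) as in Eq. (1.3): shift, then fold q_{m-1} onto the taps of G."""
    top = (q >> (M - 1)) & 1
    return ((q << 1) & MASK) ^ (G_POLY if top else 0)

def reduce_mod_f(a):
    """Final reduction circuit: fold every coefficient of degree >= m onto F, highest first."""
    for i in range(a.bit_length() - 1, M - 1, -1):
        if (a >> i) & 1:
            a ^= F_POLY << (i - M)
    return a

def mul_msb(x, y):
    """Algorithm 7: Y processed from its most significant coefficient, reduction interleaved."""
    z = 0
    for i in range(M - 1, -1, -1):
        z = times_alpha(z) ^ (x if (y >> i) & 1 else 0)   # Z <- Z*alpha mod F + y_i*X
    return z

def mul_lsb(x, y):
    """LSB-first: accumulate y_i * (X alpha^i mod F) while X is shifted and reduced in place."""
    z = 0
    for i in range(M):
        if (y >> i) & 1:
            z ^= x
        x = times_alpha(x)
    return z

def digit_times(x, digit, D):
    """Y_i * X as a plain polynomial product (AND each digit bit with X, XOR shifted copies)."""
    acc = 0
    for j in range(D):
        if (digit >> j) & 1:
            acc ^= x << j
    return acc

def mul_lsd(x, y, D=8):
    """Algorithm 8: Y in digits of D coefficients; Z accumulates unreduced (degree < m + D - 1),
    X advances by alpha^D per digit, and Z is reduced once at the end."""
    z = 0
    d = -(-M // D)                          # ceil(m / D) digits, Y zero-padded beyond bit m-1
    for i in range(d):
        digit = (y >> (D * i)) & ((1 << D) - 1)
        z ^= digit_times(x, digit, D)       # Z <- Y_i X + Z
        x = reduce_mod_f(x << D)            # X <- X alpha^D mod F(alpha)
    return reduce_mod_f(z)                  # final reduction of the accumulator
```

A quick sanity check that the tap structure is right: multiplying α by $\alpha^{162}$ must give $\alpha^{163} = G(\alpha)$, i.e. `mul_msb(2, 1 << 162) == G_POLY`; all three multipliers agree on arbitrary operands, and for a larger D the digit-serial variant simply performs fewer, wider iterations.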
1.3.2 Squaring in F2m
Polynomial basis squaring of X ∈ F2m is implemented by expanding X to double its bit length by interleaving 0 bits in between the original bits of X and then reducing the double length result as shown here:
$$C \equiv X^2 \bmod F(\alpha) \equiv (x_{m-1}\alpha^{2(m-1)} + x_{m-2}\alpha^{2(m-2)} + \ldots + x_1\alpha^2 + x_0) \bmod F(\alpha)$$
In hardware these two steps can be combined if the reduction polynomial has a
small number of non-zero coefficients, such as in the case of irreducible trinomials
and pentanomials. The architecture of the squarer implemented as a hardwired XOR
circuit is shown in Fig. 1.5. Here, the squaring is efficiently implemented for $F(x) = x^{163} + x^7 + x^6 + x^3 + 1$, to generate the result in one single clock cycle without
significant area requirements. It involves first the expansion by interleaving with
zeroes, which in hardware is just an interleaving of 0 bit valued lines on to the
bus to expand it to 2n bits (where n is the bit length of the original parameter).
The reduction of this polynomial is inexpensive, first, due to the fact that reduction
[Figure 1.5 (circuit not reproduced): the 163-bit input X, hardwired XOR taps from input bits such as x0, x2, x81, x83, x159, x160, x161, x162 into the output bits z0 ... z163, and the output X^2 mod F(x) = Z]
Fig. 1.5 Squaring circuit for field F2163
polynomial used is a pentanomial, and second, the polynomial being reduced is
sparse with no reduction required for n/2 of the higher order bits.
As an example for the efficient implementation of a binary field squarer unit in hardware, XOR requirements and the maximum critical path (assuming an XOR tree implementation) for three different reduction polynomials used in elliptic curve cryptography are given in Table 1.3.
Table 1.3 F2m gate consumption and latency figures for a squaring unit
Reduction polynomial F(x)          XOR gates   Critical path
x^193 + x^15 + 1                   96 XOR      2 ΔXOR
x^163 + x^7 + x^6 + x^3 + 1        246 XOR     3 ΔXOR
x^131 + x^8 + x^3 + x^2 + 1        205 XOR     3 ΔXOR
1.3.3 Inversion in F2m using Itoh–Tsujii Algorithms
In Section 1.2.4 we have discussed the utilization of gcd algorithms for computing
the multiplicative inverse in a finite field Fp. Alternatively, Fermat's little theorem was mentioned to determine the inverse element at the cost of cn modular multiplications, where n is the bit length of an operand and c > 1 a constant dependent on the applied exponentiation algorithm.4 Originally introduced in [21], the Itoh and Tsujii algorithm (ITA) is a further exponentiation-based algorithm for inversion in finite fields which reduces the complexity of computing the inverse of a non-zero element in F2m to at most 2 log2(m − 1) multiplications in F2m and m − 1 cyclic shifts.
Next, we will show how to compute the multiplicative inverse of X ∈ F2m, X ≠ 0, according to the binary method for exponentiation. From Fermat's little theorem we know that $X^{-1} \equiv X^{2^m - 2}$, which can be computed as
$$X^{2^m - 2} = X^2 \cdot X^{2^2} \cdots X^{2^{m-1}}$$
This requires m − 2 multiplications and m − 1 cyclic shifts. As we have seen in
Section 1.3.2 squaring is a linear operation.
In [21] Itoh and Tsujii proposed three algorithms. The first two algorithms describe addition chains for exponentiation-based inversion in fields F2m while the third one describes a method based on subfield inversion. The first algorithm is only applicable to values of m such that $m = 2^r + 1$, for some positive r, and it is based
4 Exponentiation algorithms significantly influence the performance of cryptosystems like RSA,
DHKE, and ElGamal. Please find further details how to speed up exponentiation methods in [31,
16, 44].
on the observation that the exponent $2^m - 2$ can be rewritten as $(2^{m-1} - 1) \cdot 2$. Thus if $m = 2^r + 1$, we can compute $X^{-1} \equiv (X^{2^{2^r} - 1})^2$. Furthermore, we can rewrite $2^{2^r} - 1$ as
$$2^{2^r} - 1 = \left(2^{2^{r-1}} - 1\right) 2^{2^{r-1}} + \left(2^{2^{r-1}} - 1\right) \quad (1.6)$$
Equation (1.6) and the previous discussion result in Algorithm 9. Note that Algorithm 9 performs r = log2(m − 1) iterations. In every iteration, one multiplication and $2^i$ cyclic shifts, for 0 ≤ i < r, are performed which leads to an overall complexity of log2(m − 1) multiplications and m − 1 cyclic shifts.
Algorithm 9 Multiplicative Inverse Computation in F2m with $m = 2^r + 1$ [21]
Input: X ∈ F2m, X ≠ 0, $m = 2^r + 1$
Output: $Z = X^{-1}$
Z ← X
for i = 0 to r − 1 do
$Y \leftarrow Z^{2^{2^i}}$ {cyclic shifts by $2^i$}
Z ← Z · Y
end for
$Z \leftarrow Z^2$
Return (Z)
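Below, as an added example (not code from the chapter), the zero-interleaving squarer of Section 1.3.2 and Algorithm 9 are combined into a working inversion. Since 163 is not of the form $2^r + 1$, the field used here is our own choice: m = 17 = 2^4 + 1 with the irreducible trinomial $F(x) = x^{17} + x^3 + 1$ (and m = 5 with $x^5 + x^2 + 1$ in the checks). The "cyclic shifts" of the listing are realised as repeated polynomial-basis squarings, so each $Y \leftarrow Z^{2^{2^i}}$ costs $2^i$ squarings and the r multiplications are the only expensive steps.

```python
# Added example (not from the chapter): squaring by zero interleaving and the
# Itoh-Tsujii inverse of Algorithm 9 for m = 2^r + 1, on small constructed fields.

def reduce_mod(a, f, m):
    """Reduce polynomial a (bit i = coefficient of alpha^i) modulo f of degree m."""
    for i in range(a.bit_length() - 1, m - 1, -1):
        if (a >> i) & 1:
            a ^= f << (i - m)
    return a

def mul(x, y, f, m):
    """MSB-first shift-and-add multiplication with interleaved reduction (Algorithm 7)."""
    z = 0
    for i in range(m - 1, -1, -1):
        z = reduce_mod(z << 1, f, m)
        if (y >> i) & 1:
            z ^= x
    return z

def spread_bits(x, m):
    """Expansion step of the squarer: coefficient x_i moves to position 2i, zeros in between."""
    s = 0
    for i in range(m):
        if (x >> i) & 1:
            s |= 1 << (2 * i)
    return s

def square(x, f, m):
    """X^2 mod F(alpha): spread the bits (squaring is linear over F_2), then reduce."""
    return reduce_mod(spread_bits(x, m), f, m)

def square_times(x, times, f, m):
    """X^(2^times): `times` consecutive squarings (the listing's cyclic shifts)."""
    for _ in range(times):
        x = square(x, f, m)
    return x

def itoh_tsujii_inverse(x, f, m):
    """Algorithm 9: X^(-1) = (X^(2^(2^r) - 1))^2 for m = 2^r + 1, using r multiplications."""
    r = (m - 1).bit_length() - 1
    assert x != 0 and (1 << r) + 1 == m, "Algorithm 9 needs m = 2^r + 1"
    z = x
    for i in range(r):
        y = square_times(z, 1 << i, f, m)   # Y <- Z^(2^(2^i))
        z = mul(z, y, f, m)                 # Z <- Z * Y, now Z = X^(2^(2^(i+1)) - 1)
    return square(z, f, m)                  # Z <- Z^2 = X^(2^m - 2)

F17 = (1 << 17) | (1 << 3) | 1             # x^17 + x^3 + 1, irreducible over F_2 (our choice)
F5 = (1 << 5) | (1 << 2) | 1               # x^5 + x^2 + 1, irreducible over F_2 (our choice)
```

Usage: `mul(x, itoh_tsujii_inverse(x, F17, 17), F17, 17)` returns 1 for every non-zero x; with m = 17 the loop performs r = 4 multiplications and 1 + 2 + 4 + 8 = 15 squarings plus the final one, i.e. the m − 1 = 16 shifts the text counts.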
This is again an improvement over prime field algorithms for inversion. On closer inspection of the involved basic operations, they can obviously be implemented efficiently using the techniques that we already proposed in Sections 1.3.1 and 1.3.2.
1.4 Summary
In this chapter, we presented a survey of finite field architectures that are suitable for
hardware implementations of popular cryptographic systems. The hardware architectures
for addition/subtraction, multiplication, and inversion were presented for both
finite fields popularly used in cryptography: binary extension fields and prime fields. Furthermore,
we have highlighted selected optimizations for reduction schemes in both
prime and binary fields, e.g., using generalized Mersenne primes or trinomial or pentanomial
reduction polynomials. Further information on implementations of public-key
cryptosystems can also be found in Chapter 4.
References
1. FIPS 186-2: Digital Signature Standard (DSS). February 2000. Available for download at http://csrc.nist.gov/encryption.
2. D. N. Amanor, C. Paar, J. Pelzl, V. Bunimov, and M. Schimmler. Efficient Hardware Architectures for Modular Multiplication on FPGAs. In 2005 International Conference on Field Programmable Logic and Applications (FPL), Tampere, Finland, pages 539–542. IEEE Circuits and Systems Society, August 2005.
3. D. V. Bailey and C. Paar. Optimal Extension Fields for Fast Arithmetic in Public-Key Algorithms. In H. Krawczyk, editor, Advances in Cryptology — CRYPTO ’98, volume 1462 of LNCS, pages 472–485. Springer-Verlag, Berlin, 1998.
4. D. V. Bailey and C. Paar. Efficient Arithmetic in Finite Field Extensions with Application in Elliptic Curve Cryptography. Journal of Cryptology, 14(3):153–176, 2001.
5. P. Barrett. Implementing the Rivest, Shamir and Adleman public-key encryption algorithm on a standard digital signal processor. In A. Odlyzko, editor, Advances in Cryptology — CRYPTO ’86, volume 263 of LNCS, pages 311–323. Springer-Verlag, Berlin, 1987.
6. L. Batina, S. B. Ors, B. Preneel, and J. Vandewalle. Hardware architectures for public key cryptography. Integration, the VLSI Journal, 34(6):1–64, 2003.
7. G. Blakley. A computer algorithm for calculating the product A · B modulo M. IEEE Transactions on Computers, C-32(5):497–500, May 1983.
8. D. Boneh and M. Franklin. Identity-Based Encryption from the Weil Pairing. In J. Kilian, editor, Advances in Cryptology — CRYPTO 2001, volume 2139 of LNCS, pages 213–229. Springer-Verlag, Berlin, 2001.
9. V. Bunimov and M. Schimmler. Area and Time Efficient Modular Multiplication of Large Integers. In IEEE 14th International Conference on Application-specific Systems, Architectures and Processors, June 2003.
10. A. Daly, L. Marnaney, and E. Popovici. Fast Modular Inversion in the Montgomery Domain on Reconfigurable Logic. Technical report, University College Cork, Cork, Ireland, 2004.
11. W. Diffie. Subject: Authenticity of Non-secret Encryption documents. Email message sent to John Young, October 6, 1999. Available at http://cryptome.org/ukpk-diffie.htm.
12. W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, November 1976.
13. T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.
14. J. H. Ellis. The Story of Non-secret Encryption. December 16, 1997. Available at http://jya.com/ellisdoc.htm.
15. Internet Engineering Task Force. The Kerberos Network Authentication Service (V5). RFC 4120, July 2005.
16. D. M. Gordon. A survey of fast exponentiation methods. Journal of Algorithms, 27:129–146, 1998.
17. J. Guajardo, T. Güneysu, S. S. Kumar, C. Paar, and J. Pelzl. Efficient hardware implementation of finite fields with applications to cryptography. Acta Applicandae Mathematicae, 93:75–118, 2006.
18. J. Guajardo and C. Paar. Efficient Algorithms for Elliptic Curve Cryptosystems. In B. Kaliski, Jr., editor, Advances in Cryptology — CRYPTO ’97, volume 1294 of LNCS, pages 342–356. Springer-Verlag, Berlin, August 1997.
19. J. Hoffstein, D. Lieman, J. Pipher, and J. H. Silverman. NTRU: A Public Key Cryptosystem. Technical report, August 11, 1999.
20. K. Hwang. Computer Arithmetic: Principles, Architecture and Design. John Wiley & Sons, Inc., New York, 1979.
21. T. Itoh and S. Tsujii. A fast algorithm for computing multiplicative inverses in GF(2^m) using normal bases. Information and Computation, 78:171–177, 1988.
22. D. E. Knuth. The Art of Computer Programming, Vol. 2: Seminumerical Algorithms. Addison-Wesley, Reading, MA, November 1971. 2nd printing.
23. D. E. Knuth. The Art of Computer Programming, Vol. 2: Seminumerical Algorithms. Second edition, Addison-Wesley, Reading, MA, 1973.
24. N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48(177):203–209, January 1987.
25. N. Koblitz. Hyperelliptic cryptosystems. Journal of Cryptology, 1(3):129–150, 1989.
26. N. Koblitz. A Course in Number Theory and Cryptography. Springer-Verlag, New York, 1994.
27. N. Koblitz. An Elliptic Curve Implementation of the Finite Field Digital Signature Algorithm. In H. Krawczyk, editor, Advances in Cryptology — CRYPTO ’98, volume 1462 of LNCS, pages 327–337. Springer-Verlag, Berlin, 1998.
28. Ç. K. Koç, T. Acar, and B. S. Kaliski. Analyzing and comparing Montgomery multiplication algorithms. IEEE Micro, 16(3):26–33, June 1996.
29. A. Lenstra and E. Verheul. Selecting Cryptographic Key Sizes. In H. Imai and Y. Zheng, editors, Practice and Theory in Public Key Cryptography — PKC 2000, volume 1751 of LNCS, pages 446–465, January 2000.
30. R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42–44, 1978.
31. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. The CRC Press Series on Discrete Mathematics and Its Applications. CRC Press, 1997.
32. R. C. Merkle. Secure communications over insecure channels. Communications of the ACM, 21(4):294–299, 1978.
33. P. Mihăilescu. Optimal Galois Field Bases Which Are Not Normal. Recent Results Session, FSE ’97, 1997.
34. V. S. Miller. Use of Elliptic Curves in Cryptography. In H. C. Williams, editor, Advances in Cryptology — CRYPTO ’85, volume 218 of LNCS, pages 417–426. Springer-Verlag, 1986.
35. P. Montgomery. Modular multiplication without trial division. Mathematics of Computation, 44(170):519–521, April 1985.
36. National Institute of Standards and Technology (NIST). Recommended Elliptic Curves for Federal Government Use, July 1999. http://csrc.nist.gov/csrc/fedstandards.html.
37. J. Pollard. Monte Carlo methods for index computation mod p. Mathematics of Computation, 32(143):918–924, July 1978.
38. R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.
39. B. Schneier. Crypto-Gram Newsletter, May 15, 1998. Available at http://www.schneier.com/crypto-gram-9805.html.
40. K. Sloan. Comments on a computer algorithm for calculating the product A · B modulo M. IEEE Transactions on Computers, C-34(3):290–292, March 1985.
41. N. Smart. Elliptic curve cryptosystems over small fields of odd characteristic. Journal of Cryptology, 12(2):141–151, Spring 1999.
42. J. Solinas. Generalized Mersenne Numbers. Technical Report CORR 99-39, Department of Combinatorics and Optimization, University of Waterloo, Canada, 1999.
43. L. Song and K. K. Parhi. Low energy digit-serial/parallel finite field multipliers. Journal of VLSI Signal Processing, 19(2):149–166, June 1998.
44. J. von zur Gathen and M. Nöcker. Exponentiation in Finite Fields: Theory and Practice. In T. Mora and H. Mattson, editors, Applied Algebra, Algebraic Algorithms and Error Correcting Codes — AAECC-12, volume 1255 of LNCS, pages 88–113. Springer-Verlag, 2000.
45. C. Walter. Logarithmic speed modular multiplication. Electronics Letters, 30(17):1397–1398, 1994.
Chapter 2
Introduction to Side-Channel Attacks
François-Xavier Standaert
2.1 Introduction
A cryptographic primitive can be considered from two points of view: on the one
hand, it can be viewed as an abstract mathematical object or black box (i.e., a transformation,
possibly parameterized by a key, turning some input into some output);
on the other hand, this primitive will in the end have to be implemented in a program
that will run on a given processor, in a given environment, and will therefore present
specific characteristics. The first point of view is the one of “classical” cryptanalysis;
the second one is the one of physical security. Physical attacks on cryptographic
devices take advantage of implementation-specific characteristics to recover
the secret parameters involved in the computation. They are therefore much less
general – since specific to a given implementation – but often much more powerful
than classical cryptanalysis, and they are taken very seriously by manufacturers of
cryptographic devices.
Such physical attacks are numerous and can be classified in many ways. The
literature usually sorts them along two orthogonal axes:
1. Invasive vs. non-invasive: Invasive attacks require depackaging the chip to get
direct access to its inside components; a typical example of this is the connection
of a probe wire to a data bus to observe the data transfers. A non-invasive attack only
exploits externally available information (the emission of which is, however,
often unintentional) such as running time or power consumption.
2. Active vs. passive: Active attacks try to tamper with the device’s proper functioning;
for example, fault-induction attacks will try to induce errors in the computation.
By contrast, passive attacks will simply observe the device’s behavior
during its processing, without disturbing it.
F.-X. Standaert
UCL Crypto Group, Place du Levant 3, B-1348 Louvain-la-Neuve, Belgium
e-mail: fstandae@uclouvain.be
Postdoctoral researcher of the Belgian Fund for Scientific Research (FNRS).
I.M.R. Verbauwhede (ed.), Secure Integrated Circuits and Systems,
Integrated Circuits and Systems, DOI 10.1007/978-0-387-71829-3_2,
© Springer Science+Business Media, LLC 2010
The side-channel attacks we consider in this chapter are a class of physical
attacks in which an adversary tries to exploit physical information leakages such
as timing information [9], power consumption [10], or electromagnetic radiation
[1]. Since they are non-invasive, passive and they can generally be performed using
relatively cheap equipment, they pose a serious threat to the security of most cryp-
tographic hardware devices. Such devices range from personal computers to small
embedded devices such as smart cards and RFIDs (radio frequency identification
devices). Their proliferation in a continuously larger spectrum of applications has
turned the physical security and side-channel issue into a real, practical concern that
we aim to introduce in this chapter.
For this purpose, we start by covering the basics of side-channel attacks. We
discuss the origin of unintended leakages in recent microelectronic technologies
and describe how simple measurement setups can be used to recover and exploit
these physical features. Then, we introduce some classical attacks: simple power
analysis (SPA) and differential power analysis (DPA). In the second part of the
chapter, we put forward the different steps of an actual side-channel attack through
two illustrative examples. We take advantage of these examples to stress a number of
practical concerns regarding the implementation of side-channel attacks and discuss
their possible improvements. Finally, we list a number of countermeasures to reduce
the impact of physical information leakages.
2.2 Basics of Side-Channel Attacks
2.2.1 Origin of the Leakages
Side-channel attacks are closely related to the existence of physically observable
phenomena caused by the execution of computing tasks in present microelectronic
devices. For example, microprocessors consume time and power to perform
their assigned tasks. They also radiate an electromagnetic field, dissipate heat,
and even make some noise [22]. As a matter of fact, there are plenty of infor-
mation sources leaking from actual computers that can consequently be exploited
by malicious adversaries. In this chapter, we focus on power consumption and
electromagnetic radiation that are two frequently considered side-channels in prac-
tical attacks. Since a large part of present digital circuits is based on CMOS
gates, this introduction also only focuses on this technology. As will be men-
tioned in Section 2.4, other types of logic circuits could be considered for side-
channel attacks, sometimes providing improved resistance compared with standard
CMOS.
Power consumption in CMOS devices. Static CMOS gates have three distinct
dissipation sources [19]. The first one is due to the leakage currents in transistors.
The second one is due to the so-called short-circuit currents: there exists a short
period during the switching of a gate while NMOS and PMOS are conducting
simultaneously. Finally, the dynamic power consumption is due to the charge and
discharge of the load capacitance $C_L$ represented by the dotted paths in Fig. 2.1.

Fig. 2.1 Charge vs. discharge of a CMOS inverter

The respective importance of these dissipation sources typically depends on technology
scaling. But the dynamic power consumption is particularly relevant from
a side-channel point of view since it determines a simple relationship between a
device’s internal data and its externally observable power consumption. It can be
written as

$$P_{\mathrm{dyn}} = C_L \, V_{DD}^2 \, P_{0 \to 1} \, f \qquad (2.1)$$

where $P_{0 \to 1} f$ is called the switching activity, $P_{0 \to 1}$ is the probability of a $0 \to 1$
transition, $f$ is the clock frequency of the device, and $V_{DD}$ is the supply voltage.
In CMOS devices, when measuring the power consumption (either at
the ground pin or at the power pin), the highest peak will appear during the charge
of the capacitance (i.e., a $0 \to 1$ event). During the discharge, the only current one can
measure is the short-circuit current. This data-dependent power consumption
is the origin of side-channel information leakages.
EM radiation in CMOS devices. Just as the power consumption of CMOS devices
is data-dependent, it can be shown that their electromagnetic radiation is as well. From
a theoretical point of view, electromagnetic leakages are usually explained from the
Biot–Savart law:

$$d\mathbf{B} = \frac{\mu \, I \, d\mathbf{l} \times \hat{\mathbf{r}}}{4\pi r^2} \qquad (2.2)$$

where $\mu$ is the magnetic permeability, $I$ is the current carried by a conductor of
infinitesimal length $d\mathbf{l}$, $\hat{\mathbf{r}}$ is the unit vector pointing from the current
element to the field point, and $r$ is the distance from the current element to the
field point. Although such a simple equation does not describe the exact (complex)
radiation of an integrated circuit, it already emphasizes two important facts: (1) the
field is data-dependent due to the dependence on the current intensity and (2) the
field orientation depends on the current direction. This data-dependent radiation
is again the origin of side-channel information leakages. In general, any physically
observable phenomenon that can be related to the internal configuration or
activity of a cryptographic device can be a source of useful information to a malicious
adversary.
Leakage models. From the previous physical facts, side-channel adversaries have
derived a number of (more or less sophisticated) leakage models. They can be used
both to simulate the attacks and to improve an attack’s efficiency. For example, the
Hamming distance model assumes that, when a value $x_0$ contained in a CMOS
device switches into a value $x_1$, the actual side-channel leakages are correlated with
the Hamming distance of these values, namely $\mathrm{HD}(x_0, x_1) = \mathrm{HW}(x_0 \oplus x_1)$. The
Hamming weight model is even simpler and assumes that, when a value $x_0$ is computed
in a device, the actual side-channel leakages are correlated with the Hamming
weight of this value, namely $\mathrm{HW}(x_0)$. As will be emphasized in Section 2.4, good
leakage models have a strong impact on the efficiency of a side-channel attack.
Hamming weight and distance models both assume that there are no differences
between $0 \to 1$ and $1 \to 0$ events and that every bit in an implementation contributes
identically to the overall power consumption. Improved models relax these
assumptions, e.g., by considering different leakages for the $0 \to 1$ and $1 \to 0$ events
[18], by assigning different weights to the leakage contributions of an implementation’s
different parts [23], or by considering advanced statistical tools to characterize a
device’s leakage [6].
2.2.2 Measurement Setups
As far as the practical implementation of a side-channel attack is concerned, the
building of a good measurement setup is of primary importance. Such a setup converts
the physical features of an observable device into digitally exploitable data. Such
setups are generally made of the following elements [12]:
– A target cryptographic device, e.g., a smart card, FPGA, or integrated circuit running
some cryptographic primitive, e.g., a block cipher.
– If not embedded on-chip, an external power supply, clock generator, and any
additional circuitry required for the device to run properly.
– A leakage probe. For example, power consumption can be monitored by inserting
a small resistor in the supply path of the target device. Electromagnetic
radiation can be captured with simple handmade coils.
– An acquisition device, e.g., a digital oscilloscope with sufficient features (typically,
1 GS/s, 8 bits of resolution, etc.), connected to a computer for the statistical analysis
of the side-channel traces.
Like leakage models, measurement setups have a strong influence on the efficiency
of side-channel attacks. The quality of a measurement setup is mainly quantified
by the amount of noise in its traces. Noise is a central issue in side-channel
attacks and more generally in any signal processing application. In our specific
context, various types of noise are usually considered, including physical noise
(i.e., produced by the transistors and their environment), measurement noise (i.e.,
caused by the sampling process and tools), model matching noise (i.e., meaning that
the leakage model used to attack may not perfectly fit the real observations),
and algorithmic noise (i.e., produced by parasitic computations in an implementation).
All these disturbances similarly affect the efficiency of a side-channel attack
and reduce the amount of information in the leakages.
2.2.3 Classical Attacks: SPA and DPA
Beyond the previous classification of physical attacks (i.e., invasive vs. non-invasive,
active vs. passive), the literature also classifies the attacks according to the statistical
treatment applied to the leakage traces. For example, “simple” and “differential”
attacks were introduced in the context of power analysis [10].
Simple power analysis (SPA) attempts to interpret the power consumption of
a device and deduce information about its performed operations. This is nicely
illustrated with the example in Fig. 2.2. It shows the power consumption trace
of a device performing an AES (Advanced Encryption Standard) encryption [17].
The figure clearly shows a pattern that is repeated 10 times and corresponds to the
10 rounds of the AES when implemented in its 128-bit version.
Fig. 2.2 SPA monitoring from a single AES encryption performed by a smart card
Of course, this information is not an attack in itself. Everybody knows that AES-
128 has 10 rounds, and knowing that a device is performing an AES encryption
does not expose its secrets at all. However, such a visual inspection of the leakage
traces may be the preliminary step in a more powerful attack, e.g., by determining the
parts of the traces that are relevant to the adversary. In addition, there are cases
in which this sequence of operations can provide useful information, mainly when
the instruction flow depends on the data. Modular exponentiation performed with a
square-and-multiply algorithm is a good example. If the square operation is implemented
differently than the multiply operation – a tempting choice, as this allows
specific optimizations for the square operation, resulting in faster code – and provided
this difference results in different consumption patterns, then the power
trace of an exponentiation directly yields the (secret) exponent’s value. Generally
speaking, all programs involving conditional branch operations depending on secret
parameters are at risk.
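The square-and-multiply leak just described, as an added example that is not part of the original chapter: a naive left-to-right square-and-multiply that records which operation it executes (the recorded sequence stands in for the two distinguishable power patterns), an SPA-style routine that reads the exponent back from that sequence, and a square-and-multiply-always variant whose operation sequence no longer depends on the exponent bits. The base, modulus and exponent are constructed toy values; the function names are this example's own.

```python
# Added example (not the chapter's code): why square-and-multiply with
# distinguishable square/multiply operations is an SPA target.


def square_and_multiply(base, exponent, modulus, trace):
    """Naive left-to-right binary exponentiation. Every square appends 'S'
    and every multiply appends 'M' to `trace`; this sequence stands in for
    the two distinguishable patterns an SPA adversary sees on the power trace."""
    result = 1
    for i in range(exponent.bit_length() - 1, -1, -1):
        result = (result * result) % modulus
        trace.append("S")
        if (exponent >> i) & 1:              # secret-dependent branch
            result = (result * base) % modulus
            trace.append("M")
    return result


def recover_exponent(trace):
    """SPA on the recorded operation sequence: each 'S' opens one exponent bit;
    an 'S' immediately followed by 'M' is a 1, an 'S' followed by another 'S'
    (or by the end of the trace) is a 0."""
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("malformed trace: expected a square at position %d" % i)
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def square_and_multiply_always(base, exponent, modulus, nbits, trace):
    """Regular ('square-and-multiply-always') variant: one square and one
    multiply per exponent bit, the multiply result being discarded on a 0 bit,
    so the operation sequence is identical for every nbits-bit exponent.
    Caveat: this only removes the SPA-visible branch. The data-dependent
    leakage exploited by DPA remains, and a real implementation must make the
    final selection branch-free (the conditional expression below is not; it
    is kept for readability)."""
    result = 1
    for i in range(nbits - 1, -1, -1):
        result = (result * result) % modulus
        trace.append("S")
        candidate = (result * base) % modulus
        trace.append("M")
        result = candidate if (exponent >> i) & 1 else result
    return result


def demo():
    """Leak the exponent from the naive routine, then show that the regular
    routine's trace does not depend on the exponent. Constructed toy values."""
    base, modulus = 7, 1009                  # toy parameters, not a real RSA modulus
    secret_exponent = 0b101101
    naive_trace = []
    square_and_multiply(base, secret_exponent, modulus, naive_trace)
    leaked = recover_exponent(naive_trace)
    trace_a, trace_b = [], []
    square_and_multiply_always(base, secret_exponent, modulus, 6, trace_a)
    square_and_multiply_always(base, 0b111111, modulus, 6, trace_b)
    return leaked, trace_a == trace_b


if __name__ == "__main__":
    leaked, regular = demo()
    print("exponent read off the naive trace: %s" % bin(leaked))
    print("square-and-multiply-always trace independent of exponent: %s" % regular)
```

The naive routine's trace for the exponent 101101 reads S M S S M S M S S M, which the parser turns back into the six bits one by one; the regular variant always produces S M repeated once per bit, whatever the exponent.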
By contrast, differential power analysis (DPA) intends to take advantage of data
dependencies in the power consumption patterns. It is again best illustrated with an
example. Figure 2.3 shows power consumption curves that typically correspond to
the simple Hamming weight or distance leakage models introduced in Section 2.2.1.
Exploiting these data dependencies with powerful statistics leads to a more general
class of (so-called differential) attacks that are detailed through an example in the
next section.
Fig. 2.3 Illustration of Hamming weight or distance data dependencies in the power consumption
traces of a smart card using an 8-bit data bus
2.3 An Exemplary Differential Attack Against the DES
A side-channel attack against any cryptographic device typically involves a number
of active steps for the adversary. In this section, we aim to illustrate these different
steps with an exemplary attack against the DES (Data Encryption Standard) that
is briefly described in Appendix 1. For simplicity, we follow the practice-oriented
definition of a side-channel attack introduced in [24].
1. Selection of the target algorithm and implementation. The adversary determines
the algorithm (e.g., the DES) and a target platform (e.g., an ASIC, FPGA, or
smart card) from which he aims to recover secret information.
2. Selection of the leakage source and measurement setup. The adversary determines
the type of leakage he wants to exploit, e.g., power consumption, electromagnetic
radiation, or a combination of both. This step includes the preparation
of the measurement setup described in Section 2.2.2.
3. Selection of the target signal. Side-channel attacks are generally based on a
divide-and-conquer strategy in which different parts of a secret key are recovered
separately. Consequently, the adversary selects which part of the key is the target
of his attack, e.g., the six key bits entering the first DES S-box S0. We denote
this target part of the block cipher key as a key class s.
4. Selection of the device inputs. If allowed, the adversary selects the inputs that are
to be fed to the target device, e.g., randomly. If not allowed, it is generally
assumed that a side-channel adversary can at least monitor the plaintexts.
5. Derivation of internal values within the algorithm. This is the core of the divide-and-conquer
strategy. For a number of (known) input plaintexts, the adversary
predicts (key-dependent) internal values within the target device that are to be
computed during the execution of the algorithm. For computational reasons,
only values depending on a small part of the key are useful. For example,
one could predict the 4 bits after the permutation in the first DES round for
each of the 64 possible key values entering S0, as illustrated in the central
table of Fig. 2.4. As a result of this derivation phase, the adversary
has predicted internal values of the block cipher implementation for $q$ plaintexts
and each key class candidate $s^*$ (out of 64 possible ones), stored in vectors $v^q_{s^*}$.
Fig. 2.4 Derivation of the internal values and leakage modeling within the DES
6. Modeling of the leakage. For the same set of key class candidates as during
the derivation of the internal values, the adversary models a part or function
of the actual target device’s leakage. For example, assuming that the power
consumption in CMOS devices depends on the switching activity occurring
during a computation, the Hamming weight or distance models can be used to
predict the leakage, as illustrated in the right table of Fig. 2.4. In this context,
the models are directly derived from the internal values, e.g., $M(s^*, v^q_{s^*}) = \mathrm{HW}(v^q_{s^*})$.
7. Measurement of the leakage. Thanks to his measurement setup, the adversary
monitors the leakage (e.g., the power consumption) of the target device.
As a consequence, he obtains a leakage vector $l^q = [l_1, l_2, \ldots, l_q]$ that contains
$q$ leakage traces $l_i$’s corresponding to the encryption of $q$ different plaintexts.
8. Selection of the relevant leakage samples. Since the leakage traces obtained
from an acquisition device may contain hundreds of thousands of samples, actual
side-channel adversaries usually reduce the data dimensions to lower values.
This may be done using simple techniques such as SPA or by using advanced
statistical processing. In the example of Fig. 2.5, only the maximum value
of the clock cycle corresponding to the DES permutation is extracted from
the traces. As a result of this phase, the adversary obtains a reduced vector
$R(l^q)$.
Fig. 2.5 Selection of the relevant leakage samples thanks to a transform T
9. Statistical comparison. For each of the key class candidates, the adversary finally
applies a statistic to compare the predicted leakages with the transformed measurements.
If the attack is successful, it is expected that the model corresponding
to the correct key candidate gives rise to the best comparison result. For example,
in our previous illustrations, both the value derivation vectors $v^q_{s^*}$ and the reduced
traces $R(l_i)$’s have $q$ elements. Therefore, if we store the hypothetical Hamming
weight models in a vector $m^q_{s^*} = \mathrm{HW}(v^q_{s^*})$, the empirical correlation coefficient
can be used for comparison [5]:

$$\mathrm{corr}(s^*) = \frac{\sum_{i=1}^{q} \left(R(l_i) - \hat{E}(R(l^q))\right) \cdot \left(m^i_{s^*} - \hat{E}(m^q_{s^*})\right)}{\sqrt{\sum_{i=1}^{q} \left(R(l_i) - \hat{E}(R(l^q))\right)^2 \cdot \sum_{i=1}^{q} \left(m^i_{s^*} - \hat{E}(m^q_{s^*})\right)^2}} \qquad (2.3)$$

where $\hat{E}(\cdot)$ denotes the empirical mean. In Fig. 2.6, such a correlation attack
is applied to our leaking DES implementation and the coefficient is computed
for an increasing number of observations. It clearly illustrates that the attack is
successful after approximately 100 measured encryptions.
Fig. 2.6 Statistical comparison with the correlation coefficient
2.4 Improved Side-Channel Attacks
The previous section described a typical side-channel attack against an unprotected
implementation of the DES, based on simple statistical tools and leakage models.
This section aims to put forward how such a simple attack can be improved. As a
matter of fact, such improvements basically correspond to the improvement of any
of the individual steps in the previous section. Specifically, the following ideas are
generally considered in the literature:
1. Improving the measurement setup, by reducing any possible source of noise,
better designing the side-channel probes, etc. This is a preliminary step to the
development of any powerful side-channel attack.
2. Selecting the inputs adaptively as suggested and analyzed in [11].
3. Pre-processing the side-channel leakage traces, e.g., by averaging or filtering.
4. Improving the leakage models, e.g., by profiling and characterizing the target
device or by gaining information about critical implementation details.
5. Taking advantage of multivariate statistics, either by using the so-called higher-order
attacks [14] or by considering optimal strategies such as template attacks
[6] or stochastic models [20] (which generally require characterizing the device
leakage prior to the actual application of the attack).
6. Using various statistical tests: Difference of means tests, correlation analysis, or
Bayesian classification are the most frequently considered ones.
7. Combining various types of side-channel leakages, e.g., power and EM [2]. In
this respect, it is interesting to see that different side-channels generally give
rise to different types of information. As an illustration, we provide two exemplary
leakage traces of the same leaking device in Appendix 2, corresponding,
respectively, to the power and EM channels. They clearly illustrate that, e.g.,
the field orientation and therefore the current direction within the device can be
obtained from actual EM measurements, while the power leakages only provide
information about the amplitude of this current.
In practice, the Bayesian classification of key classes based on side-channel leak-
ages exploiting the statistical profiling of a target device is usually denoted as a
template attack [6]. It is particularly important both for theoretical and practical
reasons. First from a theoretical point of view, it is usually assumed that such a
side-channel attack is the most powerful from an information theoretic point of
view. Consequently, it has important consequences in the security evaluation of a
cryptographic device and when provable security issues are discussed [24]. But in
practice, it also corresponds to a significantly different implementation context than
the previously described differential attack. Indeed the construction of a statistical
model for the side-channel leakages (i.e., templates) requires the profiling of a target
device. In the worst case, this may involve the ability to change the keys within a
device that is identical to the target. For these reasons, we now provide a second
illustrative example of a side-channel attack, exploiting templates. We use the same
steps as in the previous sections in order to put forward the specificities of such an
adversarial context.
2.4.1 An Exemplary Profiled Attack Against the DES
The main objective of a profiled attack is to take advantage of a better leakage model
than, e.g., assuming Hamming weight dependencies. For this purpose, one generally
starts by profiling or characterizing the device leakages with a statistical model. In
practice, this involves an additional step in the attack.
Preparation of the leakage model. Different approaches can be used for this purpose.
The most investigated solution is to assume that the leakage samples $R(l_i)$’s
were drawn from a Gaussian distribution (see footnote 1):

$$\mathcal{N}\left(R(l_i) \mid \mu^i_s, \sigma^i_s\right) = \frac{1}{\sigma^i_s \sqrt{2\pi}} \exp\left(\frac{-\left(R(l_i) - \mu^i_s\right)^2}{2 \left(\sigma^i_s\right)^2}\right), \qquad (2.4)$$

in which the mean $\mu^i_s$ and standard deviation $\sigma^i_s$ completely specify the noise associated
with each key class $s$. In practice, these parameters are estimated from sets
of typically a few hundred to a few thousand traces. As a consequence, the adversary
obtains estimates $\hat{\Pr}[R(l_i)|s^*] = \mathcal{N}(R(l_i) \mid \hat{\mu}^i_{s^*}, \hat{\sigma}^i_{s^*})$ of the conditional
probabilities $\Pr[R(l_i)|s^*]$, where $\hat{\mu}^i_s$ and $\hat{\sigma}^i_s$, respectively, denote the sample
mean and sample standard deviation for a given leakage sample.

1 We just consider the univariate case in this example. But the extension toward the multivariate
case where several leakage samples are considered is straightforward. Note also that in practice,
one has to decide what to characterize. For example, one can build templates for different key
candidates or for different Hamming weights at the output of an S-box. The selection of operations
and data to characterize is important from a practical point of view since it determines the
computational cost of the attack (i.e., building more templates is more expensive).
Once the leakage model has been characterized, the adversary follows essentially
the same steps as during a classical differential attack, with only a few differences
in steps 6 and 9 that we re-detail as follows:
6. Modeling of the leakage. Rather than using the Hamming weights of some
internal (key-dependent) values within the device, the adversary uses the previously
defined probabilistic model. That is, $M(s^*, R(l_i)) = \hat{\Pr}[R(l_i)|s^*]$.
9. Statistical comparison. Finally, from the estimated conditional probabilities
$\hat{\Pr}[R(l_i)|s^*]$’s, the adversary applies Bayes’ theorem and ranks the key classes
according to their likelihood: $L(s^*) = \hat{\Pr}[s^*|R(l^q)]$. In Fig. 2.7, such a template
attack is applied to our leaking DES implementation and the key likelihoods are
computed for an increasing number of observations. It clearly illustrates that the
attack is successful after approximately 50 measured encryptions.
Fig. 2.7 Statistical comparison with the key likelihoods of the template attack
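A compact simulation of both attacks on this page, as an added example that is not part of the original chapter: steps 4 to 9 of the correlation attack of Section 2.3 and the profiled attack of Section 2.4.1, run against constructed leakage. The "device" is a Hamming-weight-plus-Gaussian-noise model of one reduced sample $R(l_i)$ at the output of DES S-box S1 (the chapter's S0; the table is the standard FIPS 46-3 one). The six S-box input bits are modelled as six known random plaintext-derived bits XORed with the six target key bits, which is the usual simplification of the real E(R0) ⊕ K1 input. All plaintexts, keys, trace counts and the noise level sigma are constructed for the example; the templates are profiled on a "second device" running a different key, as the text requires; the function names are this example's own. Pure Python, no NumPy.

```python
# Added example (not the chapter's code): correlation (CPA) and template
# attacks on a constructed, simulated leakage of one DES S-box.
import math
import random

# DES S-box S1 from FIPS 46-3 (the chapter calls the first S-box S0).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(x6):
    """6-bit S-box input -> 4-bit output (row = outer two bits, column = inner four)."""
    row = (((x6 >> 5) & 1) << 1) | (x6 & 1)
    col = (x6 >> 1) & 0xF
    return S1[row][col]


def hw(v):
    return bin(v).count("1")


def simulate_traces(key6, q, sigma, rng):
    """Constructed device: the reduced sample R(l_i) is HW(S(p_i xor key)) plus
    Gaussian noise of standard deviation sigma. Returns (plaintext chunks, R(l))."""
    pts = [rng.randrange(64) for _ in range(q)]
    samples = [hw(sbox(p ^ key6)) + rng.gauss(0.0, sigma) for p in pts]
    return pts, samples


def pearson(xs, ys):
    """Empirical correlation coefficient of Eq. (2.3)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx > 0 and vy > 0 else 0.0


def cpa_rank(pts, samples):
    """Steps 5, 6 and 9 of Section 2.3: predict HW(S(p xor s*)) for all 64 key
    classes and rank the classes by correlation with the measurements."""
    scores = {s: pearson(samples, [hw(sbox(p ^ s)) for p in pts]) for s in range(64)}
    return sorted(range(64), key=lambda s: scores[s], reverse=True)


def build_templates(profiling_key6, n, sigma, rng):
    """Profiling phase of Section 2.4.1 on a device we control (known key): one
    Gaussian template (mean, std) per Hamming-weight class of the S-box output."""
    pts, samples = simulate_traces(profiling_key6, n, sigma, rng)
    per_class = {}
    for p, l in zip(pts, samples):
        per_class.setdefault(hw(sbox(p ^ profiling_key6)), []).append(l)
    templates = {}
    for c, ls in per_class.items():
        mu = sum(ls) / len(ls)
        var = sum((l - mu) ** 2 for l in ls) / max(len(ls) - 1, 1)
        templates[c] = (mu, math.sqrt(var))
    return templates


def gaussian_logpdf(x, mu, sd):
    """Logarithm of the density of Eq. (2.4)."""
    return -0.5 * math.log(2.0 * math.pi * sd * sd) - (x - mu) ** 2 / (2.0 * sd * sd)


def template_rank(pts, samples, templates):
    """Step 9 of the profiled attack: with a uniform prior, Bayes' rule ranks the
    key classes by their (log-)likelihood under the templates."""
    loglik = {
        s: sum(gaussian_logpdf(l, *templates[hw(sbox(p ^ s))]) for p, l in zip(pts, samples))
        for s in range(64)
    }
    return sorted(range(64), key=lambda s: loglik[s], reverse=True)


def demo(target_key6=0b101011, q=500, sigma=1.0, seed=7):
    """Returns (key found by CPA, key found by the template attack)."""
    rng = random.Random(seed)
    templates = build_templates(0b010110, 4000, sigma, rng)     # profiling device, other key
    pts, samples = simulate_traces(target_key6, q, sigma, rng)  # q attack traces from the target
    return cpa_rank(pts, samples)[0], template_rank(pts, samples, templates)[0]


if __name__ == "__main__":
    print("CPA key, template key: %s" % (tuple(bin(k) for k in demo()),))
```

Both attacks return the target key at the default settings. Lowering `q` in `demo` shows the behaviour of Figs. 2.6 and 2.7: the template ranking stabilises with fewer traces than the correlation ranking, because the templates carry the actual noise distribution instead of an assumed Hamming-weight proportionality.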
2.5 Countermeasures
In this section, we finally describe possible countermeasures to prevent side-channel
attacks and discuss the resulting security vs. efficiency trade-off. Some of these tech-
niques are extensively described in the following chapter of this book.
Countermeasures against side-channel attacks span a large variety of solutions. However, in the present state of the art, no single technique is able to
38 F.-X. Standaert
provide perfect security. Protecting implementations against physical attacks therefore aims at making the attacks harder. In this context, the implementation cost of a countermeasure is of primary importance and must be evaluated against the additional security it buys. An exhaustive list of all possible solutions to protect cryptographic devices from side-channel opponents would deserve a long survey in itself. In this section, we only give a few examples, in order to illustrate that security can be added at different abstraction levels:
1. At the physical level, shields, conforming glues [3], physically unclonable functions [26], detectors, detachable power supplies [21], etc. can be used to improve the resistance of a device against physical attacks.
2. At the technological level, dynamic and differential logic styles (as an alternative to standard CMOS) have been proposed in various shapes (e.g., [25]) to decrease the data dependencies of the power consumption.
3. At the algorithmic level, time randomization [13], encryption of the buses [4], hiding (i.e., making the leakage constant) and masking (i.e., making the leakage dependent on some random value, e.g., in [8]) are the usual countermeasures.
4. At all the previous levels, noise addition is the generic solution to decrease the amount of information in the side-channel leakages.
5. Countermeasures also exist at the protocol level, e.g., based on key updates.
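The masking item above, as an added example that is not code from the chapter. It uses the 4-bit PRESENT S-box purely as a small nonlinear table, masks the lookup by recomputing the table for a fresh mask pair (one common way to mask a table lookup), and assumes a noise-free Hamming-weight leakage for whatever value the device handles; the names masked_table and simulate are choices of this example. It shows what the definition in the list means in practice: once the handled value is S(x) ^ m_out for a fresh random m_out, its leakage no longer correlates with the key-dependent prediction a first-order differential attack would use. The block also carries a caveat the list does not spell out: combining the leakages of the two shares (here a centred product) restores a clear correlation, which is why masking is combined with other countermeasures in practice and why the text stresses that no single technique is perfect.

```python
"""Boolean masking of an S-box lookup and its effect on first-order leakage.

Added example, not code from the chapter. The 4-bit PRESENT S-box is only a
convenient small nonlinear table. The masked lookup uses a recomputed table
S' with S'(x ^ m_in) = S(x) ^ m_out, so the secret-dependent value S(x) is
never handled in the clear. Leakage model (assumption): the exact Hamming
weight of the handled value, no noise.
"""
import random
import statistics

# PRESENT S-box (4 bits in, 4 bits out).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hw(v):
    return bin(v).count("1")


def masked_table(m_in, m_out):
    """Recompute the table so that S'(x ^ m_in) == S(x) ^ m_out for every x.
    Done once per fresh mask pair, before any key-dependent lookup."""
    t = [0] * 16
    for x in range(16):
        t[x ^ m_in] = SBOX[x] ^ m_out
    return t


def pearson(xs, ys):
    """Sample Pearson correlation coefficient."""
    mx, my = statistics.mean(xs), statistics.mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def simulate(key=0xA, n=4000, seed=7):
    """Correlate the attacker's prediction HW(S(p ^ key)) with three leakages:
    the unmasked S-box output, the masked output S(p ^ key) ^ m_out, and the
    centred product of the two shares' leakages (a second-order combination)."""
    rng = random.Random(seed)
    pred, unmasked, masked, second = [], [], [], []
    for _ in range(n):
        p = rng.randrange(16)
        v = SBOX[p ^ key]                                  # value the attacker predicts
        m_in, m_out = rng.randrange(16), rng.randrange(16)  # fresh masks per execution
        t = masked_table(m_in, m_out)
        v_masked = t[(p ^ m_in) ^ key]                     # == v ^ m_out, computed without v
        assert v_masked == v ^ m_out
        pred.append(hw(v))
        unmasked.append(hw(v))
        masked.append(hw(v_masked))
        # Second-order combination: both shares centred on their mean HW (2 for 4 bits).
        second.append((hw(m_out) - 2.0) * (hw(v_masked) - 2.0))
    return {
        "unmasked": pearson(pred, unmasked),
        "masked_first_order": pearson(pred, masked),
        "masked_second_order": pearson(pred, second),
    }


if __name__ == "__main__":
    for name, r in simulate().items():
        print(f"{name:>20}: r = {r:+.3f}")
```

The unmasked correlation is 1 because the leakage is the prediction itself; the first-order masked correlation is statistically zero because v ^ m_out is uniform and independent of v; the centred product of the two shares correlates negatively with HW(v) (its conditional mean is 1 - HW(v)/2 for 4-bit values), which is the leakage a second-order attack exploits.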
2.6 Conclusions
Side-channel attacks are an important class of cryptanalytic techniques. Although less generic than classical cryptanalysis, since they target a specific implementation rather than an abstract algorithm, they are generally much more powerful. Such attacks apply to most (if not all) present circuit technologies and have to be considered a serious threat to the security of actual embedded devices. From an operational point of view, security against side-channel attacks can be obtained by a sound combination of various countermeasures. However, significant attention has to be paid to the fair evaluation of these countermeasures, in order to properly assess the security of any cryptographic device and trade it off against implementation efficiency [24]. Additionally, side-channel attacks are only one part of the physical reality, and resisting them may introduce weaknesses with respect to other issues. The development of a unified framework for the analysis of physical security concerns, and possibly a theory of provable physical security, is a long-term goal of cryptographic research, initiated in [7, 15, 27].
Appendix 1 The Data Encryption Standard: A Case Study
In 1977, the DES algorithm [16] was adopted as a Federal Information Processing Standard (FIPS) for unclassified government communication. Although a new Advanced Encryption Standard was selected in October 2000 [17], DES is still widely used, particularly in the financial sector. DES encrypts 64-bit blocks with a 56-bit key and processes data with permutations, substitutions, and XOR operations. The plaintext is first permuted by a fixed permutation IP. Next, the result is split into two 32-bit halves, denoted L (left) and R (right), to which a round function is applied 16 times. The ciphertext is obtained by applying the inverse of the initial permutation, IP$^{-1}$, to the result of the 16th round. The secret key is expanded by the key schedule algorithm into sixteen 48-bit round keys $K_i$, and in each round a 48-bit round key is XORed with the text. The key schedule consists only of known bit permutations and shift operations, so every round key bit is a bit of the secret key: recovering any round key bit directly compromises the secret key. The round function is represented in Fig. 2.8a and is easily described by

$L_{i+1} = R_i$

$R_{i+1} = L_i \oplus f(R_i, K_i)$

where $f$ is a non-linear function detailed in Fig. 2.8b: the $R_i$ half is first expanded to 48 bits by the E box, which duplicates some bits of $R_i$. The expanded $R_i$ is then XORed (bitwise sum modulo 2) with the 48-bit round key $K_i$. The output of this XOR is sent to eight non-linear S-boxes, each with six input bits and four output bits. The resulting 32 bits are permuted by the bit permutation P. Finally, DES decryption consists of the encryption algorithm with the same round keys, but in reversed order.

Fig. 2.8 Data encryption standard
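The round structure and the decryption property described above, as an added example that is not code from the chapter. The round function f_stand_in and the rotate-and-truncate key schedule are placeholders of this example, not the DES f (E expansion, S-boxes, P permutation) or the DES key schedule, and neither is secure; IP and IP$^{-1}$ are omitted as fixed bit permutations. What the block demonstrates is structural: the round $L_{i+1} = R_i$, $R_{i+1} = L_i \oplus f(R_i, K_i)$ is invertible whatever $f$ is, and decryption is the same network run with the round keys in reverse order, provided the halves are not swapped after the last round (DES forms its pre-output as $R_{16} L_{16}$ before IP$^{-1}$, which is what lets one circuit serve both directions). Like the real schedule, the stand-in schedule only moves key bits, so each round-key bit is a master-key bit.

```python
"""Feistel structure of DES: added example, not code from the chapter.

f_stand_in and round_keys are assumptions of this example (a placeholder
mixing function and a rotate-and-truncate schedule); they stand in for the
real DES components only to show the round structure and why decryption is
encryption with the round keys reversed.
"""
MASK32 = 0xFFFFFFFF
MASK56 = (1 << 56) - 1


def f_stand_in(r, k):
    """Placeholder for the DES f function (assumption). It need not be
    invertible: a Feistel network only ever XORs its output."""
    x = ((r ^ (k & MASK32) ^ (k >> 16)) * 0x9E3779B1) & MASK32
    rot = ((x << 13) | (x >> 19)) & MASK32
    return rot ^ (x >> 7)


def round_keys(key56):
    """Stand-in schedule (assumption): rotate the 56-bit key by i positions
    and keep the top 48 bits. Like the DES schedule it only moves bits, so
    every round-key bit is a bit of the master key."""
    keys = []
    for i in range(1, 17):
        rotated = ((key56 << i) | (key56 >> (56 - i))) & MASK56
        keys.append(rotated >> 8)
    return keys


def feistel(block64, keys):
    """16 rounds of L_{i+1} = R_i, R_{i+1} = L_i ^ f(R_i, K_i)."""
    l, r = block64 >> 32, block64 & MASK32
    for k in keys:
        l, r = r, l ^ f_stand_in(r, k)
    # No swap after the last round: the output is R16 || L16, as in DES.
    return (r << 32) | l


def encrypt(block64, key56):
    return feistel(block64, round_keys(key56))


def decrypt(block64, key56):
    """Same network, round keys in reverse order."""
    return feistel(block64, list(reversed(round_keys(key56))))


if __name__ == "__main__":
    pt, key = 0x0123456789ABCDEF, 0x133457799BBCDF
    ct = encrypt(pt, key)
    print(f"ct = {ct:016x}, roundtrip ok = {decrypt(ct, key) == pt}")
```

Feeding the ciphertext through the network with the keys in forward order does not recover the plaintext; only the reversed order does, and only because the final swap is omitted.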
Appendix 2 Exemplary Power and EM Leakage Traces
Fig. 2.9 Exemplary power and EM leakage traces
References
1. D. Agrawal, B. Archambeault, J. Rao, P. Rohatgi, The EM Side-Channel(s), in the Proceedings
of CHES 2002, LNCS, vol 2523, pp 29–45, Redwood City, CA, USA, August 2002.
2. D. Agrawal, J. Rao, P. Rohatgi, Multi-channel Attacks, in the Proceedings of CHES 2003,
LNCS, vol 2779, pp 2–16, Cologne, Germany, Sept. 2003.
56. whist are the great levers to pry with before Flaxback. Fact is, he can’t get
round ’em.’
“Mr. Deediddle rattled away for nearly an hour, and I was glad when he
took his departure. He had been gone but a few minutes when Mrs. Debar
came in. Harry gazed at her in great astonishment for several seconds, then
said:
“‘Eddie, this is the lady I saw in Memphis, in that old brick house, and I
thought I saw you there with her.’
“‘It was my husband, sir, and not Mr. Demar. We were stopping in an old
dilapidated brick house; my husband was waiting for some money to be
sent to him. He made his escape from this jail and went to Memphis; I
followed him, and one night we fled, as we learned that detectives were
following us. I have just received a letter from my husband; he is in
Matamoras, Mexico, and I am going to meet him as soon as Mr. Demar is
released.’
“‘I see through it all now—you and your husband left Memphis on the
very night when Demar was arrested at Horn Lake; this unlucky
coincidence led me to believe that he had eloped with you, and had been
false to my sister. Acting on this belief, I have committed an unpardonable
blunder, and caused my sister’s death and ruined all my friends.’
“As Mrs. Debar wiped the fast falling tears from her eyes, she said: ‘I
am truly sorry to hear of your misfortunes, but hope things are not so
serious as you seem to think. I, too, have had my share of trouble; my poor
husband has been compelled to exile himself from his country when he was
innocent. I love him, and I mean to go where he goes; I will share his
sorrows, and do my best to make him happy. It is true that my husband
killed Mr. Clanton, but he did it in self-defense, and would have been able
to prove it, but unfortunately, the only witness who saw the whole
transaction died soon after the killing.’
“Mrs. Debar now went away, leaving me alone with Harry. She promised
to be present on the next morning at the trial, to give her evidence, which
would, of course, be greatly in my favor.
“It was after night, and just six hours from the time my messenger had
started with my dispatch, when he came dashing into my cell with an
answer. He had made the round trip, a distance of forty-eight miles, in six
57. hours. He informed me that he had to wait at the office just one hour for the
answer, so he had done the traveling in five hours.
“My hand trembled when I took the dispatch from the messenger, and
well it might, for I knew that little paper would tell a tale that would seal
my fate. It would tell me whether or not those charming blue eyes were ever
again to gaze on me. It would decide whether or not I was ever to clasp dear
Lottie to my heart again. I hesitated, and looked at Harry, but saw no
encouragement there. He was as pale as death, and trembling from head to
foot, and seemed to have ceased to breathe.
“‘Eddie,’ he gasped, ‘you may be prepared to hear the very worst, for her
case was hopeless when I left home. That telegram will either tell you she is
dead, or that she is dying.’
“‘Heaven have mercy!’ I exclaimed, as I glanced over the contents of the
dispatch. My worst fears were realized—my darling was dying.
“It is useless for me to try to describe how I felt when I read the fatal
news. No one can understand or appreciate it even if I could select words to
tell how great was my misery. It was over half an hour before either of us
spoke, and there is no telling when the silence would have been broken, had
it not been for the messenger.
“‘Will you wish to send another dispatch?’ inquired the lad, who had
been silently witnessing this painful scene. ‘If you do, sir, I can be ready to
go again as soon as I can eat a bite and procure a fresh horse.’
“‘I shall want to send another dispatch at daylight in the morning.’
“My audience will readily understand what cause for grief I had when
the dispatch is read. Here it is,
“‘DEAR EDDIE—The welcome news of your safety received, would to Heaven it had
come a week sooner—it would have saved our dear Lottie’s life; but, alas! It came too late.
Put your trust in God, my unfortunate boy, and bear your great sorrow as becomes a brave
man. Lottie cannot possibly live more than forty-eight hours longer. She is sinking very
fast. Her mind is perfectly clear, and when your dispatch was read to her she smiled
sweetly as her eyes brightened up, then closing them, the tears began to stream from them.
She pressed your picture to her lips, and said:
“‘“Poor Eddie, how glad I would be to see him before I die! Then I wish to see brother
Harry, so he can forgive the wrong I have done him. I thought he had killed Eddie, and
refused to believe him when he denied it.”
“‘She talks of you and Harry all the time. I wish it were so that you could get here
before she dies. You might do it, if you get released in time for the up-train to-morrow
58. evening. I will send another dispatch early in the morning.
“‘DODSON.’
“I had sent up so many silent but earnest prayers to God, in which I had
implored and begged Him to let my dear Lottie live, that I was loth to
believe He would take her from me. I could not realize the fact that her
beautiful young person was to be consigned to the grave. When I had seen
her last she was the very picture of health and life, her fair cheeks all aglow
with vivacity, her large expressive eyes filled with evidences of hope, and
her elastic step indicating strength and vigor. Now how was I to realize the
fact that all this strength, health and vigor were gone, while that fair form
was struggling in the very arms of death? The fact is, I was so bewildered
with grief that I was unable to think correctly on the subject.
“Harry spent the night in my cell, and I can assert truthfully that he was
more completely subdued by his deep grief than he ever had been before. I
think that a great change was wrought in him on that occasion, which has
since proved of no little benefit to him. His indomitable pride was partially
cured, and his haughty spirit completely humbled; he threw himself
prostrate on the floor, calling aloud to God for help. He did not rise from
the floor during the night, though he never closed his eyes in sleep;
sometimes he would remain silent for several minutes—perhaps he was
praying; then again he would seem to be convulsed with his great sorrow. I
paced the floor in silence, for I was sunk so deep in despair that I was
scarcely able to command my voice. My heart yearned for freedom; my
mind flew to Memphis and looked at my darling as she was wrestling with
death.
“The first gray streaks of approaching dawn that came stealing through
my small window were indeed a welcome sight to me. As soon as it was
light enough to enable me to see to write, I penned a message to be
immediately sent to Doctor Dodson. The messenger was promptly on hand
at six o’clock, ready with a fresh horse to start with my dispatch, and long
before the sun began to peep over the eastern hills he was dashing with
great speed toward the telegraph office. He would be back with fresh news
by eleven o’clock, by which time I had reason to believe I would be
restored to liberty, and then I would fly to my darling. After the messenger
was gone I instructed Harry to go out to the village and secure two of the
best horses that could be found, and to have them ready saddled and hitched
59. in the court-house yard, in order that we might be off instantly after the trial
should be over. I knew that the trial would not consume much time, as the
proof would be ample and unquestionable, and I thought maybe we might
be able to start by ten o’clock.
“The rough blacksmith who had riveted the irons on my leg was
employed the evening before the trial to cut them off, and I was enabled to
secure a little exercise. In his rough, uncouth manner, the blacksmith
apologized for the unkindness he had shown toward me when fastening the
manacles on my limbs. As I was not in a mood to cherish ill-will, I accepted
the blunt apology and extended my hand to the honest mechanic, who
seized and gave it a hearty shake.
“‘Never saw two peas more alike than you and Debar! No wonder the
officer took you for Debar; I was ready to swear that you were the identical
man. It’s lucky they found out the blunder, ain’t it? They might have hung
you by mistake; that would have been rather awkward, wouldn’t it?’
“I made no answer to this strange inquiry, for I was thinking about other
things.
“Harry returned soon, and informed me that he had been so fortunate as
to secure two splendid young horses, whose owner had informed him that
they could take us to the station in two hours and a half, without any danger
of hurting them. My dungeon door was now thrown open, and all restraint
on my movements withdrawn.
“‘I thought you were the same scamp who broke jail and left me with the
bag to hold,’ said the jailer. ‘Everybody was down on me for letting Debar
get away when I couldn’t help it—some rascal furnished him with tools,
and I knew nothing about it until he was gone; therefore, when they brought
you here I thought you were the same man, and I didn’t care to be kind to
the man who had acted so badly as Debar. You are the very image of Debar,
and then your name sounds so much like his. I can detect a slight difference
in the color of your hair and that of Debar; then he had a small scar on his
forehead, just above the left eye. It was very slight, and quite small, not
over half an inch long. I have his photograph here, and if you will look
close you can see the scar very plain.’
“I looked at the picture, and sure enough the scar could be plainly seen.
This circumstance of itself would justify Judge Flaxback in ordering my
release; in fact, the trial would be a mere form to be complied with, as
60. everybody now admitted that a mistake had been committed. The villagers
discussed it on the street corners, and laughed over it, cracking their jokes,
little dreaming of the awful consequences that had resulted to me by the
mistake. I dare say that a vastly different feeling would have permeated the
breasts of those people if they could have witnessed the dying agonies of
poor Lottie Wallingford. If they had known how my heart was broken by
the sad mistake, they would not have been laughing and joking about the
matter as if it were a very funny coincidence. I could not eat my breakfast—
my appetite was gone, but I drank a cup of warm tea, which the jailer’s wife
was kind enough to bring to me. She seemed to sympathize with me when
she found out how deeply I had been wronged. I looked at my watch every
five minutes; I was full of impatience. It seemed that nine o’clock would
never come—but nevertheless it did come at last. The town clock began to
strike, when the jailer said it was time to go.”
61. CHAPTER XXVI.
During the short recess the queen had agreed to allow, which was
granted at the request of the Barbarian Chief, the excursionists assembled in
various little groups on different parts of the boat, while most of them were
discussing the merits of Ingomar’s story. George and the Duke of
Wellington were seated apart from the other passengers, deeply interested in
an animated discussion—the subject being the eccentric movements of the
black domino and the unusual sadness of the queen.
“My lord,” observed the king, “did you notice that the queen fainted
when those two men arrested Demar?”
“Of course I did! and that is not all—the lady in the black domino
fainted, too, when the Barbarian Chief was arrested.”
“Now, I would like very much to know who this Barbarian Chief is, and
why both of those women should manage to faint about him. I have never
been so fortunate as to have as much as one woman care enough about me
to faint for me.”
“As to that, I am decidedly of the opinion that you have lost nothing on
that score; but, between you and me, there is something mysterious
connected with that woman in the black domino. So far as the queen is
concerned, I imagine that she is one of those good-hearted, sympathetic
women, the kind who have more tears than talent—a sort of Niobe.”
“Look at that man yonder leaning against the corner of the Texas, and
see if you can discover anything singular about him.”
“Why, that is Henry of Navarre; of course there is nothing strange about
him. Why do you ask the question?”
“He is not the man who wore that uniform when we started from
Memphis.”
“Why do you conclude that he is not the one who personated Navarre at
the ball?”
“He is not quite so tall, but has a more dignified carriage; and then he
does not mingle with us, or participate in any of our amusements, as the real
Navarre did. The original Napoleon has also slipped out of his costume, and
62. a counterfeit has slipped in; and the strangest part of the mystery is that no
one knows what has become of the parties who originally personated
Navarre and Napoleon. Now if this is done in order to enable those men to
play a little joke on the ladies, there is no harm in it, but I suspect that some
sort of mischief is afloat. I guess it will appear in the wind-up that these two
men, and the black domino, are in some way interested in each other; and
you may be sure, if they are, that it will produce mischief.”
“The truth is, we are all engaged in playing a farce, and I am heartily
ashamed of my part of it—it reminds me of Shakespeare’s ‘Much Ado
About Nothing.’”
“I cannot by any means indorse that idea, for I have been very much
interested in Ingomar’s story.”
“It is too tedious. Give me something lively—something to make me
laugh—such as ‘Bill Arp,’ or ‘Artemus Ward,’ ‘Don Quixote,’ or ‘Mark
Twain.’”
“I prefer love stories. I like to read about women who prefer death to a
loveless marriage, and men who are always getting into scrapes in
attempting to protect virtue.”
“I guess, then, you like the ‘Bride of Lammermoor’ and the ‘Talisman’?”
“Yes, and all the other thrilling novels written by Sir Walter Scott.”
Don Quixote now came up and joined the king and duke in the
conversation, which soon drifted back to the lady in the black domino.
“By the by,” exclaimed Don Quixote, “I think that mysterious woman is
about to stir up a row between Napoleon and Navarre. The cauldron is
boiling and bubbling furiously, and blood is on the face of the moon.”
“How do you know that blood is on the moon, when that planet is on the
other side of the globe?”
“Of course you understand I was speaking metaphorically as to that; but
really, I should not be at all surprised to hear of a requisition being made for
pistols and coffins for two. To be more explicit, I think a duel is on the
tapis.”
“Now, sir knight,” said the duke, “if you are in possession of any news
that will in any manner relieve our minds about that strange woman, I
earnestly beg you to let us hear it at once; for you know what a deluge of
curiosity she has manufactured on this boat.”
63. “I am very sorry to be unable to furnish any information on that point of
a reliable nature—all is conjecture as far as the black domino is concerned;
she has had a long interview with the captain. I happened to hear enough of
the conversation to convince me that Navarre and Napoleon were the
parties discussed; then the captain appeared to be angry, and I distinctly
heard him mutter an oath or two, after he parted with the black domino.
Colonel Confed informed me that a duel was likely to be fought, and that
the lady in the black domino was at the bottom of it, but he refused to
mention the names of the parties to the quarrel; though I am convinced from
what I have heard that Navarre and Napoleon are to be the combatants.”
“I guess it will turn out to be a tempest in a teapot, or a mouse born of a
mountain,” replied the duke, as he handed the king and Don Quixote a fresh
cigar; “I wish,” continued the duke, “that Colonel Confed and General
Camphollower would cease their continual clamor about politics; they have
bored every man on this boat half to death, and each one seems to imagine
that the fate of the nation depends on his opinions.”
“They have succeeded in bridging the bloody chasm; but they have split
on the state rights question; they have generously consented that the war
shall be considered at an end.”
“Now, that indeed was very kind of them, for I dislike to hear people
continually harping on the war; but let that pass, and we will go back to the
subject. Did you tell the captain that Napoleon and Navarre were
interlopers, intruders, counterfeits, wolves in sheep’s clothing?”
“How could I impart information that I did not possess myself? What do
you mean by intruders, interlopers, etc., etc.?”
Then the duke imparted to Don Quixote the grounds of his suspicion.
“They are not the same men who personated Navarre and Napoleon at
the ball; I would risk anything on the truth of my assertion; and they are
both spotting the black domino.”
“If that is true,” replied Don Quixote, “it is our duty to mention it to the
captain without delay; and, gentlemen, I further suggest that we combine
our wits, and, if possible, prevent any hostile meeting, if such is
contemplated by any of our excursionists. In the first place, I am opposed to
the barbarous practice of dueling upon principle; then it is prohibited by the
laws of the land, and positively contrary to God’s holy ordinances. In
addition to all these objections, we must remember that a duel might put an
64. end to all of our innocent amusements; therefore I wish to know whether
you will co-operate with me in the effort to prevent it?”
“We certainly think your views very correct, and will gladly join you in
your peaceful mission; but I am of the opinion that it is a false alarm.”
It required some ten or fifteen minutes to collect the entire party, for they
were scattered about the boat, deeply interested in conversation. Nearly
every one of the maskers had been discussing the mysterious woman in the
black domino. At length the queen ascended her throne, and, after a
moment’s pause, ordered Ingomar to proceed.
“When I was conducted into the court-room by the deputy sheriff, his
Honor, Judge Flaxback, occupied the judicial bench; fixing his little round
eyes on me, he surveyed me like a snake endeavoring to charm a bird. A
large crowd of village idlers had assembled in the house, attracted there, no
doubt, by the peculiarity of the case. Flaxback reminded me of an Egyptian
mummy that I had seen in a museum. He was a little dried-up specimen of
decaying humanity, exhibiting in his person and dress unmistakable
evidence of dissipation and dilapidation. His nose had evidently been
broken with a heavy blow of some sort, for an ugly scar was apparent
running horizontally across his face, while his nostrils flared outward,
presenting rather an ugly appearance. He rested his chin on a plank in front
of his seat, and continued to gaze at me with a lazy, half-asleep sort of a
stare that caused my cheeks to burn with indignation. Every man in the
room had his eyes riveted on me, staring with open mouth as children do at
an elephant, while Flaxback seemed to be waiting for the inspection to be
completed before proceeding with the case. When a drop of blood starts
from such a man’s heart, with a view of making a journey to his extremities
to furnish a little life to them, it bids a long adieu to its home, knowing that
the chances are ten to one in favor of its freezing to death on the way. I sat
and impatiently watched the strange looking judge, wondering why he did
not proceed to dispose of my case. He continued to eye me for full thirty
seconds, and then in a voice sounding like that made with a file when being
need to sharpen a handsaw, he ordered the clerk to read the sheriff’s return
on the writ of habeas corpus.
“‘No return made, sir,’ said the clerk, as he began to grab promiscuously
about, snatching up every paper in sight, and looking as if he were hunting
for a small hole to crawl into.
65. “‘Where’s the sheriff?’ demanded the judge, in a voice which was
evidently meant to be loud and threatening, but which really did not amount
to a respectable whine.
“‘Fact is, may it please your Honor,’ said Mr. Deediddle, ‘the sheriff has
just stepped over to Mr. Dick Sninkle’s saloon to get a glass of water.’
“A smile might have been seen on the faces of a majority of the
spectators—they all knew that water did not agree with the sheriff. The
officer soon made his appearance, and the judge asked him why he had
neglected to return the writ.
“‘The writ commanded me to bring the body of Edward Demar before
the court, and here he is; what else could I do?’
“‘Mr. Clerk,’ said Flaxback, ‘enter a fine of ten dollars against Mr.
Postholder, for failing to return the writ, and unless the return is instantly
made, the fine will be doubled.’
“The sheriff was so badly confused that he did not know what he was
about; he cast an imploring look at the clerk, made a dash at a pile of papers
on the clerk’s desk, then looked up at the ceiling, like an old duck listening
for thunder when her puddle had gone dry.
“While all this nonsense was being exhibited, I was sitting there
suffering indescribable torture; every moment of time seemed to be worth a
mint of money to me, yet it was being wasted by those people as if it were
valueless. There is no telling when the farce would have ended, but for
Harry’s thoughtfulness. He took the writ, and in three minutes wrote out the
return and requested the sheriff to sign it, which he was very glad to do; he
would have signed his own death warrant then without objection. Mr.
Deediddle now made a raid to the front, and began to address the court.
“‘Fact is, your Honor, it is unnecessary to enter into an investigation of
the circumstances connected with the murder of Mr. Clanton, as this is
purely a question of personal identity. If the prisoner at the bar is not
Edward Debar, why of course he will be discharged—fact, sir—fact.’
“The district attorney consented that the investigation might be confined
to the question of personal identity.
“‘Swear your witness, Mr. Clerk,’ growled the judge.
“The clerk began to hunt for the Bible.
66. “‘Why don’t you swear your witnesses, Mr. Clerk?’ screamed the judge
impatiently.
“The clerk became more confused; he grabbed up a book which he
thought was the Bible, but when he found out that it was Mark Twain’s
‘Innocents Abroad,’ he let it fall on the floor, and began to grab at
everything in the shape of a book.
“‘If you don’t swear these witnesses, Mr. Clerk, I’ll send you to jail!’
screamed Flaxback.
“By this time the clerk could have been passed off as a first-class
maniac; his actions were frightful; he threw out both hands in every
direction, and at last snatched up George’s Digest, and swore the witnesses
on it before he discovered his mistake.
“‘Mrs. Debar was put on the stand first. She testified to the fact that
while I was very much like her husband, I was not the man. The district
attorney put her through a rigid cross-examination—not because he thought
she was swearing falsely, but he had a suspicion that she had aided her
husband in making his escape.
“‘Mrs. Debar,’ said the district attorney, ‘didn’t you smuggle the tools
into the jail to enable your husband to effect his escape?’
“Harry sprang to his feet in a moment, his eyes flashing with anger; I
trembled, because I was afraid he was going to commit some imprudent act
that might detain us, when I was so anxious to be flying toward Lottie; but I
had cause to change my mind very soon, for he made a modest, but
eloquent, appeal to the court in behalf of the unfortunate wife, who was in
tears.
“‘I appeal to this honorable court,’ said he, ‘to protect this unfortunate
lady; her condition is such as to entitle her to the sympathies of all good
men. The law does not require her to answer questions that would tend to
criminate her; and even if the law did not protect her, the dictates of
common humanity should be a sufficient motive to induce the honorable
attorney for the State to withdraw such a question. We must remember that
we have been taught to admire the devotion which a wife feels for her
husband. A true wife will not forsake her husband when misfortunes
overtake him; but the greater his troubles are the closer she will cling to
him; and it should prompt every true gentleman to respect the noble
sentiment of love that induces her to do it.’
67. “When Harry took his seat a murmur of approval was heard among the
spectators, and the district attorney said:
“‘I fully indorse the sentiments so eloquently expressed by my young
friend, and will therefore not press the question further; I will also say to the
court that I am fully satisfied that Mr. Demar has been unjustly imprisoned.
I was well acquainted with Edward Debar; and I hesitate not to say that I
never saw two men so much alike as he and Mr. Demar; though if they were
both present I think a considerable difference might be detected. Debar had
a slight scar over his left eye, which alone would be sufficient to distinguish
him from the prisoner now at the bar. I therefore give my consent, if the
court please, that Mr. Demar may be discharged.’
“‘Let the prisoner be discharged, Mr. Sheriff,’ growled the judge, as he
ordered the officer to adjourn court, and the great farce was ended.
“No doubt the judge and all of his officers imagined that they had done
for me a very great favor in releasing me, for which it was my duty to feel
grateful. Now, I am in favor of a faithful enforcement of the laws; but the
law is often used by unworthy men as a means of oppression. Judicial
murder has been committed in the State where I was so unjustly punished
by imprisonment. The case of young Boynton, mentioned by Mr. Wharton
in his treatise on criminal law, might be cited in proof of this. That poor boy
was hung by the neck until he was dead for a crime he did not commit. He
was a mere lad, only eighteen. He was charged with the murder of Mr. Ellis;
and when he was led out by the sheriff to be executed, he began to scream
and beg the spectators to save him, declaring before God that he was
innocent. He leaped from the scaffold into the arms of the assembled
multitude, imploring them to protect him. Poor boy! he was put to death,
and before his body had mingled, with the dust the real murderer died, and
on his death-bed confessed that he had murdered Mr. Ellis, and that young
Boynton was innocent. This scene was enacted in a county adjoining the
one where I had been so unjustly held as a prisoner. Who shall be able to
repair the injury so wrongfully inflicted on me? Who will ever know the
extent of the wrong?
“Three minutes had scarcely elapsed after my release, when Harry and I
were mounted on our high-mettled steeds, and dashing down the road at a
rapid speed. I knew that if we got to the station in time to meet the north-
bound train, we would have to press our horses to their utmost powers. Our
steeds were young, vigorous and full of good mettle, and needed no whip or
spur to urge them on.
“‘Let them go as fast as you like,’ said the owner of the noble animals, as
he handed me the reins; ‘they have excellent bottom, and will carry you as
swift as the wind.’
“We had much uneven ground to pass over, many tall hills to climb and
innumerable gullies to leap, but we never halted—on, on we dashed.
“We had placed ten miles of ground between us and the village of P——
when I saw the courier coming at a gallop to meet me; his horse was
foaming with perspiration, convincing me that he had been hard pressed.
The lad dashed up, and handed me a dispatch.
“‘I had to wait two hours at the office before the answer came,’ said the
boy, as he placed the envelope in my hand.
“This time I was prepared for the awful news; hence I did not feel such a
shock as I had felt when the other dispatch was handed to me, though the
news was worse than that contained in the first telegram. But you would
probably understand matters better by hearing the telegram read; it is from
Doctor Dodson, who remained with Lottie all the time:
“‘DEAR EDDIE—Your second message was received. I deeply regret that I have nothing
but the worst news to communicate—our darling Lottie is slowly but surely passing away.
She may possibly live twenty-four hours longer, though I think she will die to-night. I
would be so glad if you and Harry could get here before she dies, because she expresses
such great anxiety to see you. She says she does not feel a particle of pain. God seems to be
merciful in that respect. Her mind remains perfectly clear, and she converses rationally, but
most of her conversation is about you and Harry. I believe if she could see you it would
greatly relieve her mind, and that then she would pass away without a struggle. If you
could reach home to-night you might see her before she dies. May God, in His great mercy,
give you courage and strength to bear this great loss with becoming fortitude!
DODSON.’
“As soon as I finished reading this telegram I handed it to Harry, then
told the messenger to go to the village and remain till morning, so as to give
his horse the necessary rest, and the next day to go back to the station and
get our horses and deliver them to the owner. I presented him my fine gold
watch, as a reward for his faithful services, then dashed away as fast as my
gallant steed could carry me.
“When we were within five miles of the station Harry looked at his
watch and observed:
“‘If we get to the station in time for the up-train we will have a close
race indeed; we have only twenty minutes to make the five miles.’
“I did not believe that I was doing wrong on that occasion when I urged
my noble horse forward to the very top of his speed. I knew it would
distress and press him both for us to make it in time, yet I believed he could
do it without endangering his life. My conclusions were correct; for we did
dismount at the station as the train dashed into the streets of the little town.
We gave our horses in charge of the livery stable keeper, and stepped on the
platform just as the train began to move.
“I wish I could convey to my audience a correct idea of my feelings
when I began to hope I would reach home in time to see Lottie before death
claimed her. I hastily wrote a dispatch with my pencil, intending to have it
sent forward from the next office, notifying Doctor Dodson that we were on
the train and would reach home that night. Here is the identical telegram—I
have been careful to preserve them:
“‘DEAR DOCTOR—We are aboard the train, and will be home to-night. For Heaven’s
sake don’t let my darling die before we come! Send an answer so it will meet us at
Grenada. We are due there at eight o’clock. Tell Lottie that we are begging God to spare
her dear life. Cheer her up with hope; I can’t bear the thought of losing my darling!’
“This dispatch was handed to the operator at the first office we reached,
who promised to forward it without delay. Then I dropped down on my seat
and spent every moment in earnest prayer.
“It was fifteen minutes past eight when the train arrived at Grenada, and
I believe that city is just one hundred miles from Memphis. That is the place
where the Mississippi and Tennessee Railroad connects with the New
Orleans, St. Louis and Chicago Railroad, and we would have to take the
Mississippi and Tennessee road to go to Memphis. As soon as the train
halted I hastened to the telegraph office to inquire for news, as I was
expecting an answer to my last message. I was well acquainted with the
young man who had charge of the office at Grenada—he had formerly
resided in Memphis. He was about my own age, and we had been bosom
friends for many years. I rushed into his presence and hurriedly inquired if
there was a dispatch in the office for me.
“‘Take a seat, Demar,’ said the operator, ‘you look very ill; can I do
anything for you?’
“‘Any telegram here for me?’ I exclaimed, disregarding his kind offer.
“‘Yes,’ he hesitatingly answered, ‘but you had better take a seat and
compose yourself before you read it. The news it brings is very bad, though
I infer that you have been expecting it.’
“The objects in the room seemed to be running round, a blindness began
to close over my eyes, and I felt a smothering sensation in my throat and
lungs. The operator very fortunately happened to think of a bottle of spirits
of camphor that he had bought from the drug-store that day—he seized it
and sprinkled my face and moistened my beard with the liquid, which I
believe prevented me from fainting. After a few minutes had elapsed I
requested him to give me the dispatch.
“‘You may give it to me now,’ I said, ‘because I am prepared for the very
worst.’
“He handed the envelope to me and I read the following words:
“‘MY DEAR BOY—Trust in God—He alone can comfort you now—our darling is
dying. Death began to lay his cold hands on her dear body at four o’clock. She may linger
four or five hours longer, but I think all will be over before that time. She expressed so
much anxiety to see Viola that the sheriff very kindly consented to bring her here, and
when they met it was the most affecting scene I ever witnessed. I fear we committed an
error in allowing Viola to come, because as soon as the sheriff started away with his
prisoner Lottie became worse, and is still rapidly failing. But how could I have the heart to
refuse to let her see Viola, when she insisted so earnestly to have her sent for? Lottie leaves
many messages of love with us to be delivered to you when you come, provided you do not
arrive in time to receive them from her own lips.
“‘I beseech you, my dear boy, to bow submissively to the will of God—and remember
you can meet Lottie in Heaven if you try. You will also understand that you are not the only
one who grieves for this great affliction.
DODSON.’
“‘When does the train start for Memphis?’
“‘Seven o’clock in the morning,’ replied the agent.
“‘Alas! that would be too late; all will be over before then,’ was my
reply.
“‘I believe,’ said the agent, ‘that under the circumstances the
superintendent would let you have an extra train for a reasonable
compensation. I will ask him by telegraph, if you wish it.’
“‘You are very kind, sir, and I thank you; please make the request
without delay. Tell the superintendent that money is no object—the value of
the engine and coach is offered, and will be promptly paid if required. I beg
you, sir, not to lose a moment. If you only knew how precious time is to me
now, you would be in a hurry!’
“While I was urging the agent to send the message, the clicking of the
instrument under his thumb and finger indicated the fact that the electric
fluid was dashing the request into the office at Memphis. The dispatch was
gone in three minutes. A short conversation was then commenced between
the superintendent at Memphis and the agent at Grenada. As the clicking of
the instrument carried the words to the ear of the operator, he conveyed
them to my ear by word of mouth.
“‘Is number seven there?’ inquired the superintendent.
“‘Yes,’ was the operator’s reply.
“‘Is she in good running order?’
“‘I will ascertain in a moment.’
“‘Go ask Mr. Steelbrim to come here quickly,’ said the operator to a little
negro who was dozing near the door.
“The little fellow rose up, shook himself, rubbed his eyes with his
sleeve, gaped, and staggered up against the wall and said:
“‘Sir!’
“The order was quickly repeated, and the boy walked leisurely away. It
was but a few minutes until a little dark-haired man, with long black
whiskers and large expressive eyes, entered the office. His garments were
covered with grease and smut, and his hands were thrust deep down in his
pockets, and a don’t-care sort of expression was visible on his face.
“‘Is number seven in good running order, Mr. Steelbrim?’ inquired the
operator.
“‘Apple-pie, hunkadory, O. K.—no mistake. Never nothing wrong with
that old gal when under my command, you bet!’ was replied by the greasy
little man as he limped across the floor, for his left leg was shorter by two
inches than the other.
“‘How long before you can heat her up and be ready to make a quick run
to Memphis, Mr. Steelbrim?’
“‘Do it in less than no time, sir; the old gal’s pretty hot now—just began
to cool her off. She hain’t been in more’n ten minits; but what’s up?’
“‘An extra train to Memphis; a quick run—very important—no time to
be lost—get ready immediately; take one coach and back down here, and
the orders will be ready.’
“‘Good! The old gal can make the run in two hours, if she has a clean
road and no bigger load than one coach. Glad to make the run—wanted to
go to Memphis anyhow—sweetheart there—want to see her—was going to
ask for leave anyway—ten minits we’ll be off like a greased streak of
lightnin’!’
“The greasy little man moved away as if he meant business.
“‘Number seven is in good order—Mr. Steelbrim anxious to make the
run,’ said the operator to the superintendent by wire.
“‘Start him at 8:50 with one coach. Let him make the run in 2:30 if he
can. Order track to be cleared. Tell number four to take side track at Sardis.
Number seven will only stop two minutes at Sardis for orders—two minutes
at Hernando for same purpose—no other stop to be made.’
“As the operator repeated this order to me hope, which I thought had
died within me, began to revive. A glimmering hope it was indeed, yet it
was a live hope that I should once more gaze on those pretty blue eyes
before death set his cold seal on them forever. I hurriedly wrote the
following message, which the operator sent to Dr. Dodson:
“‘Will leave here by special train at 8:50, and arrive at depot at 11:20; have carriage at
depot. Tell Lottie we are coming. For Heaven’s sake keep her alive till we come! Answer
this at Sardis. Don’t fail nor lose time. Will send another telegram from Sardis.’
“By the time this dispatch had been forwarded, Mr. Steelbrim had moved
his engine onto the main track, and began to back down to the depot.
“‘All right, cap; the old gal’s a-pantin’ to be off. Steam one-forty and a-
risin’. What’s the orders?’
“The operator read the orders carefully; then handed the paper to Mr.
Steelbrim.
“‘Good! All aboard!’ cried the greasy little man, as he leaped on the cab
and seized the throttle-lever.
“‘Pile on the coal, Jim; keep her a-bilin’; time’s up in three minits; old
gal’s a-champin’ her bits; but I’m the chap that’ll hold her on the rail and let
her fly directly!’
“Harry and I stepped aboard and took seats opposite each other in
silence. A dim lamp struggled for life in one corner of the coach, while a
pale light cast a gloomy appearance over the seats.
“‘Time’s up!’ exclaimed Mr. Steelbrim, as he gave the lever a backward
pull, and the engine dashed rapidly away.”
CHAPTER XXVII.
Miss Kate Darlington was the only daughter of Thaddeus Darlington, a
real down-eastern Yankee, who had imbibed all those unreasonable
prejudices prevailing in the New England States against all citizens of the
South. He had been sent South by the government to look after some
defaulting revenue collectors, and after discharging that duty, he concluded
to locate in Jackson, Mississippi. His daughter, Kate, had received a
polished education, but she had been petted and flattered until she was
pretty well spoiled. Her disposition was gentle and kind when things went
smoothly, but she had a temper which often got the upper hand, and then
she usually made matters rather unpleasant.
After the maskers had dispersed Miss Darlington stole away from the
crowd, and took a seat behind the ladies’ cabin, in order to have what she
called a day dream. A sentiment of a mysterious nature had of late been
disturbing her mind—a strange feeling not altogether painful, and not
entirely pleasant. A kind of joyful pain—a happy sorrow—a pleasant fear.
“What is the matter with me?” was the question she asked herself. “What
sort of a pain is this that is mixed with delicious pleasure? How strange that
such joy can be concealed under such misery!”
While she was thus soliloquizing the image of a man would every now
and then pass across the path of her imagination. She could see the image
plainer when her eyes were shut than with them open; and despite her
efforts to drive it away, it would keep thrusting itself before her, sometimes
in one shape, then in another, but always with the same look—the same
form; that shape was the exact counterpart of the gallant sir knight of
Ivanhoe.
“Yes, it is so; I am captured at last—it is love; heigh ho! there is no use
to struggle any longer. What will dear papa say when he finds that I have
fallen in love with a real double and twisted rebel—a man who fought
through four years of bloody war against the union—a downright traitor,
who brags of the part he played in the rebel army? Ah, me! how strange it is
that I should fall in love with such a man! But didn’t Juliet fall in love with
a son of her father’s bitterest enemy? Yes; but, alas! what a tragic ending
did that love produce! Something tells me that this love will end in sorrow.
But stop a moment; why should papa be Ralleigh’s enemy? Why should I
not love Captain Burk? He fought for his country—he fought in self-
defense—he battled for his life—his liberty—his home—his mother and his
sisters. He would have been less than a man if he had refused to fight—it
would have been cowardly. No, he was right and I honor him for it; I love
Captain Burk; papa will love him when he knows him better. I ought to be
proud that such a man as Captain Burk has honored me with his love. I am
proud of it. I will reciprocate his love; and, if papa is willing, I will be the
wife of what my people have misnamed a traitor. Ah, me! there is the rub.
Papa will raise a great row when he knows how I love a rebel.”
Scottie then took out her handkerchief and wiped away the tears that
were stealing down her cheeks.
“A gentleman is looking for you, miss,” said a chamber-maid who came
through the back door and approached her.
“Who is it?”
“I believe they call him Divinghoe or Hivanhoe, or some such outlandish
name.”
“Where is he?”
“He is in the front part of the saloon; he sent me to hunt you.”
“Very well; you may tell him where I am, if you wish.”
But a moment elapsed before Ivanhoe was by Scottie’s side.
“I have been looking all over the boat for you, Scottie. What induced
you to hide from me?”
“I did not hide from you particularly, but I felt sad and wanted to be
alone.”
“I hope you will not be so cruel as to drive me away, when you know
how it pleases me to be by your side!”
“Oh, no! I have had my little day dream, and am glad you came.”
“Thank you; can we have a little chat here without being interrupted?”
“Yes, I guess so; take a seat.”
“I have made another wonderful discovery.”
“What is it?”
“We have got a counterfeit emperor aboard of this boat.”
“What do you mean?”
“The real Napoleon has slipped out of his costume, and a counterfeit has
slipped in. To be plain, a stranger got aboard somewhere, and is dressed in
Napoleon’s costume; and the real Napoleon has vamoosed the ranch—run
away, disappeared, melted into thin air, fell overboard, become extinct, or
something of the sort; anyway, the original emperor is not comeatible. Now,
Scottie, I should like to know what you think of such doings?”
“I will tell you in short what I think: We are all struggling in a sea of
nonsense; and I am heartily ashamed of my part of it. I wish I were at my
father’s house—that I do; and if things don’t change pretty soon I shall set
my sails in that direction. Napoleon is not the only one who has been
playing tricks on this boat. Captain Quitman ought not to permit such
doings.”
“How did you get possession of the information?”
“I had had many conversations with the original Navarre; one subject in
particular had been frequently discussed between us. A while ago I walked
up and took Navarre’s arm and began to talk about the special subject. He
was startled when I took his arm; and I could feel his body trembling. After
I had gone on talking for about five minutes he gave a grunt like a wild hog
and abruptly walked away, leaving me thunderstruck with astonishment; I
then discovered that he was not the real Navarre.”
“Now, Scottie, if I had been present when that scamp had the impudence
to grunt at you, I think I should have broken his head with my cane.”
“I am very glad, then, you were not present, because I am on Grant’s
platform—Let us have peace.”
“Peace is a very good thing in its proper place; but I feel very much
inclined to get up a row here. I think I shall commit some sort of mischief if
these things don’t change very soon. The fact is, we may look out for
squalls—some sort of deviltry is brewing aboard of this boat certain.”
“I am of that opinion, myself; but I think we had better have nothing to
do with it.”
“That woman in the black domino keeps me on the rack all the time; and
I would not be at all surprised if it should turn out that she is at the bottom
of all this mysterious game.”
“Suppose we change the subject and let the black domino and her co-
conspirators work out their own schemes.”
“Very good. What shall we talk about?”
“Oh, anything for a change.”
“What book is that you hold in your hand?”
“Paradise Lost.”
“I would rather see Paradise found; but how do you like Milton?”
“Too much imagination and not enough sentiment. Such extravagant
ideas! Just think of his description of the war in Heaven. He says they
plucked up great mountains by the roots and threw them at each other’s
heads. Now I think that is a little too extravagant.”
“If you like sentiment, you admire Tom Moore.”
“Ah! you are right as to that. Give me Moore and Burns above all others.
I often steal away when at home and weep over the sweet sentimental songs
of those favorite poets.”
“Shakespeare is my poet. Speaking of sentiment, it gushes up on every
page, and streams from every line. Rosalind, Imogene, Juliet, Romeo,
Orlando and Hamlet—all are made to utter the most soul-stirring, heart-
melting sentiment. But enough about poetry; take my arm and let us go on
deck and enjoy the scenery.”
As soon as they reached the upper deck, George III. came up with a look
of mystery on his countenance.
“Good morning. I was wanting to speak a few words with you. Perhaps
you have heard of my great mishap?”
“No! what is it?”
“My watch was stolen from my pocket within the last thirty minutes.”
“Ah, ha!” exclaimed Scottie, “I told you so. The whirlwind has started,
and a tornado will wind up the scene.”
“Have you any idea who was the thief?”
“Yes; but my suspicions may not be well founded.”
“May I know whom you suspect?” inquired Ivanhoe.
“Yes, provided you will promise not to mention it to any one.”
“Good! I promise, of course.”
“So do I,” said Scottie.
“My suspicions point to that man who appears in Napoleon’s dress and
mask; though he is a newcomer.”
“Why not make the charge boldly, and demand the right to make a
search for the watch?” said Ivanhoe.
“Let us wait and watch him, for he is bent on mischief, and we will catch
him in the act of picking some man’s pocket.”
“I beg pardon, gentlemen,” said an old man with long, white whiskers,
as he bowed very low to Ivanhoe and George III. He was the same
gentleman who had been so often seen with the lady in the black domino
leaning on his arm. “I have a communication to make which I consider of
some importance. The fact is, matters are becoming somewhat complicated
on this boat; and if I might be so bold as to offer advice, I should say that it
is high time for all these young people to lay aside their masks. Wolves
have managed to get into the flock; and mischief will be done if matters go
on in this way much longer. A lady aboard of this boat, whose name I am
not at liberty to mention, has made a startling disclosure to me, which
portends some dire mischief. The fact is, I am constrained to believe, from
what she told, that murder is contemplated.”
“May we know the particulars?”
“Of course, yes; that is the very matter I wish to communicate. If you
will be so good as to request Ingomar to join us, I would be much obliged,
as I think he ought to hear what I have to say.”
Ivanhoe went after Ingomar, and soon returned accompanied by him.
“The young lady to whose sagacity I am indebted for the important
information which I am about to communicate has a history—yes, a very
strange history, full of queer incidents such as you see in novels. The young
lady to whom I refer is the one in the black domino. You have often seen
her leaning on my arm, gentlemen. She is a most elegant young lady, of
remarkable beauty and superior intellect, whose protector I have the honor
to be at this time. A combination of sad circumstances—unfortunate events,
I might say—have clouded her young life. You may perhaps have noticed
that she has not participated in any of the amusements in which the young
people have been indulging on this boat. If I were at liberty to reveal the
secrets of her unhappy life, I could unfold a most distressing story; but that
is a sealed book, so far as we are concerned. You have probably noticed a
disposition on the part of this young lady to wander about alone, seeking
solitude, where she could give free vent to her grief, and let her tears flow
unnoticed by the unsympathizing crowd. Well, I did not approve of this
course, but was unable to prevent it; and perhaps, after all, it was fortunate
that I did not stop it, for it was during one of these solitary rambles that the
information which I am going to communicate was obtained. She had
concealed herself on the larboard side of the boat just in front of the wheel-
house, and behind a stack of furniture, where she could meditate alone,
when two men came out and stood on the other side and held a consultation
in very low tones. She could not hear every word that was said, but what
she did hear was of a most startling character. As soon as the two men
stepped into the saloon the young lady came and immediately imparted to
me what she had heard. To say I was surprised would not convey the full
meaning of what I felt. The fact is, I was shocked, startled, paralyzed with
astonishment! Yes, gentlemen, it is most wonderful—I might say diabolical.
I can repeat, word for word, all that the young lady heard, which I mean to
do. It was unfortunate, however, that she did not see the two men—that is,
she did not get a full view of them; but she saw the head and shoulders of
one of the men as he passed through the door, and she thinks she knows
who he is; but for fear that she might be mistaken as to that, she requested
me not to mention the name of the man she suspects, which request I, of
course, must respect. Now here is the conversation verbatim, as it was
related to me by this unfortunate young lady:
“‘He is the man, beyond question,’ said the first speaker.
“‘Yes, that’s certain,’ replied number two.
“‘He has lots of greenbacks,’ says number one.
“‘We must have his money and his life, too. We must first get his money,
and then settle the other matter.’
“‘Do you know how much money he has?’
“‘No; but it is way up in the thousands—and I think I may say tens of
thousands.’
“‘Good; that’s lucky; but have you matured any plan to crib the game?’
“‘Yes.’
“Then they began to talk in a whisper, and the young lady could not hear
all that was said; but ever and anon she could catch a word such as ‘Throttle
him—chuck him overboard—dead men keep secrets—revenge—old grudge
—he ruined me—money good—revenge better—could steal his money—