The wide number and variety of side-channel attacks against scalar multiplication algorithms makes their security evaluations complex, in particular in case of time constraints making exhaustive analyses impossible. In this paper, we present a systematic way to evaluate the security of such implementations against horizontal attacks. As horizontal attacks allow extracting most of the information in the leakage traces of scalar multiplications, they are suitable to avoid risks of overestimated

more »

... curity levels. For this purpose, we additionally propose to use linear regression in order to accurately characterize the leakage function and therefore approach worst-case security evaluations. We then show how to apply our tools in the contexts of ECDSA and ECDH implementations, and validate them against two targets: a Cortex-M4 and a Cortex-A8 micro-controllers. k0 Pr [k0 = 0] Pr [k1 = 1|k0 = 1] k1 Pr [k1 = 0|k0 = 1] Pr [k1 = 1|k0 = 0] Pr [k1 = 0|k0 = 0] Pr [k2 = 1|k0 = 1, k1 = 1] k0 Pr [k2 = 0|k0 = 1, k1 = 1] Pr [k2 = 1|k0 = 1, k1 = 0] Pr [k2 = 0|k0 = 1, k1 = 0] Pr [k2 = 1|k0 = 0, k1 = 1] Pr [k2 = 0|k0 = 0, k1 = 1] Pr [k2 = 1|k0 = 0, k1 = 0] Pr [k2 = 0|k0 = 0, k1 = 0]