Question of side-channel attack result in CW305_ECC

When I run the side-channel attack in CW305_ECC with
k = 0xffffffffffffffffffffffffffffffff00000000000000000000000000000000

But I have some question about how they can distinguish for all k=1 bits and all k=0 bits because I see the ecc algorithm is always double and add, when k=1 bits or k=0 bits they will do double and add right?why they can distinguish so perfectly?Recently I want to change the ecc algorithm to Montgomery, but when I run my version I get this

(use new ecc_cycles.npy for my ecc and my ecc spend 1027 cycles for 1 bit)

the average difference looks like below

In my opinion, always double & add and Montgomery are all do double and add when k=1 bits or k=0 bits right?So I just want to make sure where I get wrong.Thx~


The notebook explains the reason why: the result of the addition is not stored when k=0, but it is stored when k=1. That is the difference which is exploited by the attack.

Similarly, Montgomery Ladder implementations are likely to have the same kind of vulnerability. With Montgomery, double and add is done for each bit, but the result is stored in different registers depending on k. There is always some dependence on k, and that is what gets exploited. For your implementation, I suggest narrowing your focus on the clock cycle(s) where operations depend on k. Perhaps you need to average more traces.