A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems

Conference paper. First Online: 18 December 2002. DOI: 10.1007/3-540-36288-6_15

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2567).

Cite this paper as: Goubin L. (2003) A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems. In: Desmedt Y.G. (eds) Public Key Cryptography – PKC 2003. PKC 2003. Lecture Notes in Computer Science, vol 2567. Springer, Berlin, Heidelberg.

Abstract

As Elliptic Curve Cryptosystems are becoming more and more popular and are included in many standards, an increasing demand has appeared for secure implementations that are not vulnerable to side-channel attacks. To achieve this goal, several generic countermeasures against Power Analysis have been proposed in recent years.

In particular, to protect the basic scalar multiplication on an elliptic curve against Differential Power Analysis (DPA), the use of “random projective coordinates”, “random elliptic curve isomorphisms” or “random field isomorphisms” has often been recommended. So far, these countermeasures have been considered by many authors as a cheap and secure way of avoiding DPA attacks on the “scalar multiplication” primitive. However, we show in the present paper that, for many elliptic curves, such a DPA protection of the scalar multiplication is not sufficient. In a chosen-message scenario, a Power Analysis attack is still possible even if one of the three aforementioned countermeasures is used. We expose a new Power Analysis strategy that can be successful for a large class of elliptic curves, including most of the sample curves recommended by standard bodies such as ANSI, IEEE, ISO, NIST, SECG or WTLS.

This result means that the problem of randomizing the base point may be more difficult than expected and that “standard” techniques still have to be improved, which may also have an impact on the performance of the implementations.

Keywords: Public-key cryptography; Side-channel attacks; Power Analysis; Differential Power Analysis (DPA); Elliptic curves; Smartcards


© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations: L. Goubin, CP8 Crypto Lab, SchlumbergerSema, Louveciennes Cedex, France