Zero-Value Point Attacks on Elliptic Curve Cryptosystem
Differential power analysis (DPA) might break implementations of elliptic curve cryptosystems (ECC) on memory-constrained devices. Goubin proposed a variant of DPA using the point (0, y), which is not randomized in Jacobian coordinates or in the isomorphic class. This point often exists on the standard curves, so this attack must be taken into account. In this paper, we propose the zero-value point attack as an extension of Goubin’s attack. Note that even if a point has no zero-value coordinate, the auxiliary registers might take a zero value. We investigate these zero-value registers, which cannot be randomized by the above randomization. Indeed, we have found several points P = (x, y) that cause zero-value registers, e.g., (1) $3x^2 + a = 0$, (2) $5x^4 + 2ax^2 - 4bx + a^2 = 0$, (3) P is a y-coordinate self-collision point, etc. We demonstrate the standard curves that have these points. Interestingly, some conditions required for the zero-value attack depend on the explicit implementation of the addition formula; to resist this type of attack, care must be taken in how the addition formula is implemented. Finally, we note that Goubin’s attack and the proposed attack assume that the base point P can be chosen by the attacker and the secret scalar d is fixed, so they are not applicable to ECDSA signature generation.
Keywords: side channel attack, differential power analysis, elliptic curve cryptosystem, addition formula, zero-value register