A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems

  • Louis Goubin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2567)


As Elliptic Curve Cryptosystems are becoming more and more popular and are included in many standards, an increasing demand has appeared for secure implementations that are not vulnerable to sidechannel attacks. To achieve this goal, several generic countermeasures against Power Analysis have been proposed in recent years.

In particular, to protect the basic scalar multiplication – on an elliptic curve — against Differential Power Analysis (DPA), it has often been recommended using “random projective coordinates”, “random elliptic curve isomorphisms” or “random field isomorphisms”. So far, these countermeasures have been considered by many authors as a cheap and secure way of avoiding the DPA attacks on the “scalar multiplication” primitive. However we show in the present paper that, for many elliptic curves, such a DPA-protection of the “scalar” multiplication is not suficient. In a chosen message scenario, a Power Analysis attack is still possible even if one of the three aforementioned countermeasures is used. We expose a new Power Analysis strategy that can be successful for a large class of elliptic curves, including most of the sample curves recommended by standard bodies such as ANSI, IEEE, ISO, NIST, SECG or WTLS.

This result means that the problem of randomizing the basepoint may be more difficult than expected and that “standard” techniques have still to be improved, which may also have an impact on the performances of the implementations.


Public-key cryptography Side-channel attacks Power Analysis Differential Power Analysis (DPA) Elliptic curves Smartcards 


  1. [1]
    G.B. Agnew, R.C. Mullin, S.A. Vanstone, An Implementation of Elliptic Curve Cryptosystems over F 2155. IEEE Journal on Selected Areas in Communications, vol. 11, n. 5, pp 804–813, 1993. 200, 204CrossRefGoogle Scholar
  2. [2]
    ANSI X9.62, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA), 1999. 201, 208Google Scholar
  3. [3]
    A. Bellezza, Countermeasures against Side-Channel Attacks for Elliptic Curve Cryptosystems. IACR, Cryptology ePrint Archive, 2001/103, 2001. Available from 200, 201
  4. [4]
    E. Brier, M. Joye, WeierstraßElliptic Curves and Side-Channel Attacks. In Proceedings of PKC’2002, LNCS 2274, pp. 335–345, Springer-Verlag, 2002. 200, 201, 204Google Scholar
  5. [5]
    C. Clavier, M. Joye, Universal Exponentiation Algorithm–A First Step towards Provable SPA-Resistance. In Proceedings of CHES’2001, LNCS 2162, pp. 300–308, Springer-Verlag, 2001. 200Google Scholar
  6. [6]
    H. Cohen, A. Miyaji, T. Ono, Efficient Elliptic Curve Exponentiation Using Mixed Coordinates. In Proceedings of ASIACRYPT’98, LNCS 1514, pp. 51–65, Springer-Verlag, 1998. 201Google Scholar
  7. [7]
    J.-S. Coron, Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems. In Proceedings of CHES’99, LNCS 1717, pp. 292–302, Springer-Verlag, 1999. 200, 201, 203Google Scholar
  8. [8]
    W. Fischer, C. Giraud, E.W. Knudsen, J.-P. Seifert, Parallel Scalar Multiplication on General Elliptic Curves over F p hedged against Non-Differential Side-Channel Attacks. IACR, Cryptology ePrint Archive, 2002/007, 2002. Available from 200, 204
  9. [9]
    M.A. Hasan, Power analysis attacks and algorithmic approaches to their countermeasures for Koblitz curve cryptosystems. In Proceedings of CHES’2000, LNCS 1965, pp. 93–108, Springer-Verlag, 2000. 200Google Scholar
  10. [10]
    IEEE P1363, Standard Specifications for Public-Key Cryptography, 2000. Available from 201
  11. [11]
    ISO/IEC 15946-4, Information technology-Security techniques–Cryptographic techniques based on elliptic curves-Part 4: Digital signatures giving message recovery. Working Draft, JTC 1/SC 27, December 28th, 2001. 201, 208Google Scholar
  12. [12]
    T. Izu, T. Takagi, A Fast Parallel Elliptic Curve Multiplication Resistant against Side Channel Attacks. In Proceedings of PKC’2002, LNCS 2274, pp. 280–296, Springer-Verlag, 2002. 200, 201, 203, 204Google Scholar
  13. [13]
    M. Joye, J.-J. Quisquater, Hessian Elliptic Curves and Side-Channel Attacks. In Proceedings of CHES’2001, LNCS 2162, pp. 412–420, Springer-Verlag, 2001. 200, 202Google Scholar
  14. [14]
    M. Joye, C. Tymen, Protections against Differential Analysis for Elliptic Curve Cryptography–An Algebraic Approach. In Proceedings of CHES’2001, LNCS 2162, pp. 377–390, Springer-Verlag, 2001. 200, 201Google Scholar
  15. [15]
    N. Koblitz, Elliptic curve cryptosystems. Mathematics of Computation, Vol. 48, pp. 203–209, 1987. 199MATHCrossRefMathSciNetGoogle Scholar
  16. [16]
    P. Kocher, J. Jaffe, B. Jun, Introduction to Differential Power Analysis and Related Attacks. Technical Report, Cryptography Research Inc., 1998. Available from 200
  17. [17]
    P. Kocher, J. Jaffe, B. Jun, Differential Power Analysis. In Proceedings of CRYPTO’99, LNCS 1666, pp. 388–397, Springer-Verlag, 1999. 200Google Scholar
  18. [18]
    P.-Y. Liardet, N.P. Smart, Preventing SPA/DPA in ECC system using the Jacobi Form. In Proceedings of CHES’2001, LNCS 2162, pp. 401–411, Springer-Verlag, 2001. 200Google Scholar
  19. [19]
    J. López, R. Dahab, Fast Multiplication on Elliptic Curves over GF(2m) without Precomputation. In Proceedings of CHES’99, LNCS 1717, pp. 316–327, Springer-Verlag, 1999. 200, 204Google Scholar
  20. [20]
    T. S. Messerges, E.A. Dabbish, R.H. Sloan, Power Analysis Attacks of Modular Exponentiation in Smartcards. In Proceedings of CHES’99, pp. 144–157, Springer-Verlag, 1999. 200Google Scholar
  21. [21]
    V. Miller, Uses of elliptic curves in cryptography. In Proceedings of CRYPTO’85, LNCS 218, pp. 417–426, Springer-Verlag, 1986. 199Google Scholar
  22. [22]
    B. Möller, Securing Elliptic Curve Point Multiplication against Side-Channel Attacks. In Proceedings of ISC’2001, LNCS 2200, pp. 324–334, Springer-Verlag, 2001. 200, 204Google Scholar
  23. [23]
    P. L. Montgomery, Speeding the Pollard and Elliptic Curve Methods for Factorizations. Mathematics of Computation, vol. 48, pp. 243–264, 1987. 200, 202, 204MATHCrossRefMathSciNetGoogle Scholar
  24. [24]
    National Institute of Standards and Technology (NIST), Recommended Elliptic Curves for Federal Government Use. In the appendix of FIPS 186-2, available from 201, 208
  25. [25]
    K. Okeya, H. Kurumatani, K. Sakurai, Elliptic Curve with the Montgomery Form and their cryptographic Applications. In Proceedings of PKC’2000, LNCS 1751, pp. 238–257, Springer-Verlag, 2000. 200, 204Google Scholar
  26. [26]
    K. Okeya, K. Miyazaki, K. Sakurai, A Fast Scalar Multiplication Method with Randomized Projective Coordinates on a Montgomery-form Elliptic Curve Secure against Side Channel Attacks. In Pre-proceedings of ICICS’2001, pp. 475–486, 2001. 201Google Scholar
  27. [27]
    K. Okeya, K. Sakurai, Power Analysis Breaks Elliptic Curve Cryptosystem even Secure against the Timing Attack. In Proceedings of INDOCRYPT’2000, LNCS 1977, pp. 178–190, Springer-Verlag, 2000. 200, 202, 204Google Scholar
  28. [28]
    K. Okeya, K. Sakurai, Effcient Elliptic Curve Cryptosystems from a Scalar Multiplication Algorithm with Recovery of the y-coordinate on a Montgomery-form Elliptic Curve. In Proceedings of CHES’2001, LNCS 2162, pp. 126–141, Springer-Verlag, 2001. 200, 204Google Scholar
  29. [29]
    N.P. Smart, The Hessian Form of an Elliptic Curve. In Proceedings of CHES’2001, LNCS 2162, pp. 118–125, Springer-Verlag, 2001. 200, 202Google Scholar
  30. [30]
    Standards for Efficient Cryptography Group (SECG), Specification of Standards for Efficient Cryptography, Ver. 1.0, 2000. Available from docs.htm 201, 208
  31. [31]
    Wireless Application Protocol (WAP) Forum, Wireless Transport Layer Security (WTLS) Specification. Available from 201, 208

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Louis Goubin
    • 1
  1. 1.CP8 Crypto LabSchlumbergerSemaLouveciennes CedexFrance

Personalised recommendations