# A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems

## Abstract

As Elliptic Curve Cryptosystems are becoming more and more popular and are included in many standards, an increasing demand has appeared for secure implementations that are not vulnerable to side-channel attacks. To achieve this goal, several generic countermeasures against Power Analysis have been proposed in recent years.

In particular, to protect the basic scalar multiplication on an elliptic curve against Differential Power Analysis (DPA), it has often been recommended to use “random projective coordinates”, “random elliptic curve isomorphisms” or “random field isomorphisms”. So far, these countermeasures have been considered by many authors as a cheap and secure way of avoiding the DPA attacks on the “scalar multiplication” primitive. However, we show in the present paper that, for many elliptic curves, such a DPA-protection of the “scalar” multiplication is not sufficient. In a *chosen message* scenario, a Power Analysis attack is still possible even if one of the three aforementioned countermeasures is used. We expose a new Power Analysis strategy that can be successful for a large class of elliptic curves, including most of the sample curves recommended by standards bodies such as ANSI, IEEE, ISO, NIST, SECG or WTLS.

This result means that the problem of randomizing the basepoint may be more difficult than expected and that “standard” techniques still have to be improved, which may also have an impact on the performance of the implementations.

## Keywords

Public-key cryptography, Side-channel attacks, Power Analysis, Differential Power Analysis (DPA), Elliptic curves, Smartcards