Revisiting Atomic Patterns for Scalar Multiplications on Elliptic Curves

  • Franck Rondepierre
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8419)


This paper deals with the protection of elliptic curve scalar multiplications against side-channel analysis by using the atomicity principle. Unlike other atomic patterns, we investigate new formulæ with same cost for both doubling and addition. This choice is particularly well suited to evaluate double scalar multiplications with the Straus-Shamir trick. Thus, in situations where this trick is used to evaluate single scalar multiplications our pattern allows an average improvement of \(40\,\%\) when compared with the most efficient atomic scalar multiplication published so far. Surprisingly, in other cases our choice remains very efficient. Besides, we also point out a security threat when the curve parameter \(a\) is null and propose an even more efficient pattern in this case.


Elliptic curves Scalar multiplication Straus-Shamir trick Side-Channel Analysis Atomicity 



The author is grateful to Christophe Giraud and Emmanuelle Dottax for their valuable comments on preliminary versions of this article. Many thanks also go to anonymous reviewers of Cardis 2013 for their advices.


  1. 1.
    Arno, S., Wheeler, F.: Signed digit representations of minimal Hamming weight. IEEE Trans. Comput. 42(8), 1007–1009 (1993)CrossRefGoogle Scholar
  2. 2.
    Brier, E., Joye, M.: Weierstraß elliptic curves and side-channel attacks. In: Naccache and Paillier [25], pp. 335–345Google Scholar
  3. 3.
    Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. Cryptology ePrint Archive, Report 2003/237 (2003).
  4. 4.
    Chudnovsky, D.V., Chudnovsky, G.V.: Sequences of numbers genereated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math. 7, 385–434 (1986)CrossRefzbMATHMathSciNetGoogle Scholar
  5. 5.
    Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  6. 6.
    Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  7. 7.
    ECC Brainpool: ECC brainpool standard curves and curve generation. BSI, internet Draft v. 3, (2009).
  8. 8.
    ElGamal, T.: A public-key cryptosystems and a signature scheme based on discret logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)CrossRefzbMATHMathSciNetGoogle Scholar
  9. 9.
    Faugère, J.-C., Goyet, C., Renault, G.: Attacking (EC)DSA given only an implicit hint. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 252–274. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  10. 10.
    FIPS PUB 186–4: Digital Signature Standard. National Institute of Standards and Technology, July 2013Google Scholar
  11. 11.
    Fischer, W., Giraud, C., Knudsen, E.W., Seifert, J.P.: Parallel scalar multiplication on general elliptic curves over \(\mathbb{F}_p\) hedged against non-differential side-channel attacks. Cryptology ePrint Archive, Report 2002/007, Jan 2002.
  12. 12.
    Giraud, C., Verneuil, V.: Atomicity improvement for elliptic curve scalar multiplication. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 80–101. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  13. 13.
    Giry, D., Bulens, P.: - Cryptographic Key Length Recommandation, Aug 2007.
  14. 14.
    Goundar, R.R., Joye, M., Miyaji, A., Rivain, M., Venelli, A.: Scalar multiplication on weierstraß elliptic curves from co- z arithmetic. J. Cryptol. 1(2), 161–176 (2011)CrossRefGoogle Scholar
  15. 15.
    Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography: Professional Computing Series. Springer, New York (2003)Google Scholar
  16. 16.
    Hutter, M., Joye, M., Sierra, Y.: Memory-constrained implementations of elliptic curve cryptography in co-Z coordinate representation. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 170–187. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  17. 17.
    ISO/IEC JTC1 SC17 WG3/TF5: Supplemental Access Control for Machine Readable Travel Documents. International Civial Aviation Organization, Nov 2010Google Scholar
  18. 18.
    Izu, T., Takagi, T.: A fast parallel elliptic curve multiplication resistant against side channel attacks. In: Naccache and Paillier [25], pp. 280–296Google Scholar
  19. 19.
    JORF n: Avis relatif aux paramètres de courbes elliptiques définis par l’État français, Oct 2011Google Scholar
  20. 20.
    Knuth, D.: The Art of Computer Programming, vol. 2, 3rd edn. Addison Wesley, Reading (1988)Google Scholar
  21. 21.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996) Google Scholar
  22. 22.
    Longa, P.: Accelerating the scalar multiplication on elliptic curve cryptosystems over prime fields. Master’s thesis, School of Information Technology and Engineering, University of Ottawa, Canada (2007)Google Scholar
  23. 23.
    Möller, B.: Improved techniques for fast exponentiation. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 298–312. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  24. 24.
    Montgomery, P.: Modular multiplication without trial division. Math. Comp. 44(170), 519–521 (1985)CrossRefzbMATHMathSciNetGoogle Scholar
  25. 25.
    Naccache, D., Paillier, P. (eds.): PKC 2002. LNCS, vol. 2274. Springer, Heidelberg (2002)zbMATHGoogle Scholar
  26. 26.
    Okeya, K., Kato, H., Nogami, Y.: Width-3 joint sparse form. In: Kwak, J., Deng, R.H., Won, Y., Wang, G. (eds.) ISPEC 2010. LNCS, vol. 6047, pp. 67–84. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  27. 27.
    Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)CrossRefzbMATHMathSciNetGoogle Scholar
  28. 28.
    Solinas, J.: Low-Weight Binary Representations for Pairs of Integers. Technical report (2001).
  29. 29.
    Solinas, J.A.: Efficient arithmetic on koblitz curves. Des. Codes Crypt. 19(2/3), 195–249 (2000)CrossRefzbMATHMathSciNetGoogle Scholar
  30. 30.
    Straus, E.G.: Addition chains of vectors (problem 5125). Am. Math. Monthly 70, 806–808 (1964)MathSciNetGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Oberthur TechnologiesCrypto GroupColombesFrance

Personalised recommendations