Skip to main content
SpringerLink
Log in
Book cover

International Conference on the Theory and Application of Cryptology and Information Security

ASIACRYPT 2021: Advances in Cryptology – ASIACRYPT 2021 pp 130–159Cite as

A Formula for Disaster: A Unified Approach to Elliptic Curve Special-Point-Based Attacks

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13090))

Abstract

The Refined Power Analysis, Zero-Value Point, and Exceptional Procedure attacks introduced side-channel techniques against specific cases of elliptic curve cryptography. The three attacks recover bits of a static ECDH key adaptively, collecting information on whether a certain multiple of the input point was computed. We unify and generalize these attacks in a common framework, and solve the corresponding problem for a broader class of inputs. We also introduce a version of the attack against windowed scalar multiplication methods, recovering the full scalar instead of just a part of it. Finally, we systematically analyze elliptic curve point addition formulas from the Explicit-Formulas Database, classify all non-trivial exceptional points, and find them in new formulas. These results indicate the usefulness of our tooling, which we released publicly, for unrolling formulas and finding special points, and potentially for independent future work.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    We use the name non-affine for coordinate systems other than affine coordinates and projective to denote the standard projective coordinates.

  2. 2.

    https://github.com/crocs-muni/efd.

  3. 3.

    The attack also applies to doubling. For simplicity, we only consider addition in this paper, but our results easily extend to doubling.

  4. 4.

    In principle, our techniques apply to other curves models as well, but we use the short Weierstrass model for simplicity, as it represents all curves.

  5. 5.

    We cannot always consider affine representations as f might not be homogeneous, but in practice this is not a problem, as we have freedom in choosing f.

  6. 6.

    The homogeneity of f allows us to only consider affine representations.

  7. 7.

    Some of the formulas are just adaptations for specific coefficients (e.g. \(a= -3\) for \(E_W\)), mixed additions, etc.

  8. 8.

    Occasionally omitting the cases where the result is the neutral element.

  9. 9.

    \(ZZ_i\) and \(ZZZ_i\) are variables whose values equal \(Z_i^2\) and \(Z_i^3\) throughout the computation, respectively.

  10. 10.

    We only consider Edwards curves with \(c=1\), since the others can be isomorphically rescaled to this case without affecting the nullity of the \(Z_3\) expressions.

  11. 11.

    Note that \(x_1\) does not directly affect \(X_4\) nor \(X_5\).

  12. 12.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2730.

  13. 13.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7781.

  14. 14.

    https://github.com/openssl/openssl/pull/7000.

  15. 15.

    https://github.com/openssl/openssl/issues/6999.

  16. 16.

    https://boringssl.googlesource.com/boringssl/+/12d9ed670da3edd64ce8175c.

  17. 17.

    https://pypi.org/project/fastecdsa/.

  18. 18.

    https://github.com/AntonKueltz/fastecdsa/pull/58.

  19. 19.

    https://github.com/crocs-muni/formula-for-disaster.

References

  1. Akishita, T., Takagi, T.: Zero-value point attacks on elliptic curve cryptosystem. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 218–233. Springer, Heidelberg (2003). https://doi.org/10.1007/10958513_17

    Chapter  Google Scholar 

  2. Belyavsky, D., Brumley, B.B., Chi-Domínguez, J., Rivera-Zamarripa, L., Ustinov, I.: Set it and forget it! Turnkey ECC for instant integration. In: ACSAC 2020: Annual Computer Security Applications Conference, Virtual Event/Austin, TX, USA, 7–11 December 2020, pp. 760–771. ACM (2020). https://doi.org/10.1145/3427228.3427291

  3. Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68164-9_26

    Chapter  Google Scholar 

  4. Bernstein, D.J., Lange, T.: Explicit-Formulas database (EFD) (2007). https://www.hyperelliptic.org/EFD/

  5. Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_3

    Chapter  Google Scholar 

  6. Bernstein, D.J., Lange, T.: Inverted Edwards coordinates. In: Boztaş, S., Lu, H.-F.F. (eds.) AAECC 2007. LNCS, vol. 4851, pp. 20–27. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77224-8_4

    Chapter  Google Scholar 

  7. Bosma, W., Lenstra, H.W., Jr.: Complete systems of two addition laws for elliptic curves. J. Number Theory 53(2), 229–240 (1995). https://doi.org/10.1006/jnth.1995.1088

    Article  MathSciNet  MATH  Google Scholar 

  8. Brier, É., Joye, M.: Weierstraß elliptic curves and side-channel attacks. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 335–345. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45664-3_24

    Chapter  Google Scholar 

  9. Castryck, W., Galbraith, S.D., Farashahi, R.R.: Efficient arithmetic on elliptic curves using a mixed Edwards-Montgomery representation. IACR Cryptol. ePrint Arch. 2008(218) (2008). http://eprint.iacr.org/2008/218

  10. Chudnovsky, D.V., Chudnovsky, G.V.: Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math. 7(4), 385–434 (1986). https://doi.org/10.1016/0196-8858(86)90023-0

    Article  MathSciNet  MATH  Google Scholar 

  11. Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1_6

    Chapter  Google Scholar 

  12. Costello, C., Lange, T., Naehrig, M.: Faster pairing computations on curves with high-degree twists. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 224–242. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_14

    Chapter  Google Scholar 

  13. Costello, C., Smith, B.: Montgomery curves and their arithmetic - the case of large characteristic fields. J. Cryptogr. Eng. 8(3), 227–240 (2018). https://doi.org/10.1007/s13389-017-0157-6

    Article  Google Scholar 

  14. Crépeau, C., Kazmi, R.A.: An analysis of ZVP-attack on ECC cryptosystems. IACR Cryptol. ePrint Arch. 2012(329) (2012). https://eprint.iacr.org/2012/329

  15. Danger, J., Guilley, S., Hoogvorst, P., Murdica, C., Naccache, D.: Dynamic countermeasure against the zero power analysis. In: IEEE International Symposium on Signal Processing and Information Technology, Athens, Greece, 12–15 December 2013, pp. 140–147. IEEE Computer Society (2013). https://doi.org/10.1109/ISSPIT.2013.6781869

  16. Danger, J.-L., Guilley, S., Hoogvorst, P., Murdica, C., Naccache, D.: A synthesis of side-channel attacks on elliptic curve cryptography in smart-cards. J. Cryptogr. Eng. 3(4), 241–265 (2013). https://doi.org/10.1007/s13389-013-0062-6

    Article  Google Scholar 

  17. Edwards, H.M.: A normal form for elliptic curves. Bull. Amer. Math. Soc. (N.S.) 44(3), 393–422 (2007). https://doi.org/10.1090/S0273-0979-07-01153-6

  18. Fan, J., Gierlichs, B., Vercauteren, F.: To infinity and beyond: combined attack on ECC using points of low order. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 143–159. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_10

    Chapter  MATH  Google Scholar 

  19. Gaudry, P.: Variants of the Montgomery form based on Theta functions. Toronto, November 2006

    Google Scholar 

  20. Goubin, L.: A refined power-analysis attack on elliptic curve cryptosystems. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 199–211. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_15

    Chapter  Google Scholar 

  21. Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer Professional Computing, Springer, New York (2004). https://doi.org/10.1016/s0012-365x(04)00102-5

  22. Hasegawa, T., Nakajima, J., Matsui, M.: A practical implementation of elliptic curve cryptosystems over GF(p) on a 16-bit microcomputer. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, pp. 182–194. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054024

    Chapter  Google Scholar 

  23. Hisil, H., Carter, G., Dawson, E.: New formulae for efficient elliptic curve arithmetic. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 138–151. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77026-8_11

    Chapter  Google Scholar 

  24. Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_20

    Chapter  Google Scholar 

  25. Izu, T., Takagi, T.: A fast parallel elliptic curve multiplication resistant against side channel attacks. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 280–296. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45664-3_20

    Chapter  Google Scholar 

  26. Izu, T., Takagi, T.: Exceptional procedure attack on elliptic curve cryptosystems. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 224–239. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_17

    Chapter  Google Scholar 

  27. Jancar, J.: PYECSCA: reverse-engineering black-box elliptic curve cryptography implementations via side-channels. Master’s thesis, Masaryk University, Brno, Czechia (2020). https://is.muni.cz/th/fjgay/

  28. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987). https://doi.org/10.2307/2007884

    Article  MathSciNet  MATH  Google Scholar 

  29. Martínez, S., Sadornil, D., Tena, J., Tomàs, R., Valls, M.: On Edwards curves and ZVP-attacks. Appl. Algebra Eng. Commun. Comput. 24(6), 507–517 (2013). https://doi.org/10.1007/s00200-013-0211-2

    Article  MathSciNet  MATH  Google Scholar 

  30. Meloni, N.: New point addition formulae for ECC applications. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 189–201. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73074-3_15

    Chapter  Google Scholar 

  31. Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_31

    Chapter  Google Scholar 

  32. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987). https://doi.org/10.2307/2007888

    Article  MathSciNet  MATH  Google Scholar 

  33. Murdica, C., Guilley, S., Danger, J.-L., Hoogvorst, P., Naccache, D.: Same values power analysis using special points on elliptic curves. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 183–198. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29912-4_14

    Chapter  Google Scholar 

  34. Renes, J., Costello, C., Batina, L.: Complete addition formulas for prime order elliptic curves. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 403–428. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_16

    Chapter  Google Scholar 

  35. Smart, N.P.: An analysis of Goubin’s refined power analysis attack. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 281–290. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45238-6_23

    Chapter  Google Scholar 

  36. Tuveri, N., ul Hassan, S., Pereida García, C., Brumley, B.B.: Side-channel analysis of SM2: a late-stage featurization case study. In: Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, San Juan, PR, USA, 03–07 December 2018, pp. 147–160. ACM (2018). https://doi.org/10.1145/3274694.3274725

  37. Valenta, L., Sullivan, N., Sanso, A., Heninger, N.: In search of CurveSwap: measuring elliptic curve implementations in the wild. In: 2018 IEEE European Symposium on Security and Privacy, EuroS&P 2018, London, United Kingdom, 24–26 April 2018, pp. 384–398. IEEE (2018). https://doi.org/10.1109/EuroSP.2018.00034

  38. Washington, L.C.: Elliptic Curves: Number Theory and Cryptography. Discrete Mathematics and Its Applications, 2nd edn. Chapman and Hall/CRC (2008). https://doi.org/10.1201/9781420071474

  39. Weiser, S., Schrammel, D., Bodner, L., Spreitzer, R.: Big numbers - big troubles: systematically analyzing nonce leakage in (EC)DSA implementations. In: Capkun, S., Roesner, F. (eds.) 29th USENIX Security Symposium, USENIX Security 2020, 12–14 August 2020, pp. 1767–1784. USENIX Association (2020). https://www.usenix.org/conference/usenixsecurity20/presentation/weiser

  40. Zhang, F., Lin, Q., Liu, S.: Zero-value point attacks on Kummer-based cryptosystem. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 293–310. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31284-7_18

    Chapter  Google Scholar 

Download references

Acknowledgments

The authors would like thank Marek Sys for helpful consultations. This project has initially received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 804476), and it has been made possible in part by a grant from the Cisco University Research Program Fund, an advised fund of Silicon Valley Community Foundation. This project started when J. J. Chi-Domínguez was a postdoctoral researcher at Tampere University. V. Sedlacek and J. Jancar were supported by Czech Science Foundation project GA20-03426S. J. Jancar was also supported by Red Hat Czech and V. Sedlacek by the Ph.D. Talent Scholarship - funded by the Brno City Municipality.

Author information

Authors and Affiliations

  1. Masaryk University, Brno, Czech Republic

    Vladimir Sedlacek & Jan Jancar

  2. Ca’Foscari University, Venice, Italy

    Vladimir Sedlacek

  3. Cryptography Research Centre, Technology Innovation Institute, Abu Dhabi, UAE

    Jesús-Javier Chi-Domínguez

  4. Tampere University, Tampere, Finland

    Jesús-Javier Chi-Domínguez & Billy Bob Brumley

Authors
  1. Vladimir Sedlacek
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jesús-Javier Chi-Domínguez
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jan Jancar
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Billy Bob Brumley
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Vladimir Sedlacek .

Editor information

Editors and Affiliations

  1. NTT Corporation, Tokyo, Japan

    Mehdi Tibouchi

  2. Nanyang Technological University, Singapore, Singapore

    Huaxiong Wang

Appendices

A Example: ZVP Attack on Window NAF Scalar Multiplication

To demonstrate the ZVP attack on a window NAF scalar multiplication algorithm (window size of 5), we used the pyecsca toolkit. We demonstrate the attack on NIST’s P-224 curve, which has no points suitable for RPA. Figure 2 shows the basic setup of the attack, with zvp_p0 being a point which zeros out an intermediate value when input into the add-2016-rcb formulas in projective coordinates, regardless of the second input point (Fig. 3).

B Example: Unrolled Formula

To analyze the ZVP and EPA attacks, we developed tooling for “unrolling” EFD formulas. The tooling expresses all the intermediate values in the formula as polynomials in the input variables. Figure 4 gives an excerpt of the unrolled add-2007-bl formula in projective coordinates on short Weierstrass curves.

Fig. 2.
figure 2

Setup for the ZVP window NAF attack.

Full size image
Fig. 3.
figure 3

ZVP attack demonstration on window NAF scalar multiplication algorithm.

Full size image
Fig. 4.
figure 4

An excerpt of an unrolled formula, add-2007-bl in projective coordinates on short Weierstrass curves.

Full size image

Rights and permissions

Reprints and permissions

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Sedlacek, V., Chi-Domínguez, JJ., Jancar, J., Brumley, B.B. (2021). A Formula for Disaster: A Unified Approach to Elliptic Curve Special-Point-Based Attacks. In: Tibouchi, M., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2021. ASIACRYPT 2021. Lecture Notes in Computer Science(), vol 13090. Springer, Cham. https://doi.org/10.1007/978-3-030-92062-3_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-92062-3_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92061-6

  • Online ISBN: 978-3-030-92062-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation