Abstract
The Refined Power Analysis, Zero-Value Point, and Exceptional Procedure attacks introduced side-channel techniques against specific cases of elliptic curve cryptography. The three attacks recover bits of a static ECDH key adaptively, collecting information on whether a certain multiple of the input point was computed. We unify and generalize these attacks in a common framework, and solve the corresponding problem for a broader class of inputs. We also introduce a version of the attack against windowed scalar multiplication methods, recovering the full scalar instead of just a part of it. Finally, we systematically analyze elliptic curve point addition formulas from the Explicit-Formulas Database, classify all non-trivial exceptional points, and find them in new formulas. These results indicate the usefulness of our tooling, which we released publicly, for unrolling formulas and finding special points, and potentially for independent future work.
Notes
1. We use the name non-affine for coordinate systems other than affine coordinates and projective to denote the standard projective coordinates.
3. The attack also applies to doubling. For simplicity, we only consider addition in this paper, but our results easily extend to doubling.
4. In principle, our techniques apply to other curve models as well, but we use the short Weierstrass model for simplicity, as it represents all curves.
5. We cannot always consider affine representations as f might not be homogeneous, but in practice this is not a problem, as we have freedom in choosing f.
6. The homogeneity of f allows us to only consider affine representations.
7. Some of the formulas are just adaptations for specific coefficients (e.g. \(a= -3\) for \(E_W\)), mixed additions, etc.
8. Occasionally omitting the cases where the result is the neutral element.
9. \(ZZ_i\) and \(ZZZ_i\) are variables whose values equal \(Z_i^2\) and \(Z_i^3\) throughout the computation, respectively.
10. We only consider Edwards curves with \(c=1\), since the others can be isomorphically rescaled to this case without affecting the nullity of the \(Z_3\) expressions.
11. Note that \(x_1\) does not directly affect \(X_4\) nor \(X_5\).
References
Akishita, T., Takagi, T.: Zero-value point attacks on elliptic curve cryptosystem. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 218–233. Springer, Heidelberg (2003). https://doi.org/10.1007/10958513_17
Belyavsky, D., Brumley, B.B., Chi-Domínguez, J., Rivera-Zamarripa, L., Ustinov, I.: Set it and forget it! Turnkey ECC for instant integration. In: ACSAC 2020: Annual Computer Security Applications Conference, Virtual Event/Austin, TX, USA, 7–11 December 2020, pp. 760–771. ACM (2020). https://doi.org/10.1145/3427228.3427291
Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68164-9_26
Bernstein, D.J., Lange, T.: Explicit-Formulas database (EFD) (2007). https://www.hyperelliptic.org/EFD/
Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_3
Bernstein, D.J., Lange, T.: Inverted Edwards coordinates. In: Boztaş, S., Lu, H.-F.F. (eds.) AAECC 2007. LNCS, vol. 4851, pp. 20–27. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77224-8_4
Bosma, W., Lenstra, H.W., Jr.: Complete systems of two addition laws for elliptic curves. J. Number Theory 53(2), 229–240 (1995). https://doi.org/10.1006/jnth.1995.1088
Brier, É., Joye, M.: Weierstraß elliptic curves and side-channel attacks. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 335–345. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45664-3_24
Castryck, W., Galbraith, S.D., Farashahi, R.R.: Efficient arithmetic on elliptic curves using a mixed Edwards-Montgomery representation. IACR Cryptol. ePrint Arch. 2008(218) (2008). http://eprint.iacr.org/2008/218
Chudnovsky, D.V., Chudnovsky, G.V.: Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math. 7(4), 385–434 (1986). https://doi.org/10.1016/0196-8858(86)90023-0
Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1_6
Costello, C., Lange, T., Naehrig, M.: Faster pairing computations on curves with high-degree twists. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 224–242. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_14
Costello, C., Smith, B.: Montgomery curves and their arithmetic - the case of large characteristic fields. J. Cryptogr. Eng. 8(3), 227–240 (2018). https://doi.org/10.1007/s13389-017-0157-6
Crépeau, C., Kazmi, R.A.: An analysis of ZVP-attack on ECC cryptosystems. IACR Cryptol. ePrint Arch. 2012(329) (2012). https://eprint.iacr.org/2012/329
Danger, J., Guilley, S., Hoogvorst, P., Murdica, C., Naccache, D.: Dynamic countermeasure against the zero power analysis. In: IEEE International Symposium on Signal Processing and Information Technology, Athens, Greece, 12–15 December 2013, pp. 140–147. IEEE Computer Society (2013). https://doi.org/10.1109/ISSPIT.2013.6781869
Danger, J.-L., Guilley, S., Hoogvorst, P., Murdica, C., Naccache, D.: A synthesis of side-channel attacks on elliptic curve cryptography in smart-cards. J. Cryptogr. Eng. 3(4), 241–265 (2013). https://doi.org/10.1007/s13389-013-0062-6
Edwards, H.M.: A normal form for elliptic curves. Bull. Amer. Math. Soc. (N.S.) 44(3), 393–422 (2007). https://doi.org/10.1090/S0273-0979-07-01153-6
Fan, J., Gierlichs, B., Vercauteren, F.: To infinity and beyond: combined attack on ECC using points of low order. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 143–159. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_10
Gaudry, P.: Variants of the Montgomery form based on Theta functions. Toronto, November 2006
Goubin, L.: A refined power-analysis attack on elliptic curve cryptosystems. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 199–211. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_15
Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer Professional Computing, Springer, New York (2004). https://doi.org/10.1016/s0012-365x(04)00102-5
Hasegawa, T., Nakajima, J., Matsui, M.: A practical implementation of elliptic curve cryptosystems over GF(p) on a 16-bit microcomputer. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, pp. 182–194. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054024
Hisil, H., Carter, G., Dawson, E.: New formulae for efficient elliptic curve arithmetic. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 138–151. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77026-8_11
Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_20
Izu, T., Takagi, T.: A fast parallel elliptic curve multiplication resistant against side channel attacks. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 280–296. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45664-3_20
Izu, T., Takagi, T.: Exceptional procedure attack on elliptic curve cryptosystems. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 224–239. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_17
Jancar, J.: PYECSCA: reverse-engineering black-box elliptic curve cryptography implementations via side-channels. Master’s thesis, Masaryk University, Brno, Czechia (2020). https://is.muni.cz/th/fjgay/
Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987). https://doi.org/10.2307/2007884
Martínez, S., Sadornil, D., Tena, J., Tomàs, R., Valls, M.: On Edwards curves and ZVP-attacks. Appl. Algebra Eng. Commun. Comput. 24(6), 507–517 (2013). https://doi.org/10.1007/s00200-013-0211-2
Meloni, N.: New point addition formulae for ECC applications. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 189–201. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73074-3_15
Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_31
Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987). https://doi.org/10.2307/2007888
Murdica, C., Guilley, S., Danger, J.-L., Hoogvorst, P., Naccache, D.: Same values power analysis using special points on elliptic curves. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 183–198. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29912-4_14
Renes, J., Costello, C., Batina, L.: Complete addition formulas for prime order elliptic curves. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 403–428. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_16
Smart, N.P.: An analysis of Goubin’s refined power analysis attack. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 281–290. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45238-6_23
Tuveri, N., ul Hassan, S., Pereida García, C., Brumley, B.B.: Side-channel analysis of SM2: a late-stage featurization case study. In: Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC 2018, San Juan, PR, USA, 03–07 December 2018, pp. 147–160. ACM (2018). https://doi.org/10.1145/3274694.3274725
Valenta, L., Sullivan, N., Sanso, A., Heninger, N.: In search of CurveSwap: measuring elliptic curve implementations in the wild. In: 2018 IEEE European Symposium on Security and Privacy, EuroS&P 2018, London, United Kingdom, 24–26 April 2018, pp. 384–398. IEEE (2018). https://doi.org/10.1109/EuroSP.2018.00034
Washington, L.C.: Elliptic Curves: Number Theory and Cryptography. Discrete Mathematics and Its Applications, 2nd edn. Chapman and Hall/CRC (2008). https://doi.org/10.1201/9781420071474
Weiser, S., Schrammel, D., Bodner, L., Spreitzer, R.: Big numbers - big troubles: systematically analyzing nonce leakage in (EC)DSA implementations. In: Capkun, S., Roesner, F. (eds.) 29th USENIX Security Symposium, USENIX Security 2020, 12–14 August 2020, pp. 1767–1784. USENIX Association (2020). https://www.usenix.org/conference/usenixsecurity20/presentation/weiser
Zhang, F., Lin, Q., Liu, S.: Zero-value point attacks on Kummer-based cryptosystem. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 293–310. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31284-7_18
Acknowledgments
The authors would like to thank Marek Sys for helpful consultations. This project has initially received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 804476), and it has been made possible in part by a grant from the Cisco University Research Program Fund, an advised fund of Silicon Valley Community Foundation. This project started when J. J. Chi-Domínguez was a postdoctoral researcher at Tampere University. V. Sedlacek and J. Jancar were supported by Czech Science Foundation project GA20-03426S. J. Jancar was also supported by Red Hat Czech and V. Sedlacek by the Ph.D. Talent Scholarship, funded by the Brno City Municipality.
Appendices
A Example: ZVP Attack on Window NAF Scalar Multiplication
To demonstrate the ZVP attack on a window NAF scalar multiplication algorithm (window size of 5), we used the pyecsca toolkit. We demonstrate the attack on NIST’s P-224 curve, which has no points suitable for RPA. Figure 2 shows the basic setup of the attack, with zvp_p0 being a point that zeroes out an intermediate value when input to the add-2016-rcb formulas in projective coordinates, regardless of the second input point (see Fig. 3).
B Example: Unrolled Formula
To analyze the ZVP and EPA attacks, we developed tooling for “unrolling” EFD formulas. The tooling expresses all the intermediate values in the formula as polynomials in the input variables. Figure 4 gives an excerpt of the unrolled add-2007-bl formula in projective coordinates on short Weierstrass curves.
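The following is an added illustration of the unrolling idea described here and of the "zero-valued intermediate" notion used in Appendix A; it is example code written for this page, not the paper's pyecsca tooling. It implements a minimal multivariate polynomial type, evaluates each line of an EFD-style formula symbolically so that every intermediate becomes a polynomial in the input coordinates, and then reports which intermediates vanish for a given input. The operation sequence labelled ADD_2007_BL is the projective short Weierstrass addition as recalled from the EFD and should be treated as an assumption; the input coordinates used at the bottom are constructed for illustration and are not points on any particular curve.

```python
"""Unroll an EFD-style addition formula into polynomials in its inputs.

Added example (not the paper's tooling). ADD_2007_BL is the projective short
Weierstrass addition as recalled from the EFD: an assumption, not a citation.
"""
from functools import reduce

VARS = ("X1", "Y1", "Z1", "X2", "Y2", "Z2", "a")
ZERO_EXP = (0,) * len(VARS)


def _lift(v):
    return v if isinstance(v, Poly) else Poly.const(v)


class Poly:
    """Multivariate polynomial with integer coefficients, stored as
    {exponent tuple over VARS: coefficient}; zero coefficients are dropped."""

    def __init__(self, terms=None):
        self.terms = {m: c for m, c in (terms or {}).items() if c != 0}

    @classmethod
    def const(cls, c):
        return cls({ZERO_EXP: int(c)})

    @classmethod
    def var(cls, name):
        exp = [0] * len(VARS)
        exp[VARS.index(name)] = 1
        return cls({tuple(exp): 1})

    def __add__(self, other):
        t = dict(self.terms)
        for m, c in _lift(other).terms.items():
            t[m] = t.get(m, 0) + c
        return Poly(t)

    __radd__ = __add__

    def __neg__(self):
        return Poly({m: -c for m, c in self.terms.items()})

    def __sub__(self, other):
        return self + (-_lift(other))

    def __rsub__(self, other):
        return _lift(other) - self

    def __mul__(self, other):
        t = {}
        for m1, c1 in self.terms.items():
            for m2, c2 in _lift(other).terms.items():
                m = tuple(x + y for x, y in zip(m1, m2))
                t[m] = t.get(m, 0) + c1 * c2
        return Poly(t)

    __rmul__ = __mul__

    def __pow__(self, n):
        return reduce(lambda acc, _: acc * self, range(n), Poly.const(1))

    def __eq__(self, other):
        return self.terms == _lift(other).terms

    def evaluate(self, env, p=None):
        """Plug concrete coordinates (dict over VARS) into the polynomial,
        optionally reducing modulo a prime p."""
        total = 0
        for m, c in self.terms.items():
            term = c
            for name, e in zip(VARS, m):
                term *= env[name] ** e
            total += term
        return total % p if p else total

    def __str__(self):
        if not self.terms:
            return "0"
        parts = []
        for m, c in sorted(self.terms.items(), reverse=True):
            mono = "*".join(f"{v}^{e}" if e > 1 else v for v, e in zip(VARS, m) if e)
            coef = "" if c == 1 and mono else f"{c}*" if mono else str(c)
            parts.append(coef + mono)
        return " + ".join(parts)


# Assumed operation sequence of add-2007-bl (projective, short Weierstrass).
ADD_2007_BL = """
U1 = X1*Z2
U2 = X2*Z1
S1 = Y1*Z2
S2 = Y2*Z1
ZZ = Z1*Z2
T = U1+U2
TT = T^2
M = S1+S2
R = TT-U1*U2+a*ZZ^2
F = ZZ*M
L = M*F
LL = L^2
G = (T+L)^2-TT-LL
W = 2*R^2-G
X3 = 2*F*W
Y3 = R*(G-2*W)-2*LL
Z3 = 4*F*F^2
"""


def unroll(formula):
    """Evaluate each 'name = expression' line symbolically, so every
    intermediate becomes a polynomial in the input coordinates.
    The formula text is trusted (it comes from this file), hence eval."""
    env = {v: Poly.var(v) for v in VARS}
    out = {}
    for line in formula.strip().splitlines():
        name, expr = (s.strip() for s in line.split("="))
        out[name] = eval(expr.replace("^", "**"), {"__builtins__": {}}, env)
        env[name] = out[name]
    return out


def zero_intermediates(unrolled, point, p=None):
    """Names of intermediates whose polynomial vanishes at the given input."""
    return [n for n, poly in unrolled.items() if poly.evaluate(point, p) == 0]


if __name__ == "__main__":
    u = unroll(ADD_2007_BL)
    print("T  =", u["T"])
    # Constructed inputs (Z1 = Z2 = 1): with x2 = -x1 the intermediate T = U1 + U2
    # vanishes, and TT and G vanish with it. Not points on a real curve.
    special = {"X1": 2, "Y1": 3, "Z1": 1, "X2": -2, "Y2": 5, "Z2": 1, "a": 1}
    generic = {"X1": 2, "Y1": 3, "Z1": 1, "X2": 5, "Y2": 7, "Z2": 1, "a": 1}
    print("zero at x1 = -x2:", zero_intermediates(u, special))
    print("zero for generic input:", zero_intermediates(u, generic))
```

The unrolled polynomial for T is X1*Z2 + X2*Z1, so a pair of inputs with x1 = -x2 in affine terms zeroes that intermediate for any y-coordinates and any curve coefficient; this is the kind of input-dependent condition the unrolling makes visible, and a formula reviewer would look for such conditions before deploying a formula in an implementation that must resist ZVP-style attacks.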
Copyright information
© 2021 International Association for Cryptologic Research
Cite this paper
Sedlacek, V., Chi-Domínguez, JJ., Jancar, J., Brumley, B.B. (2021). A Formula for Disaster: A Unified Approach to Elliptic Curve Special-Point-Based Attacks. In: Tibouchi, M., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2021. ASIACRYPT 2021. Lecture Notes in Computer Science(), vol 13090. Springer, Cham. https://doi.org/10.1007/978-3-030-92062-3_5
DOI: https://doi.org/10.1007/978-3-030-92062-3_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-92061-6
Online ISBN: 978-3-030-92062-3
eBook Packages: Computer Science, Computer Science (R0)