Side-Channel Analysis on Blinded Regular Scalar Multiplications
We present a new side-channel attack path that threatens state-of-the-art protected implementations of embedded elliptic curve scalar multiplication. Regular algorithms such as double-and-add-always and the Montgomery ladder are commonly used to protect the scalar multiplication from simple side-channel analysis. Combining such algorithms with scalar and/or point blinding countermeasures leads to scalar multiplications protected from all previously known attacks. Scalar randomization, which consists in adding a random multiple of the group order to the scalar value, is a popular countermeasure because of its efficiency. Among the curves defined for use in elliptic curve products, the most widely used are those standardized by NIST. As observed in several previous publications, the moduli, and hence the orders, of these curves are sparse, primarily for efficiency reasons. In this paper we take advantage of this property to present new attack paths that combine vertical and horizontal side-channel attacks to recover the entire secret scalar from state-of-the-art protected elliptic curve implementations.
Keywords: Elliptic curves, Scalar multiplication, Side-channel analysis, Correlation analysis
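The arithmetic fact behind the abstract's remark on sparse orders, as an added Python illustration (not code from the paper, and not its attack path): with the NIST P-256 group order n and a 32-bit blinding factor r, the top 32 bits of the blinded scalar d' = d + r·n are always r or r-1, and the leading words of r·n follow a fixed pattern, so the blinding hides far less of the scalar's structure than it appears to. The side-channel step itself, recovering bits of d' from traces, is where the paper's vertical and horizontal attacks come in and is not modelled here; the example assumes the attacker already knows d'. `N_P256` is the public group order from FIPS 186 / SEC 2; the 32-bit blinding length, the function names and the sample values are assumptions made for this example.

```python
import secrets

# NIST P-256 (secp256r1) group order, a public constant from FIPS 186 / SEC 2.
N_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
K = 256            # bit length of the order
WORD = 32          # word size used to display the structure (an assumption)
MASK = (1 << WORD) - 1


def blind(d: int, r: int, n: int = N_P256) -> int:
    """Scalar randomization as in the abstract: d' = d + r*n."""
    return d + r * n


def words(x: int, count: int) -> list:
    """Split x into `count` 32-bit words, most significant first."""
    return [(x >> (WORD * i)) & MASK for i in reversed(range(count))]


def top_word_pins_r(n: int, k: int, r_bits: int) -> bool:
    """True when, for every r < 2**r_bits and 0 <= d < n, (d + r*n) >> k is r-1 or r.

    d + r*n < (r+1)*n < (r+1)*2**k gives the upper bound; d + r*n >= r*n =
    r*2**k - r*(2**k - n) >= (r-1)*2**k as soon as r*(2**k - n) <= 2**k, which
    holds for all r < 2**r_bits exactly when 2**k - n < 2**(k - r_bits).
    For P-256, 2**256 - n is just under 2**224, so this is true for 32-bit r.
    """
    return (1 << k) - n < (1 << (k - r_bits))


def r_candidates(d_blind: int, k: int = K) -> tuple:
    """The two blinding factors consistent with the top bits of d'."""
    t = d_blind >> k
    return (t, t + 1)


def unblind(d_blind: int, n: int = N_P256, k: int = K) -> tuple:
    """Recover (r, d) from a full blinded scalar: the two candidates differ by
    one, so d' - r*n lands in [0, n) for exactly one of them."""
    for r in r_candidates(d_blind, k):
        d = d_blind - r * n
        if 0 <= d < n:
            return r, d
    raise ValueError("top word not consistent with a 32-bit blinding factor")


def demo(r_bits: int = 32) -> bool:
    """Constructed random instance; returns True if unblinding succeeds."""
    d = secrets.randbelow(N_P256)
    r = secrets.randbelow(1 << r_bits) or 1   # avoid r = 0 (no blinding at all)
    return unblind(blind(d, r)) == (r, d)


if __name__ == "__main__":
    # Sparse order: the leading words of r*n are r-1, 2^32-r, r-1, 0xFFFFFFFF.
    for r in (1, 2, 0xDEADBEEF):
        print(f"r={r:#x}: leading words of r*n = {[hex(w) for w in words(r * N_P256, 9)[:4]]}")
    print("32-bit r pins the top word to {r-1, r}:", top_word_pins_r(N_P256, K, 32))
    print("64-bit r pins the top word to {r-1, r}:", top_word_pins_r(N_P256, K, 64))
    print("unblinding from a known d' succeeded:", demo())
```

The word pattern of r·n comes directly from n = 2^256 - 2^224 + 2^192 - 2^128 + c with c < 2^128: the all-ones word at bit positions 160..191 and the repeated r-1 are the "sparse order" structure the abstract refers to. Lengthening r to 64 bits makes `top_word_pins_r` return False, but that only removes this particular two-candidate shortcut; it does not by itself make the countermeasure sound against the combined attacks the paper describes.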