Abstract
The field of elliptic curve cryptography has recently experienced a deployment of new models of elliptic curves, such as Montgomery or twisted Edwards. Computations on these curves have been proven to be exception-free and easy to make constant-time. Unfortunately many standards define elliptic curves in the short Weierstrass model, where the above properties are harder to achieve. This is especially true when scalar blinding, a simple but widely deployed side-channel attacks countermeasure, is adopted. In this paper we analyze previously undisclosed exceptional cases of popular scalar multiplication algorithms, highlighting the need for proofs of correctness. Then, with the final goal of providing a compact ECC hardware accelerator for embedded platforms, suitable to offload computations on all elliptic curve models, we present a constant-time adaptation of the Montgomery ladder, leveraging addition formulas by Izu and Takagi, that we prove return the correct result for any input point, any scalar value, on all elliptic curves in Weierstrass form defined over \(\mathbb {F}_p\) with \(p \ne 2,3\).
Notes
1. Montgomery ladder on the Montgomery curve Curve25519 with \(A=486662\), \(B=1\).
2. M: multiplication, S: squaring, Ma, Mb, Mb4: multiplication by constants, a: addition.
References
[1] Bauer, A., Jaulmes, É., Prouff, E., Reinhard, J.R., Wild, J.: Horizontal collision correlation attack on elliptic curves. Cryptogr. Commun. 7(1), 91–119 (2015)
[2] Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). doi:10.1007/11745853_14
[3] Bernstein, D.J.: Does the Curve25519 Montgomery ladder always work? CFRG mailing list. https://www.ietf.org/mail-archive/web/cfrg/current/msg05004.html (2014). Accessed 22 Jan 2016
[4] Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007). doi:10.1007/978-3-540-76900-2_3
[5] Bernstein, D.J., Lange, T.: Explicit-Formulas Database (2016). http://hyperelliptic.org/EFD
[6] Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000). doi:10.1007/3-540-44598-6_8
[7] Bos, J.W., Costello, C., Longa, P., Naehrig, M.: Selecting elliptic curves for cryptography: an efficiency and security analysis. J. Cryptogr. Eng. 6(4), 259–286 (2016). doi:10.1007/s13389-015-0097-y
[8] Brier, E., Joye, M.: Weierstraß elliptic curves and side-channel attacks. In: Naccache and Paillier [24], pp. 335–345
[9] Brumley, B.B., Tuveri, N.: Remote timing attacks are still practical. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 355–371. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23822-2_20
[10] Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999). doi:10.1007/3-540-48059-5_25
[11] Danger, J.-L., Guilley, S., Hoogvorst, P., Murdica, C., Naccache, D.: Improving the Big Mac attack on elliptic curve cryptography. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 374–386. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49301-4_23
[12] Dugardin, M., Papachristodoulou, L., Najm, Z., Batina, L., Danger, J.-L., Guilley, S.: Dismantling real-world ECC with horizontal and vertical template attacks. In: Standaert, F.-X., Oswald, E. (eds.) COSADE 2016. LNCS, vol. 9689, pp. 88–108. Springer, Heidelberg (2016). doi:10.1007/978-3-319-43283-0_6
[13] Ebeid, N.M., Lambert, R.: Securing the elliptic curve Montgomery ladder against fault attacks. In: Breveglieri, L., Koren, I., Naccache, D., Oswald, E., Seifert, J. (eds.) Sixth International Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2009, Lausanne, Switzerland, 6 September 2009, pp. 46–50. IEEE Computer Society (2009)
[14] Fouque, P., Lercier, R., Réal, D., Valette, F.: Fault attack on elliptic curve Montgomery ladder implementation. In: Breveglieri, L., Gueron, S., Koren, I., Naccache, D., Seifert, J. (eds.) Fifth International Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2008, Washington, DC, USA, 10 August 2008, pp. 92–98. IEEE Computer Society (2008)
[15] Goundar, R.R., Joye, M., Miyaji, A.: Co-Z addition formulæ and binary ladders on elliptic curves. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 65–79. Springer, Heidelberg (2010). doi:10.1007/978-3-642-15031-9_5
[16] Goundar, R.R., Joye, M., Miyaji, A., Rivain, M., Venelli, A.: Scalar multiplication on Weierstraß elliptic curves from Co-Z arithmetic. J. Cryptogr. Eng. 1(2), 161–176 (2011)
[17] Hutter, M., Joye, M., Sierra, Y.: Memory-constrained implementations of elliptic curve cryptography in Co-Z coordinate representation. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 170–187. Springer, Heidelberg (2011). doi:10.1007/978-3-642-21969-6_11
[18] Izu, T., Möller, B., Takagi, T.: Improved elliptic curve multiplication methods resistant against side channel attacks. In: Menezes, A., Sarkar, P. (eds.) INDOCRYPT 2002. LNCS, vol. 2551, pp. 296–313. Springer, Heidelberg (2002). doi:10.1007/3-540-36231-2_24
[19] Izu, T., Takagi, T.: A fast parallel elliptic curve multiplication resistant against side channel attacks. In: Naccache and Paillier [24], pp. 280–296
[20] Izu, T., Takagi, T.: Exceptional procedure attack on elliptic curve cryptosystems. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 224–239. Springer, Heidelberg (2003). doi:10.1007/3-540-36288-6_17
[21] Joye, M., Tymen, C.: Protections against differential analysis for elliptic curve cryptography — an algebraic approach —. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 377–390. Springer, Heidelberg (2001). doi:10.1007/3-540-44709-1_31
[22] Kim, K. (ed.): ICISC 2001. LNCS, vol. 2288. Springer, Heidelberg (2002)
[23] Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)
[24] Naccache, D., Paillier, P. (eds.): PKC 2002. LNCS, vol. 2274. Springer, Heidelberg (2002)
[25] Okeya, K., Miyazaki, K., Sakurai, K.: A fast scalar multiplication method with randomized projective coordinates on a Montgomery-form elliptic curve secure against side channel attacks. In: Kim [22], pp. 428–439
[26] Renes, J., Costello, C., Batina, L.: Complete addition formulas for prime order elliptic curves. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 403–428. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49890-3_16
[27] Schindler, W., Wiemers, A.: Efficient side-channel attacks on scalar blinding on elliptic curves with special structure. NIST Workshop on ECC Standards (2015)
[28] Yen, S., Kim, S., Lim, S., Moon, S.: A countermeasure against one physical cryptanalysis may benefit another attack. In: Kim [22], pp. 414–427
Appendices
A X-only Scalar Multiplication
We now state and prove an analogue of Theorem 2.1 of [2] that holds for short Weierstrass curves (together with the function \(X_{1}\)). The function \(X_{1}:E(\mathbb {F}_{p^{2}})\rightarrow \mathbb {F}_{p^{2}}\times \left\{ 0,1\right\} \) is defined by \(X_{1}(\infty )=(0,0)\) and \(X_{1}(x,y)=(x,1)\); in what follows \(\delta \) denotes the smallest non-square integer in \(\mathbb {F}_{p}\). For an exact description of the operations on the extension field \(\mathbb {F}_{p^{2}}\) see [2, Appendix A]; the addition law we refer to, however, is the one described in Sect. 2.
First note that the following three sets are subgroups of \(E(\mathbb {F}_{p^{2}})\):
- \(\left\{ \infty ,\text {points of order two}\right\} \). Indeed, if there is just one point of order two, \(\infty +\infty =\infty \); \((q_{1},0)+(q_{1},0)=\infty \); and \((q_{1},0)+\infty =(q_{1},0)\). If there are three such points we have in addition that \((q_{1},0)+(q_{2},0)=(q_{3},0)\).
- \(\left\{ \infty \right\} \cup (E(\mathbb {F}_{p^{2}})\cap (\mathbb {F}_{p}\times \mathbb {F}_{p}))\). Indeed, if \(x,y,x^\prime ,y^\prime \in \mathbb {F}_{p}\) then the quantities \(\lambda ,x_{3},y_{3}\) defined as in Eq. 2 are all in \(\mathbb {F}_{p}\).
- \(\left\{ \infty \right\} \cup (E(\mathbb {F}_{p^{2}})\cap (\mathbb {F}_{p}\times \sqrt{\delta }\mathbb {F}_{p}))\). This time \(\lambda \) is an element of \(\sqrt{\delta }\mathbb {F}_{p}\), therefore \(x_{3}\in \mathbb {F}_{p}\) while \(y_{3}\) is an element of \(\sqrt{\delta }\mathbb {F}_{p}\).
Theorem 5
Let n be an integer and \((q,f_{0})\in \mathbb {F}_{p}\times \left\{ 0,1\right\} \). Then there exists a unique couple \((s,f_{1})\in \mathbb {F}_{p}\times \left\{ 0,1\right\} \) such that \(X_{1}(nQ)=(s,f_{1})\) for all \(Q\in E(\mathbb {F}_{p^{2}})\) such that \(X_{1}(Q)=(q,f_{0})\).
Proof
We first consider \(f_{0}=0\). The only \(Q\) in \(\left\{ Q\in \mathbb {F}_{p^{2}}: X_{1}(Q)=(0,0)\right\} \) is \(\infty \), so \(nQ=\infty \) and \(X_{1}(nQ)=(0,0)\). If \(f_{0}=1\) we define \(\alpha \) as Bernstein did in [2] and check the different cases for \(\alpha \).
Case 1
\(\alpha =0\). The only square root of 0 in \(\mathbb {F}_{p^{2}}\) is 0, therefore we are speaking only of possible points of order two. A curve E could have no points of order two; in this case \(\left\{ Q\in \mathbb {F}_{p^{2}}: X_{1}(Q)=(q,1)\right\} =\emptyset \). It could have a single root \(q_{1}\); then the point \((q_{1},0)\) would be contained in the group \(\left\{ \infty ,(q_{1},0)\right\} \). This is a subgroup of \(E(\mathbb {F}_{p^{2}})\) and therefore nQ lies in it. Depending on the scalar n we will have \(X_{1}(nQ)=(0,0)\) or \(X_{1}(nQ)=(q_{1},1)\). If the polynomial has two roots in \(\mathbb {F}_{p}\) it has the third too, and in this last case the set \(\left\{ \infty ,(q_{1},0),(q_{2},0),(q_{3},0)\right\} \) is again a subgroup of \(E(\mathbb {F}_{p^{2}})\). The output will be \(X_{1}(nQ)=(0,0)\) or one of the three points, returning \(X_{1}(nQ)=(q_i,1)\). In all these cases \(X_{1}(nQ)\in \mathbb {F}_{p}\times \left\{ 0,1\right\} \).
Case 2
\(\alpha \) a nonzero square in \(\mathbb {F}_{p}\). The square roots of \(\alpha \) are \(\pm r \in \mathbb {F}_{p}\). Therefore \(\left\{ Q\in \mathbb {F}_{p^{2}}: X_{1}(Q)=(q,1)\right\} =\left\{ (q,r),(q,-r)\right\} \). These are contained in the group \(\left\{ \infty \right\} \cup (E(\mathbb {F}_{p^{2}})\cap (\mathbb {F}_{p}\times \mathbb {F}_{p}))\), and so is nQ. Notice that \(n(q,-r)=n(-(q,r))=-n(q,r)\). The function \(X_{1}\) considers only the x-coordinate and, possibly, the point at infinity, so \(X_{1}(n(q,-r))=X_{1}(n(q,r))\), which is equal, depending on the scalar n, to (s, 1) or (0, 0). In both cases \(X_{1}(nQ)\in \mathbb {F}_{p}\times \left\{ 0,1\right\} \).
Case 3
\(\alpha \) a non-square in \(\mathbb {F}_{p}\). By definition of \(\delta \), \(\frac{\alpha }{\delta }\) is a nonzero square in \(\mathbb {F}_{p}\) with roots \(\pm r \in \mathbb {F}_{p}\); then the only square roots of \(\alpha \) are \(\pm r\sqrt{\delta } \in \mathbb {F}_{p^{2}}\). The two points \((q,r\sqrt{\delta }),(q,-r\sqrt{\delta })\) are contained in the group \(\left\{ \infty \right\} \cup (E(\mathbb {F}_{p^{2}})\cap (\mathbb {F}_{p}\times \sqrt{\delta }\mathbb {F}_{p}))\), so it also contains \(n(q,r\sqrt{\delta })\) and \(n(q,-r\sqrt{\delta })\), which again are opposite and have the same \(X_{1}(nQ)\), equal to \((s,1)\) or \((0,0)\) depending on n, with s still in \(\mathbb {F}_{p}\) as shown above. \(\square \)
B Proof of Lemma 1
The hypothesis \(R[0],R[1] \ne \infty \) implies \(y_Q \ne 0\). In fact, if \(y_Q=0\) then Q would have order 2, causing either R[0] or \(R[1]\left( =R[0]+Q\right) \) to be \(\infty \). Since \(y_Q,{z_0},{z_1} \ne 0\), we have \({z}_{0}^{\prime } \ne 0\). It is easy to see that \(\frac{{x}_{0}^{\prime }}{{z}_{0}^{\prime }}=\frac{2y_Q{x}_{0}{z}_{1}{z}_{0}}{2y_Q{z}_{1}{z}_{0}^{2}}=\frac{{x}_{0}}{{z}_{0}}=X\left( R[0]\right) \). For the y-coordinate of R[0], hereafter referred to as \(y_{R[0]}\), we have two cases.
Case 1
\(R\left[ 0\right] \ne Q\). Using Eq. 2 we have \(\frac{x_1}{z_1}=\left( \frac{y_{R[0]}-y_Q}{x_0/z_0-x_Q}\right) ^{2}-x_Q-\frac{x_0}{z_0}=\frac{-2y_Qy_{R[0]}+2b+(a+x_Q\frac{x_0}{z_0})(x_Q+\frac{x_0}{z_0})}{(x_0/z_0-x_Q)^2}\). Multiplying by \(\left( x_0/z_0-x_Q\right) ^2\ne 0\) and dividing by \(2y_Q\) we obtain \(y_{R[0]}=\frac{2bz_1z_0^2+z_1(az_0+x_Qx_0)(x_Qz_0+x_0)-x_1(x_0-x_Qz_0)^2}{2y_Qz_1z_0^2}=\frac{y_0^\prime }{z_0^\prime }\).
Case 2
\(R\left[ 0\right] =Q\) (i.e. \(n\equiv 1 \pmod {\mathrm{ord}(Q)}\)). Applying the equivalence \(x_0=z_0x_Q\) we get \(\frac{y_0^\prime }{z_0^\prime }=\frac{2bz_0^2+2x_Qz_0(az_0+x_Q^2z_0)}{2y_Qz_0^2} = \frac{x_Q^3+ax_Q+b}{y_Q} = \frac{y_Q^2}{y_Q} = y_Q\) as expected. \(\square \)
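The two appendices lend themselves to a numerical sanity check, which is what the following Python script does; it is an added example and not code from the paper or its hardware accelerator. It brute-forces Theorem 5 (Appendix A) by enumerating every \(Q\in E(\mathbb {F}_{p^{2}})\) with \(X_{1}(Q)=(q,1)\) and confirming that \(X_{1}(nQ)\) is unique with \(s\in \mathbb {F}_{p}\), covering the three cases of the proof (\(\alpha =0\), a nonzero square, a non-square), and it checks the y-recovery formula of Lemma 1 (Appendix B) in both of its cases, \(R[0]\ne Q\) and \(R[0]=Q\). Everything about the curve is an assumption constructed for the example: \(p=13\), \(\delta =2\), \(y^{2}=x^{3}+x+1\), and the sample point \(Q=(0,1)\) of order 6; the \(\mathbb {F}_{p^{2}}\) arithmetic and the affine group law are a plain reference implementation, not the paper's formulas. Only `recover_y` is transcribed from the page, namely the expressions for \(x_{0}^{\prime },y_{0}^{\prime },z_{0}^{\prime }\) in Appendix B.

```python
# Added example (not from the paper): brute-force checks of Theorem 5 (Appendix A) and of the
# y-recovery formula of Lemma 1 (Appendix B) on a constructed toy curve.
# Constructed curve: y^2 = x^3 + x + 1 over F_13 (discriminant 4*1 + 27*1 = 31 = 5 mod 13, nonzero);
# delta = 2 is the smallest non-square mod 13 (squares mod 13 are 1, 3, 4, 9, 10, 12).
P, DELTA = 13, 2
A, B = 1, 1

# F_{p^2} = F_p(sqrt(delta)); the element c + d*sqrt(delta) is stored as the tuple (c, d).
def f(c, d=0):
    return (c % P, d % P)

def f_add(u, v):
    return ((u[0] + v[0]) % P, (u[1] + v[1]) % P)

def f_sub(u, v):
    return ((u[0] - v[0]) % P, (u[1] - v[1]) % P)

def f_mul(u, v):
    return ((u[0] * v[0] + DELTA * u[1] * v[1]) % P, (u[0] * v[1] + u[1] * v[0]) % P)

def f_inv(u):
    # (c + d*sqrt(delta))^-1 = (c - d*sqrt(delta)) / (c^2 - delta*d^2); the norm is nonzero for
    # u != 0 because delta is not a square in F_p.
    norm = (u[0] * u[0] - DELTA * u[1] * u[1]) % P
    inv = pow(norm, -1, P)
    return ((u[0] * inv) % P, (-u[1] * inv) % P)

# Reference affine group law over F_{p^2} (textbook chord-and-tangent); INF is the point at infinity.
INF = None

def ec_add(R, S):
    if R is INF:
        return S
    if S is INF:
        return R
    (x1, y1), (x2, y2) = R, S
    if x1 == x2:
        if y1 != y2 or y1 == f(0):      # S = -R, including the order-2 case y = 0
            return INF
        lam = f_mul(f_add(f_mul(f(3), f_mul(x1, x1)), f(A)), f_inv(f_mul(f(2), y1)))
    else:
        lam = f_mul(f_sub(y2, y1), f_inv(f_sub(x2, x1)))
    x3 = f_sub(f_sub(f_mul(lam, lam), x1), x2)
    y3 = f_sub(f_mul(lam, f_sub(x1, x3)), y1)
    return (x3, y3)

def ec_mul(n, R):
    acc = INF
    for bit in bin(n)[2:]:              # plain left-to-right double-and-add, n >= 0 (reference only)
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, R)
    return acc

def X1(R):
    # X_1(inf) = (0, 0), X_1(x, y) = (x, 1); x is kept as an F_{p^2} element so the F_p claim can be checked
    return (f(0), 0) if R is INF else (R[0], 1)

def points_with_x(q):
    """Every Q in E(F_{p^2}) with X_1(Q) = (q, 1): brute-force the square roots of alpha = q^3 + a*q + b."""
    x = f(q)
    alpha = f_add(f_add(f_mul(x, f_mul(x, x)), f_mul(f(A), x)), f(B))
    return [(x, (c, d)) for c in range(P) for d in range(P) if f_mul((c, d), (c, d)) == alpha]

def theorem5(q, n):
    """The set of X_1(nQ) over all Q with X_1(Q) = (q, 1); Theorem 5 says it has one element, with s in F_p."""
    return {X1(ec_mul(n, Q)) for Q in points_with_x(q)}

def theorem5_holds(q, n):
    out = theorem5(q, n)
    return len(out) == 1 and next(iter(out))[0][1] == 0     # unique result and x-coordinate in F_p

def recover_y(xQ, yQ, x0, z0, x1, z1):
    """Lemma 1 (Appendix B): from R[0] = (x0 : z0) and R[1] = (x1 : z1) = R[0] + Q in x-only projective
    form, plus the affine Q = (xQ, yQ) with yQ != 0, return R[0] as (x0' : y0' : z0'). F_p integers only."""
    x0p = 2 * yQ * x0 * z1 * z0
    z0p = 2 * yQ * z1 * z0 * z0
    y0p = 2 * B * z1 * z0 * z0 + z1 * (A * z0 + xQ * x0) * (xQ * z0 + x0) - x1 * (x0 - xQ * z0) ** 2
    return (x0p % P, y0p % P, z0p % P)

def lemma1_holds(Q, n, z0, z1):
    """Build R[0] = nQ and R[1] = (n+1)Q with the reference law, hide them behind the projective
    scalings z0, z1 (x-only), and check that recover_y gives back R[0]. Q must have F_p coordinates."""
    R0, R1 = ec_mul(n, Q), ec_mul(n + 1, Q)
    if R0 is INF or R1 is INF:
        raise ValueError("Lemma 1 assumes R[0], R[1] != inf")
    xQ, yQ = Q[0][0], Q[1][0]
    X, Y, Z = recover_y(xQ, yQ, R0[0][0] * z0 % P, z0, R1[0][0] * z1 % P, z1)
    zi = pow(Z, -1, P)                  # z0' != 0 by the lemma's hypothesis
    return (f(X * zi), f(Y * zi)) == R0

# Constructed sample point: Q = (0, 1) is on the curve and has order 6 (3Q = (7, 0) is the order-2 point).
Q_SAMPLE = (f(0), f(1))

if __name__ == "__main__":
    for q, n in [(7, 3), (0, 2), (2, 5)]:          # alpha = 0, a nonzero square, a non-square (Cases 1-3)
        print(q, n, theorem5(q, n), theorem5_holds(q, n))
    print(lemma1_holds(Q_SAMPLE, 2, 3, 5), lemma1_holds(Q_SAMPLE, 7, 3, 5))   # Lemma 1, Case 1 and Case 2
```

With \(q=7\) the only point is the order-2 point \((7,0)\), with \(q=0\) the two points are \((0,\pm 1)\in \mathbb {F}_{p}^{2}\), and with \(q=2\) the points are \((2,\pm 5\sqrt{2})\), so each run of the loop sits in one of the three subgroups listed at the start of Appendix A. The call with \(n=7\) is the \(R[0]=Q\) case of Lemma 1, since \(7\equiv 1 \pmod 6\); \(n=5\) would violate the lemma's hypothesis (\(R[1]=6Q=\infty \)) and is therefore rejected by `lemma1_holds`.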
© 2017 Springer International Publishing AG
Cite this paper
Susella, R., Montrasio, S. (2017). A Compact and Exception-Free Ladder for All Short Weierstrass Elliptic Curves. In: Lemke-Rust, K., Tunstall, M. (eds) Smart Card Research and Advanced Applications. CARDIS 2016. Lecture Notes in Computer Science(), vol 10146. Springer, Cham. https://doi.org/10.1007/978-3-319-54669-8_10
DOI: https://doi.org/10.1007/978-3-319-54669-8_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-54668-1
Online ISBN: 978-3-319-54669-8