A Compact and Exception-Free Ladder for All Short Weierstrass Elliptic Curves

Abstract

The field of elliptic curve cryptography has recently experienced a deployment of new models of elliptic curves, such as Montgomery or twisted Edwards. Computations on these curves have been proven to be exception-free and easy to make constant-time. Unfortunately many standards define elliptic curves in the short Weierstrass model, where the above properties are harder to achieve. This is especially true when scalar blinding, a simple but widely deployed side-channel attacks countermeasure, is adopted. In this paper we analyze previously undisclosed exceptional cases of popular scalar multiplication algorithms, highlighting the need for proofs of correctness. Then, with the final goal of providing a compact ECC hardware accelerator for embedded platforms, suitable to offload computations on all elliptic curve models, we present a constant-time adaptation of the Montgomery ladder, leveraging addition formulas by Izu and Takagi, that we prove return the correct result for any input point, any scalar value, on all elliptic curves in Weierstrass form defined over \(\mathbb {F}_p\) with \(p \ne 2,3\).

Appendices

A X-only Scalar Multiplication

We now state and prove an analogous version of Theorem 2.1 of [2] which holds for short Weierstrass curves (together with the function \(X_{1}\)). The definition of \(X_{1}:E(\mathbb {F}_{p^{2}})\rightarrow \mathbb {F}_{p^{2}}\times \left\{ 0,1\right\} \) is \(X_{1}(\infty )=(0,0),X_{1}(x,y)=(x,1)\) and in the following lines we will indicate with \(\delta \) the smallest non-square integer in \(\mathbb {F}_{p}\). For an exact description of the operations on the extension field \(\mathbb {F}_{p^{2}}\) see [2, Appendix A] but the addition law we will refer to, is the one described in Sect. 2.

First note that the following three sets are subgroups of \(E(\mathbb {F}_{p^{2}})\):

• \(\left\{ \infty ,\text {points of order two}\right\} \). Indeed if there is just one point of order two \(\infty +\infty =\infty \); \((q_{1},0)+(q_{1},0)=\infty \); and \((q_{1},0)+\infty =(q_{1},0)\). If there are three points we have in addition that \((q_{1},0)+(q_{2},0)=(q_{3},0)\).

• \(\left\{ \infty \right\} \cup (E(\mathbb {F}_{p^{2}})\cap (\mathbb {F}_{p}\times \mathbb {F}_{p}))\). Indeed, if \(x,y,x^\prime ,y^\prime \in \mathbb {F}_{p}\) then the quantities \(\lambda ,x_{3},y_{3}\) defined as in Eq. 2 are all in \(\mathbb {F}_{p}\).

• \(\left\{ \infty \right\} \cup (E(\mathbb {F}_{p^{2}})\cap (\mathbb {F}_{p}\times \sqrt{\delta }\mathbb {F}_{p})\). This time \(\lambda \) is an element of \(\sqrt{\delta }\mathbb {F}_{p}\) and therefore \(x_{3}\in \mathbb {F}_{p}\) while \(y_{3}\) will be an element of \(\sqrt{\delta }\mathbb {F}_{p}\).

Theorem 5

Let n be an integer and \((q,f_{0})\in \mathbb {F}_{p}\times \left\{ 0,1\right\} \). Then there exists a unique couple \((s,f_{1})\in \mathbb {F}_{p}\times \left\{ 0,1\right\} \) such that \(X_{1}(nQ)=(s,f_{1})\) for all \(Q\in E(\mathbb {F}_{p^{2}})\) such that \(X_{1}(Q)=(q,f_{0})\).

Proof

We first consider \(f_{0}=0\). The only Q satisfying \(\left\{ Q\in \mathbb {F}_{p^{2}}:\right. \) \(\left. X_{1}(Q)=(0,0)\right\} \) is \(\infty \), so \(nQ=\infty \) and \(X_{1}(nQ)=(0,0)\). If \(f_{0}=1\) we define, as Bernstein did in [2], and check different cases for \(\alpha \).

Case 1

\(\alpha =0\). The only square root of 0 in \(\mathbb {F}_{p^{2}}\) is 0 and therefore we are speaking only of possible points of order two. A curve E could have no points of order two, in this case \(\left\{ Q\in \mathbb {F}_{p^{2}}: X_{1}(Q)=(q,1)\right\} =\left\{ \emptyset \right\} \). It could have just one single root \(q_{1}\); then the point \((q_{1},0)\) would be contained in the group \(\left\{ \infty ,(q_{1},0)\right\} \). This is a subgroup of \(E(\mathbb {F}_{p^{2}})\) and therefore nQ will lie in it. Depending on the scalar n we will have \(X_{1}(nQ)=(0,0)\) or \(X_{1}(nQ)=(q_{1},1)\). If the polynomial has two roots in \(\mathbb {F}_{p}\) it has the third too and in this last case the set \(\left\{ \infty ,(q_{1},0),(q_{2},0),(q_{3},0)\right\} \) is again a subgroup of \(E(\mathbb {F}_{p^{2}})\). The output will be \(X_{1}(nQ)=(0,0)\) or one of the three points returning \(X_{1}(nQ)=(q_i,1)\). In all these cases \(X_{1}(nQ)\in \mathbb {F}_{p}\times \left\{ 0,1\right\} \).

Case 2

\(\alpha \) nonzero square in \(\mathbb {F}_{p}\). The square roots of \(\alpha \) are \(\pm r \in \mathbb {F}_{p}\). Therefore \(\left\{ Q\in \mathbb {F}_{p^{2}}: X_{1}(Q)=(q,1)\right\} =\left\{ (q,r),(q,-r)\right\} \). These are contained in the group \(\left\{ \infty \right\} \cup (E(\mathbb {F}_{p^{2}})\cap (\mathbb {F}_{p}\times \mathbb {F}_{p}))\) and nQ too. Notice that \(n(q,-r)=n(-(q,r))=-n(q,r)\). The function \(X_{1}\) considers only the x-coordinate and eventually the infinity, so \(X_{1}(n(q,-r))=X_{1}(n(q,r))\) which is equal, depending on the scalar n to (s, 1) or (0, 0). In both cases \(X_{1}(nQ)\in \mathbb {F}_{p}\times \left\{ 0,1\right\} \).

Case 3

\(\alpha \) non-square in \(\mathbb {F}_{p}\). By definition of \(\delta \), \(\frac{\alpha }{\delta }\) is a nonzero square in \(\mathbb {F}_{p}\) with roots \(\pm r \in \mathbb {F}_{p}\); then the only square roots of \(\alpha \) are \(\pm r\sqrt{\delta } \in \mathbb {F}_{p^{2}}\). The two points \((q,r\sqrt{\delta }),(q,-r\sqrt{\delta })\) are contained in the group \(\left\{ \infty \right\} \cup (E(\mathbb {F}_{p^{2}})\cap (\mathbb {F}_{p}\times \root \of {\delta }\mathbb {F}_{p})\) so it contains also \(n(q,r\root \of {\delta })\) and \(n(q,-r\sqrt{\delta })\) which again are opposite and have the same \(X_{1}(nQ)=(s,1)/(0,0)\) depending on n with s still in \(\mathbb {F}_{p}\) as shown above.    \(\square \)

B Proof of Lemma 1

The hypothesis \(R[0],R[1] \ne \infty \) implies \(y_Q \ne 0\). In fact if \(y_Q=0\) then Q would have had order 2 causing either R[0] or \(R[1]\left( =R[0]+Q\right) \) to be \(\infty \). Since \(y_Q,{z_0},{z_1} \ne 0\), then \({z}_{0}^{\prime } \ne 0\). It is easy to see that \(\frac{{x}_{0}^{\prime }}{{z}_{0}^{\prime }}=\frac{2y_Q{x}_{0}{z}_{1}{z}_{0}}{2y_Q{z}_{1}{z}_{0}^{2}}=\frac{{x}_{0}}{{z}_{0}}=X\left( R[0]\right) \). For the y-coordinate of R[0], hereafter referred to as \(y_{R[0]}\), we have two cases.

Case 1

\(R\left[ 0\right] \ne Q\). Using Eq. 2 we have \(\frac{x_1}{z_1}=\left( \frac{y_{R[0]}-y_Q}{x_0/z_0-x_Q}\right) ^{2}-x_Q-\frac{x_0}{z_0}=\frac{-2y_Qy_{R[0]}+2b+(a+x_Q\frac{x_0}{z_0})(x_Q+\frac{x_0}{z_0})}{(x_0/z_0-x_Q)^2}\). Multiplying by \(\left( x_0/z_0-x_Q\right) ^2\ne 0\) and dividing by \(2y_Q\) we obtain \(y_{R[0]}=\frac{2bz_1z_0^2+z_1(az_0+x_Qx_0)(x_Qz_0+x_0)-x_1(x_0-x_Qz_0)^2}{2y_Qz_1z_0^2}=\frac{y_0^\prime }{z_0^\prime }\).

Case 2

\(R\left[ 0\right] =Q\) (i.e. \(n\equiv 1 \mod {{\mathrm{ord}}}(Q)\)). Applying the equivalence \(x_0=z_0x_Q\) we get \(\frac{y_0^\prime }{z_0^\prime }=\frac{2bz_0^2+2x_Qz_0(az_0+x_Q^2z_0)}{2y_Qz_0^2} = \frac{x_Q^3+ax_Q+b}{y_Q} = \frac{y_Q^2}{y_Q} = y_Q\) as expected.    \(\square \)