
A synthesis of side-channel attacks on elliptic curve cryptography in smart-cards

  • Regular Paper
  • Journal of Cryptographic Engineering

Abstract

Elliptic curve cryptography in embedded systems is vulnerable to side-channel attacks. Those attacks exploit biases in various kinds of leakage, such as power consumption, electromagnetic emanation and execution time. Countermeasures must be integrated to thwart the known attacks. No single countermeasure covers the whole range of attacks, so several of them must be combined. However, since each of them has a non-negligible cost, one cannot simply apply all of them: countermeasures must be selected wisely, depending on the context and on the trade-off between security and performance. This paper summarizes the side-channel attacks and countermeasures on elliptic curve cryptography. For each countermeasure, the cost in time and space is given. Some attacks are clarified, such as the doubling attack; others are improved, like the horizontal SVA; and new attacks are described, like the horizontal attack against the unified formulae.


Notes

  1. And its equivalent points \((r^2, r^3, 0)\) for \(r \in {\mathbb {F}}_p^*\).

  2. The notation \(2P\) for a point \(P\) refers to a point doubling procedure. Do not confuse with the notation \([k]P\) that refers to the computed point \(\underbrace{P + \cdots + P}_{k \text { times}}\).

  3. For 128-bit security, the integers manipulated in ECC are 256 bits long, as opposed to 3,072 bits for RSA.

  4. This attack needs a detailed look at the implementation.

  5. Another method to find the value \(x_{P'}\), with less computational effort, is described in [23] but it needs more faulted results.

  6. \(Q_i'\) does not lie on the elliptic curve. Biehl et al. argued that this is not an issue. The computation of \(Q_i' = Q' - [2^ik^{(i)}]P\) can be performed with elements in \({\mathbb {F}}_p^2\) that do not lie on the same elliptic curve [8].

  7. The costs of an addition and of a subtraction are rarely significantly different.

  8. Six temporary registers are needed in [27]; we added one extra temporary register for the fake operations.

  9. A Jacobian to affine coordinates conversion of the point \(S\) is sometimes needed in the case where the base point needs to be in affine coordinates.

  10. \(a^{-1}\) and \(b^{-1}\) can be computed as: first compute \(c = (ab)^{-1}\), then \(a^{-1} = cb\) and \(b^{-1} = ca\).

References

  1. Akishita, T., Takagi, T.: Zero-value point attacks on elliptic curve cryptosystem. In: Proceedings of ISC’03, LNCS, vol. 2851. Springer, pp. 218–233 (2003)

  2. Amiel, F., Villegas, K., Feix, B., Marcel, L.: Passive and active combined attacks: combining fault attacks and side channel analysis. In: Proceedings of FDTC’07, IEEE Computer Society, pp. 92–102

  3. Bajard, J.C.: An RNS montgomery modular multiplication algorithm. J. IEEE Trans. Comput ’98 47, 766–776 (1998)


  4. Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The sorcerer’s apprentice guide to fault attacks. In: Proceedings of IEEE’06, vol. 94, pp. 370–382 (2006)

  5. Bauer, A., Jaulmes, É., Prouff, E., Wild, J.: Horizontal and vertical side-channel attacks against secure RSA implementations. In: Proceedings of CT-RSA’13, LNCS, vol. 7779. Springer, Berlin, pp. 1–17 (2013)

  6. Barrett, P.: Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor. In: Proceedings of CRYPTO’86, LNCS, vol. 263. Springer, Berlin, pp. 311–323 (1987)

  7. Boscher, A., Handschuh, H., Trichina, E.: Blinded fault resistant exponentiation revisited. In: Proceedings of FDTC’09, IEEE, pp. 3–9 (2009)

  8. Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Proceedings of CRYPTO’00, LNCS, vol. 1880. Springer, Berlin, pp. 131–146 (2000)

  9. Blömer, J., Otto, M., Seifert, J.-P.: Sign change fault attacks on elliptic curve cryptosystems. In: Proceedings of FDTC’06, LNCS, vol. 4236. Springer, New York, pp. 36–52 (2006)

  10. Brier, E., Joye, M.: Weierstraß elliptic curves and side-channel attacks. In: Proceedings of PKC’02, LNCS, vol. 2274. Springer, New York, pp. 335–345 (2002)

  11. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Proceedings of CHES’02, LNCS, vol. 2523. Springer, New York, pp. 13–28 (2003)

  12. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. J. IEEE Trans. Comput.’04 53(6), 460–468 (2004)


  13. Ciet, M., Joye, M.: (Virtually) free randomization techniques for elliptic curve cryptography. In: Proceedings of ICIS’03, LNCS, vol. 2836. Springer, New York, pp. 348–359 (2003)

  14. Ciet, M., Joye, M.: Elliptic curve cryptosystems in the presence of permanent and transient faults. J. Des. Codes Cryptogr.’05 36(1), 33–43 (2005)


  15. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Proceedings of ICIS’10, LNCS, vol. 6476. Springer, New York, pp. 46–61 (2010)

  16. Clavier, C., Joye, M.: Universal exponentiation algorithm. In: Proceedings of CHES’01, LNCS, vol. 2162. Springer, New York, pp. 300–308 (2001)

  17. Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Proceedings of ASIACRYPT’98, LNCS, vol. 1514. Springer, New York, pp. 51–65 (1998)

  18. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Proceedings of CHES’99, LNCS, vol. 1717. Springer, New York, pp. 292–302 (1999)

  19. Danger, J.-L., Guilley, S., Hoogvorst, P., Murdica, C., Naccache, D.: Low-cost countermeasure against RPA. In: Proceedings of CARDIS’12, LNCS, vol. 7771. Springer, Berlin, pp. 106–122 (2013)

  20. Fan, J., Gierlichs, B., Vercauteren, F.: To infinity and beyond: combined attack on ECC using points of low order. In: Proceedings of CHES’11, LNCS, vol. 6917. Springer, Berlin, pp. 143–159 (2011)

  21. Fan, J., Guo, X., De Mulder, E., Schaumont, P., Preneel, B., Verbauwhede, I.: State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures. In: Proceedings of HOST’10, IEEE, pp. 76–87 (2010)

  22. Fan, J., Verbauwhede, I.: An updated survey on secure ECC implementations: attacks, countermeasures and cost. Cryptography and security: from theory to applications, LNCS, vol. 6805. Springer, New York, pp. 265–282 (2012)

  23. Fouque, P.-A., Lercier, R., Réal, D., Valette, F.: Fault attack on elliptic curve Montgomery ladder implementation. In: Proceedings of FDTC’08, IEEE Computer Society, pp. 92–98 (2008)

  24. Fouque, P.-A., Réal, D., Valette, F., Drissi, M.: The Carry leakage on the randomized exponent countermeasure. In: Proceedings of CHES’08, LNCS, vol. 5154. Springer, New York, pp. 198–213 (2008)

  25. Fouque, P.-A., Valette, F.: The doubling attack—why upwards is better than downwards. In: Proceedings of CHES’03, LNCS, vol. 2779. Springer, New York, pp. 269–280 (2003)

  26. Giraud, C.: An RSA implementation resistant to fault attacks and to simple power analysis. J. IEEE Trans. Comput.’06 55(9), 1116–1120 (2006)


  27. Giraud, C., Verneuil, V.: Atomicity improvement for elliptic curve scalar multiplication. In: Proceedings of CARDIS’10, LNCS, vol. 6035. Springer, Berlin, pp. 80–101 (2010)

  28. Goubin, L.: A refined power-analysis attack on elliptic curve cryptosystems. In: Proceedings of PKC’03, LNCS, vol. 2567. Springer, Berlin, pp. 199–210 (2002)

  29. Goundar, R.R., Joye, M., Miyaji, A.: Co-Z addition formulae and binary ladders on elliptic curves—extended abstract. In: Proceedings of CHES’10, LNCS, vol. 6225. Springer, Berlin, pp. 65–79 (2010)

  30. Goundar, R.R., Joye, M., Miyaji, A., Rivain, M., Venelli, A.: Scalar multiplication on Weierstraß elliptic curves from Co-\(Z\) arithmetic. J. Cryptogr. Eng.’11 1(2), 161–176 (2011)


  31. Hachez, G., Quisquater, J.-J.: Montgomery exponentiation with no final subtractions: improved results. In: Proceedings of CHES’00, LNCS, vol. 1965. Springer, New York, pp. 293–301 (2000)

  32. Howgrave-Graham, N., Smart, N.: Lattice attacks on digital signature schemes. J. Des. Codes Cryptogr.’01 23(3), 283–290 (2001)


  33. Itoh, K., Izu, T., Takenaka, M.: Address-bit differential power analysis of cryptographic schemes OK-ECDH and OK-ECDSA. In: Proceedings of CHES’02, LNCS, vol. 2523. Springer, Berlin, pp. 129–143 (2003)

  34. Itoh, K., Izu, T., Takenaka, M.: A practical countermeasure against address-bit differential power analysis. In: Proceedings of CHES’03, LNCS, vol. 2779. Springer, Berlin, pp. 382–396 (2003)

  35. Itoh, K., Izu, T., Takenaka, M.: Efficient countermeasures against power analysis for elliptic curve cryptosystems. In: CARDIS’04, Kluwer, Dordrecht, pp. 99–114 (2004)

  36. Izu, T., Möller, B., Takagi, T.: Improved elliptic curve multiplication methods resistant against side channel attacks. In: Proceedings of INDOCRYPT’02, LNCS, vol. 2551. Springer, New York, pp. 296–313 (2002)

  37. Izumi, M., Ikegami, J., Sakiyama, K., Ohta, K.: Improved countermeasure against address-bit DPA for ECC scalar multiplication. DATE’10, IEEE, pp. 981–984 (2010)

  38. Joye, M., Tymen, C.: Protections against differential analysis for elliptic curve cryptography. In: Proceedings of CHES’01, LNCS, vol. 2162. Springer, Berlin, pp. 377–390 (2001)

  39. Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Proceedings of CHES’02, LNCS, vol. 2162. Springer, Berlin, pp. 291–302 (2003)

  40. Koblitz, N.: Elliptic curve cryptosystems. J. Math. Comput.’87 48(177), 203–209 (1987)


  41. Kocher, P.C.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS, and other systems. In: Proceedings of CRYPTO’96, LNCS, vol. 1109. Springer, Berlin, pp. 104–113 (1996)

  42. Mamiya, H., Miyaji, A., Morimoto, H.: Efficient countermeasures against RPA, DPA, and SPA. In: Proceedings of CHES’04, LNCS, vol. 3156. Springer, Berlin, pp. 343–356 (2004)

  43. Miller, V.S.: Use of elliptic curves in cryptography. In: Proceedings of CRYPTO’85, LNCS, vol. 218. Springer, New York, pp. 417–426 (1985)

  44. Medwed, M., Oswald, E.: Template attacks on ECDSA. In: Proceedings of WISA’08, LNCS, vol. 5379. Springer, Berlin, pp. 14–27 (2009)

  45. Meloni, N.: New point addition formulae for ECC applications. In: Proceedings of WAIFI’07, LNCS, vol. 4547. Springer, Berlin, pp. 189–201 (2007)

  46. Montgomery, P.L.: Modular multiplication without trial division. J. Math. Comput.’85 44(170), 519–521 (1985)


  47. Murdica, C., Guilley, S., Danger, J.-L., Hoogvorst, P., Naccache, D.: Same values power analysis using special points on elliptic curves. In: Proceedings of COSADE’12, LNCS, vol. 7275. Springer, Berlin, pp. 183–198 (2012)

  48. Muller, F., Valette, F.: High-order attacks against the exponent splitting protection. In: Proceedings of PKC’06, LNCS, vol. 3958. Springer, New York, pp. 315–329 (2006)

  49. Dominguez-Oviedo, A., Hasan, M.A.: Algorithm-level error detection for Montgomery ladder-based ECSM. J. Cryptogr. Eng.’11 1(1), 57–69 (2011)


  50. Sato, H., Schepers, D., Takagi, T.: Exact analysis of Montgomery multiplication. In: Proceedings of INDOCRYPT’04, LNCS, vol. 3348. Springer, Berlin, pp. 290–304 (2004)

  51. Stebila, D., Thériault, N.: Unified point addition formulae and side-channel attacks. In: Proceedings of CHES’06, LNCS, vol. 4249. Springer, Berlin, pp. 354–368 (2006)

  52. Shanks, D.: Class number, a theory of factorization and genera. Proc. Symp. Pure Math.’71 20, 415–440 (1971)


  53. Trichina, E., Bellezza, A.: Implementation of elliptic curve cryptography with built-in counter measures against side channel attacks. In: Proceedings of CHES’02, LNCS, vol. 2523. Springer, Berlin, pp. 98–113 (2002)

  54. Verneuil, V.: Cryptographie à base de courbes elliptiques et sécurité de composants embarqués [Elliptic-curve-based cryptography and security of embedded components]. Ph.D. thesis, Université de Bordeaux (2012)

  55. Walter, C.D.: Sliding windows succumbs to big mac attack. In: Proceedings of CHES’01, LNCS, vol. 2162. Springer, Berlin, pp. 286–299 (2001)

  56. Walter, C.D.: Montgomery’s multiplication technique: how to make it smaller and faster. In: Proceedings of CHES’99, LNCS, vol. 1717. Springer, Berlin, pp. 80–93 (1999)

  57. Walter, C.D.: Simple power analysis of unified code for ECC double and add. In: Proceedings of CHES’04, LNCS, vol. 3156. Springer, Berlin, pp. 191–204 (2004)

  58. Yen, S.-M., Joye, M.: Checking before output may not be enough against fault-based cryptanalysis. J. IEEE Trans. Comput.’00 49(9), 967–970 (2000)




Correspondence to Cédric Murdica.

Appendices

Appendix A: Elliptic curve formulae

The number of registers for each formula is given without counting input and output registers; only temporary registers are counted. This number can be decreased at the price of some additional additions and subtractions.

Except as otherwise indicated, the points are in Jacobian coordinates, and different from \({\mathcal {O}}\).

figure b (algorithm listing not reproduced)

If \(Q\) is in affine coordinates (\(Z_2=1\)), one can gain four multiplications and one square. It is called mixed addition (mecadd) [17]. If \(Z_2^2\) and \(Z_2^3\) are precomputed and stored, one multiplication and one square are saved. It is called re-addition (reecadd).

Cost (ecadd): 12 mmul \({}_n\), 4 msqr \({}_n\), 7 madd \({}_n\), 5 mem \({}_n\).

Cost (mecadd): 8 mmul \({}_n\), 3 msqr \({}_n\), 7 madd \({}_n\), 3 mem \({}_n\).

Cost (reecadd): 11 mmul \({}_n\), 3 msqr \({}_n\), 7 madd \({}_n\), 5 mem \({}_n\).

figure c (algorithm listing not reproduced)

If \(P\) is used for re-addition, the computation of \(Z_2^2\) and \(Z_2^3\) needs one extra square and one extra multiplication. If \(aZ_1^4\) is precomputed, two squares are saved at the price of one extra addition. These are the modified Jacobian coordinates [17]. The cost of combining modified coordinates with re-addition is also given.

Cost (ecdbl): 4 mmul \({}_n\), 6 msqr \({}_n\), 11 madd \({}_n\), 4 mem \({}_n\).

Cost (reecdbl): 5 mmul \({}_n\), 7 msqr \({}_n\), 11 madd \({}_n\), 4 mem \({}_n\).

Cost (modecdbl): 4 mmul \({}_n\), 4 msqr \({}_n\), 12 madd \({}_n\), 4 mem \({}_n\).

Cost (mod-reecdbl): 5 mmul \({}_n\), 5 msqr \({}_n\), 12 madd \({}_n\), 4 mem \({}_n\).

figure d (algorithm listing not reproduced)

Cost: 13 mmul \({}_n\), 5 msqr \({}_n\), 9 madd \({}_n\), 6 mem \({}_n\).

figure e (algorithm listing not reproduced)

The computation of the \(Z\) coordinate is not necessary if the Montgomery ladder is used. The final \(Z\) coordinate can be recovered at the end. It is called \((X, Y)\)-only co-\(Z\) addition and update (zaddu’) [30]. One multiplication can be saved.

Cost (zaddu): 5 mmul \({}_n\), 2 msqr \({}_n\), 7 madd \({}_n\), 5 mem \({}_n\).

Cost (zaddu’): 4 mmul \({}_n\), 2 msqr \({}_n\), 7 madd \({}_n\), 5 mem \({}_n\).

figure f (algorithm listing not reproduced)

The computation of the \(Z\) coordinate is not necessary if the Montgomery ladder is used. The final \(Z\) coordinate can be recovered at the end. It is called \((X, Y)\)-only conjugate co-\(Z\) addition (zaddc’) [30]. One multiplication can be saved.

Cost (zaddc): 6 mmul \({}_n\), 3 msqr \({}_n\), 11 madd \({}_n\), 5 mem \({}_n\).

Cost (zaddc’): 5 mmul \({}_n\), 3 msqr \({}_n\), 11 madd \({}_n\), 5 mem \({}_n\).

Appendix B: ECSM algorithms

\({\mathcal {A}}, {\mathcal {D}}\) stand for elliptic curve addition and doubling, respectively.

B.1 Unregular ECSMs

figure g (algorithm listing not reproduced)

Cost: \(\frac{n}{2}{\mathcal {A}}+ n{\mathcal {D}}\)

figure h (algorithm listing not reproduced)

Cost: \((\frac{n}{w+v(w)} + \frac{2^w - (-1)^w}{3}-1){\mathcal {A}}+ (n+1){\mathcal {D}}\), with \(v(w) = \frac{4}{3} - \frac{(-1)^w}{3\times 2^{w-2}}\), and the computation of the NAF of \(k\).

figure i (algorithm listing not reproduced)

Cost: \((\frac{n}{w+1} + 2^{2w-4}-1){\mathcal {A}}+ n{\mathcal {D}}\)
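As an added illustration of the B.1 cost formula (this is not code from the paper), the following Python recodes a scalar \(k\) into its non-adjacent form and counts the additions and doublings of the unregular binary method on the plain bits of \(k\) versus on its NAF digits. With \(w = 1\) the formula gives \(v(1) = 2\), i.e. about \(n/3\) additions and no precomputation, while the NAF may be one digit longer than the binary expansion, which is why the doubling count is \(n+1\). Negating a point on a Weierstrass curve only negates \(y\), so a \(-1\) digit costs the same as a \(+1\) digit; no names or parameters beyond the standard NAF recoding are assumed.

```python
def naf(k):
    """Non-adjacent form of k >= 0, least-significant digit first:
    digits in {-1, 0, 1} with no two adjacent non-zero digits."""
    digits = []
    while k > 0:
        if k & 1:
            d = 2 - (k & 3)      # +1 when k = 1 (mod 4), -1 when k = 3 (mod 4)
            k -= d               # now k is divisible by 4, so the next digit is 0
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits

def value(digits):
    """Reassemble an integer from signed binary digits (least significant first)."""
    return sum(d << i for i, d in enumerate(digits))

def is_non_adjacent(digits):
    return all(digits[i] == 0 or digits[i + 1] == 0 for i in range(len(digits) - 1))

def cost_binary(k):
    """(additions, doublings) of the left-to-right binary method on the bits of k."""
    bits = bin(k)[2:]
    return bits.count("1") - 1, len(bits) - 1

def cost_naf(k):
    """(additions, doublings) of the NAF method with w = 1; -P is free, so every
    non-zero digit below the leading one costs exactly one addition."""
    digits = naf(k)
    return sum(1 for d in digits if d) - 1, len(digits) - 1

def average_additions(n):
    """Average additions over all n-bit scalars: binary method vs NAF method.
    The binary average is exactly (n-1)/2; the NAF average approaches n/3,
    as the Appendix B formula predicts for w = 1."""
    ks = range(1 << (n - 1), 1 << n)
    binary = sum(cost_binary(k)[0] for k in ks) / len(ks)
    signed = sum(cost_naf(k)[0] for k in ks) / len(ks)
    return binary, signed
```

For a 12-bit scalar the binary method averages 5.5 additions while the NAF recoding stays close to a third of the bit length; the regular methods of B.2 give up this saving in exchange for an operation sequence that does not depend on the key bits.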

B.2 Regular ECSMs

figure j (algorithm listing not reproduced)

Cost: \(n{\mathcal {A}}+ n{\mathcal {D}}\).

figure k (algorithm listing not reproduced)

Cost: \(n{\mathcal {A}}+ n{\mathcal {D}}\).

figure l (algorithm listing not reproduced)

Cost: \(n{\mathcal {A}}+ n{\mathcal {D}}\).

figure m (algorithm listing not reproduced)

Cost: \(n{\mathcal {A}}+ n{\mathcal {D}}\).

figure n (algorithm listing not reproduced)

Cost: \(n{\mathcal {A}}+ n{\mathcal {D}}\).

figure o (algorithm listing not reproduced)

Cost: \(n{\mathcal {A}}+ n{\mathcal {D}}\).
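The following Python is an added worked example, not code from the paper, tying together the Appendix A costs, the note 10 inversion trick and the two kinds of ECSM in Appendix B. It implements Jacobian point doubling and addition on \(y^2 = x^3 + ax + b\) with counters on the field multiplications and squares, so that the ecdbl (4 mmul, 6 msqr) and ecadd (12 mmul, 4 msqr) costs of Appendix A can be checked, and it runs the unregular left-to-right binary method of B.1 against the regular Montgomery ladder of B.2, counting curve additions \({\mathcal {A}}\) and doublings \({\mathcal {D}}\): the ladder performs the same number of each whatever the scalar, the binary method performs one addition per non-zero bit. The curve parameters are the published NIST P-256 values, an assumption made here only to have a realistic curve; the paper fixes no curve, and the function names are the paper's cost labels reused as identifiers.

```python
from collections import Counter

# NIST P-256 domain parameters (assumption: the paper fixes no curve; these
# standard values only make the arithmetic realistic and let results be checked).
P_MOD = 2**256 - 2**224 + 2**192 + 2**96 - 1
A_COEF = P_MOD - 3
B_COEF = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
BASE = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
        0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # the point at infinity, written O in the paper

ops = Counter()  # operation counters: mmul, msqr, ecadd, ecdbl

def mmul(x, y):
    ops["mmul"] += 1
    return x * y % P_MOD

def msqr(x):
    ops["msqr"] += 1
    return x * x % P_MOD

def on_curve(pt):
    return pt is INF or (pt[1] ** 2 - pt[0] ** 3 - A_COEF * pt[0] - B_COEF) % P_MOD == 0

def to_affine(P):
    """Jacobian (X, Y, Z) -> affine (X/Z^2, Y/Z^3); one field inversion."""
    if P is INF:
        return INF
    X, Y, Z = P
    zi = pow(Z, P_MOD - 2, P_MOD)
    return X * zi * zi % P_MOD, Y * zi * zi * zi % P_MOD

def shared_inverse(a, b):
    """Note 10: both inverses from a single field inversion."""
    c = pow(a * b % P_MOD, P_MOD - 2, P_MOD)  # c = (ab)^-1
    return c * b % P_MOD, c * a % P_MOD       # a^-1 = cb, b^-1 = ca

def ecdbl(P):
    """Jacobian doubling: 4 mmul + 6 msqr, the ecdbl cost of Appendix A."""
    ops["ecdbl"] += 1
    if P is INF or P[1] == 0:
        return INF
    X1, Y1, Z1 = P
    YY = msqr(Y1)
    S = 4 * mmul(X1, YY) % P_MOD                               # S = 4 X1 Y1^2
    M = (3 * msqr(X1) + mmul(A_COEF, msqr(msqr(Z1)))) % P_MOD  # M = 3 X1^2 + a Z1^4
    X3 = (msqr(M) - 2 * S) % P_MOD
    Y3 = (mmul(M, (S - X3) % P_MOD) - 8 * msqr(YY)) % P_MOD    # M (S - X3) - 8 Y1^4
    return X3, Y3, 2 * mmul(Y1, Z1) % P_MOD                    # Z3 = 2 Y1 Z1

def ecadd(P, Q):
    """Jacobian addition: 12 mmul + 4 msqr, the ecadd cost of Appendix A;
    the O and P = +-Q cases are handled so scalar multiplication never fails."""
    ops["ecadd"] += 1
    if P is INF:
        return Q
    if Q is INF:
        return P
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    Z1Z1, Z2Z2 = msqr(Z1), msqr(Z2)
    U1, U2 = mmul(X1, Z2Z2), mmul(X2, Z1Z1)        # X1 Z2^2, X2 Z1^2
    S1 = mmul(Y1, mmul(Z2, Z2Z2))                   # Y1 Z2^3
    S2 = mmul(Y2, mmul(Z1, Z1Z1))                   # Y2 Z1^3
    H, R = (U2 - U1) % P_MOD, (S2 - S1) % P_MOD
    if H == 0:                                      # same x: P == Q or P == -Q
        return ecdbl(P) if R == 0 else INF
    HH = msqr(H)
    HHH = mmul(H, HH)
    V = mmul(U1, HH)
    X3 = (msqr(R) - HHH - 2 * V) % P_MOD
    Y3 = (mmul(R, (V - X3) % P_MOD) - mmul(S1, HHH)) % P_MOD
    return X3, Y3, mmul(mmul(Z1, Z2), H)           # Z3 = Z1 Z2 H

def double_and_add(k, P):
    """Unregular left-to-right binary method (B.1): n D plus one A per set bit."""
    R = P
    for bit in bin(k)[3:]:            # bits below the most significant one
        R = ecdbl(R)
        if bit == "1":
            R = ecadd(R, P)
    return R

def montgomery_ladder(k, P):
    """Regular Montgomery ladder (B.2): one A and one D per bit, whatever its value."""
    R0, R1 = P, ecdbl(P)              # invariant: R1 - R0 = P
    for bit in bin(k)[3:]:
        if bit == "0":
            R1, R0 = ecadd(R0, R1), ecdbl(R0)
        else:
            R0, R1 = ecadd(R0, R1), ecdbl(R1)
    return R0

def ecsm(method, k, pt):
    """Compute [k]pt with the given method; return (affine result, #ecadd, #ecdbl)."""
    ops.clear()
    result = to_affine(method(k, (pt[0], pt[1], 1)))
    return result, ops["ecadd"], ops["ecdbl"]
```

Running `ecsm(double_and_add, 0b1011, BASE)` reports 2 additions and 3 doublings, while `ecsm(montgomery_ladder, k, BASE)` reports 3 additions and 4 doublings for every 4-bit scalar: the ladder's operation sequence, and hence its simple-power-analysis profile, does not depend on the key bits, which is exactly the property the regular ECSMs of B.2 pay \(n{\mathcal {A}} + n{\mathcal {D}}\) for.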


Cite this article

Danger, JL., Guilley, S., Hoogvorst, P. et al. A synthesis of side-channel attacks on elliptic curve cryptography in smart-cards. J Cryptogr Eng 3, 241–265 (2013). https://doi.org/10.1007/s13389-013-0062-6
