A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems

  • Authors:
  • Louis Goubin

  • Affiliations:
  • -

  • Venue:
  • PKC '03 Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography: Public Key Cryptography
  • Year:
  • 2003

Quantified Score

Hi-index 0.00

Visualization

Abstract

As Elliptic Curve Cryptosystems are becoming more and more popular and are included in many standards, an increasing demand has appeared for secure implementations that are not vulnerable to side-channel attacks. To achieve this goal, several generic countermeasures against Power Analysis have been proposed in recent years.In particular, to protect the basic scalar multiplication - on an elliptic curve - against Differential Power Analysis (DPA), it has often been recommended using "random projective coordinates", "random elliptic curve isomorphisms" or "random field isomorphisms". So far, these countermeasures have been considered by many authors as a cheap and secure way of avoiding the DPA attacks on the "scalar multiplication" primitive. However we show in the present paper that, for many elliptic curves, such a DPA-protection of the "scalar" multiplication is not sufficient. In a chosen message scenario, a Power Analysis attack is still possible even if one of the three aforementioned countermeasures is used. We expose a new Power Analysis strategy that can be successful for a large class of elliptic curves, including most of the sample curves recommended by standard bodies such as ANSI, IEEE, ISO, NIST, SECG or WTLS.This result means that the problem of randomizing the basepoint may be more difficult than expected and that "standard" techniques have still to be improved, which may also have an impact on the performances of the implementations.