Classical formulae for point additions and point doublings on elliptic curves differ. This can make a side channel attack possible on a single EGG point multiplication by using simple power analysis (SPA) to observe the different times for the component point operations. Under the usual binary exponentiation algorithm, the deduced presence or absence of a point addition indicates a 1 or 0 respectively in the secret key, thus revealing the key in its entirety. Several authors have produced unified code for these operations in order to avoid this weakness. Although timing differences are thereby eliminated from this code level, it is shown that SPA attacks may still be possible on selected single point multiplications if there is sufficient side channel leakage at lower levels. Here a conditional subtraction in Montgomery modular multiplication (MMM) is assumed to give such leakage, but other modular multipliers may be equally susceptible to attack. The techniques are applicable to a single decryption or signature even under prior blinding of both the input text and the secret key. This means that one should use a constant time implementation of MMM even if the secret key is blinded or replaced every time, and all side channel leakage should be minimised, whatever multiplier is used. © International Association for Cryptologic Research 2004.
CITATION STYLE
Walter, C. D. (2004). Simple power analysis of unified code for ECC double and add. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 3156, 191–204. https://doi.org/10.1007/978-3-540-28632-5_14
Mendeley helps you to discover research relevant for your work.