Projective coordinates leak

Abstract

Denoting by P = [k]G the elliptic-curve double-and-add multiplication of a public base point G by a secret k, we show that allowing an adversary access to the projective representation of P, obtained using a particular double and add method, may result in information being revealed about k. Such access might be granted to an adversary by a poor software implementation that does not erase the Z coordinate of P from the computer's memory or by a computationally- constrained secure token that sub-contracts the affine conversion of P to the external world. From a wider perspective, our result proves that the choice of representation of elliptic curve points can reveal information about their underlying discrete logarithms, hence casting potential doubt on the appropriateness of blindly modelling elliptic-curves as generic groups. As a conclusion, our result underlines the necessity to sanitize Z after the affine conversion or, alternatively, randomize P before releasing it out. © International Association for Cryptologic Research 2004.