Elliptic curve scalar multiplication: Attacks vs. Countermeasures

[Last update: 09/17/09]

SPA
SEMA

DPA
DEMA

Doubling
Attack

Refined
PA

Safe
error

Invalid
Point

Invalid curve

Sign
change

Twist
curve

Double-add-always

--

--

--

×H

--

--

*

--

Balanced PA/PD

--

--

--

*H

--

--

*

--

Montgomery Ladder

--

--

--

*

--

--

*

×H

Randomized splitting key

--

--?

--

--

--?

Scalar randomization

--

×

--

--?

--

--

--?

--

Base point blinding

--

×

--

--

*?

*?

--

--

Randomized proj. coord.

--

×

--

--

--

--

--

Point validity check

--

--

--

--

*H

×

×H

*

Curve integrity check

--

--

--

--

--

--?

--

--

Coherence check

--

--

--

--

--

--

--?

*

--

Combined

*

*

*




Related work


[CHES 1999] [Coron] Resistance against differential power analysis for elliptic curve cryptosystems


[IEEE TOC 2000][Yen, Joye] Checking before output may not be enough against fault-based


[Crypto2000][Biehl, Meyer, Muller] Differential Fault Attacks on Elliptic Curve Cryptosystems


[CHES 2001][Joye, Tymen] Protections against differential analysis for elliptic curve [algebraic]


[CHES2002] [Joye, Yen] The montgomery powering ladder


[CHES2003][Fouque, Valette] The doubling attack - why upwards is better than downwards


[PKC2003][Goubin] A refined power-analysis attack on elliptic curve cryptosystems


[ICICS2003] [Ciet, Joye] Free randomization techniques for elliptic curve cryptography


[IndoCrypt2003][Izu, Moller, Takagi] Improved elliptic curve multiplication methods resistant against side channel attacks


[DCC2005][Ciet, Joye] Elliptic curve cryptosystems in the presence of permanent and transient faults


[FDTC2006][Blomer, Otto, Seifert] Sign Change Fault Attacks on Elliptic Curve Cryptosystems


[FDTC2008][Fouque, Lercier, Real, Valette] Fault attack on Elliptic curve with Montgomery Ladder Implementations


[CHES2008][Fouque, Real, Valette, Drissi] The carry leakage on the randomized exponent countermeasure



This page has been visited times