SMART-CARD IMPLEMENTATION OFELLIPTIC CURVE CRYPTOGRAPHYAND DPA-TYPE ATTACKS

Marc JoyeGemplus, Card Security GroupLa Vigie, Avenue des Jujubiers, ZI Athélia IV, 13705 La Ciotat Cedex, Francemarc.joye@gemplus.com

Abstract This paper analyzes the resistance of smart-card implementations of el-liptic curve cryptography against side-channel attacks, and more specif-ically against attacks using differential power analysis (DPA) and vari-ants thereof. The use of random curve isomorphisms is a promisingway (in terms of efficiency) for thwarting DPA-type for elliptic curvecryptosystems but its implementation needs care.

Various generalized DPA-type attacks are presented against improperimplementations. Namely, a second-order DPA-type attack is mountedagainst an additive variant of randomized curve isomorphisms and a“refined” DPA-type attack against a more general variant. Of indepen-dent interest, this paper also provides an exact analysis of second-orderDPA-type attacks.

Keywords: Smart-card implementations, elliptic curve cryptography, side-channelanalysis, DPA-type attacks.

1. Introduction

With shorter key lengths, elliptic curve cryptography has received in-creased commercial acceptance and is already available in several smart-card products. It is supported by several standardization bodies, includ-ing ANSI, IEEE, ISO and NIST.

Because they better fit the constrained environment of smart cards, el-liptic curve cryptosystems are particularly relevant to smart-card imple-mentations. Until recently, efficient implementation meant fast runningtime and small memory requirements. Nowadays, an efficient imple-mentation must also be protected against attacks and more particularlyagainst side-channel attacks (e.g., based on timing analysis (TA) [11] oron simple/differential power analysis (SPA/DPA) [12]).

116 Marc Joye

Two classes of elliptic curves are mainly used in cryptography: (non-supersingular) elliptic curves over binary fields (a.k.a. binary ellipticcurves) and elliptic curves over large prime fields. The former class maybe preferred for smart card implementations as arithmetic in character-istic two can be made very efficient [6, 14] (especially in hardware). Seealso [8].

In this paper, we show how to implement in a proper yet efficient waycountermeasures against DPA-type attacks for binary elliptic curve cryp-tosystems. Of independent interest, we also provide an exact analysis ofsecond-order DPA [12, 13].

The rest of this paper is organized as follows. In the next section,we briefly review known countermeasures meant to prevent DPA-typeattacks. In Section 3, we detail the additive and multiplicative variantsof point randomization using curve isomorphisms. We point out thatthe additive variant may succumb to a DPA-type attack if the slope,resulting in the addition of two elliptic curve points, is implemented ina straightforward way. Next, we mount a second-order DPA-type attackagainst another additive variant using a randomized slope in Section 4.In Section 5, we describe an attack against the multiplicative variant.This attack also applies to the more general randomized curve isomor-phisms, combining both the additive and the multiplicative variants.Finally, we conclude in Section 6.

2. DPA-type Countermeasures

The basic operation in elliptic curve cryptography is the point mul-tiplication: on input point P and scalar point is returned.DPA-type countermeasures include the randomization of and/or P.

Let E be a nonsupersingular elliptic curve over given by the(short) Weierstrass equation

and let P and be points on E.

The usual way to randomize in the computation of consistsin adding a random multiple of the order of E (or of [5]:

for a random and then Q is evaluated as Another optionis to split in two (or several) shares [2, 4] (see also [17]):with and for a random and thenFurther countermeasures dedicated to Koblitz curves (i.e., curves givenby Eq. (1) with and are presented in [9, 10].

Smart-Card Implementation of Elliptic Curve Cryptography 117

Figure 1. Randomized evaluation of

Point P can be randomized using a randomized projective represen-tation [5] or a randomized field or curve isomorphism [10]. The useof randomized curve isomorphisms leads to better performances (andis easier to implement) than the use of randomized field isomorphisms.Furthermore, it better suits binary curves as it allows to represent pointswith affine coordinates (and so runs faster [6, 14]). However, as we willdemonstrate in the next section, its implementation needs care.

3. Randomized Curve IsomorphismsUsing randomized curve isomorphisms, a point P on an elliptic curve

E is randomized as on for a random curveisomorphism and then is evaluated as

More specifically, over a point on the ellipticcurve

is mapped to point on the isomorphiccurve

where

and with (see [15, Table III. 1.2]).

As already noted in [10], the short Weierstrass equation (i.e., Eq. (2)where and cannot be used for E* as this implies

and and hence let unchanged the of point

118 Marc Joye

3.1 Additive randomization of PIn [3], Ciet and Joye overcome the above limitation by working on the

extended Weierstrass equation

which, from Eq. (3), corresponds to (and thus ). Forsimplicity, they also set the value of to 0. As a result, point

is randomized into

Although both the and of P are now randomized, thistechnique cannot be used naively in a point multiplication algorithm.Indeed, a closer look at the addition formulas shows that the slope givenby the chord-and-tangent law, remains invariant.

Let and (with denote pointson the randomized elliptic curve given by Eq. (4). Then the sum

is defined as with

where when and otherwise

(see [15, III.2.3c]). Recall that (i) we are working in characteristic two,(ii) and for and (iii) and

Hence, we see that the slope

domly choose leading to the more general randomization,

does not depend on randoms and (we write the correspondingvalue), and consequently may be subject to a DPA-type attack (seee.g. [5]).

Randomly choosing The first idea that comes to mind is to ran-

Smart-Card Implementation of Elliptic Curve Cryptography 119

In this case, the slope involved in the addition of andbecomes

and hence is masked with the value of It should be noted that theevaluation of needs to be carefully implemented. In particular, fieldregisters cannot contain the values of non-randomized values (e.g.,

) as otherwise a DPA-type attack could still be mounted.Unfortunately, as we will see in Section 4, such an implementation

may succumb to a second-order DPA-type attack. It should however benoted that second-order DPA-type attacks are much harder to mountsince the attacker needs to know where/when certain operations aredone.

3.2 Multiplicative randomization of PThe coordinates of point can also be randomized in a

multiplicative way. Randomly choosing and pointP becomes

on the isomorphic curve

Let and pointson the randomized elliptic curve given by Eq. (8). Then the sum

is denned as with

where when and otherwise.

Again, denoting by the slope corresponding to the addition ofand on the initial curve, we see that is multiplicatively blinded:

(with denote

120 Marc Joye

4. A Second Order DPA-type AttackHigher-order side-channel attacks [12] combine several samples within

a single side-channel trace.To ease the presentation, we consider the simplified Hamming-weight

model for power leakage [13]. This model assumes that the instantaneouspower consumption (C) is linearly related to the Hamming weight (H):

for some constants and

Using the additive randomization (see Eq. (5) or (6)), pointon the elliptic curve E is randomized as

on the isomorphic elliptic curve givenby Eq. (4). Point is then evaluated asRecall that the attacker’s goal is to recover the value of(or a part thereof) during the evaluation of Q. W.l.o.g., we assumethat the point multiplication is carried out with the left-to-right binaryalgorithm and that the attacker already knows the leading bits of

with He now wants to know the value of thenext bit of namely

Let represent the instantaneous power consumption when randomis drawn in Let also represent the instantaneous power

consumption when the of point is handled in aregister. For any point we can write sinceaddition in is equivalent to a bit-wise XOR operation. From thisobservation, the attacker guesses that and produces two equal-sizesets, and of random points, defined as

where and is a Boolean selection functionreturning for the value of a given bit (in the repre-sentation) of the of point Let

and The next step con-sists in computing the two average differential power consumptions (inabsolute value),

and the second-order DPA operator

Smart-Card Implementation of Elliptic Curve Cryptography 121

If (i.e., if there are DPA peaks) then the guess of the attackerwas right, i.e., otherwise the attacker deduces that SeeAppendix A for a detailed proof. The attack proceeds iteratively in thesame way until the value of is recovered.

5. A Refinement of Goubin’s AttackIn [7], Goubin observes that the of a point

with is not randomized using the multiplicative randomization(see Eq. (7)). The same holds when considering the ofpoint with Over binary fields, elliptic curvepoints on Weierstrass curve (1) with their equal to 0 arepoints of order two. They are easily avoided with the cofactor variant incryptographic protocols [16, Section 3]. Points of large order with their

equal to 0 can also be defended against by using the Mont-gomery ladder as the is not used in this point multiplicationalgorithm [16, Section 5).

Another way for thwarting Goubin’s attack is to use the more generalrandomization (see e.g. [1, § 2.3]).We will show that this method succumbs to a “refined” power analysis.

We assume that the cofactor variant is not applied and so points withtheir equal to 0 are valid inputs to the point multiplica-tion algorithm. An elliptic curve over always possesses a pointof order two. Namely, the point satisfies Weierstrassequation

for some randoms andNext, the attacker computes the average differential power consump-

tion (remember that the computation of is randomized),

As in the attack of the previous section, we assume w.l.o.g. that thepoint multiplication, is evaluated with a left-to-right binaryalgorithm. The attacker’s goal is to recover the value of in the binaryrepresentation of scalar

The attacker guesses that andDefinerepeatedly feeds the point multiplication algorithm with point

As is of order two, it is worth noting thatHence, when it follows that

122 Marc Joye

where and denote the instantaneous power consumptionswhen the of point is handled and when israndomly drawn from respectively. With the (idealized) modelgiven by Eq. (9), this yields when If then theattacker can deduce that

6. Conclusion

This paper analyzed the resistance of elliptic curve cryptosystemsagainst DPA-type attacks. Several new attacks were mounted againstimplementations improperly using randomized curve isomorphisms as ameans for thwarting DPA-type attacks.

Since all the attacks presented in this paper require averaging severalside-channel traces with the same input multiplier, the lesson is thatpoint randomization techniques should be always used in conjunctionwith multiplier randomization techniques.

AcknowledgmentsThe author would like to thank to Francis Olivier, Pascal Paillier and

Berry Schoenmakers for useful comments.

Smart-Card Implementation of Elliptic Curve Cryptography 123

Appendix: Second-Order DPA PeaksThis appendix explains in further details why second-order DPA peaks reveal the

value of the multiplier-bit in a second-order DPA. We use the notations of Section 4.We have to show that means that and 0 otherwise.

Proof. Assume that Then we have andHence, we get

and

provided that the number of power consumption traces is sufficiently large. Moreover,we have

We also have

and thus

124 Marc Joye

This in turn implies

and consequently

On the contrary, when both sets and behave as random (i.e., uncor-related) sets. Therefore, provided that the number of power consumption traces issufficiently large, we have

and so

From

an analysis similar to the one given in [13] would erroneously deduce thatwhen and otherwise. The conclusion, however, remains correct.

References

R.M. Avanzi. Countermeasures against differential power analysis for hyperel-liptic curve cryptosystems. In C.D. Walter, Ç.K. Koç and C. Paar, editors,Cryptographic Hardware and Embedded Systems – CHES 2003, volume 2779 ofLecture Notes in Computer Science, pages 366–381. Springer-Verlag, 2003.S. Chari, C.S. Jutla, J.R. Rao, and P. Rohatgi. Towards sound approaches tocounteract power-analysis attacks. In M. Wiener, editor, Advances in Cryptology– CRYPTO ’99, volume 1666 of Lecture Notes in Computer Science, pages 398–412. Springer-Verlag, 1999.M. Ciet and M. Joye. (Virtually) free randomization techniques for elliptic curvecryptography. In S. Qing, D. Gollmann, and J. Zhou, editors, Information andCommunications Security (ICICS 2003), volume 2836 of Lecture Notes in Com-puter Science, pages 348–359. Springer-Verlag, 2003.C. Clavier and M. Joye. Universal exponentiation algorithm: A first step to-wards provable SPA-resistance. In Ç.K. Koç, D. Naccache, and C. Paar, editors,Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 ofLecture Notes in Computer Science, pages 300–308. Springer-Verlag, 2001.J.-S. Coron. Resistance against differential power analysis for elliptic curve cryp-tosystems. In Ç.K. Koç and C. Paar, editors, Cryptographic Hardware and Em-bedded Systems – CHES ’99, volume 1717 of Lecture Notes in Computer Science,pages 292–302. Springer-Verlag, 1999.E. De Win, S. Mister, B. Preneel, and M. Wiener. On the performance of signa-ture schemes based on elliptic curves. In J.P. Buhler, editor, ANTS-3: Algorith-mic Number Theory, volume 1423 of Lecture Notes in Computer Science, pages252–266. Springer-Verlag, 1998.

[1]

[2]

[3]

[4]

[5]

[6]

Smart-Card Implementation of Elliptic Curve Cryptography 125

L. Goubin. A refined power analysis attack on elliptic curve cryptosystems. InY.G. Desmedt, editor, Public Key Cryptography – PKC 2003, volume 2567 ofLecture Notes in Computer Science, pages 199–211. Springer-Verlag, 2003.D. Hankerson, J. López Hernandez, and A. Menezes. Software implementation ofelliptic curve cryptography over binary fields. In Ç.K. Koç and C. Paar, editors,Cryptographic Hardware and Embedded Systems – CHES 2000, volume 1965 ofLecture Notes in Computer Science, pages 1–24. Springer-Verlag, 2000.M.A. Hasan. Power analysis attacks and algorithmic approaches to their counter-measures for Koblitz cryptosystems. In Ç.K. Koç and C. Paar, editors, Crypto-graphic Hardware and Embedded Systems – CHES 2000, volume 1965 of LectureNotes in Computer Science, pages 93–108. Springer-Verlag, 2000.M. Joye and C. Tymen. Protections against differential analysis for elliptic curvecryptography: An algebraic approach. In Ç.K. Koç, D. Naccache, and C. Paar,editors, Cryptographic Hardware and Embedded Systems – CHES 2001, volume2162 of Lecture Notes in Computer Science, pages 377–390. Springer-Verlag,2001.P. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, andother systems. In N. Koblitz, editor, Advances in Cryptology – CRYPTO ’96,volume 1109 of Lecture Notes in Computer Science, pages 104–113. Springer-Verlag, 1996.P.C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In M. Wiener,editor, Advances in Cryptology – CRYPTO ’99, volume 1666 of Lecture Notes inComputer Science, pages 388–397. Springer-Verlag, 1999.T.S. Messerges. Using second-order power analysis to attack DPA resistant soft-ware. In Ç.K. Koç and C. Paar, editors, Cryptographic Hardware and EmbeddedSystems – CHES 2000, volume 1965 of Lecture Notes in Computer Science, pages238–251. Springer-Verlag, 2000.R. Schroeppel, H. Orman, S. O’Malley, and O. Spatscheck. Fast key exchangewith elliptic curve systems. In D. Coppersmith, editor, Advances in Cryptology– CRYPTO ’95, volume 963 of Lecture Notes in Computer Science, pages 43–56.Springer-Verlag, 1995.J.H. Silverman. The arithmetic of elliptic curves, volume 106 of Graduate Textsin Mathematics. Springer-Verlag, 1986.N.P. Smart. An analysis of Goubin’s refined power analysis attack. In C.D. Wal-ter, Ç.K. Koç, and C. Paar, editors, Cryptographic Hardware and Embedded Sys-tems – CHES 2003, volume 2779 of Lecture Notes in Computer Science, pages281–290. Springer-Verlag, 2003.E. Trichina and A. Bellezza. Implementation of elliptic curve cryptography withbuilt-in countermeasures against side channel attacks. In B.S. Kaliski Jr., Ç.K.Koç, and C. Paar, editors, Cryptographic Hardware and Embedded Systems -CHES 2002, volume 2523 of Lecture Notes in Computer Science, pages 98–113.Springer-Verlag, 2003.

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]