Zero-value point attacks on elliptic curve cryptosystem

Toru Akishita, Tsuyoshi Takagi

Research output: Contribution to journal › Article

73 Citations (Scopus)

Abstract

The differential power analysis (DPA) might break the implementation of elliptic curve cryptosystem (ECC) on memory constraint devices. Goubin proposed a variant of DPA using the point (0, y), which is not randomized in Jacobian coordinates or in the isomorphic class. This point often exists in the standard curves, and we have to care about this attack. In this paper, we propose the zero-value point attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, the auxiliary registers might take zero-value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x, y) which cause the zero-value registers, e.g., (1) $3x^2 + a = 0$, (2) $5x^4 + 2ax^2 - 4bx + a^2 = 0$, (3) P is y-coordinate self-collision point, etc. We demonstrate the standard curves that have these points. Interestingly, some conditions required for the zero-value attack depend on the explicit implementation of the addition formula - in order to resist this type of attack, we have to care about how to implement the addition formula. Finally, we note that Goubin's attack and the proposed attack assume that the base point P can be chosen by the attacker and the secret scalar d is fixed, so that they are not applicable to ECDSA signature generation.

Original language: English
Pages (from-to): 218-233
Number of pages: 16
Journal: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 2851
Publication status: Published - Dec 1 2003

Fingerprint

Elliptic Curve Cryptosystem
Cryptography
Attack
Zero
Differential Power Analysis
Addition formula
P-point
Data storage equipment
Curve
Randomisation
Resist
Signature
Collision
Isomorphic
Scalar

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Zero-value point attacks on elliptic curve cryptosystem. / Akishita, Toru; Takagi, Tsuyoshi.

In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 2851, 01.12.2003, p. 218-233.


@article{de9300f557b8457b80b199918932492f,
title = "Zero-value point attacks on elliptic curve cryptosystem",
abstract = "The differential power analysis (DPA) might break the implementation of elliptic curve cryptosystem (ECC) on memory constraint devices. Goubin proposed a variant of DPA using the point (0, y), which is not randomized in Jacobian coordinates or in the isomorphic class. This point often exists in the standard curves, and we have to care about this attack. In this paper, we propose the zero-value point attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, the auxiliary registers might take zero-value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x, y) which cause the zero-value registers, e.g., (1) $3x^2 + a = 0$, (2) $5x^4 + 2ax^2 - 4bx + a^2 = 0$, (3) P is y-coordinate self-collision point, etc. We demonstrate the standard curves that have these points. Interestingly, some conditions required for the zero-value attack depend on the explicit implementation of the addition formula - in order to resist this type of attack, we have to care about how to implement the addition formula. Finally, we note that Goubin's attack and the proposed attack assume that the base point P can be chosen by the attacker and the secret scalar d is fixed, so that they are not applicable to ECDSA signature generation.",
author = "Toru Akishita and Tsuyoshi Takagi",
year = "2003",
month = "12",
day = "1",
language = "English",
volume = "2851",
pages = "218--233",
journal = "Lecture Notes in Computer Science",
issn = "0302-9743",
publisher = "Springer Verlag",

}

TY - JOUR

T1 - Zero-value point attacks on elliptic curve cryptosystem

AU - Akishita, Toru

AU - Takagi, Tsuyoshi

PY - 2003/12/1

Y1 - 2003/12/1

N2 - The differential power analysis (DPA) might break the implementation of elliptic curve cryptosystem (ECC) on memory constraint devices. Goubin proposed a variant of DPA using the point (0, y), which is not randomized in Jacobian coordinates or in the isomorphic class. This point often exists in the standard curves, and we have to care about this attack. In this paper, we propose the zero-value point attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, the auxiliary registers might take zero-value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x, y) which cause the zero-value registers, e.g., (1) $3x^2 + a = 0$, (2) $5x^4 + 2ax^2 - 4bx + a^2 = 0$, (3) P is y-coordinate self-collision point, etc. We demonstrate the standard curves that have these points. Interestingly, some conditions required for the zero-value attack depend on the explicit implementation of the addition formula - in order to resist this type of attack, we have to care about how to implement the addition formula. Finally, we note that Goubin's attack and the proposed attack assume that the base point P can be chosen by the attacker and the secret scalar d is fixed, so that they are not applicable to ECDSA signature generation.

UR - http://www.scopus.com/inward/record.url?scp=35248871165&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=35248871165&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:35248871165

VL - 2851

SP - 218

EP - 233

JO - Lecture Notes in Computer Science

JF - Lecture Notes in Computer Science

SN - 0302-9743

ER -