### Abstract

Differential power analysis (DPA) might break implementations of elliptic curve cryptosystem (ECC) on memory constraint devices. Goubin proposed a variant of DPA using a point (0, y). which is not randomized in Jacobian coordinates or in an isomorphic class. This point often exists in standardized elliptic curves, and we have to care this attack. In this paper, we propose zero-value register attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, auxiliary registers might take zero value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x, y) which cause the zero-value registers, e.g., (1) 3x^{2}+a = 0, (2) 5x ^{4}+2ax^{2}-4bx+a^{2} = 0, (3) P is y-coordinate self-collision point, etc. We demonstrate the elliptic curves recommended in SECG that have these points. Interestingly, some conditions required for zero-value register attack depend on explicit implementation of addition formulae - in order to resist this type of attacks, we have to care how to implement the addition formulae. Finally, we note that Goubin's attack and the proposed attack assume that a base point P can be chosen by attackers and a secret scalar d is fixed, so that they are not applicable to ECDSA.

Original language | English |
---|---|

Pages (from-to) | 132-139 |

Number of pages | 8 |

Journal | IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences |

Volume | E88-A |

Issue number | 1 |

DOIs | |

Publication status | Published - Jan 1 2005 |

### Fingerprint

### All Science Journal Classification (ASJC) codes

- Signal Processing
- Computer Graphics and Computer-Aided Design
- Electrical and Electronic Engineering
- Applied Mathematics

### Cite this

*IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences*,

*E88-A*(1), 132-139. https://doi.org/10.1093/ietfec/E88-A.1.132

**Zero-value register attack on elliptic curve cryptosystem.** / Akishita, Toru; Takagi, Tsuyoshi.

Research output: Contribution to journal › Article

*IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences*, vol. E88-A, no. 1, pp. 132-139. https://doi.org/10.1093/ietfec/E88-A.1.132

}

TY - JOUR

T1 - Zero-value register attack on elliptic curve cryptosystem

AU - Akishita, Toru

AU - Takagi, Tsuyoshi

PY - 2005/1/1

Y1 - 2005/1/1

N2 - Differential power analysis (DPA) might break implementations of elliptic curve cryptosystem (ECC) on memory constraint devices. Goubin proposed a variant of DPA using a point (0, y). which is not randomized in Jacobian coordinates or in an isomorphic class. This point often exists in standardized elliptic curves, and we have to care this attack. In this paper, we propose zero-value register attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, auxiliary registers might take zero value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x, y) which cause the zero-value registers, e.g., (1) 3x2+a = 0, (2) 5x 4+2ax2-4bx+a2 = 0, (3) P is y-coordinate self-collision point, etc. We demonstrate the elliptic curves recommended in SECG that have these points. Interestingly, some conditions required for zero-value register attack depend on explicit implementation of addition formulae - in order to resist this type of attacks, we have to care how to implement the addition formulae. Finally, we note that Goubin's attack and the proposed attack assume that a base point P can be chosen by attackers and a secret scalar d is fixed, so that they are not applicable to ECDSA.

AB - Differential power analysis (DPA) might break implementations of elliptic curve cryptosystem (ECC) on memory constraint devices. Goubin proposed a variant of DPA using a point (0, y). which is not randomized in Jacobian coordinates or in an isomorphic class. This point often exists in standardized elliptic curves, and we have to care this attack. In this paper, we propose zero-value register attack as an extension of Goubin's attack. Note that even if a point has no zero-value coordinate, auxiliary registers might take zero value. We investigate these zero-value registers that cannot be randomized by the above randomization. Indeed, we have found several points P = (x, y) which cause the zero-value registers, e.g., (1) 3x2+a = 0, (2) 5x 4+2ax2-4bx+a2 = 0, (3) P is y-coordinate self-collision point, etc. We demonstrate the elliptic curves recommended in SECG that have these points. Interestingly, some conditions required for zero-value register attack depend on explicit implementation of addition formulae - in order to resist this type of attacks, we have to care how to implement the addition formulae. Finally, we note that Goubin's attack and the proposed attack assume that a base point P can be chosen by attackers and a secret scalar d is fixed, so that they are not applicable to ECDSA.

UR - http://www.scopus.com/inward/record.url?scp=27544441237&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=27544441237&partnerID=8YFLogxK

U2 - 10.1093/ietfec/E88-A.1.132

DO - 10.1093/ietfec/E88-A.1.132

M3 - Article

AN - SCOPUS:27544441237

VL - E88-A

SP - 132

EP - 139

JO - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

JF - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

SN - 0916-8508

IS - 1

ER -