Same value analysis on Edwards curves

Abstract

Recently, several research groups in cryptography have presented new elliptic curve models based on Edwards curves. These new curves were selected for their good performance and security perspectives. Cryptosystems based on elliptic curves in embedded devices can be vulnerable to side-channel attacks (SCA), such as simple power analysis (SPA) or differential power analysis. In this paper, we analyze the existence of special points—whose use in SCA is known as same value analysis (SVA)—in the case of Edwards elliptic curves. These special points can be identified through a power analysis of the scalar multiplication. We show that all Edwards curves recently proposed for standardization contain some of these points and are therefore unsafe against SVA. As a countermeasure, we use the isogeny volcano approach to find SVA-secure isogenous curves to those proposed for standardization.

Appendices

A Addition on Edwards curves in projective coordinates

Given the points \(P_i=(\lambda _i x_i,\lambda _i y_i, \lambda _i)\) for \(i=\{1, 2\}\) in projective coordinates on the Edwards curves E, we identify the degrees in \(\lambda _1\) and \(\lambda _2\) of the partial terms computed during the projective addition of \(P_1\) and \(P_2\). Variables with matching degrees in \(\lambda _1\) and \(\lambda _2\) could potentially be used to mount an SVA-type attack. However, it is not obvious how to construct the corresponding base point except for the first few bits of the scalar.

Algorithm 3 gives the projective addition formula for Edwards curves in projective coordinates. Due to the size of the identities, we only indicate the degrees of the parameters \(\lambda _1\) and \(\lambda _2\) of each operand and of the result (right side of the algorithm). The degrees in \(\lambda _1\) are given with index 1, and those in \(\lambda _2\) with index 2.

The following table gives lists of the partial variables with matching degrees in \(\lambda _1\) and \(\lambda _2\):

Degree of \(\lambda _1\lambda _2\)	Terms
\(1_11_2\)	\(\{A, C, D, H, J \}\)
\(2_22_2\)	\(\{B, E, F, G \}\)
\(3_13_2\)	\(\{I, K\}\)
\(4_14_2\)	\(\{X_3, Y_3, Z_3 \}\)

These sets of variables produce the following identities that could potentially be used to generate SVA-points:

$$\begin{aligned} x_1x_2&=1&\Rightarrow A&=C, \\ x_1y_2 + y_1x_2&=1&\Rightarrow A&=H, \\ y_1y_2&=1&\Rightarrow A&=D, \\ 1&=y_1y_2-x_1x_2&\Rightarrow A&=J, \\ x_1x_2&=y_1y_2&\Rightarrow C&=D, \\ x_1x_2&=x_1y_2 + y_1x_2&\Rightarrow C&=H, \\ 2x_1x_2&=y_1y_2&\Rightarrow C&=J, \\ y_1y_2&=x_1y_2 + y_1x_2&\Rightarrow D&=H, \\ x_1x_2&=0&\Rightarrow D&=J, \\ (x_1+y_1)(x_2+y_2)&=2y_1y_2&\Rightarrow H&=J, \\ dx_1x_2y_1y_2&=1&\Rightarrow B&=E, \\ x_1x_2y_1y_2&=0&\Rightarrow B&=F=G,\\ 2dx_1x_2y_1y_2&=1&\Rightarrow E&=F, \\ 2dx_1x_2y_1y_2&=0&\Rightarrow I&=K, \end{aligned}$$

$$\begin{aligned} \begin{array}{rr} \\ dx_1x_2y_1y_2&{}= 1 \\ \vee &{} \\ x_1y_2 + x_2y_1 - y_1y_2 + x_1x_2 &{}=0 \\ \\ \end{array}\Bigg \}&\Rightarrow X_3&=Y_3 \\ \begin{array}{rr} \\ dx_1x_2y_1y_2&{}= 1 \\ \vee &{} \\ x_1y_2+y_1x_2+1+dx_1x_2y_1y_2&{}=0 \\ \\ \end{array}\Bigg \}&\Rightarrow X_3&=Z_3 \\ \begin{array}{rr} \\ dx_1x_2y_1y_2&{}=-1 \\ \wedge &{} \\ y_1y_2-x_1x_2-c(1-dx_1x_2y_1y_2)&{}=0 \\ \\ \end{array}\Bigg \}&\Rightarrow Y_3&=Z_3 \end{aligned}$$

B Addition Twisted Edwards curves

The same analysis as in the previous section can be performed for projective addition in Twisted Edwards curve. The formula is given in Algorithm 4:

This gives the following lists of the partial variables with matching degrees in \(\lambda _1\) and \(\lambda _2\):

Degree of \(\lambda _1 \lambda _2\)	Terms
\(1_1 1_2\)	\(\{A, C, D, I, K \}\)
\(2_1 2_2\)	\(\{B, E, F, G \}\)
\(3_1 3_2\)	\(\{H, J \}\)
\(4_1 4_2\)	\(\{X_3, Y_3, Z_3 \}\)

which in turn produce the following identities that could potentially be used to generate SVA-points:

$$\begin{aligned} x_1x_2&=1&\Rightarrow A&=C, \\ y_1y_2&=1&\Rightarrow A&=D, \\ x_1y_2+y_1x_2&=1&\Rightarrow A&=I, \\ y_1y_2-ax_1x_2&=1&\Rightarrow A&=K, \\ x_1x_2&=y_1y_2&\Rightarrow C&=D, \\ x_1y_2+y_1x_2&=x_1x_2&\Rightarrow C&=I, \\ x_1x_2(1+a)&=y_1y_2&\Rightarrow C&=K, \\ x_1y_2+y_1x_2&=y_1y_2&\Rightarrow D&=I,\\ -ax_1x_2&=0&\Rightarrow D&=K, \\ x_1y_2+y_1x_2&=y_1y_2-ax_1x_2&\Rightarrow I&=K,\\ dx_1x_2y_1y_2&=1&\Rightarrow B&=E, \\ x_1x_2y_1y_2&=0&\Rightarrow B&=F=G, J=H,\\ 2dx_1x_2y_1y_2&=1&\Rightarrow E&=F,\\ y_1y_2&=1&\Rightarrow Y_3&=Z_3. \end{aligned}$$

$$\begin{aligned}&(1-dx_1x_2y_1y_2)(x_1y_2+y_1x_2)\\&\quad = (1+dx_1x_2y_1y_2)(y_1y_2+x_1x_2) \Rightarrow X_3=Y_3, \end{aligned}$$

$$\begin{aligned} \begin{array}{rr} \\ dx_1x_2y_1y_2&{}= 1 \\ \vee &{} \\ (x_1y_2 +y_1x_2)-(1-d(x_1x_2y_1y_2)&{}=0 \\ \\ \end{array}\Bigg \} \Rightarrow X_3=Y_3 \\ \end{aligned}$$

C Alternative DPA countermeasures

1.1 C.1 Scalar randomization countermeasures

Scalar Randomization [21] Select a random number d and compute the scalar multiplication \(Q=[k']P=[k+d(\# E)]P=[k]P+[d(\#E)]P=[k]P\), since \([d(\#E)]P=P_{\infty }\).

Exponent splitting [20] For any random number r is a \(n-\)bit random integer, that is, of the same bit length as k,  and computing \([k]P=[k-r]P+[r]P.\) However, generating a random number r is expensive, and this countermeasure requires at least twice the processing power since both \([k-r]P\) and [r]P need to be computed.¹

Trichina-Bellezza countermeasure [54] Trichina et al. proposed the following countermeasure. For any random number r, evaluate \([k]P = [kr^{-1}]([r]P )\). A disadvantage of this countermeasure is that it requires to compute the inverse of r modulo ord\(_E(P).\) Besides, two scalar multiplications are needed; first \(R=[r]P\) is computed and then \([kr^{-1}]R\).

Euclidean division [18] The scalar multiplication by k is written as \([k]P=[k \bmod r]P +[\lfloor k/r \rfloor ]([r]P).\) Letting \(S:=[r]P,\)\(k_1:=k \bmod r\) and \(k_2:= \lfloor k/r\rfloor \), we can obtain \(Q=[k]P\) as \([k_1]P+[k_2]S\) where the bit length of r is n / 2. To reduce the cost, Ciet presented a regular algorithm variant of Shamir’s double-ladder technique.

Self-randomized exponentiation [16] Given a scalar \(k=(k_l,\dots ,k_0)_2=\sum _{i=0}^l k_i 2^i\) with \(k_i \in \{0,1\}\) (in binary representation), define

$$\begin{aligned} k_{d \rightarrow j} :=(k_d, \dots , k_j)_2=\sum _{j\le i \le d}k_i 2^{i-j} , \end{aligned}$$

for \(0 \le j \le d \le k\).

The idea behind self-randomized exponentiation consists in taking part of k as a source of randomness. The algorithm relies on the simple observation that, for any \(0\le i_j \le l,\) we have.

$$\begin{aligned}{}[k]P&=[k_{l\rightarrow 0}]P\\&=[((k_{l\rightarrow 0}-k_{l\rightarrow i_1})-k_{l\rightarrow i_2})\dots -k_{i_f}]P\\&\quad +\,[k_{l\rightarrow i_1}]P+[k_{l\rightarrow i_2}]P+\dots +[k_{l\rightarrow i_f}]P . \end{aligned}$$

1.2 C.2 Base point randomization countermeasures

Base point blinding [21] A fixed (secret) point R is selected and \(S=[k]R\) is precomputed. Given P,  the computation of [k]P is replaced by that of \([k](P+R)\) and the known value \(S=[k]R\) is subtracted at the end of the computation.

1.3 C.3 Other countermeasures against special points attacks

Ciet-Joye\(2P^{*}\) Algorithm [18] Ciet and Joye proposed the \(2P^{*}\) Algorithm. This randomization method is applicable to left-to-right scalar multiplication algorithm. The idea is to randomize [2]P using the method of randomized projective coordinates. This allows to keep using P in affine coordinate (which is equivalent to saying that the Z-coordinate of P is equal to 1), and the scalar multiplication is computed in mixed coordinates (which is more efficient than using purely projective coordinates). Moreover, the algorithm can be applied for elliptic curve with parameter \(a = -3\) (which allows cheaper group operations).

Random field isomorphism [32] The idea of this countermeasure is to use a randomly selected representation of the field of definition of the elliptic curve, i.e., use a random field isomorphism \(\phi :\mathbb {K} \rightarrow \mathbb {K'}\) to obtain a point \(P'=\phi (P)\) of the curve \( E' = \phi (E)\), so the scalar multiplication is calculated as

$$\begin{aligned}{}[k]P=\phi ^{-1}([k](\phi (P))) \end{aligned}$$

This countermeasure has a major disadvantage: Special fields used in most standards, for example NIST and SEGC, use irreducible polynomials for which the reduction is much more efficient (for example, in characteristic two using trinomials or pentanomials in which most of the terms have very low degree), but this property is usually lost after the field isomorphism is applied, so the operations over the isomorphic fields can be much slower (see [4]).

Random curve isomorphism [32] The idea of this countermeasure is to transfer the base point \(P_1=(x,y)\in E_1(\mathbb {K})\) to a randomly selected isomorphic curve \(\phi :E_1(\mathbb {K}) \rightarrow E_2(\mathbb {K})\) (the parameters of the curve \(E_2(\mathbb {K})\) are \(a'=r^4 a\) and \(b'=r^6 b\)), the transferred point is \(\phi (P_1)=(r^2x, r^3y)=P_2\) and the scalar multiplication is executed as (\([k]P_2= [k]\phi (P_1)\)) on the curve \(E_2(\mathbb {K})\), and the result \(Q_2=(x_k, y_k)\) is brought back to the original curve \(E_1(\mathbb {K})\), by computing \(\displaystyle Q_1=[k]P=(x_k/r^2, y_k/r^3)=\phi ^{-1}([k](\phi (P)))\). The randomization takes \(4M+2S\) at the beginning of the scalar multiplication and \(1I+3M+1S\) at the end. However, when using random curve isomorphisms, the parameters of \(E_2(\mathbb {K})\) cannot be chosen and one cannot take advantage of algorithms that require curve parameters to be set to specific values. In particular, fast doubling formula for \(a=-3\) usually cannot be used.

Generalization Tunstall and Joye [55] define

$$\begin{aligned}\phi (P)=P'=(X', Y', Z')=(f^\mu X, f^\nu Y, Z) \end{aligned}$$

for an arbitrary \(f \in \mathbb {F}_q^\times \) and some small integers \(\mu \) and \(\nu .\) The inverse of \(\phi \) can be computed without inverting f since \(P=\phi ^{-1}(P')=(f^\nu X', f^\mu Y', f^{\mu +\nu }Z)\). The case \(\mu =2\), \(\nu =3\) correspond to the technique of random curve isomorphism of Joye and Tymen [32].

Projective randomization [21] Randomizing the homogeneous projective coordinates of the point \(P=(X:Y:Z)\) with \(\lambda \ne 0\) to \(P=(\lambda X : \lambda Y : \lambda Z)\). The random variable \(\lambda \) can be updated in every execution or after each doubling or addition. When computing the scalar multiplication using Jacobian coordinates, the point Q is represented as \(Q=(X : Y : Z)\). The point Q can be recovered to affine coordinate by computing \(x=X/Z^2\) and \(y=Y/Z^3\), and so we avoid the attack presented in [44]. Moreover, when using Jacobian coordinates, it is suggested to select curve parameters a as \(a=-3\). Using randomized projective coordinates is much more efficient, but does not allow \(\lambda \) to be set to one [50], i.e., scalar multiplication cannot use mixed coordinates (Jacobian or affine). This countermeasure is effective against Template Attacks [15].

1.4 C.4 Summary

In the following table, we present a summary of known DPA countermeasures, indicating whether they will block (\(\checkmark \)) or allow (\(\times \)) the three types of special points attacks mentioned in this paper: RPA, ZVP, and SVA.

See Table 15.

Table 15 Summary of known countermeasures