Preventing Differential Analysis in GLV Elliptic Curve Scalar Multiplication

In [2], Gallant, Lambert and Vanstone proposed a very efficient algorithm to compute Q = kP on elliptic curves having non-trivial, efficiently computable endomorphisms. Cryptographic protocols are sensitive to their implementations: as shown in [6,7], information about the secret can be revealed by analysing the external leakage of the device that carries it, typically a smart card. Several software countermeasures have been proposed to protect the secret; however, fast computation is needed for practical use. In this paper, we propose a method to protect scalar multiplication on elliptic curves against Differential Analysis that benefits from the speed of the Gallant, Lambert and Vanstone method. It can be viewed as a two-dimensional analogue of Coron's method [1] of randomising the exponent k. We propose two variants of this method (one linear and one affine); the second is slightly more effective, whereas the first offers "two in one", combining point blinding and exponent randomisation, which have hitherto been dealt with separately. For instance, for at most a mere 37.5% (resp. 25%) loss in computation speed on elliptic curves over fields of 160 (resp. 240) bits, the computation of kP can take on 2^40 different consumption patterns.
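The randomised decomposition the abstract describes, as an added Python illustration that is not from the paper: a short GLV lattice basis is built from the group order n and the endomorphism eigenvalue λ, k is split as k = k1 + k2·λ (mod n) by Babai rounding, and the pair is then shifted by a random lattice vector r1·v1 + r2·v2, the two-dimensional counterpart of Coron's k + r·n, which leaves kP unchanged while changing the scalars actually processed. The toy parameters (n = 2^61 - 1, λ a cube root of unity mod n) and the 20-bit-per-coordinate randomisation are constructed assumptions, not the paper's exact linear or affine variants or its cost figures.

```python
import secrets

def cube_root_of_unity(n):
    """A lambda with lambda**3 == 1 != lambda mod prime n (needs n == 1 mod 3)."""
    e = (n - 1) // 3
    return next(lam for lam in (pow(g, e, n) for g in range(2, n)) if lam != 1)

def glv_basis(n, lam):
    """Short basis of the lattice {(a, b) : a + b*lam == 0 mod n}, built from the
    extended-Euclid remainders r_i = s_i*n + t_i*lam as in the GLV construction."""
    r0, r1, t0, t1 = n, lam % n, 0, 1
    rows = [(r0, t0), (r1, t1)]
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
        rows.append((r1, t1))
    m1 = next(i for i, (r, _) in enumerate(rows) if r * r < n)  # first r_i below sqrt(n)
    v1 = (rows[m1][0], -rows[m1][1])
    cands = [(rows[i][0], -rows[i][1]) for i in (m1 - 1, m1 + 1) if i < len(rows)]
    v2 = min(cands, key=lambda v: v[0] * v[0] + v[1] * v[1])
    return v1, v2

def round_div(num, den):
    """Nearest integer to num/den with integer arithmetic only (halves round up)."""
    if den < 0:
        num, den = -num, -den
    return (2 * num + den) // (2 * den)

def glv_decompose(k, n, v1, v2):
    """Babai rounding of (k, 0) to the lattice: k1 + k2*lam == k mod n, |k1|, |k2| ~ sqrt(n)."""
    (a1, b1), (a2, b2) = v1, v2
    d = a1 * b2 - a2 * b1  # +-n, since v1, v2 generate the whole lattice
    c1, c2 = round_div(k * b2, d), round_div(-k * b1, d)
    return k - c1 * a1 - c2 * a2, -c1 * b1 - c2 * b2

def randomised_decompose(k, n, v1, v2, bits=20):
    """Two-dimensional analogue of Coron's k + r*n: shift (k1, k2) by a random lattice
    vector r1*v1 + r2*v2. kP is unchanged, each scalar grows by about `bits` bits, and
    there are 2**(2*bits) distinct splits (the 20-bit choice is an assumption)."""
    k1, k2 = glv_decompose(k, n, v1, v2)
    r1, r2 = secrets.randbits(bits), secrets.randbits(bits)
    return k1 + r1 * v1[0] + r2 * v2[0], k2 + r1 * v1[1] + r2 * v2[1]

def is_valid_split(k, k1, k2, n, lam):
    # (k1, k2) represents k exactly when k1*P + k2*(lam*P) == k*P, i.e. this congruence holds
    return (k1 + k2 * lam - k) % n == 0

# Constructed toy parameters: 2**61 - 1 is prime and 1 mod 3, so a cube root of unity exists.
N = 2**61 - 1
LAM = cube_root_of_unity(N)
```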

[1] Daniel M. Gordon et al. A Survey of Fast Exponentiation Methods. J. Algorithms, 1998.

[2] Jean-Jacques Quisquater et al. Analysis of the Gallant-Lambert-Vanstone Method Based on Efficient Endomorphisms: Elliptic and Hyperelliptic Curves. Selected Areas in Cryptography, 2002.

[3] Scott A. Vanstone et al. Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms. CRYPTO, 2001.

[4] J. Solinas. Low-Weight Binary Representations for Pairs of Integers. 2001.

[5] Marc Joye et al. Hessian Elliptic Curves and Side-Channel Attacks. CHES, 2001.

[6] Siva Sai Yerubandi et al. Differential Power Analysis. 2002.

[7] Jongin Lim et al. An Alternate Decomposition of an Integer for Faster Point Multiplication on Certain Elliptic Curves. Public Key Cryptography, 2002.

[8] Marc Joye et al. Protections against Differential Analysis for Elliptic Curve Cryptography. CHES, 2001.

[9] Paul C. Kocher et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO, 1996.

[10] Nigel P. Smart et al. Preventing SPA/DPA in ECC Systems Using the Jacobi Form. CHES, 2001.

[11] Jerome A. Solinas. An Improved Algorithm for Arithmetic on a Family of Elliptic Curves. CRYPTO, 1997.

[12] Bodo Möller et al. Securing Elliptic Curve Point Multiplication against Side-Channel Attacks. ISC, 2001.

[13] Jean-Sébastien Coron et al. Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems. CHES, 1999.