Preventing differential analysis in GLV elliptic curve scalar multiplication

Mathieu Ciet, Jean Jacques Quisquater, Francesco Sica

Research output: Contribution to journalArticlepeer-review

8 Citations (Scopus)

Abstract

In [2], Gallant, Lambert and Vanstone proposed a very efficient algorithm to compute Q = kP on elliptic curves having non-trivial efficiently computable endomorphisms. Cryptographic protocols are sensitive to implementations, indeed as shown in [6,7] information about the secret can be revealed analysing external leakage of the support, typically a smart card. Several software countermeasures have been proposed to protect the secret. However, speed computation is needed for practical use. In this paper, we propose & method to protect scalar multiplication on elliptic curves against Differential Analysis, that benefits from the speed of the Gallant, Lambert and Vanstone method. It can be viewed as a two-dimensional analogue of Coron's method [1] of randomising the exponent k. We propose two variants of this method (one linear and one affine), the second one slightly more effective, whereas the first one offers "two in one", combining point-blinding and exponent randomisation, which have hitherto been dealt separately. For instance, for at most a mere 37.5% (resp. 25%) computation speed loss on elliptic curves over fields with 160 (resp. 240) bits the computation of kP can take on 2 40 different consumption patterns.

Original languageEnglish
Pages (from-to)540-550
Number of pages11
JournalLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume2523
DOIs
Publication statusPublished - Jan 1 2003

Keywords

  • Differential power analysis
  • Elliptic curve cryptosystem
  • Fast computation
  • Public key cryptography

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Fingerprint Dive into the research topics of 'Preventing differential analysis in GLV elliptic curve scalar multiplication'. Together they form a unique fingerprint.

Cite this