Equidistribution Among Cosets of Elliptic Curve Points in Intervals

2.1 Character Sums

We recall the following standard lemma on character sums of abelian groups.

In particular, we will frequently use that lemma for the pairs {𝔽_q, Ψ} and {E(𝔽_q), Ω}. Additionally, for any subgroup H of E(𝔽_q), the subgroup Ω_H of Ω consisting of characters that vanish on H is canonically isomorphic to the character group of the quotient E(𝔽_q)/H. Applying the lemma above to that setting, it follows that:

Note also that, since for any finite abelian group, the pairing G × Ĝ → ℂ^* given by (g, ω) ↦ ω(g) is perfect, we have |G| = |Ĝ|. In particular:

(the index of H in E(𝔽_q)).

Let f be a non-constant rational function on E defined over 𝔽_q. For characters ω ∈ Ω and ψ ∈ Ψ, we consider the character sum defined by

The following estimate was established by Kohel and Shparlinski.

We will also rely on a bound on exponential sums on intervals of finite fields. Recall first the definition of an interval in 𝔽_q, for not necessarily prime q (see [4, §4]).

The result we need is then the following.

Description of fault attack with uniform faulty point in 𝔽_p

Recently, Takahashi, Tibouchi and Abe [8] presented fault attacks against the qDSA signature [6] instantiated over the Curve25519 Montgomery curve [1]. The qDSA signature scheme is a variant of Schnorr signatures instantiated over Montgomery curves, and it relies on x-only arithmetic based on the Montgomery ladder. We refer to [3] for more details on Montgomery curves and the Montgomery ladder.

Let E_A,B : y² = x(x² + Ax + B) be the Montgomery curve [5] over 𝔽_p under our consideration. The parameters are chosen such that E_A,B(𝔽_p) ≅ ℤ₈ × ℤ_n for some prime n. Arithmetic is carried out not on the curve itself, but on the Kummer line E_A,B/〈±1〉 ≅ ℙ¹, and a point Q on the curve is mapped to ± Q on the Kummer line, which is simply identified with the x-coordinate of Q. Given that x-coordinate and a scalar k, the Montgomery ladder efficiently computes ±[k]Q, i.e. the x-coordinate of the scalar multiplication of Q by k.

In qDSA, operations normally occur in the subgroup of E_A,B(𝔽_p) of prime order n, generated by some point P. In particular, the first step of signature generation is to compute ± R = ±[k]P for some secret, uniformly random nonce k, and ± R is in fact part of the resulting signature itself (so it is known to the adversary).

The idea in [8] is to inject faults into the device computing the qDSA signatures so as to replace the point P by a different faulty point P͠ still on E_A,B, but with different order. Then, even without knowing the exact value of P͠, one can deduce information on the least significant bits of the nonce k from the signature element ± R͠ = ±[k]P͠. This leakage on k (for sufficiently many signatures) can be used to apply Bleichenbacher’s attack [2] and recover the secret signing key.

In particular, we are interested in the case when P͠ is of exact order 8n. One can obtain such P͠ with probability approximately 1/4 if one assumes that the fault injection yields a faulty point P͠ whose x-coordinate x͠ ∈ 𝔽_p is uniformly random in 𝔽_p. Once such a P͠ is obtained, one can deduce the 3 least significant bits of k whenever k is divisible by 4: one computes R′ := [n](±R͠) = ±[nk] P͠ which has order dividing 8. If it is the point at infinity then we deduce k ≡ 0 (mod 8). On the other hand, if R′ is of exact order 2, we obtain k ≡ 4 (mod 8). Although one cannot hope to learn 3 least significant bits of k when k is not divisible by 4, one can simply throw away those signatures (those for which R′ is of order at least 4) and collect sufficiently many signatures with k divisible by 4.

Deducing the secret signing key from sufficiently many of those signature with 3-bit nonce leakage can then be done by a straightforward application of Bleichebacher’s attack; we refer to [8] for further details.

Attack with faulty point uniform in an interval I ⊂ 𝔽_p

The authors of [8] also gave a heuristic argument to justify the applicability of their attack when x͠ is non-uniform. Their observation is that, for the attack to succeed, it suffices that the faulty base point P͠ be of order 8n with significant probability.

We provide a more rigorous argument by applying our result in Section 3. In short, our result implies that if x͠ is uniformly random in an interval in 𝔽_p of size p^1/2+ϵ, instead of 𝔽_p itself, then P͠ is indistinguishable from a uniformly random element in E(𝔽_p)/〈P〉 ≅ ℤ₈ with negligible deviation. Since P͠ is of order exactly 8n if and only if it corresponds to elements in Z8∗, we deduce that the probability of a faulty base point yielding an element of order 8n is within negligible distance of 1/2 ⋅ 1/2 = 1/4 (where the former 1/2 is from P͠ to be in the original curve and the latter comes from |Z8∗|/|ℤ₈| = 1/2).

Concretely speaking, this means that a fault attack which randomly flips a fixed substring of bits in x of length slightly larger than half of the entire length of x provably satisfies the desired condition. Indeed, the set of resulting x-coordinates is a subset of 𝔽_p of the form {x₀, x₀ + 2^k, x₀ + 2^k ⋅ 2, ⋯, x₀ + 2^k ⋅ (2^ℓ – 1)} (where k is the position of the least significant bit modified by the fault attack, ℓ is the length of the corresponding bit string, and x₀ is the value obtained from x by zeroing out that substring of bits). This subset I is an interval in the sense of Definition 2.3, with β = 2^k, s = (x₀/2^k) mod p and t = 2^ℓ – 1, as required. Note that the distribution of points on E(𝔽_p) obtained by taking a random x in I and choosing a corresponding curve point if it exists (and try again otherwise) is not necessarily identical to the uniform distribution of points of E(𝔽_p) with an x-coordinate in I, because a given x may correspond to either one or two curve points. However, the two distributions are always statistically close, because there are at most 3 values of x with only one corresponding curve point (namely, the roots of the Weierstrass polynomial), and they only account for a negligible fraction of I. This is therefore sufficient for the stated purpose.

The fault model described above (a random flip of a substring of bits of x) can typically be realized using optical fault injection techniques [7] (such as laser faults on memory), as discussed in [8].