Article Open Access

Protecting ECC Against Fault Attacks: The Ring Extension Method Revisited

  • Marc Joye
Published/Copyright: August 1, 2020

Abstract

Due to its shorter key size, elliptic curve cryptography (ECC) is gaining more and more popularity. However, if not properly implemented, the resulting cryptosystems may be susceptible to fault attacks. Over the past few years, several techniques for secure implementations have been published. This paper revisits the ring extension method and its adaptation to the elliptic curve setting.

MSC 2010: 14H52; 14G50; 94A60; 68M15

1 Introduction

This paper deals with secure implementations [24] for ECC-based cryptosystems [10, 11, 20, 45, 49, 50] and, more specifically, with the development of efficient detection methods against fault attacks (or errors) [14]. Practical ways to mount fault attacks are surveyed in [4, 27]. See also [39, Part III] for a more recent and complete account.

1.1 Fault Attacks and Countermeasures

A fault attack disturbs the expected behavior of a security device and makes it work abnormally so as to infer sensitive data. Since their discovery in 1997, several countermeasures have been proposed. The key principle consists in computing a sensitive operation in a redundant way or in exploiting some redundancy already present in the calculation.

Shamir’s countermeasure

Most known countermeasures rely on an elegant method first suggested by Shamir [58] for RSA [55] using Chinese remaindering [53]. These include [2, 12, 18, 43, 61, 63] to name a few.

We follow the general presentation of [40]. Consider the ring ℤ/Nℤ of integers modulo N where N = pq is the product of two large primes. On input an element x ∈ ℤ/Nℤ (for example, x is a ciphertext or the hash value of a message) and a private exponent d, the goal is to compute an RSA exponentiation, y = x^d mod N, in the presence of faults. In order to prevent fault attacks, the evaluation of y = x^d mod N is carried out in three steps as follows:

  1. Compute ŷ = x^d mod rN for a (small) integer r;

  2. Compute y′ = x^d mod r;

  3. Check whether ŷ ≡ y′ (mod r), and

    1. if so, output y = ŷ mod N;

    2. if not, return error.

Shamir’s method is an application of the Chinese remainder theorem (CRT). We obviously have ŷ ≡ y (mod N) and ŷ ≡ y′ (mod r) when the computations are not faulty. In the presence of random faults, the probability that a faulty ŷ still satisfies ŷ ≡ y′ (mod r) is about 1/r. Larger values for r imply a higher detection probability, but at the expense of more demanding computations.

Vigilant’s countermeasure

Another method was proposed at CHES 2008 by Vigilant [61]. Again, the goal is to perform a private RSA exponentiation, y = x^d mod N, in the presence of faults. The method goes as follows:

  1. Form X = CRT(x (mod N), 1 + r (mod r²)) for a (small) integer r;

  2. Compute ŷ = X^d mod r²N;

  3. Check whether ŷ ≡ 1 + dr (mod r²), and

    1. if so, output y = ŷ mod N;

    2. if not, return error.

In Step 1, CRT(⋅, ⋅) denotes an application of the Chinese remainder theorem; namely, the so-constructed X satisfies X ≡ x (mod N) and X ≡ 1 + r (mod r²).

Remark 1

When Vigilant’s method is applied to RSA with Chinese remaindering, special care needs to be exercised. A number of potential fault attacks against RSA-CRT are presented in [21]; implementation recommendations are also provided.

1.2 Elliptic Curve Cryptography

Elliptic curve cryptography [45, 50] is an interesting alternative to RSA because the keys are much shorter for a same conjectured security level. Given a point P on an elliptic curve E and a private integer d, the basic operation consists in computing the scalar multiplication [d]P, that is, P ⊞ P ⊞ ⋯ ⊞ P (d times) where ⊞ denotes the group operation on E. The goal of an attacker is to recover the value of d (or a part thereof) by inducing faults. See [1, 8, 13, 17, 42, 44, 51, 57] for examples of fault attacks against elliptic curve cryptosystems.

1.3 Our Contributions

Vigilant’s method presents a couple of advantages over Shamir’s method. In particular, it trades the small exponentiation y′ = x^d mod r against the multiplication 1 + dr mod r² = 1 + r ⋅ (d mod r) in the verification step. This latter operation is much faster. We note however that the evaluation of y′ in Shamir’s method can be sped up as x^{d mod φ(r)} mod r (where φ denotes Euler’s totient function), provided that the value of φ(r) is known. The correctness of Vigilant’s countermeasure can be seen as a consequence of the binomial theorem. This latter states that

$(1+r)^d = \sum_{j=0}^{d} \binom{d}{j} 1^{d-j} r^j = \sum_{j=0}^{d} \binom{d}{j} r^j = 1 + dr + \frac{d(d-1)}{2} r^2 + \cdots.$

Reducing this identity modulo r² yields (1 + r)^d ≡ 1 + dr (mod r²). Hence, since by construction X ≡ 1 + r (mod r²), the following relation holds modulo r²:

$\hat{y} \equiv X^d \equiv (1+r)^d \equiv 1 + dr \pmod{r^2}.$
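The two RSA countermeasures of Section 1.1, together with the binomial identity that justifies Vigilant’s check, as an added Python example that is not part of the paper. The toy primes p, q, the public exponent 65537 and the 32-bit randomizer are assumptions chosen so that the demo runs instantly; a deployment would use a production key and a constant-time exponentiation. The `fault` hook models a corrupted ŷ; note that a fault which leaves ŷ mod r (resp. ŷ mod r²) unchanged goes undetected, which is exactly the 1/r figure quoted above.

```python
# Added example, not from the paper: Shamir's and Vigilant's fault-detecting
# RSA exponentiations (Section 1.1), with an optional fault hook for testing.
import secrets


def crt(residues, moduli):
    """Solve x = residues[i] (mod moduli[i]) for pairwise coprime moduli."""
    total = 1
    for m in moduli:
        total *= m
    x = 0
    for a, m in zip(residues, moduli):
        q = total // m
        x += a * q * pow(q, -1, m)
    return x % total


def shamir_exp(x, d, N, r, fault=None):
    """Shamir: y_hat = x^d mod rN and y' = x^d mod r; accept iff y_hat = y' (mod r).
    `fault` (a callable on y_hat) models a fault hitting the main exponentiation."""
    y_hat = pow(x, d, r * N)
    if fault is not None:
        y_hat = fault(y_hat)
    y_prime = pow(x, d, r)          # small redundant exponentiation modulo r
    if y_hat % r != y_prime:
        return None                 # "error"
    return y_hat % N


def vigilant_exp(x, d, N, r, fault=None):
    """Vigilant: X = x (mod N), X = 1 + r (mod r^2); accept iff X^d = 1 + d r (mod r^2).
    The check costs one small multiplication r * (d mod r) instead of an exponentiation."""
    r2 = r * r
    X = crt([x % N, 1 + r], [N, r2])
    y_hat = pow(X, d, r2 * N)
    if fault is not None:
        y_hat = fault(y_hat)
    if y_hat % r2 != (1 + r * (d % r)) % r2:
        return None
    return y_hat % N


def binomial_identity_holds(r, d):
    """(1 + r)^d = 1 + d r (mod r^2): the reason Vigilant's check is correct."""
    return pow(1 + r, d, r * r) == (1 + d * r) % (r * r)


def toy_key():
    """Constructed toy RSA key (assumption: small primes, for a fast demo only)."""
    p, q = 1000003, 1000033
    N, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return N, e, d


if __name__ == "__main__":
    N, e, d = toy_key()
    x = secrets.randbelow(N)
    r = secrets.randbits(32) | (1 << 31) | 1   # fresh odd 32-bit randomizer per call
    expected = pow(x, d, N)
    assert shamir_exp(x, d, N, r) == expected
    assert vigilant_exp(x, d, N, r) == expected
    flip = lambda y: y ^ 1                      # a single-bit fault on y_hat
    print("Shamir detects bit flip:  ", shamir_exp(x, d, N, r, fault=flip) is None)
    print("Vigilant detects bit flip:", vigilant_exp(x, d, N, r, fault=flip) is None)
```

Both functions return `None` rather than a partial result on error; a real implementation would additionally avoid the `if` (see the infective-computation remark in Section 3.3) so that the comparison itself is not a single point of failure.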

Shamir’s countermeasure generalizes to the elliptic curve scalar multiplication (cf. Section 2). In contrast, Vigilant’s method does not readily lend itself to a generalization to elliptic curves. The reason is that there is no equivalent of the binomial theorem. We adopt a different approach and rely on the theory of formal groups as put forward in [26] for developing elliptic curve Paillier schemes. Doing so, we obtain a first efficient and versatile method to protect elliptic curve cryptosystems against fault attacks.

It is well known that the singular elliptic curve over the finite prime field 𝔽_r given by the Weierstraß equation y² = x³ is isomorphic to the additive group 𝔽_r^+; e.g., [34, Theorem 7.2]. Neves–Tibouchi [51] take advantage of this property to propose an efficient protection against fault attacks. They also extend their method to other models (including Edwards curves) with [less efficient] multiplicative isomorphisms. As a second contribution, we exhibit efficiently computable isomorphisms to the additive group (ℤ/rℤ)^+ for all elliptic curve models commonly used in cryptographic applications. This results in a second efficient and versatile method to protect against fault attacks.

Organization

The rest of this paper is organized as follows. In the next section, we review variants of Shamir’s countermeasure applied to ECC systems. Section 3 describes our general methodology for detecting faults with two possible realizations. Next, in Section 4, we apply it to a variety of elliptic curve models. Finally, we conclude the paper in Section 5.

2 Overcoming Fault Attacks

Shamir’s method generalizes to the elliptic curve scalar multiplication. We review hereafter two different implementations. The first countermeasure is due to Blömer–Otto–Seifert and known as the BOS countermeasure [13] while the second one is due to Baek–Vasyltsov [3].

BOS countermeasure

As aforementioned, the main operation for elliptic curve cryptography is the scalar multiplication. Specifically, the usual setting is the computation of Q = [d]P on an elliptic curve E defined over the prime field 𝔽_p, which is given by the Weierstraß equation E : y² = x³ + ax + b. The BOS countermeasure proceeds in five steps:

  1. For a (small) prime r, define an elliptic curve E′ over 𝔽_r and a point P′ on E′;

  2. Form the combined curve Ê = CRT(E, E′) over ℤ/prℤ and the combined point P̂ = CRT(P, P′);

  3. Compute Q̂ = [d]P̂ on Ê;

  4. Compute Q′ = [d]P′ on E′;

  5. Check whether Q̂ ≡ Q′ (mod r), and

    1. if so, output Q = Q̂ mod p;

    2. if not, return error.

Remark 2

If y² = x³ + a′x + b′ is the equation defining the elliptic curve E′ over 𝔽_r, CRT(E, E′) denotes the elliptic curve over ℤ/prℤ given by the equation y² = x³ + âx + b̂ where â = CRT(a (mod p), a′ (mod r)) and b̂ = CRT(b (mod p), b′ (mod r)); i.e., such that â ≡ a (mod p) and â ≡ a′ (mod r), and idem for b̂. Point P̂ is defined similarly from the coordinates of points P and P′.

In a concrete implementation, prime r, curve E′ and point P′ are precomputed so that the order of point P′ on E′, ord_{E′}(P′), is maximal. The value of n′ := ord_{E′}(P′) together with r, the curve parameters and point P′ are stored in non-volatile memory. This presents the further advantage that the computation of Q′ in Step 4 can be performed more efficiently as Q′ = [d mod n′]P′.

Baek–Vasyltsov’s countermeasure

Another variant of Shamir’s countermeasure was subsequently developed in [3]. Compared to the BOS countermeasure, in a practical setting, it does not require pre-computed values and does not assume that the parameter r is prime.

Numerical experiments conducted in [35] however show that a non-negligible proportion of faults is undetected and that larger bit-lengths for r should be used. For example, for a 20-bit randomizer r, the average proportion of undetected faults ranges from 23.2% to 37.3%. Moreover, by construction, Baek–Vasyltsov’s countermeasure is restricted to a special Weierstraß model and makes use of less efficient addition formulas.

3 The Ring Extension Method Revisited

In a way similar to Vigilant’s countermeasure for RSA, the adaptation of Shamir’s method to elliptic curves can be improved by finding a shortcut in the evaluation of Q′ = [d]P′ on E′ by an appropriate choice for E′ in the BOS countermeasure. Further, for more versatility and better efficiency, it should work for any randomizer r (i.e., not only prime values) and without the need of pre-computing and pre-storing curve orders.

The core idea is to replace in the BOS countermeasure the combined curve Ê with

$E(\mathbb{F}_p) \times \mathbb{G}' \cong E(\mathbb{F}_p) \times (\mathbb{Z}/r\mathbb{Z})^+,$

that is, a group isomorphic to the direct product of the groups E(𝔽_p) and (ℤ/rℤ)^+ and where the group 𝔾′ is represented with elements having a group law that coincides (i.e., is compatible) with the group law used in the representation of E(𝔽_p).

We present two such realizations. In the first realization, 𝔾′ is chosen as the subgroup of points on an elliptic curve over ℤ/r²ℤ that reduce to the neutral point modulo r [37]. The second realization modifies a recent countermeasure due to Neves and Tibouchi [51, §5]. The proposed methods are generic and can readily be adapted to any elliptic curve model and corresponding addition formulas. Also, although we focus on protecting elliptic curve computations over prime fields for the sake of concreteness, they can be generalized to elliptic curve computations over arbitrary fields, including binary fields.

3.1 First Realization

It is useful to introduce some notation. Given a commutative ring 𝓡 with 1, we let E(𝓡) denote the set of rational points on an elliptic curve E defined over 𝓡.

For the ring 𝓡 = ℤ/r²ℤ (namely, the ring of integers modulo r²), we define the order-r subgroup

$\mathbb{G}' := E_1(\mathbb{Z}/r^2\mathbb{Z}) = \{\, P \in E(\mathbb{Z}/r^2\mathbb{Z}) \mid P \bmod r \text{ reduces to } O \,\}$

where O denotes the identity element on E(ℤ/rℤ). The analogue of the combined curve Ê becomes

$E(\mathbb{F}_p) \times E_1(\mathbb{Z}/r^2\mathbb{Z}) \subseteq E(\mathbb{Z}/pr^2\mathbb{Z}).$

As will be made explicit in Section 4, the so-defined group 𝔾′ is isomorphic to (ℤ/rℤ)^+ and the isomorphisms

$\Upsilon_1 : (\mathbb{Z}/r\mathbb{Z})^+ \to E_1(\mathbb{Z}/r^2\mathbb{Z}), \quad 0 \mapsto \Upsilon_1(0) = O, \quad \vartheta \mapsto \Upsilon_1(\vartheta) = P'$

and Υ₁⁻¹ are efficiently computable.

3.2 Second Realization

The authors of [51] suggest to choose 𝔾′ as the group of points on a degenerate curve over 𝔽_r. However, most elliptic curve models (the Weierstraß model is a notable exception) do not have an additive degeneration: they either degenerate to the (r − 1)-order multiplicative group $\mathbb{F}_r^*$ or to the (r + 1)-order multiplicative subgroup T₂(𝔽_r) of elements of norm 1 in $\mathbb{F}_{r^2}^*$ [56]. In this case, the shortcut function translates into an exponentiation modulo r (degeneration to $\mathbb{F}_r^*$) or into the evaluation of Lucas sequences modulo r (degeneration to T₂(𝔽_r)).

Actually, it turns out that we can always identify a group 𝔾′ ≅ (ℤ/rℤ)^+ from the group law in E for a particular choice for the curve parameters; we call E′ the corresponding curve. We so define the r-order group

$\mathbb{G}' := E'(\mathbb{Z}/r\mathbb{Z})[r] = \{\, P \text{ satisfying the curve equation } E' \text{ modulo } r \mid [r]P = O \,\}$

for the particular curve equation E′. Again, this comes with efficiently computable isomorphisms

$\Upsilon_2 : (\mathbb{Z}/r\mathbb{Z})^+ \to E'(\mathbb{Z}/r\mathbb{Z})[r], \quad 0 \mapsto \Upsilon_2(0) = O, \quad \vartheta \mapsto \Upsilon_2(\vartheta) = P'$

and Υ₂⁻¹.

This will be illustrated in Section 4 with several elliptic curve models commonly used in cryptographic applications. Further models are covered in Appendix A.

3.3 Implementation

The computation of Q = [d]P on an elliptic curve E(𝔽p) in the presence of faults can be carried out as depicted in Algorithms 1 and 2. Algorithm 1 corresponds to the first realization and Algorithm 2 corresponds to the second realization.

Algorithm 1

Fault-protected scalar multiplication on elliptic curves (1)

Data: Point P ∈ E(𝔽_p) and private scalar d ∈ ℤ
Result: Point Q = [d]P ∈ E(𝔽_p) or “error”
1. Randomly select a small integer r and define the point P′ ← Υ₁(ϑ) ∈ E(ℤ/r²ℤ) for some ϑ ∈ ℤ/rℤ
2. Form the point P̂ ← CRT(P, P′) ∈ E(ℤ/pr²ℤ)
3. Compute Q̂ ← [d]P̂ ∈ E(ℤ/pr²ℤ)
4. Compute Q′ ← Υ₁(dϑ mod r) ∈ E(ℤ/r²ℤ)
5. If (Q̂ mod r²) ≠ Q′ return “error”
6. Return Q̂ mod p.

Algorithm 2

Fault-protected scalar multiplication on elliptic curves (2)

Data: Point P ∈ E(𝔽_p) and private scalar d ∈ ℤ
Result: Point Q = [d]P ∈ E(𝔽_p) or “error”
1. Randomly select a small integer r and define the point P′ ← Υ₂(ϑ) ∈ E′(ℤ/rℤ) for some ϑ ∈ ℤ/rℤ
2. Form the curve equation Ê ← CRT(E, E′) for some curve equation E′ and the point P̂ ← CRT(P, P′) ∈ Ê(ℤ/prℤ)
3. Compute Q̂ ← [d]P̂ ∈ Ê(ℤ/prℤ)
4. Compute Q′ ← Υ₂(dϑ mod r) ∈ E′(ℤ/rℤ)
5. If (Q̂ mod r) ≠ Q′ return “error”
6. Return Q̂ mod p.

Implementation notes

It is worth noting that in the “redundancy” step (i.e., Step 4 in Algorithms 1 and 2) the resulting point Q′ = [d mod r]Υ1(ϑ) (resp. Q′ = [d mod r]Υ2(ϑ)) is viewed as an element of 𝔾′ = E1(ℤ/r2ℤ) (resp. of 𝔾′ = E’(ℤ/rℤ)[r]). This is much faster than computing a scalar multiplication in E(ℤ/r2ℤ) (resp. in E′(ℤ/rℤ)). This also allows the reduction of d modulo r, the group order of 𝔾′.

Furthermore, single points of failure like conditional branchings should be avoided in fault-resistant implementations. The verification step (i.e., Step 5 in Algorithms 1 and 2) involves an if-branching. By inducing a fault during the comparison

$(\hat{Q} \bmod r^2) \overset{?}{=} Q' \quad (\text{resp. } (\hat{Q} \bmod r) \overset{?}{=} Q'),$

an attacker may hope to force the comparison bit to 0 (i.e., false) and therefore get the value of Q̂ mod p. The if-branching can however be avoided by making use of the so-called “infective computation” technique [63].

For better fault coverage, it is recommended to choose ϑ in Step 1 of Algorithms 1 and 2 so that P′ is of maximal order (i.e., of order r). Obtaining a generator for the additive group (ℤ/rℤ)+ is fairly easy since any non-zero integer co-prime to r generates (ℤ/rℤ)+. Two possible strategies are:

  1. Take 1 as a generator or fix a priori a prime ϑ larger than the maximum value for r. Then (ℤ/rℤ)+ = 〈1〉 or (ℤ/rℤ)+ = 〈ϑ〉.

  2. Select r as a prime number. Then any non-zero integer 0 < ϑ < r is a generator of (ℤ/rℤ)+.

The first strategy is preferred as it does not impose conditions on r.

4 Illustration

The proposed methods apply to many elliptic curve models. This is illustrated below with the (twisted) Edwards model and the Weierstraß model. Applications to further models can be found in Appendix A.

4.1 Edwards Model

In [23], Edwards proposed a normal form for elliptic curves. It was later extended in [5] and subsequently in [6] (see also [30]). The latter form, referred to as the twisted Edwards form, is given by the equation

$E_{\mathcal{E}_{a,d}} : a x^2 + y^2 = 1 + d x^2 y^2. \qquad (1)$

The neutral element is O = (0, 1). The addition law is unified. Given two points (x₁, y₁) and (x₂, y₂), their sum (x₃, y₃) = (x₁, y₁) ⊞ (x₂, y₂) is given by

$(x_3, y_3) = \left( \frac{x_1 y_2 + x_2 y_1}{1 + d x_1 x_2 y_1 y_2},\ \frac{y_1 y_2 - a x_1 x_2}{1 - d x_1 x_2 y_1 y_2} \right). \qquad (2)$

4.1.1 First Realization

We define:

$E_{\mathcal{E}_{a,d},1}(\mathbb{Z}/r^2\mathbb{Z}) = \{\, \Upsilon_1(\vartheta) = (\vartheta r, 1) \mid \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\} \cong (\mathbb{Z}/r\mathbb{Z})^+. \qquad (3)$

In words, the group 𝔾′ = E_{𝓔_{a,d},1}(ℤ/r²ℤ) is the set of points (x, 1) = (ϑr, 1) on an Edwards curve (1) over the ring ℤ/r²ℤ, equipped with the addition law (2). It is easily verified that:

  1. Υ₁(ϑ) ≡ (ϑr, 1) ≡ (0, 1) ≡ Υ₁(0) ≡ O (mod r), and

  2. $\Upsilon_1(\vartheta_1) \boxplus \Upsilon_1(\vartheta_2) = (\vartheta_1 r, 1) \boxplus (\vartheta_2 r, 1) = \left( \frac{\vartheta_1 r \cdot 1 + \vartheta_2 r \cdot 1}{1},\ \frac{1 \cdot 1}{1} \right) = ((\vartheta_1 + \vartheta_2) r, 1) = \Upsilon_1(\vartheta_1 + \vartheta_2)$

as desired, since d x₁x₂y₁y₂ = dϑ₁ϑ₂r² ≡ 0 and a x₁x₂ = aϑ₁ϑ₂r² ≡ 0 (mod r²), so the denominators in (2) are both 1 modulo r². We also have E_{𝓔_{a,d},1}(ℤ/r²ℤ) = 〈(r, 1)〉.

4.1.2 Second Realization

We have:

$(\mathbb{Z}/r\mathbb{Z})^+ \cong E_{\mathcal{E}_{0,0}}(\mathbb{Z}/r\mathbb{Z})[r] = \{\, \Upsilon_2(\vartheta) = (\vartheta, 1) \mid \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\} \subset \{\, (x, y) \in E_{\mathcal{E}_{0,0}}(\mathbb{Z}/r\mathbb{Z}) \,\}. \qquad (4)$

In more detail, the group 𝔾′ = E_{𝓔_{0,0}}(ℤ/rℤ)[r] is the set of points (x, 1) on an Edwards curve E′ given by Eq. (1) with parameters a = d = 0 (i.e., y² = 1), over the ring ℤ/rℤ, equipped with the addition law (2). When a = d = 0, it immediately follows that:

  1. Υ₂(0) = (0, 1) = O, and

  2. $\Upsilon_2(\vartheta_1) \boxplus \Upsilon_2(\vartheta_2) = (\vartheta_1, 1) \boxplus (\vartheta_2, 1) = \left( \frac{\vartheta_1 \cdot 1 + \vartheta_2 \cdot 1}{1},\ \frac{1 \cdot 1}{1} \right) = (\vartheta_1 + \vartheta_2, 1) = \Upsilon_2(\vartheta_1 + \vartheta_2)$

and E_{𝓔_{0,0}}(ℤ/rℤ)[r] = 〈(1, 1)〉.
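Algorithms 1 and 2 (Section 3.3) on the twisted Edwards model with the two realizations (3) and (4) just described, as an added Python example that is not part of the paper. Ed25519’s parameters and base point are an assumption made for concreteness (the method is curve-agnostic); the curve is complete, so the denominators of (2) are units modulo p, and they are ≡ 1 modulo r² (resp. modulo r) on the redundancy component, so the combined computation modulo pr² (resp. pr) never needs an inverse that does not exist. The `fault` hook corrupts the combined result to show detection.

```python
# Added example, not from the paper: Algorithms 1 and 2 on the twisted Edwards
# model (Section 4.1) with the affine unified law (2) over the combined ring.
# Curve and base point: Ed25519 (an assumption; any complete Edwards curve works).
import secrets

P = 2**255 - 19
A = P - 1                                              # a = -1 (mod p)
D = (-121665 * pow(121666, -1, P)) % P                 # d = -121665/121666 (mod p)
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * pow(5, -1, P) % P)                            # base point (x, 4/5)
ORDER = 2**252 + 27742317777372353535851937790883648493   # order of B


def crt(a, m, b, n):
    """x = a (mod m), x = b (mod n) for coprime m, n."""
    return (a + m * (((b - a) * pow(m, -1, n)) % n)) % (m * n)


def ed_add(p1, p2, a, d, mod):
    """Addition law (2); valid over any ring where 1 +/- d*x1*x2*y1*y2 is a unit."""
    x1, y1 = p1
    x2, y2 = p2
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, mod)     # ValueError if not a unit
    y3 = (y1 * y2 - a * x1 * x2) * pow(1 - t, -1, mod)
    return (x3 % mod, y3 % mod)


def ed_mul(k, pt, a, d, mod):
    """Left-to-right double-and-add using only the unified law (doubling = self-addition)."""
    acc = (0, 1)
    for bit in bin(k)[2:]:
        acc = ed_add(acc, acc, a, d, mod)
        if bit == "1":
            acc = ed_add(acc, pt, a, d, mod)
    return acc


def on_curve(pt, a, d, mod):
    x, y = pt
    return (a * x * x + y * y - 1 - d * x * x * y * y) % mod == 0


def upsilon1(theta, r):
    """Eq. (3): (theta*r, 1) in E_1(Z/r^2 Z); lies on curve (1) modulo r^2 for any a, d."""
    return (theta * r % (r * r), 1)


def upsilon2(theta, r):
    """Eq. (4): (theta, 1) on E' = E_{0,0} (a = d = 0) over Z/rZ."""
    return (theta % r, 1)


def algorithm1(d, pt, r, theta=1, fault=None):
    """First realization: [d]P computed in E(Z/(p r^2)Z); redundancy lives in E_1(Z/r^2 Z)."""
    r2 = r * r
    p_prime = upsilon1(theta, r)
    p_hat = (crt(pt[0], P, p_prime[0], r2), crt(pt[1], P, p_prime[1], r2))
    try:
        q_hat = ed_mul(d, p_hat, A, D, P * r2)         # integer lifts of a, d are fine mod r^2
    except ValueError:                                  # a fault may spoil a denominator
        return None
    if fault is not None:
        q_hat = fault(q_hat)                            # simulated fault on the combined result
    if (q_hat[0] % r2, q_hat[1] % r2) != upsilon1(d * theta % r, r):
        return None                                     # "error"
    return (q_hat[0] % P, q_hat[1] % P)


def algorithm2(d, pt, r, theta=1, fault=None):
    """Second realization: combined curve CRT(E, E') over Z/(p r)Z with E' = E_{0,0}."""
    a_hat, d_hat = crt(A, P, 0, r), crt(D, P, 0, r)
    p_prime = upsilon2(theta, r)
    p_hat = (crt(pt[0], P, p_prime[0], r), crt(pt[1], P, p_prime[1], r))
    try:
        q_hat = ed_mul(d, p_hat, a_hat, d_hat, P * r)
    except ValueError:
        return None
    if fault is not None:
        q_hat = fault(q_hat)
    if (q_hat[0] % r, q_hat[1] % r) != upsilon2(d * theta % r, r):
        return None
    return (q_hat[0] % P, q_hat[1] % P)


if __name__ == "__main__":
    d = secrets.randbelow(ORDER)
    r = secrets.randbits(32) | (1 << 31) | 1           # fresh odd randomizer; theta = 1 generates (Z/rZ)^+
    ref = ed_mul(d, B, A, D, P)
    print("protected == plain:", algorithm1(d, B, r) == ref, algorithm2(d, B, r) == ref)
    flip = lambda q: (q[0] ^ 1, q[1])                   # single-bit fault on the x-coordinate
    print("fault detected:   ", algorithm1(d, B, r, fault=flip) is None, algorithm2(d, B, r, fault=flip) is None)
```

The comparison in Step 5 is written as a plain `if` for readability; the implementation notes above recommend replacing it by an infective computation so that a fault on the comparison itself cannot release Q̂ mod p. The reduction of d to d·ϑ mod r in Step 4 is what makes the redundant branch cost a single small multiplication.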

4.2 Weierstraß Model

The Weierstraß model (e.g., [59, Chapter III]) is the most common way to represent an elliptic curve. It is given by the equation E_{𝒲_{a,b}} : y² = x³ + ax + b or, using projective coordinates,

$E_{\mathcal{W}_{a,b}} : Y^2 Z = X^3 + a X Z^2 + b Z^3. \qquad (5)$

The neutral element is the point at infinity O = (0 : 1 : 0). A unified addition formula [46, Section 3] (see also [15, 36, 47, 54]) for adding two projective points (X₁ : Y₁ : Z₁) and (X₂ : Y₂ : Z₂) is given by (X₃ : Y₃ : Z₃) = (X₁ : Y₁ : Z₁) ⊞ (X₂ : Y₂ : Z₂) where

$\begin{aligned} X_3 &= (Y_1 Z_2 + Y_2 Z_1)\, A + (X_1 Y_2 + X_2 Y_1)\, B \\ Y_3 &= (X_1 Z_2 + X_2 Z_1)\, M + (Y_1 Y_2 + 3b Z_1 Z_2)(Y_1 Y_2 - 3b Z_1 Z_2) - a N \\ Z_3 &= (X_1 Y_2 + X_2 Y_1)(a Z_1 Z_2 + 3 X_1 X_2) + (Y_1 Z_2 + Y_2 Z_1)\, V \end{aligned} \qquad (6)$

with A = a(aZ₁Z₂ − X₁X₂) − 3b(X₁Z₂ + X₂Z₁), B = Y₁Y₂ − a(X₁Z₂ + X₂Z₁) − 3bZ₁Z₂, M = 3b(3X₁X₂ − aZ₁Z₂) − a²(X₁Z₂ + X₂Z₁), N = (aZ₁Z₂ + 3X₁X₂)(aZ₁Z₂ − X₁X₂), and V = Y₁Y₂ + 3bZ₁Z₂ + a(X₁Z₂ + X₂Z₁). As detailed in [54, Algorithm 1], this can be evaluated with only 12 general multiplications plus 5 multiplications by constants (namely, a and 3b).

4.2.1 First Realization

We define:

$E_{\mathcal{W}_{a,b},1}(\mathbb{Z}/r^2\mathbb{Z}) = \{\, \Upsilon_1(\vartheta) = (\vartheta r : 1 : 0) \mid \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\} \cong (\mathbb{Z}/r\mathbb{Z})^+. \qquad (7)$

Here again, it can be verified that Υ₁(ϑ) ≡ (ϑr : 1 : 0) ≡ (0 : 1 : 0) ≡ Υ₁(0) ≡ O (mod r) and that the addition formula (6) yields Υ₁(ϑ₁) ⊞ Υ₁(ϑ₂) = (ϑ₁r : 1 : 0) ⊞ (ϑ₂r : 1 : 0) = ((ϑ₁ + ϑ₂)⋅r : 1 : 0) = Υ₁(ϑ₁ + ϑ₂) by observing that we then have A = 0, B = 1, M = N = 0, V = 1 and thus (X₃ : Y₃ : Z₃) = ((ϑ₁r ⋅ 1 + ϑ₂r ⋅ 1) ⋅ 1 : 1 ⋅ 1 : (ϑ₁r ⋅ 1 + ϑ₂r ⋅ 1) ⋅ 0 + 0 ⋅ 1) = ((ϑ₁ + ϑ₂)⋅r : 1 : 0). We also have E_{𝒲_{a,b},1}(ℤ/r²ℤ) = 〈(r : 1 : 0)〉.

4.2.2 Second Realization

We have:

$(\mathbb{Z}/r\mathbb{Z})^+ \cong E_{\mathcal{W}_{0,0}}(\mathbb{Z}/r\mathbb{Z})[r] = \{\, \Upsilon_2(\vartheta) = (\vartheta : 1 : \vartheta^3) \mid \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\} \subset \{\, (X : Y : Z) \in E_{\mathcal{W}_{0,0}}(\mathbb{Z}/r\mathbb{Z}) \,\}. \qquad (8)$

Similarly to the first realization, it can be verified that Υ₂(0) = (0 : 1 : 0) = O and, when a = b = 0, that the addition formula (6) yields Υ₂(ϑ₁) ⊞ Υ₂(ϑ₂) = (ϑ₁ : 1 : ϑ₁³) ⊞ (ϑ₂ : 1 : ϑ₂³) = (ϑ₁ + ϑ₂ : 1 : 3(ϑ₁ + ϑ₂)ϑ₁ϑ₂ + ϑ₁³ + ϑ₂³) = (ϑ₁ + ϑ₂ : 1 : (ϑ₁ + ϑ₂)³) = Υ₂(ϑ₁ + ϑ₂); and E_{𝒲_{0,0}}(ℤ/rℤ)[r] = 〈(1 : 1 : 1)〉.
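The Weierstraß counterpart in projective coordinates, as an added Python example that is not part of the paper: formula (6) is implemented verbatim with the A, B, M, N, V of the text, the identities behind (7) and (8) are checked, and the protected scalar multiplication of Algorithms 1 and 2 is run on NIST P-256 (an assumption; any prime-order short Weierstraß curve works). Because (6) is polynomial, the whole computation over ℤ/pr²ℤ (resp. ℤ/prℤ) is inversion-free; the only inverse is the final normalization modulo p, after the check. One practical point the text leaves implicit: with (6) the redundancy component always comes out in the canonical form (⋅ : 1 : 0) resp. (ϑ : 1 : ϑ³), so Step 5 can compare coordinates directly; with other addition formulas the comparison would have to be done up to projective scaling.

```python
# Added example, not from the paper: unified projective addition (6) on the
# Weierstrass model, realizations (7) and (8), and Algorithms 1/2 on NIST P-256
# (an assumption). Everything over the combined ring is inversion-free.
import secrets

P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
          0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5, 1)
INF = (0, 1, 0)                                   # neutral element (0 : 1 : 0)


def crt(a, m, b, n):
    """x = a (mod m), x = b (mod n) for coprime m, n."""
    return (a + m * (((b - a) * pow(m, -1, n)) % n)) % (m * n)


def w_add(p1, p2, a, b, mod):
    """Formula (6) with A, B, M, N, V as in the text; polynomial, hence valid over Z/mZ."""
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    s, t, u = X1*Z2 + X2*Z1, Y1*Z2 + Y2*Z1, X1*Y2 + X2*Y1
    zz, xx, yy = Z1*Z2, X1*X2, Y1*Y2
    A_ = a*(a*zz - xx) - 3*b*s
    B_ = yy - a*s - 3*b*zz
    M_ = 3*b*(3*xx - a*zz) - a*a*s
    N_ = (a*zz + 3*xx) * (a*zz - xx)
    V_ = yy + 3*b*zz + a*s
    X3 = t*A_ + u*B_
    Y3 = s*M_ + (yy + 3*b*zz)*(yy - 3*b*zz) - a*N_
    Z3 = u*(a*zz + 3*xx) + t*V_
    return (X3 % mod, Y3 % mod, Z3 % mod)


def w_mul(k, pt, a, b, mod):
    """Double-and-add with the unified formula for both doubling and addition."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = w_add(acc, acc, a, b, mod)
        if bit == "1":
            acc = w_add(acc, pt, a, b, mod)
    return acc


def to_affine(pt, mod):
    X, Y, Z = pt
    if Z % mod == 0:
        return None                               # point at infinity
    zi = pow(Z, -1, mod)
    return (X * zi % mod, Y * zi % mod)


def on_curve(pt, a, b, mod):
    X, Y, Z = pt
    return (Y*Y*Z - X**3 - a*X*Z*Z - b*Z**3) % mod == 0


def upsilon1(theta, r):
    """Eq. (7): (theta*r : 1 : 0) in E_1(Z/r^2 Z)."""
    return (theta * r % (r*r), 1, 0)


def upsilon2(theta, r):
    """Eq. (8): (theta : 1 : theta^3) on E' = E_{0,0}: Y^2 Z = X^3 over Z/rZ."""
    return (theta % r, 1, pow(theta, 3, r))


def protected_mul(d, pt, r, theta=1, realization=1, fault=None):
    """Algorithm 1 (realization=1) or Algorithm 2 (realization=2) on P-256.
    Returns the affine result, or None when the check of Step 5 fails."""
    if realization == 1:
        n, a_hat, b_hat = r*r, P256_A, P256_B         # E over Z/(p r^2)Z: any lift of a, b works
        p_prime, q_prime = upsilon1(theta, r), upsilon1(d*theta % r, r)
    else:
        n = r                                         # CRT(E, E') over Z/(p r)Z, E' has a = b = 0
        a_hat, b_hat = crt(P256_A, P256_P, 0, r), crt(P256_B, P256_P, 0, r)
        p_prime, q_prime = upsilon2(theta, r), upsilon2(d*theta % r, r)
    p_hat = tuple(crt(c, P256_P, c2, n) for c, c2 in zip(pt, p_prime))
    q_hat = w_mul(d, p_hat, a_hat, b_hat, P256_P * n)
    if fault is not None:
        q_hat = fault(q_hat)                          # simulated fault on the combined result
    # With (6) the redundancy component keeps Y = 1, so a plain coordinate compare is sound.
    if tuple(c % n for c in q_hat) != q_prime:
        return None                                   # "error"
    return to_affine(tuple(c % P256_P for c in q_hat), P256_P)


if __name__ == "__main__":
    d = secrets.randbelow(P256_N)
    r = secrets.randbits(32) | (1 << 31) | 1         # fresh odd 32-bit randomizer
    ref = to_affine(w_mul(d, P256_G, P256_A, P256_B, P256_P), P256_P)
    print("Alg.1 ok:", protected_mul(d, P256_G, r, 1, 1) == ref, " Alg.2 ok:", protected_mul(d, P256_G, r, 1, 2) == ref)
```

The cost profile matches Section 4.3: the redundant branch is the small multiplication d·ϑ mod r (plus, for (8), one cube modulo r), and no order of a small curve has to be stored.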

4.3 Comparison

The proposed methods share the advantages (but not the weaknesses!) of the Baek–Vasyltsov’s countermeasure: they do not require pre-computed values in some non-volatile memory and do not suppose randomizer r to be prime. Furthermore, they are more general as they are not restricted to a special type of Weierstraß parametrization.

Another advantage of the proposed methods is that they carry the completeness of the addition law, whatever the choice of the parameters. For example, for twisted Edwards curves, completeness is guaranteed provided that curve parameter a is a square and curve parameter d is a non-square. Further, the twisted Edwards form (1) is not defined in characteristic 2. There are no such restrictions on 𝔾′ = E_{𝓔_{a,d},1}(ℤ/r²ℤ) (cf. (3)) or on 𝔾′ = E_{𝓔_{0,0}}(ℤ/rℤ)[r] (cf. (4)). Indeed, for any points P₁ = (ϑ₁r, 1) and P₂ = (ϑ₂r, 1) in E_{𝓔_{a,d},1}(ℤ/r²ℤ) (resp. P₁ = (ϑ₁, 1) and P₂ = (ϑ₂, 1) ∈ E_{𝓔_{0,0}}(ℤ/rℤ)[r]), the addition formula given by Eq. (2) remains always valid since the denominators are always equal to 1 and thus are invertible modulo r² (resp. modulo r), including for even values of r. The same conclusion holds true for the completeness of the Weierstraß model as described in § 4.2 and the other models given in the appendix.

Furthermore, unlike the BOS countermeasure, the order of the small group is known in advance: by construction, 𝔾′ ≅ (ℤ/rℤ)^+ and hence #𝔾′ = r. Scalar d in the computation of Q′ in E₁(ℤ/r²ℤ) (resp. E′(ℤ/rℤ)) can therefore be reduced modulo r. Because the BOS countermeasure makes use of general groups of points on an elliptic curve, the group order is not so easily obtained; this is addressed by fixing randomizer r once and for all and by pre-computing (and storing) the group order for the curve modulo r. In our case, randomizer r can be freely selected on the fly, with a fresh value for each execution. In addition to better efficiency and easier implementation, this offers better security guarantees and fault coverage.

Finally, the verification step essentially boils down to a mere modular multiplication modulo r rather than a full scalar multiplication on an elliptic curve.

5 Conclusion

This paper revisited the ring extension method over elliptic curves as presented in [3, 13]. The proposed approaches apply to a variety of elliptic models and provide more practical countermeasures against fault attacks.

References

[1] Adrian Antipa, Daniel R. L. Brown, Alfred Menezes, René Struik, and Scott A. Vanstone. Validation of elliptic curve public keys. In Y. Desmedt, editor, Public Key Cryptography − PKC 2003, volume 2567 of Lecture Notes in Computer Science, pages 211–223. Springer, 2003. 10.1007/3-540-36288-6_16.

[2] Christian Aumüller, Peter Bier, Wieland Fischer, Peter Hofreiter, and Jean-Pierre Seifert. Fault attacks on RSA with CRT: Concrete results and practical countermeasures. In B. S. Kaliski Jr., Ç. K. Koç, and C. Paar, editors, Cryptographic Hardware and Embedded Systems – CH​ES 2002, volume 2523 of Lecture Notes in Computer Science, pages 260–275. Springer, 2002. 10.1007/3-540-36400-5_20.

[3] Yoo-Jin Baek and Ihor Vasyltsov. How to prevent DPA and fault attacks in a unified way for ECC scalar multiplication: Ring extension method. In E. Dawson and D. S. Wong, editors, Information Security Practice and Experience – ISPEC 2007, volume 4464 of Lecture Notes in Computer Science, pages 225–237. Springer, 2007. 10.1007/978-3-540-72163-5_18.

[4] Hagai Bar-El, Hamid Choukri, David Naccache, Michael Tunstall, and Claire Whelan. The sorcerer’s apprentice guide to fault attacks. Proceedings of the IEEE, 94 (2): 370–382, 2006. 10.1109/JPROC.2005.862424.

[5] Daniel J. Bernstein and Tanja Lange. Faster addition and doubling on elliptic curves. In K. Kurosawa, editor, Advances in Cryptology – ASIACRYPT 2007, volume 4833 of Lecture Notes in Computer Science, pages 29–50. Springer, 2007. 10.1007/978-3-540-76900-2_3.

[6] Daniel J. Bernstein, Peter Birkner, Marc Joye, Tanja Lange, and Christiane Peters. Twisted Edwards curves. In S. Vaudenay, editor, Progress in Cryptology – AFRICACRYPT 2008, volume 5023 of Lecture Notes in Computer Science, pages 389–405. Springer, 2008. 10.1007/978-3-540-68164-9_26.

[7] Daniel J. Bernstein, Chitchanok Chuengsatiansup, David Kohel, and Tanja Lange. Twisted Hessian curves. In K. E. Lauter and F. Rodríguez-Henríquez, editors, Progress in Cryptology – LATINCRYPT 2015, volume 9230 of Lecture Notes in Computer Science, pages 269–294. Springer, 2015. 10.1007/978-3-319-22174-8_15.

[8] Ingrid Biehl, Bernd Meyer, and Volker Müller. Differential fault attacks on elliptic curve cryptosystems. In M. Bellare, editor, Advances in Cryptology – CRYPTO 2000, volume 1880 of Lecture Notes in Computer Science, pages 131–146. Springer, 2000. 10.1007/3-540-44598-6_8.

[9] Olivier Billet and Marc Joye. The Jacobi model of an elliptic curve and side-channel analysis. In M. Fossorier, T. Høholdt, and A. Poli, editors, Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, volume 2643 of Lecture Notes in Computer Science, pages 34–42. Springer, 2003. 10.1007/3-540-44828-4_5.

[10] Ian Blake, Gadiel Seroussi, and Nigel Smart. Elliptic Curves in Cryptography, volume 265 of London Mathematical Society Lecture Note Series. Cambridge University Press, 1999. 10.1017/CBO9781107360211.

[11] Ian F. Blake, Gadiel Seroussi, and Nigel P. Smart, editors. Advances in Elliptic Curve Cryptography, volume 317 of London Mathematical Society Lecture Note Series. Cambridge University Press, 2005. 10.1017/CBO9780511546570.

[12] Johannes Blömer, Martin Otto, and Jean-Pierre Seifert. A new CRT-RSA algorithm secure against Bellcore attack. In 10th ACM Conference on Computer and Communications Security (CCS 2003), pages 311–320. ACM Press, 2003. 10.1145/948109.948151.

[13] Johannes Blömer, Martin Otto, and Jean-Pierre Seifert. Sign change fault attacks on elliptic curve cryptosystems. In L. Breveglieri et al., editors, Fault Diagnosis and Tolerance in Cryptography – FDTC 2006, volume 4236 of Lecture Notes in Computer Science, pages 36–52. Springer, 2006. 10.1007/11889700_4.

[14] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. On the importance of eliminating errors in cryptographic computations. J. Cryptology, 14 (2): 101–119, 2001. 10.1007/s001450010016. Extended abstract in Proc. of EUROCRYPT’97.

[15] Wieb Bosma and Hendrik W. Lenstra Jr. Complete systems of two addition laws for elliptic curves. J. Number Theor., 53 (2): 229–240, 1995. 10.1006/jnth.1995.1088.

[16] David V. Chudnovsky and Gregory V. Chudnovsky. Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math., 7: 385–434, 1986. 10.1016/0196-8858(86)90023-0.

[17] Mathieu Ciet and Marc Joye. Elliptic curve cryptosystems in the presence of permanent and transient faults. Designs, Codes and Cryptography, 36 (1): 33–43, 2005. 10.1007/s10623-003-1160-8.

[18] Mathieu Ciet and Marc Joye. Practical fault countermeasures for Chinese remaindering based RSA. In 2nd Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2005), pages 124–132, Edinburgh, UK, 2005. URL http://conferenze.dei.polimi.it/FDTC05/Joye%20-%20publisheable.pdf.

[19] Abdoul Aziz Ciss and Djiby Sow. On a new generalization of Huff curves. Cryptology ePrint Archive, Report 2011/580, 2011. URL http://eprint.iacr.org/2011/580.

[20] Henri Cohen and Gerhard Frey, editors. Handbook of Elliptic and Hyperelliptic Curve Cryptography, volume 34 of Discrete Mathematics and Its Applications. Chapman & Hall/CRC, 2005.

[21] Jean-Sébastien Coron, Christophe Giraud, Nicolas Morin, Gilles Piret, and David Vigilant. Fault attacks and countermeasures on Vigilant’s RSA-CRT algorithm. In L. Breveglieri et al., editors, 7th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2010), pages 89–96. IEEE Computer Society, 2010. 10.1109/FDTC.2010.9.

[22] Sylvain Duquesne. Improving the arithmetic of elliptic curves in the Jacobi model. Information Processing Letters, 104 (3): 101–105, 2007. 10.1016/j.ipl.2007.05.012.

[23] Harold M. Edwards. A normal form for elliptic curves. Bull. Am. Math. Soc., 44 (3): 393–422, 2007. 10.1090/S0273-0979-07-01153-6.

[24] Junfeng Fan and Ingrid Verbauwhede. An updated survey on secure ECC implementations: Attacks, countermeasures and cost. In D. Naccache, editor, Cryptography and Security: From Theory to Applications (Quisquater Festschrift), volume 6805 of Lecture Notes in Computer Science, pages 265–282. Springer, 2012. 10.1007/978-3-642-28368-0_18.

[25] Reza Rezaeian Farashahi and Marc Joye. Efficient arithmetic on Hessian curves. In P. Q. Nguyen and D. Pointcheval, editors, Public Key Cryptography – PKC 2010, volume 6056 of Lecture Notes in Computer Science, pages 243–260. Springer, 2010. 10.1007/978-3-642-13013-7_15.

[26] Steven D. Galbraith. Elliptic curve Paillier schemes. J. Cryptology, 15 (2): 129–138, 2002. 10.1007/s00145-001-0015-6.

[27] Christophe Giraud and Hugues Thiebeauld. A survey on fault attacks. In J.-J. Quisquater et al., editors, Smart Card Research and Advanced Applications VI (CARDIS 2004), pages 159–176. Kluwer, 2004. 10.1007/1-4020-8147-2_11.

[28] Otto Hesse. Über die Elimination der Variabeln aus drei algebraischen Gleichungen vom zweiten Grade mit zwei Variabeln. J. Reine Angew. Math., 10: 68–96, 1844. 10.1515/crll.1844.28.68.

[29] Hüseyin Hışıl, Gary Carter, and Ed Dawson. New formulae for efficient elliptic curve arithmetic. In K. Srinathan, C. P. Rangan, and M. Yung, editors, Progress in Cryptology – INDOCRYPT 2007, volume 4859 of Lecture Notes in Computer Science, pages 138–151. Springer, 2007. 10.1007/978-3-540-77026-8_11.

[30] Hüseyin Hışıl, Kenneth K.-H. Wong, Gary Carter, and Ed Dawson. Twisted Edwards curves revisited. In J. Pieprzyk, editor, Advances in Cryptology – ASIACRYPT 2008, volume 5350 of Lecture Notes in Computer Science, pages 326–343. Springer, 2008. 10.1007/978-3-540-89255-7_20.

[31] Hüseyin Hışıl, Kenneth K.-H. Wong, Gary Carter, and Ed Dawson. Jacobi quartic curves revisited. In C. Boyd and J. M. G. Nieto, editors, Information Security and Privacy (ACISP 2009), volume 5594 of Lecture Notes in Computer Science, pages 452–468. Springer, 2009. 10.1007/978-3-642-02620-1_31.

[32] Hüseyin Hışıl, Kenneth Koon-Ho Wong, Gary Carter, and Ed Dawson. An exploration of affine group laws for elliptic curves. J. Math. Cryptol., 5 (1): 1–50, 2011. 10.1515/jmc.2011.005.

[33] Gerald B. Huff. Diophantine problems in geometry and elliptic ternary forms. Duke Math. J., 15: 443–453, 1948. 10.1215/S0012-7094-48-01543-9.

[34] Dale Husemöller. Elliptic Curves, volume 111 of Graduate Texts in Mathematics. Springer, 1987. 10.1007/978-1-4757-5119-2.

[35] Marc Joye. On the security of a unified countermeasure. In L. Breveglieri et al., editors, 5th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2008), pages 87–91. IEEE Computer Society, 2008. 10.1109/FDTC.2008.8.

[36] Marc Joye. Complete addition formulæ for elliptic curves. Technical report, Technicolor, Rennes, October 2008. URL https://marcjoye.github.io/techreps/complete.pdf.

[37] Marc Joye. Edwards curves and fault attacks. Presented at the rump session of CRYPTO 2012, Santa Barbara, USA, August 21, 2012. URL http://crypto.2012.rump.cr.yp.to/.

[38] Marc Joye and Jean-Jacques Quisquater. Hessian elliptic curves and side-channel attacks. In Ç. K. Koç, D. Naccache, and C. Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 402–410. Springer, 2001. 10.1007/3-540-44709-1_33.

[39] Marc Joye and Michael Tunstall, editors. Fault Analysis in Cryptography. Information Security and Cryptography. Springer, 2012. 10.1007/978-3-642-29656-7.

[40] Marc Joye, Pascal Paillier, and Sung-Ming Yen. Secure evaluation of modular functions. In R. J. Hwang and C. K. Wu, editors, 2001 International Workshop on Cryptology and Network Security, pages 227–229, Taipei, Taiwan, September 2001. URL https://marcjoye.github.io/papers/JPY01.pdf.

[41] Marc Joye, Mehdi Tibouchi, and Damien Vergnaud. Huff’s model for elliptic curves. In G. Hanrot, F. Morain, and E. Thomé, editors, Algorithmic Number Theory (ANTS-IX), volume 6197 of Lecture Notes in Computer Science, pages 234–250. Springer-Verlag, July 2010. 10.1007/978-3-642-14518-6_20.

[42] Koray Karabina and Berkant Ustaoglu. Invalid-curve attacks on (hyper)elliptic curve cryptosystems. Adv. Math. Commun., 4 (3): 307–321, 2010. 10.3934/amc.2010.4.307.

[43] Chong Hee Kim and Jean-Jacques Quisquater. How can we overcome both side channel analysis and fault attacks on RSA-CRT? In L. Breveglieri et al., editors, 4th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2007), pages 21–29. IEEE Computer Society, 2007. 10.1109/FDTC.2007.11.

[44] Taechan Kim and Mehdi Tibouchi. Bit-flip faults on elliptic curve base fields, revisited. In I. Boureanu, P. Owesarski, and S. Vaudenay, editors, Applied Cryptography and Network Security (ACNS 2014), volume 8479 of Lecture Notes in Computer Science, pages 163–180. Springer, 2014. 10.1007/978-3-319-07536-5_11.

[45] Neal Koblitz. Elliptic curve cryptosystems. Math. Comp., 48 (177): 203–209, 1987. 10.2307/2007884.

[46] Herbert Lange and Wolfgang Ruppert. Complete systems of addition laws on abelian varieties. Invent. Math., 79 (3): 603–610, 1985. 10.1007/BF01388526.

[47] Herbert Lange and Wolfgang Ruppert. Addition laws on elliptic curves in arbitrary characteristics. Journal of Algebra, 107 (1): 106–116, 1987. 10.1016/0021-8693(87)90077-9.

[48] Pierre-Yvan Liardet and Nigel P. Smart. Preventing SPA/DPA in ECC systems using the Jacobi form. In Ç. K. Koç, D. Naccache, and C. Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 391–401. Springer, 2001. 10.1007/3-540-44709-1_32.

[49] Alfred Menezes. Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 1993. 10.1007/978-1-4615-3198-2.10.1007/978-1-4615-3198-2Search in Google Scholar

[50] Victor Miller. Use of elliptic curves in cryptography. In H. C. Williams, editor, Advances in Cryptology – CRYPTO’85, volume 218 of Lecture Notes in Computer Science, pages 417–426. Springer, 1986. 10.1007/3-540-39799-X_31.10.1007/3-540-39799-X_31Search in Google Scholar

[51] Samuel Neves and Mehdi Tibouchi. Degenerate curve attacks: Extending invalid curve attacks to Edwards curves and other models. IET Information Security, 12 (3): 217–225, 2018. 10.1049/iet-ifs.2017.0075.10.1049/iet-ifs.2017.0075Search in Google Scholar

[52] Neriman Gamze Orhon and Hüseyin Hışıl. Speeding up Huff form of elliptic curves. Designs, Codes and Cryptography, 86 (12): 2807–2803, 2018. 10.1007/s10623-018-0475-4.10.1007/s10623-018-0475-4Search in Google Scholar

[53] Jean-Jacques Quisquater and C. Couvreur. Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters, 18 (21): 905–907, 1982. 10.1049/el:19820617.10.1049/el:19820617Search in Google Scholar

[54] Joost Renes, Craig Costello, and Lejla Batina. Complete addition formulas for prime order elliptic curves. In M. Fischlin and J.-S. Coron, editors, Adv ances in Cryptology – EUROCRYPT 2016, Part I, volume 9665 of Lecture Notes in Computer Science, pages 403–428. Springer, 2016. 10.1007/978-3-662-49890-3_16.10.1007/978-3-662-49890-3_16Search in Google Scholar

[55] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21 (2): 120–126, 1978. 10.1145/359340.359342.10.1145/359340.359342Search in Google Scholar

[56] Karl Rubin and Alice Silverberg. Torus-based cryptography. In D. Boneh, editor, Advances in Cryptology – CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 349–365. Springer, 2000. 10.1007/978-3-540-45146-4_21.10.1007/978-3-540-45146-4_21Search in Google Scholar

[57] Jörn-Marc Schmidt and Marcel Medwed. A fault attack on ECDSA. In L. Breveglieri et al., editors, 6th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2009), pages 93–99. IEEE Computer Society, 2009. 10.1109/FDTC.2009.38.10.1109/FDTC.2009.38Search in Google Scholar

[58] Adi Shamir. How to check modular exponentiation. Presented at the rump session of EUROCRYPT’97, Konstanz, Germany, May 13, 1997. URL https://www.iacr.org/conferences/ec97/rump.html.Search in Google Scholar

[59] Joseph H. Silverman. The Arithmetic of Elliptic Curves, volume 106 of Graduate Texts in Mathematics. Springer, 1986. 10.1007/978-0-387-09494-6.10.1007/978-1-4757-1920-8Search in Google Scholar

[60] Nigel P. Smart. The Hessian form of an elliptic curve. In Ç. K. Koç, D. Naccache, and C. Paar, editors, Cryptographic Hardware and Embedded Systems – CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 118–125. Springer, 2001. 10.1007/3-540-44709-1_11.10.1007/3-540-44709-1_11Search in Google Scholar

[61] David Vigilant. RSA with CRT: A new cost-effective solution to thwart fault attacks. In E. Oswald and P. Rohatgi, editors, Cryptographic Hardware and Embedded Systems – CHES 2008, volume 5154 of Lecture Notes in Computer Science, pages 130–145. Springer, 2008. 10.1007/978-3-540-85053-3_9.10.1007/978-3-540-85053-3_9Search in Google Scholar

[62] Hongfeng Wu and Rongquan Feng. Elliptic curves in Huff’s model. Wuhan University Journal of Natural Sciences, 17 (6): 473–480, 2012. 10.1007/s11859-012-0873-9.10.1007/s11859-012-0873-9Search in Google Scholar

[63] Sung-Ming Yen, Seungjoo Kim, Seongan Lim, and Sangjae Moon. RSA speedup with Chinese remainder theorem immune against hardware fault cryptanalysis. IEEE Trans. Computers, 52 (4): 461–472, 2003. 10.1109/TC.2003.1190587.10.1109/TC.2003.1190587Search in Google Scholar

A Further Models

A.1 Jacobi Quartic Model

The (extended) Jacobi quartic model is presented in [9] (see also [16, 22, 29, 31]). Its curve equation is given by

$$\mathcal{E}_J^{a,d} : y^2 = d x^4 + 2 a x^2 + 1$$

with O = (0, 1) as the neutral element. The unified addition of two points (x1, y1) and (x2, y2), (x3, y3) = (x1, y1) ⊞ (x2, y2), is given by

$$(x_3, y_3) = \left( \frac{x_1 y_2 + x_2 y_1}{1 - d x_1^2 x_2^2},\; \frac{(1 + d x_1^2 x_2^2)(y_1 y_2 + 2 a x_1 x_2) + 2 d x_1 x_2 (x_1^2 + x_2^2)}{(1 - d x_1^2 x_2^2)^2} \right).$$

[The original Jacobi quartics correspond to the case d = k² and −2a = 1 + k² for some parameter k.]

A.1.1 First Realization

We define:

$$\mathcal{E}_J^{a,d,1}(\mathbb{Z}/r^2\mathbb{Z}) = \bigl\{\, \Upsilon_1(\vartheta) = (\vartheta r, 1) \;\bigm|\; \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\bigr\} \cong (\mathbb{Z}/r\mathbb{Z})^+ .$$

Analogously to the Edwards model (cf. § 4.1), it is easily verified that Υ1(ϑ) ≡ (ϑr, 1) ≡ (0, 1) ≡ Υ1(0) ≡ O (mod r) and that

$$\Upsilon_1(\vartheta_1) \boxplus \Upsilon_1(\vartheta_2) = (\vartheta_1 r, 1) \boxplus (\vartheta_2 r, 1) = \left( \frac{\vartheta_1 r \cdot 1 + \vartheta_2 r \cdot 1}{1},\; \frac{1 \cdot 1}{1^2} \right) = \bigl( (\vartheta_1 + \vartheta_2) \cdot r,\; 1 \bigr) = \Upsilon_1(\vartheta_1 + \vartheta_2).$$

A.1.2 Second Realization

We have:

$$(\mathbb{Z}/r\mathbb{Z})^+ \cong \mathcal{E}_J^{0,0}(\mathbb{Z}/r\mathbb{Z})[r] = \bigl\{\, \Upsilon_2(\vartheta) = (\vartheta, 1) \;\bigm|\; \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\bigr\} \subseteq \bigl\{\, (x, y) \in \mathcal{E}_J^{0,0}(\mathbb{Z}/r\mathbb{Z}) \,\bigr\}.$$

As for the Edwards model, we have Υ2(0) = (0, 1) = O and, when a = d = 0,

$$\Upsilon_2(\vartheta_1) \boxplus \Upsilon_2(\vartheta_2) = (\vartheta_1, 1) \boxplus (\vartheta_2, 1) = \left( \frac{\vartheta_1 \cdot 1 + \vartheta_2 \cdot 1}{1},\; \frac{1 \cdot 1}{1^2} \right) = (\vartheta_1 + \vartheta_2, 1) = \Upsilon_2(\vartheta_1 + \vartheta_2).$$

A.2 Jacobi Quadrics Intersection Model

Another way to represent an elliptic curve is as the intersection of two quadrics in ℙ³ (see, e.g., [16]). Applications to cryptography are discussed in [16, 29, 48]. The most general form [32] reads as

$$\mathcal{E}_Q^{a,b} : \begin{cases} a x^2 + y^2 = 1 \\ b x^2 + z^2 = 1 \end{cases}$$

The neutral element is O = (0, 1, 1). The unified sum of two points (x1, y1, z1) and (x2, y2, z2) is given by (x3, y3, z3) = (x1, y1, z1) ⊞ (x2, y2, z2) where

$$(x_3, y_3, z_3) = \left( \frac{x_1 y_2 z_2 + x_2 y_1 z_1}{1 - a b x_1^2 x_2^2},\; \frac{y_1 y_2 - a x_1 z_1 x_2 z_2}{1 - a b x_1^2 x_2^2},\; \frac{z_1 z_2 - b x_1 y_1 x_2 y_2}{1 - a b x_1^2 x_2^2} \right).$$

A.2.1 First Realization

We define:

$$\mathcal{E}_Q^{a,b,1}(\mathbb{Z}/r^2\mathbb{Z}) = \bigl\{\, \Upsilon_1(\vartheta) = (\vartheta r, 1, 1) \;\bigm|\; \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\bigr\} \cong (\mathbb{Z}/r\mathbb{Z})^+ .$$

A straightforward calculation shows that Υ1(ϑ) ≡ (ϑr, 1, 1) ≡ (0, 1, 1) ≡ Υ1(0) ≡ O (mod r) and that

$$\Upsilon_1(\vartheta_1) \boxplus \Upsilon_1(\vartheta_2) = (\vartheta_1 r, 1, 1) \boxplus (\vartheta_2 r, 1, 1) = \left( \frac{\vartheta_1 r \cdot 1 \cdot 1 + \vartheta_2 r \cdot 1 \cdot 1}{1},\; \frac{1 \cdot 1}{1},\; \frac{1 \cdot 1}{1} \right) = \bigl( (\vartheta_1 + \vartheta_2) \cdot r,\; 1,\; 1 \bigr) = \Upsilon_1(\vartheta_1 + \vartheta_2).$$

A.2.2 Second Realization

We have:

$$(\mathbb{Z}/r\mathbb{Z})^+ \cong \mathcal{E}_Q^{0,0}(\mathbb{Z}/r\mathbb{Z})[r] = \bigl\{\, \Upsilon_2(\vartheta) = (\vartheta, 1, 1) \;\bigm|\; \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\bigr\} \subseteq \bigl\{\, (x, y, z) \in \mathcal{E}_Q^{0,0}(\mathbb{Z}/r\mathbb{Z}) \,\bigr\}.$$

It can be checked that Υ2(0) = (0, 1, 1) = O and, when a = b = 0, that

$$\Upsilon_2(\vartheta_1) \boxplus \Upsilon_2(\vartheta_2) = (\vartheta_1, 1, 1) \boxplus (\vartheta_2, 1, 1) = \left( \frac{\vartheta_1 \cdot 1 \cdot 1 + \vartheta_2 \cdot 1 \cdot 1}{1},\; \frac{1 \cdot 1}{1},\; \frac{1 \cdot 1}{1} \right) = (\vartheta_1 + \vartheta_2, 1, 1) = \Upsilon_2(\vartheta_1 + \vartheta_2).$$

A.3 Hessian Model

Hessian curves [28] were generalized, modified, and extended for cryptographic applications in several works, including [7, 25, 38, 60]. We follow the presentation of [7] where the neutral element is O = (0, −1). The curve equation is

$$\mathcal{E}_H^{a,d} : a x^3 + y^3 + 1 = d x y.$$

The unified sum (x3, y3) = (x1, y1) ⊞ (x2, y2) of two points (x1, y1) and (x2, y2) is given by

$$(x_3, y_3) = \left( \frac{x_1 - y_1^2 x_2 y_2}{a x_1 y_1 x_2^2 - y_2},\; \frac{y_1 y_2^2 - a x_1^2 x_2}{a x_1 y_1 x_2^2 - y_2} \right).$$

A.3.1 First Realization

We define:

$$\mathcal{E}_H^{a,d,1}(\mathbb{Z}/r^2\mathbb{Z}) = \bigl\{\, \Upsilon_1(\vartheta) = (3\vartheta r, -1 - d\vartheta r) \;\bigm|\; \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\bigr\} \cong (\mathbb{Z}/r\mathbb{Z})^+ .$$

Again, it can be verified that Υ1(ϑ) ≡ (3ϑr, −1 − dϑr) ≡ (0, −1) ≡ Υ1(0) ≡ O (mod r). A quick inspection shows that the above addition law for computing Υ1(ϑ1) ⊞ Υ1(ϑ2) = (3ϑ1r, −1 − dϑ1r) ⊞ (3ϑ2r, −1 − dϑ2r) incurs the value −(−1 − dϑ2r) = 1 + dϑ2r in the denominator. We therefore must have dϑ2r ≢ −1 (mod r²). This is always satisfied since dϑ2r ≡ −1 (mod r²) would imply 0 ≡ −1 (mod r). Hence, the sum is always defined and is given as

$$\Upsilon_1(\vartheta_1) \boxplus \Upsilon_1(\vartheta_2) = \left( \frac{3\vartheta_1 r - (-1 - d\vartheta_1 r)^2 (3\vartheta_2 r)(-1 - d\vartheta_2 r)}{-(-1 - d\vartheta_2 r)},\; \frac{(-1 - d\vartheta_1 r)(-1 - d\vartheta_2 r)^2}{-(-1 - d\vartheta_2 r)} \right) = \left( \frac{3\vartheta_1 r + 3\vartheta_2 r}{1 + d\vartheta_2 r},\; \frac{-1 - d\vartheta_1 r - d\vartheta_2 r}{1} \right) = \bigl( 3(\vartheta_1 + \vartheta_2) \cdot r,\; -1 - d(\vartheta_1 + \vartheta_2) \cdot r \bigr) = \Upsilon_1(\vartheta_1 + \vartheta_2),$$

noting that (1 + dϑ2r)⁻¹ = 1 − dϑ2r (mod r²) and that (3ϑ1r + 3ϑ2r)(1 − dϑ2r) = 3(ϑ1 + ϑ2)·r (mod r²).

A.3.2 Second Realization

We have:

$$(\mathbb{Z}/r\mathbb{Z})^+ \cong \mathcal{E}_H^{0,0}(\mathbb{Z}/r\mathbb{Z})[r] = \bigl\{\, \Upsilon_2(\vartheta) = (\vartheta, -1) \;\bigm|\; \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\bigr\} \subseteq \bigl\{\, (x, y) \in \mathcal{E}_H^{0,0}(\mathbb{Z}/r\mathbb{Z}) \,\bigr\}.$$

Likewise, we have Υ2(0) = (0, −1) = O and the addition law when a = d = 0 yields

$$\Upsilon_2(\vartheta_1) \boxplus \Upsilon_2(\vartheta_2) = (\vartheta_1, -1) \boxplus (\vartheta_2, -1) = \left( \frac{\vartheta_1 - (-1)^2 \vartheta_2 (-1)}{-(-1)},\; \frac{(-1)(-1)^2}{-(-1)} \right) = (\vartheta_1 + \vartheta_2, -1) = \Upsilon_2(\vartheta_1 + \vartheta_2).$$

A.4 Huff’s Model

Huff curves, after [33], were introduced for cryptographic applications in [41]. The most general form as presented in [52] (see also [19, 62]) is given by the equation

$$\mathcal{E}_H^{a,c,d} : y (a x^2 + 1) = c x (d y^2 + 1)$$

with neutral element O = (0, 0). The unified addition formula of points (x1, y1) and (x2, y2) is given by (x3, y3) = (x1, y1) ⊞ (x2, y2) where

$$(x_3, y_3) = \left( \frac{(x_1 + x_2)(1 - d y_1 y_2)}{(1 - a x_1 x_2)(1 + d y_1 y_2)},\; \frac{(y_1 + y_2)(1 - a x_1 x_2)}{(1 + a x_1 x_2)(1 - d y_1 y_2)} \right).$$

A.4.1 First Realization

We define:

$$\mathcal{E}_H^{a,c,d,1}(\mathbb{Z}/r^2\mathbb{Z}) = \bigl\{\, \Upsilon_1(\vartheta) = (\vartheta r, c\vartheta r) \;\bigm|\; \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\bigr\} \cong (\mathbb{Z}/r\mathbb{Z})^+ .$$

The correctness follows by observing that Υ1(ϑ) ≡ (ϑr, cϑr) ≡ (0, 0) ≡ Υ1(0) ≡ O (mod r) and that the addition law leads to

$$\Upsilon_1(\vartheta_1) \boxplus \Upsilon_1(\vartheta_2) = (\vartheta_1 r, c\vartheta_1 r) \boxplus (\vartheta_2 r, c\vartheta_2 r) = \left( \frac{(\vartheta_1 r + \vartheta_2 r) \cdot 1}{1 \cdot 1},\; \frac{(c\vartheta_1 r + c\vartheta_2 r) \cdot 1}{1 \cdot 1} \right) = \bigl( (\vartheta_1 + \vartheta_2) \cdot r,\; c(\vartheta_1 + \vartheta_2) \cdot r \bigr) = \Upsilon_1(\vartheta_1 + \vartheta_2).$$

A.4.2 Second Realization

Fix c̄ ∈ ℤ/rℤ. We have:

$$(\mathbb{Z}/r\mathbb{Z})^+ \cong \mathcal{E}_H^{0,\bar{c},0}(\mathbb{Z}/r\mathbb{Z})[r] = \bigl\{\, \Upsilon_2(\vartheta) = (\vartheta, \bar{c}\vartheta) \;\bigm|\; \vartheta \in \mathbb{Z}/r\mathbb{Z} \,\bigr\} \subseteq \bigl\{\, (x, y) \in \mathcal{E}_H^{0,\bar{c},0}(\mathbb{Z}/r\mathbb{Z}) \,\bigr\}.$$

We observe that Υ2(0) = (0, 0) = O and, when (a, c, d) = (0, c̄, 0), the addition law gives Υ2(ϑ1) ⊞ Υ2(ϑ2) = (ϑ1, c̄ϑ1) ⊞ (ϑ2, c̄ϑ2) = (ϑ1 + ϑ2, c̄(ϑ1 + ϑ2)) = Υ2(ϑ1 + ϑ2).
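The four realizations of Appendix A (A.1 to A.4) can be checked numerically, and the first realization can be exercised in the way the ring extension method uses it: compute in the extended ring and compare the result modulo r² against the predicted Υ1 value. The following Python is an added example written for this page, not code from the paper or its author. It transcribes the four unified addition laws above (for Huff's model, the y-coordinate denominator is taken as (1 + a x1x2)(1 − d y1y2), mirroring the x-coordinate formula; this reading is the editor's), verifies for random ϑ1, ϑ2 that Υ1(ϑ) ≡ O (mod r) and that Υi(ϑ1) ⊞ Υi(ϑ2) = Υi(ϑ1 + ϑ2), and then runs a protected Jacobi quartic scalar multiplication in Shamir's three-step pattern (lift by CRT, compute in Z/(p r²)Z, verify modulo r²). All names (`MODELS`, `check_realizations`, `protected_jq_mult`, `find_jq_point`), the parameter values 7, 11, 5, the toy moduli p = 1000003 and r = 1009, and the XOR fault model are assumptions of this example; the paper's exact variant of the method in its main text is not reproduced here.

```python
"""Numerical check of the Appendix A realizations plus a ring-extension fault
check built on the Jacobi quartic first realization.  Constructed example, not
the paper's code; curve parameters and moduli are arbitrary toy values.
Each addition law below takes every parameter of its model, even ones its
formula does not use (Hessian d, Huff c), so the laws share one calling shape."""
import random

def inv(x, m):
    return pow(x % m, -1, m)        # raises ValueError when x is not a unit mod m

def jacobi_quartic_add(P, Q, m, a, d):        # y^2 = d x^4 + 2a x^2 + 1,  O = (0, 1)
    (x1, y1), (x2, y2) = P, Q
    den = 1 - d * x1 * x1 * x2 * x2
    x3 = (x1 * y2 + x2 * y1) * inv(den, m)
    y3 = ((1 + d * x1 * x1 * x2 * x2) * (y1 * y2 + 2 * a * x1 * x2)
          + 2 * d * x1 * x2 * (x1 * x1 + x2 * x2)) * inv(den * den, m)
    return (x3 % m, y3 % m)

def jacobi_intersection_add(P, Q, m, a, b):   # a x^2 + y^2 = 1, b x^2 + z^2 = 1,  O = (0, 1, 1)
    (x1, y1, z1), (x2, y2, z2) = P, Q
    i = inv(1 - a * b * x1 * x1 * x2 * x2, m)
    return ((x1 * y2 * z2 + x2 * y1 * z1) * i % m, (y1 * y2 - a * x1 * z1 * x2 * z2) * i % m,
            (z1 * z2 - b * x1 * y1 * x2 * y2) * i % m)

def hessian_add(P, Q, m, a, d):               # a x^3 + y^3 + 1 = d x y,  O = (0, -1)
    (x1, y1), (x2, y2) = P, Q
    i = inv(a * x1 * y1 * x2 * x2 - y2, m)
    return ((x1 - y1 * y1 * x2 * y2) * i % m, (y1 * y2 * y2 - a * x1 * x1 * x2) * i % m)

def huff_add(P, Q, m, a, c, d):               # y (a x^2 + 1) = c x (d y^2 + 1),  O = (0, 0)
    (x1, y1), (x2, y2) = P, Q
    x3 = (x1 + x2) * (1 - d * y1 * y2) * inv((1 - a * x1 * x2) * (1 + d * y1 * y2), m)
    # y3 pairs a with x1*x2 and d with y1*y2, mirroring x3 (editor's reading of A.4)
    y3 = (y1 + y2) * (1 - a * x1 * x2) * inv((1 + a * x1 * x2) * (1 - d * y1 * y2), m)
    return (x3 % m, y3 % m)

# name -> (law, params for Υ1 (arbitrary), params for Υ2 (degenerate curve), O, Υ1, Υ2)
MODELS = {
    "jacobi_quartic": (jacobi_quartic_add, dict(a=7, d=11), dict(a=0, d=0), (0, 1),
                       lambda t, r, p: (t * r, 1), lambda t, p: (t, 1)),
    "jacobi_intersection": (jacobi_intersection_add, dict(a=7, b=11), dict(a=0, b=0), (0, 1, 1),
                            lambda t, r, p: (t * r, 1, 1), lambda t, p: (t, 1, 1)),
    "hessian": (hessian_add, dict(a=7, d=11), dict(a=0, d=0), (0, -1),
                lambda t, r, p: (3 * t * r, -1 - p["d"] * t * r), lambda t, p: (t, -1)),
    "huff": (huff_add, dict(a=7, c=5, d=11), dict(a=0, c=5, d=0), (0, 0),
             lambda t, r, p: (t * r, p["c"] * t * r), lambda t, p: (t, p["c"] * t)),
}

def check_realizations(name, r, trials=64, seed=1):
    """For random ϑ1, ϑ2 in Z/rZ verify Υ1(ϑ) ≡ O (mod r), Υ1(ϑ1) ⊞ Υ1(ϑ2) = Υ1(ϑ1 + ϑ2)
    in Z/r²Z and Υ2(ϑ1) ⊞ Υ2(ϑ2) = Υ2(ϑ1 + ϑ2) in Z/rZ, as stated in Appendix A."""
    law, p1, p2, O, ups1, ups2 = MODELS[name]
    rng, m = random.Random(seed), r * r
    red = lambda P, n: tuple(c % n for c in P)
    for _ in range(trials):
        t1, t2 = rng.randrange(r), rng.randrange(r)
        if red(ups1(t1, r, p1), r) != red(O, r):
            return False
        if law(ups1(t1, r, p1), ups1(t2, r, p1), m, **p1) != red(ups1((t1 + t2) % r, r, p1), m):
            return False
        if law(ups2(t1, p2), ups2(t2, p2), r, **p2) != red(ups2((t1 + t2) % r, p2), r):
            return False
    return True

def scalar_mult(law, k, P, O, m, **params):   # left-to-right double-and-add, unified law throughout
    R = O
    for bit in bin(k)[2:]:
        R = law(R, R, m, **params)
        if bit == "1":
            R = law(R, P, m, **params)
    return R

def crt(xp, p, xq, q):                        # residue mod p*q that is xp mod p and xq mod q
    return (xp + p * ((xq - xp) * inv(p, q) % q)) % (p * q)

def protected_jq_mult(k, P, a, d, p, r, theta, fault=0):
    """Ring-extension method on the Jacobi quartic in Shamir's three-step pattern (an
    illustration of how Υ1 is used, not the paper's exact variant): lift P to Z/(p r²)Z
    by CRT against Υ1(θ), compute k·P there, accept only if the result is Υ1(k θ) mod r².
    `fault` XORs the lifted x before the computation (a glitch on a loaded operand)."""
    r2, m = r * r, p * r * r
    x = crt(P[0], p, theta * r, r2) ^ fault
    y = crt(P[1], p, 1, r2)
    try:                                      # a non-unit denominator is reported as a fault too
        Q = scalar_mult(jacobi_quartic_add, k, (x, y), (0, 1), m, a=a, d=d)
    except ValueError:
        return None
    if tuple(c % r2 for c in Q) != ((k * theta % r) * r, 1):
        return None                           # check failed: withhold the output
    return tuple(c % p for c in Q)            # k·P over F_p

def find_jq_point(a, d, p):                   # smallest-x point of y^2 = d x^4 + 2a x^2 + 1, p ≡ 3 mod 4
    for x in range(1, p):
        rhs = (d * x ** 4 + 2 * a * x * x + 1) % p
        y = pow(rhs, (p + 1) // 4, p)
        if y * y % p == rhs:
            return (x, y)
```

Calling `check_realizations(name, r=1009)` for each key of `MODELS` returns `True`, which is the content of A.1.1 to A.4.2 checked on random residues. With `P = find_jq_point(7, 11, 1000003)`, `protected_jq_mult(0xC0FFEE, P, 7, 11, 1000003, 1009, 123)` equals the plain `scalar_mult` over F_p, whereas the same call with `fault=32` returns `None`: the corrupted operand propagates through every addition, so the residue modulo r² no longer lands on Υ1(kθ) and the output is withheld. The curve parameters a, d need no adjustment modulo r² because the first realization holds for any a, d; only the point is paired with Υ1(θ). A fault that leaves the residue modulo r² intact is not caught by this check, which is why the main text's analysis of the choice of r matters in a real deployment.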

Received: 2019-07-15
Accepted: 2020-03-04
Published Online: 2020-08-01

© 2020 M. Joye, published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.
