Chosen Base-Point Side-Channel Attack on Montgomery Ladder with x-only coordinate: with Application to secp256k1

Congming Wei, Jiazhe Chen, An Wang, Beibei Wang, Hongsong Shi, Xiaoyun Wang
2020 IET Information Security  
This study revisits the side-channel security of the elliptic curve cryptography (ECC) scalar multiplication implemented with Montgomery ladder. Focusing on a specific implementation that does not use the y-coordinate for point addition (ECADD) and point doubling (ECDBL), the authors show that Montgomery ladder on Weierstrass curves is vulnerable to a chosen base-point attack. Unlike the normal implementation with y-coordinate, in the scenario of this study, the chosen base-point strategy will not lead to operations with two identical inputs during the ECADD and/or ECDBL. Instead, by choosing a suitable base-point, one will find that there are operations that share a common operand, while this is not the case if the base-point is not chosen correctly. This results in the recovery of the secret (fixed) scalar. They also experiment with the methods of shared operand detection on a real-world SoC, where a secp256k1 dedicated Montgomery ladder scalar multiplication with x-only coordinate is implemented, to show the efficiency of the scalar recovery attack. Naturally, the attack can be generalised to other Weierstrass curves when they contain special points.
doi:10.1049/iet-ifs.2018.5228 fatcat:4opjklptgjhh5nugdr6fedvz64