2020
DOI: 10.46586/tches.v2020.i3.428-453

From A to Z: Projective coordinates leakage in the wild

Abstract: At EUROCRYPT 2004, Naccache et al. showed that the projective coordinates representation of the resulting point of an elliptic curve scalar multiplication potentially allows an attacker to recover some bits of the scalar. However, this attack has received little attention from the scientific community, and the status of deployed mitigations to prevent it in widely adopted cryptography libraries is unknown. In this paper, we aim to fill this gap by analyzing several cryptography libraries in this context. To demonstrate the…

Cited by 13 publications (2 citation statements)

References 32 publications

Citation statements:
“…The approach is purely algebraic and relies on, when inverting Process based on a guess about K_i, no modular roots existing, concluding that said K_i is incorrect. However, due to modular root properties, the search tree explodes very quickly, hence the number of bits that can be recovered is small [NSS04, APGB20].…”
Section: Attack Input and Direction
confidence: 99%
“…This attack assumes the adversary knows the projective coordinates of the last R_i just before converting the point to affine coordinates. This requirement can be fulfilled using a side-channel attack on the modular inversion algorithm in libgcrypt [APGB20]. The last value of R will be the initial OTA state, thus the adversary reverses the target trace order, such that the first iteration processed by an OTA will be the last one executed by the algorithm.…”
Section: End-to-end Attack On Libgcrypt
confidence: 99%