
GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures with Single-Bit Nonce Bias

Abstract: The fastest implementations of elliptic curve cryptography in recent years have been achieved on curves endowed with nontrivial efficient endomorphisms, using techniques due to Gallant–Lambert–Vanstone (GLV) and Galbraith–Lin–Scott (GLS). In such implementations, a scalar multiplication [k]P is computed as a double multiplication [k1]P + [k2]ψ(P), for ψ an efficient endomorphism and k1, k2 appropriate half-size scalars. To compute a random scalar multiplication, one can either select the scalars k1, k2 at random, hoping that the resulting k = k1 + k2λ is close to uniform, or pick a uniform k instead and decompose it as k1 + k2λ afterwards. The main goal of this paper is to discuss security issues that may arise using either approach. When k1 and k2 are chosen uniformly at random in [0, √n), n = ord(P), we provide security proofs under mild assumptions. However, if they are chosen as random integers of 1/2
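As an added illustration (not code from the paper or its authors), the script below measures how far the recomposed nonce k = k1 + k2λ mod n is from uniform for the "pick k1, k2 at random" approach, under both scalar choices the abstract contrasts. It uses a constructed toy prime order n = 1531 and assumes "half-size" means random integers of half of n's bit length, rounded up.

```python
import cmath
import math
from collections import Counter

# Constructed toy prime order with n = 1 mod 3, so lam^2 + lam + 1 = 0 (mod n) has a root.
N = 1531

def glv_eigenvalue(n):
    """Smallest nontrivial root of x^2 + x + 1 mod n (brute force, toy n only)."""
    for lam in range(2, n):
        if (lam * lam + lam + 1) % n == 0:
            return lam
    raise ValueError("no order-3 eigenvalue: n must be 1 mod 3")

def recomposed_nonce_counts(n, lam, bound):
    """Exact distribution of k = k1 + k2*lam mod n over all k1, k2 in [0, bound)."""
    counts = Counter()
    for k1 in range(bound):
        for k2 in range(bound):
            counts[(k1 + k2 * lam) % n] += 1
    return counts

def total_variation(counts, n):
    """Statistical distance between the observed k distribution and uniform on [0, n)."""
    total = sum(counts.values())
    return 0.5 * sum(abs(counts.get(k, 0) / total - 1 / n) for k in range(n))

def modular_bias(counts, n):
    """|mean of exp(2*pi*i*k/n)|: 0 for uniform k, 1 for constant k."""
    total = sum(counts.values())
    z = sum(c * cmath.exp(2j * math.pi * k / n) for k, c in counts.items())
    return abs(z) / total

def compare_samplers(n=N):
    """Bias statistics for both scalar choices plus a truly uniform k baseline."""
    lam = glv_eigenvalue(n)
    sqrt_bound = math.isqrt(n) + 1  # integers in [0, sqrt n); n is not a square
    # Assumption: 'half-size' means random integers of ceil(bitlen(n)/2) bits.
    half_bits_bound = 1 << ((n.bit_length() + 1) // 2)
    samplers = {
        "sqrt_n": recomposed_nonce_counts(n, lam, sqrt_bound),
        "half_bits": recomposed_nonce_counts(n, lam, half_bits_bound),
        "uniform_k": Counter({k: 1 for k in range(n)}),
    }
    return {"lam": lam, **{name: {"pairs": sum(c.values()), "tv": total_variation(c, n),
                                 "bias": modular_bias(c, n)} for name, c in samplers.items()}}

if __name__ == "__main__":
    for name, stats in compare_samplers().items():
        print(name, stats)
```

The same two statistics can be run over nonces sampled from a real implementation's scalar generator to check that its k is not measurably biased modulo n.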
Document type: Conference papers


https://hal.inria.fr/hal-01094002
Contributor: Pierre-Alain Fouque
Submitted on: Thursday, December 11, 2014 - 2:48:04 PM
Last modification on: Thursday, January 7, 2021 - 4:33:40 PM
Long-term archiving on: Saturday, April 15, 2017 - 7:59:09 AM


Citation

Diego Aranha, Pierre-Alain Fouque, Benoit Gérard, Jean-Gabriel Kammerer, Mehdi Tibouchi, et al. GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures with Single-Bit Nonce Bias. Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Dec 2014, Kaoshiung, Taiwan. pp. 262-281, ⟨10.1007/978-3-662-45611-8_14⟩. ⟨hal-01094002⟩
