Error detection in addition chain based ECC point multiplication

S. Pontarelli, G.C. Cardarilli, M. Re, A. Salsano
{pontarelli, salsano}@ing.uniroma2.it, {marco.re, g.cardarilli}@ieee.org
University of Rome "Tor Vergata", Via del Politecnico 1, 00191, Rome, ITALY
(ASI) Italian Space Agency, Viale Liegi, 26, 00198 Rome, ITALY

Abstract— This paper addresses the problem of error detection in elliptic curve point multiplication. Elliptic Curve Point Multiplication is often used to design cryptographic algorithms that use fewer bits than other methods with the same security level. One of the ways to break the security of a cryptosystem is to inject a fault into the hardware that implements the cryptographic algorithm. Therefore, to avoid this kind of attack, it is very important to develop cryptosystems that are able to detect errors induced by a fault. The paper considers the algorithm for Elliptic Curve Point Multiplication based on a sequence of additions called an "addition chain" and shows how suitable modifications of the algorithms used for computing the point multiplication add the error detection property to the algorithm.

I. INTRODUCTION

Elliptic Curve Point Multiplication (ECC) is often used to design cryptographic algorithms that use fewer bits than other methods with the same security level. Because cryptanalysis of Elliptic Curve Cryptography (ECC) is infeasible, a realistic attack on a cryptosystem must take into account the information extracted from the physical implementation of the cryptosystem. The injection of a fault can be used to discover the secret key, as originally proposed in [1] and [2]. To counter fault attacks, ECC systems with self-checking or error detection properties have been proposed. The work in [3] concerns an ECC system based on a finite field $\mathbb{F}_p$ and uses parity-preserving circuits [4] to detect errors inside the modular operations on $\mathbb{F}_p$, implemented using a redundant binary encoding.
Instead, [5] and [6] face this problem for a finite field of type $\mathbb{F}_{2^n}$. All these methods focus on the detection of faults in the single operation performed on the finite field. Our method, instead, does not operate at the level of the operation on the finite field, but at the level of the addition operation between points on the elliptic curve. This characteristic allows it to be implemented in both hardware and software with very few modifications. The algorithm considered is based on Euclidean Addition Chains (EAC) and was proposed in [7] to compute the elliptic curve point multiplication. It was proposed in [7] to avoid a side channel attack based on power consumption analysis. Our modification also provides robustness against fault attacks.

II. ECC BACKGROUND

An elliptic curve over a finite field $\mathbb{F}_p$ (where $p$ is a large prime number) is formed by the set of points $(x, y)$ satisfying the Weierstrass equation

$$E : y^2 = x^3 + ax + b \tag{1}$$

with $x, y, a$ and $b \in \mathbb{F}_p$ and $4a^3 + 27b^2 \not\equiv 0 \pmod{p}$. Adding the point at infinity, the set $E$ forms an additive group with the point at infinity as the neutral element, and the opposite of $P_1$ is $-P_1 = (x_1, -y_1)$. Given two points on the curve $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$, the addition between $P_1$ and $P_2$ is the point $P_3 = (x_3, y_3)$, with $x_3$ and $y_3$ defined by the following equations:

$$x_3 = \lambda^2 - (x_1 + x_2), \qquad y_3 = \lambda(x_1 - x_3) - y_1 \tag{2}$$

where

$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1}, & \text{if } P_1 \neq \pm P_2 \\[2ex] \dfrac{3x_1^2 + a}{2y_1}, & \text{if } P_1 = P_2 \end{cases}$$

The point scalar multiplication is defined as:

$$E \times \mathbb{Z} \to E, \qquad (P, k) \mapsto Q = [k]P = \underbrace{P + P + \cdots + P + P}_{k \text{ times}} \tag{3}$$

III. POINT MULTIPLICATION BY MEANS OF EUCLIDEAN ADDITION CHAIN

One of the methods proposed to compute the multiplication presented in equation (3) is based on the Euclidean Addition Chain [7]. An introduction to this method to speed up multiplications is given by Knuth in [8].
An addition chain for $k$ is a list of positive integers $a_1 = 1, a_2, \ldots, a_l = k$, such that for each $i > 1$ there are some $i_1$ and $i_2$ with $1 \le i_1 \le i_2 < i$ and $a_i = a_{i_1} + a_{i_2}$. A short addition chain for $k$ gives a fast algorithm for computing $[k]P$ by computing $a_2P, a_3P, \ldots, a_lP$. The algorithm that uses the addition chain can be simplified by restricting the values that $i_1$ and $i_2$ can assume for each $i$. The Euclidean restriction fixes the index $i_1 = i - 1$ and the index $i_2 = i - 2$ or $i_2 = j$, where

978-1-4244-4595-0/09/$25.00 © 2009 IEEE
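The addition-chain definition above, combined with the addition law of equation (2), can be exercised on a small curve. The following is an added example, not code from the paper: the toy curve y^2 = x^3 + 2x + 2 over F_17, the sample point (5, 1) and all function names are assumptions chosen for illustration.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 with sample point G (constructed values).
P_MOD, A = 17, 2
G = (5, 1)
INF = None  # point at infinity, the neutral element

def add(p1, p2):
    """Affine point addition following equation (2)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # P1 = -P2 (includes doubling a point with y = 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - (x1 + x2)) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def chain_steps(chain, k):
    """Check the addition-chain definition; return 0-based (i1, i2) per step."""
    if not chain or chain[0] != 1 or chain[-1] != k:
        raise ValueError("chain must start at 1 and end at k")
    steps = []
    for i in range(1, len(chain)):
        pair = next(((i1, i2) for i2 in range(i) for i1 in range(i2 + 1)
                     if chain[i1] + chain[i2] == chain[i]), None)
        if pair is None:
            raise ValueError(f"{chain[i]} is not a sum of two earlier terms")
        steps.append(pair)
    return steps

def multiply_by_chain(chain, k, point):
    """Compute [k]P with one point addition per chain element after a_1."""
    multiples = [point]  # multiples[i] holds [chain[i]]P
    for i1, i2 in chain_steps(chain, k):
        multiples.append(add(multiples[i1], multiples[i2]))
    return multiples[-1]

def multiply_naive(k, point):
    """Reference result: add P to the accumulator k times, as in equation (3)."""
    acc = INF
    for _ in range(k):
        acc = add(acc, point)
    return acc

if __name__ == "__main__":
    print(multiply_by_chain([1, 2, 3, 5, 8, 13], 13, G), multiply_naive(13, G))
```

The chain 1, 2, 3, 5, 8, 13 reaches [13]P in five point additions, while the reference loop performs one addition per unit of k; a list that violates the definition is rejected before any point arithmetic runs.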