Paper 2003/191

Projective Coordinates Leak

David Naccache, Nigel Smart, and Jacques Stern

Abstract

Denoting by $P=[k]G$ the elliptic-curve double-and-add multiplication of a public base point $G$ by a secret $k$, we show that allowing an adversary access to the projective representation of $P$ results in information being revealed about $k$. Such access might be granted to an adversary by a poor software implementation that does not erase the $Z$ coordinate of $P$ from the computer's memory or by a computationally constrained secure token that sub-contracts the affine conversion of $P$ to the external world. From a wider perspective, our result proves that the choice of representation of elliptic curve points can reveal information about their underlying discrete logarithms, hence casting potential doubt on the appropriateness of blindly modelling elliptic curves as generic groups. As a conclusion, our result underlines the necessity to sanitize $Z$ after the affine conversion or, alternatively, randomize $P$ before releasing it.
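The point of the abstract, as an added Python illustration that is not code from the paper: the raw $Z$ left behind by double-and-add depends on the sequence of operations performed, not only on the resulting point, and rescaling by a random $\lambda$ before release is one form of the randomization the abstract recommends. The curve (secp256k1), the use of Jacobian coordinates, the sample scalar `K` and all function names are assumptions of this example.

```python
import secrets

# secp256k1 (y^2 = x^3 + 7 over F_P); the curve choice is an assumption of this example.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
K = 0x5EC2E7C0FFEE0123456789ABCDEF  # constructed sample scalar, not a real key

def jac_double(pt):
    X, Y, Z = pt
    S = 4 * X * Y * Y % P
    M = 3 * X * X % P               # a = 0 on this curve, so the a*Z^4 term vanishes
    X3 = (M * M - 2 * S) % P
    return X3, (M * (S - X3) - 8 * pow(Y, 4, P)) % P, 2 * Y * Z % P

def jac_add_affine(pt, q):
    """Jacobian pt + affine q; the pt == +/-q special cases are rejected, not handled."""
    X1, Y1, Z1 = pt
    H = (q[0] * Z1 * Z1 - X1) % P
    R = (q[1] * pow(Z1, 3, P) - Y1) % P
    if H == 0:
        raise ValueError("degenerate addition")
    H2, H3 = H * H % P, pow(H, 3, P)
    X3 = (R * R - H3 - 2 * X1 * H2) % P
    return X3, (R * (X1 * H2 - X3) - Y1 * H3) % P, Z1 * H % P

def jac_mul(k, q=G):
    """Left-to-right double-and-add; returns the raw Jacobian (X, Y, Z)."""
    acc = (q[0], q[1], 1)
    for bit in bin(k)[3:]:          # skip '0b' and the leading 1 bit
        acc = jac_double(acc)
        if bit == "1":
            acc = jac_add_affine(acc, q)
    return acc

def to_affine(pt):
    zi = pow(pt[2], -1, P)
    return pt[0] * zi * zi % P, pt[1] * pow(zi, 3, P) % P

def randomize(pt):
    """Countermeasure: rescale (X, Y, Z) by a fresh random lambda before release."""
    lam = secrets.randbelow(P - 1) + 1
    return pt[0] * lam * lam % P, pt[1] * pow(lam, 3, P) % P, pt[2] * lam % P

def same_point_different_z(k):
    """[k]G and [k+N]G are one point, but their raw Z differ with the operation sequence."""
    a, b = jac_mul(k), jac_mul(k + N)
    return to_affine(a) == to_affine(b), a[2] != b[2]
```

After `randomize`, the released $Z$ is a uniformly random nonzero field element, and `to_affine` still returns the same point.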

Metadata
Available format(s): PS
Publication info: Published elsewhere. Unknown where it was published
Contact author(s): nigel @ cs bris ac uk
History: 2003-09-17: received
Short URL: https://ia.cr/2003/191
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2003/191,
      author = {David Naccache and Nigel Smart and Jacques Stern},
      title = {Projective Coordinates Leak},
      howpublished = {Cryptology ePrint Archive, Paper 2003/191},
      year = {2003},
      note = {\url{https://eprint.iacr.org/2003/191}},
      url = {https://eprint.iacr.org/2003/191}
}