Learn More
This paper introduces simple methods to convert a cryptographic algorithm into an algorithm protected against simple side-channel attacks. Contrary to previously known solutions, the proposed techniques are not at the expense of the execution time. Moreover, they are generic and apply to virtually any algorithm. In particular, we present several novel(More)
Elliptic curve cryptosystems in the presence of faults were studied by Biehl, Meyer and Müller (2000). The first fault model they consider requires that the input point P in the computation of dP is chosen by the adversary. Their second and third fault models only require the knowledge of P. But these two latter models are less 'practical' in the sense that(More)
Recently, Eisenträger et al. proposed a very elegant method for speeding up scalar multiplication on elliptic curves. Their method relies on improved formulas for evaluating S = (2P + Q) from given points P and Q on an elliptic curve. Compared to the naive approach, the improved formulas save a field multiplication each time the operation is performed. This(More)
Randomization techniques play an important role in the protection of cryptosystems against implementation attacks. This paper studies the case of elliptic curve cryptography and propose three novel randomization methods, for the elliptic curve point multiplication, which do not impact the overall performance. Our first method, dedicated to elliptic curves(More)
In most algorithms involving elliptic curves, the most expensive part consists in computing multiples of points. This paper investigates how to extend the τ-adic expansion from Koblitz curves to a larger class of curves defined over a prime field having an efficiently-computable endomorphism φ in order to perform an efficient point multiplication with(More)
Let E be an elliptic curve defined over F2n. The inverse operation of point doubling, called point halving, can be done up to three times as fast as doubling. Some authors have therefore proposed to perform a scalar multiplication by an " halve-and-add " algorithm, which is faster than the classical double-and-add method. If the coefficients of the equation(More)
In this paper we produce a practical and efficient algorithm to find a decomposition of type n = k i=1 2 s i 3 t i , si, ti ∈ N ∪ {0} with k ≤ c + o(1) ¡ log n log log n. It is conjectured that one can take c = 2 above. Then this decomposition is refined into an effective scalar multiplication algorithm to compute nP on some supersingular elliptic curves of(More)
In this work we analyse the GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) which uses a fast endomorphism Φ with minimal polynomial X 2 + rX + s to compute any multiple kP of a point P of order n lying on an elliptic curve. First we fill in a gap in the proof of the bound of the kernel K vectors of the reduction map f : (i, j) → i + λj (mod n).(More)