
Resistance against Differential Power Analysis
for Elliptic Curve Cryptosystems

Jean-Sebastien Coron
Ecole Normale Superieure, 45 rue d'Ulm, Paris, F-75230, France, coron@clipper.ens.fr
Gemplus Card International, 34 rue Guynemer, Issy-les-Moulineaux, F-92447, France, coron@gemplus.com

Abstract. Differential Power Analysis, first introduced by Kocher et al. in [14], is a powerful technique that recovers secret smart card information by monitoring power signals. In [14] a specific DPA attack against smart-cards running the DES algorithm was described. As few as 1000 encryptions were sufficient to recover the secret key. In this paper we generalize the DPA attack to elliptic curve (EC) cryptosystems and describe a DPA on EC Diffie-Hellman key exchange and EC El-Gamal type encryption. These attacks recover the private key stored inside the smart-card. Moreover, we suggest countermeasures that thwart our attack.

Keywords. Elliptic curve, power consumption, Differential Power Analysis.

1 Introduction
The use of elliptic curves in cryptography was first proposed by Miller [17] and Koblitz [12] in 1985. Since that time, a lot of attention has been paid to elliptic curves for cryptographic applications and it has become increasingly common to implement public-key protocols on elliptic curves over large finite fields. Elliptic curves (EC) provide a group structure, which can be used to translate existing discrete-logarithm cryptosystems into the context of EC. The discrete logarithm problem in a cyclic group G of order n with generator g refers to the problem of finding x given some element y = g^x of G. The discrete logarithm problem over an EC seems to be much harder than in other groups such as the multiplicative group of a finite field. No subexponential-time algorithm is known for the discrete logarithm problem in the class of non-supersingular EC. Consequently, keys can be much smaller in the EC context, typically about 160 bits.
In this paper we consider attacks based on the monitoring of the power consumption of smart-card EC implementations. Differential Power Analysis, first described by Kocher et al. in [14], is a powerful technique that exploits the leakage of information related to power consumption. The attack was successfully applied to a DES implementation; as few as 1000 encryptions were sufficient to recover the secret key [14]. More recently, the resistance of smart-card implementations of the AES candidates against monitoring power consumption was considered in [1, 3, 5]. The conclusion was that straightforward implementations of AES candidates were highly vulnerable to power analysis. In this paper we show that naive implementations of ECC are also highly vulnerable to power analysis.
The paper is organized as follows. After recalling the principle of EC operations in section 2, we describe in section 3 the principle of our power consumption attack. In section 4, we apply the attack to some common discrete-logarithm based cryptosystems such as Diffie-Hellman key exchange [7] and El-Gamal public-key encryption [8]. Finally we suggest three countermeasures that prevent our attack.

2 Elliptic curve group operation


2.1 Definition of an elliptic curve
An elliptic curve is the set of points (x, y) which are solutions of a bivariate cubic equation over a field K (see [16]). An equation of the form:

y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6    (1)

where a_i \in K, defines an elliptic curve over K.
If char K \neq 2 and char K \neq 3, equation (1) can be transformed to:

y^2 = x^3 + ax + b

with a, b \in K.
In the field GF(2^n) of characteristic 2, equation (1) can be reduced to the form:

y^2 + xy = x^3 + ax^2 + b

with a, b \in K.
The set of points on an elliptic curve, together with a special point O called the point at infinity, can be equipped with an Abelian group structure by the following addition operation:
Addition formula [16] for char K \neq 2, 3:
Let P = (x_1, y_1) \neq O be a point; the inverse of P is -P = (x_1, -y_1). Let Q = (x_2, y_2) \neq O be a second point with Q \neq -P. The sum P + Q = (x_3, y_3) can be calculated as:

x_3 = \lambda^2 - x_1 - x_2
y_3 = \lambda (x_1 - x_3) - y_1

with

\lambda = (y_2 - y_1) / (x_2 - x_1)    if P \neq Q,
\lambda = (3 x_1^2 + a) / (2 y_1)      if P = Q.

To subtract the point P = (x, y), one adds the point -P.
Addition formula for char K = 2:
Let P = (x_1, y_1) \neq O be a point; the inverse of P is -P = (x_1, x_1 + y_1). Let Q = (x_2, y_2) \neq O be a second point with Q \neq -P. The sum P + Q = (x_3, y_3) can be calculated as:

x_3 = \lambda^2 + \lambda + x_1 + x_2 + a
y_3 = \lambda (x_1 + x_3) + x_3 + y_1
\lambda = (y_1 + y_2) / (x_1 + x_2)

if P \neq Q, and:

x_3 = \lambda^2 + \lambda + a
y_3 = x_1^2 + (\lambda + 1) x_3
\lambda = x_1 + y_1 / x_1

if P = Q.
2.2 Computing a multiple of a point
The operation of adding a point P to itself d times is called scalar multiplication by d and denoted dP. Scalar multiplication is the basic operation for EC protocols. Scalar multiplication in the group of points of an elliptic curve is the analogue of exponentiation in the multiplicative group of integers modulo a fixed integer m.
Computing dP can be done with the straightforward double-and-add approach based on the binary expansion of d = (d_{\ell-1}, \ldots, d_0), where d_{\ell-1} is the most significant bit of d (the method is the analogue of the square-and-multiply algorithm for exponentiation):
Algorithm 1 (Double-and-add)
  input P
  Q ← P
  for i from \ell - 2 to 0 do
    Q ← 2Q
    if d_i = 1 then Q ← Q + P
  output Q
Various techniques exist to speed up scalar multiplication by reducing the number of elementary point operations: see [9] for a good survey. If the point P is known in advance, it may be advantageous to precompute a table of multiples of P [2]. Because elliptic curve subtraction has the same cost as addition, the previous double-and-add algorithm can be improved with the addition-subtraction algorithm, which uses a signed binary expansion of d:

d = \sum_{i=0}^{\ell-1} c_i 2^i

with c_i \in \{-1, 0, 1\}.
The non-adjacent form (NAF) of d is a signed binary expansion of d with c_i c_{i+1} = 0 for all i \geq 0. Each positive integer has a unique NAF. Moreover, the NAF of d has the fewest nonzero coefficients of any signed binary expansion of d [9]. [18] describes an algorithm that generates the NAF of any positive integer.
Algorithm 2 (Addition-subtraction method)
  input P
  Q ← P
  for i from \ell - 2 to 0 do
    Q ← 2Q
    if c_i = 1 then Q ← Q + P
    if c_i = -1 then Q ← Q - P
  output Q

The double-and-add method and the addition-subtraction method can be generalized to the m-ary method, the window method and the signed binary window method [9, 15].
The problem of finding a method to compute dP with the fewest number of elliptic curve group operations for a given d is equivalent to finding the shortest addition-subtraction chain for d [9]. An addition chain [11] for d is a sequence of positive integers:

a_0 = 1 \rightarrow a_1 \rightarrow a_2 \rightarrow \ldots \rightarrow a_r = d

such that a_i = a_j + a_k for some k \leq j < i, for all i = 1, 2, \ldots, r.
An addition chain can be extended to an addition-subtraction chain [11] with a_i = a_j \pm a_k in place of a_i = a_j + a_k. The shortest addition-subtraction chain for d gives the fewest number of elliptic group operations for computing dP, by computing a_1 P, a_2 P, \ldots, a_r P = dP.
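The group law of section 2.1 (char K ≠ 2, 3) together with Algorithm 1 and Algorithm 2, as an added example in Python; this is not code from the paper. The curve y^2 = x^3 + 2x + 3 over GF(97), the base point (0, 10), and all function names are constructed for illustration, and the NAF routine is the usual "d mod 4" construction rather than the specific algorithm of [18].

```python
# Added example: affine group law of section 2.1 (char K != 2, 3), Algorithm 1
# (double-and-add) and Algorithm 2 (addition-subtraction over the NAF).
# Curve y^2 = x^3 + 2x + 3 over GF(97) and base point (0, 10): constructed,
# not from the paper.
p, a, b = 97, 2, 3
O = None  # the point at infinity


def inv(x):
    """Field inverse in GF(p) via Fermat (p is prime)."""
    return pow(x % p, p - 2, p)


def on_curve(P):
    if P is O:
        return True
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0


def neg(P):
    """-P = (x, -y); subtracting P means adding -P."""
    if P is O:
        return O
    x, y = P
    return (x, (-y) % p)


def add(P, Q):
    """P + Q with the section 2.1 formulas; handles O, Q = -P and P = Q."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:   # Q = -P (also 2P when y1 = 0)
        return O
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def double_and_add(d, P):
    """Algorithm 1: scan the bits d_{l-2} .. d_0 of d, most significant first."""
    assert d > 0
    Q = P
    for bit in bin(d)[3:]:          # bin(d)[2] is the leading 1, i.e. d_{l-1}
        Q = add(Q, Q)
        if bit == "1":
            Q = add(Q, P)
    return Q


def naf(d):
    """Non-adjacent form of d > 0 as digits c_0, c_1, ... (least significant
    first), with c_i in {-1, 0, 1} and c_i * c_{i+1} = 0."""
    digits = []
    while d > 0:
        if d & 1:
            c = 2 - (d % 4)        # odd d: c = 1 if d = 1 mod 4, else c = -1
            d -= c                 # d - c is now divisible by 4, forcing c_{i+1} = 0
        else:
            c = 0
        digits.append(c)
        d >>= 1
    return digits


def addition_subtraction(d, P):
    """Algorithm 2: double-and-add/subtract driven by the NAF digits of d."""
    c = naf(d)                      # the leading NAF digit of d > 0 is always 1
    Q = P
    for ci in reversed(c[:-1]):
        Q = add(Q, Q)
        if ci == 1:
            Q = add(Q, P)
        elif ci == -1:
            Q = add(Q, neg(P))
    return Q


def naive_multiple(d, P):
    """Reference: d successive additions, used to check the two algorithms."""
    Q = O
    for _ in range(d):
        Q = add(Q, P)
    return Q
```

Both algorithms return the same point as the naive repeated addition; the NAF of 7, for instance, is 8 - 1 (digits [-1, 0, 0, 1]), so Algorithm 2 computes 7P with three doublings and one subtraction instead of three doublings and two additions.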

3 Recovering d in Q = dP from the power consumption


In 1998, Kocher described in a technical draft [14] Simple Power Attacks (SPA) and Differential Power Analysis (DPA) on DES. An SPA consists in observing the power consumption of one single execution of a cryptographic algorithm. A DPA is more sophisticated and powerful. It consists in performing a statistical analysis of many executions of the same algorithm with different inputs.
Here we show that monitoring power consumption during the computation of Q = dP knowing P may enable one to recover d. First we show that a naive implementation of scalar multiplication may be vulnerable to SPA. However, it is not difficult to make the implementation resistant against SPA. We then describe a DPA attack on an implementation of scalar multiplication.

3.1 Resistance against SPA

Power consumption attacks are based on the observation that the power consumed at a given time during a cryptographic process is related to the instruction being executed and the data being manipulated. Power consumption enables one to visually identify large features, for example the main loop in algorithm 1. Power consumption analysis may also enable one to distinguish between the instructions being executed. For example, it might be possible to distinguish between point doubling and point addition in algorithm 1, thereby revealing the bits of the exponent d.
In order to be resistant against SPA, the instructions performed during a cryptographic algorithm should not depend on the data being processed, e.g. there should not be any branch instructions conditioned by the data. It is easy to modify algorithm 1 to achieve this goal:
Algorithm 1' (Double-and-add resistant against SPA)
  input P
  Q[0] ← P
  for i from \ell - 2 to 0 do
    Q[0] ← 2Q[0]
    Q[1] ← Q[0] + P
    Q[0] ← Q[d_i]
  output Q[0]

3.2 DPA against the double-and-add algorithm

In this section we describe a DPA against an implementation of algorithm 1'. We assume that the algorithm is performed in constant time. Otherwise the implementation may be subject to timing attacks [13] and Simple Power Attacks [14].
DPA on the DES [6] algorithm as described in [14] uses the correlation between power consumption and specific key-dependent bits which appear at known steps of the encryption computation. For example, a selected bit b at the output of one SBOX of the first round will depend on the known input message and 6 unknown bits of the key. In [14], the correlation between power consumption and b is computed for the 64 possible values of the 6 unknown bits of the key. The correlation is likely to be maximal for the correct guess of the 6 bits of the key. The attack can be repeated for the remaining SBOXes, thus revealing 48 bits of the key. The remaining 8 bits of the key can be recovered by exhaustive search.
A Differential Power Analysis on algorithm 1' in section 3.1 can be performed by noticing that at step j the processed point Q depends only on the first bits (d_{\ell-1}, \ldots, d_j) of d. Now assume that we know how points are represented in memory during computation and select a particular bit (the same for all points) of this representation. When point Q is processed, power consumption will be correlated to this specific bit of Q. No correlation will be observed with a point not computed inside the card. Thus it is possible to successively recover the bits of the exponent by guessing which points are computed by the card.
The second most significant bit d_{\ell-2} of d can be recovered by computing the correlation between power consumption and any specific bit of the binary representation of 4P. If d_{\ell-2} = 0, 4P is computed during algorithm 1', and power consumption is thus correlated with any specific bit of 4P. Otherwise, if d_{\ell-2} = 1, 4P is never computed, and no correlation will be observed with 4P. This gives d_{\ell-2}. The following bits of d can be recursively recovered in the same way.
Assume that algorithm 1' is performed k times with distinct P_1, P_2, \ldots, P_k to compute Q_1 = dP_1, Q_2 = dP_2, \ldots, Q_k = dP_k. Let C_i(t) be the power consumption associated with the i-th execution of the algorithm for 1 \leq i \leq k. Let s_i be any specific bit of the binary representation of 4P_i for 1 \leq i \leq k. The correlation function g(t) between s_i and C_i(t) can be computed as follows:

g(t) = \langle C_i(t) \rangle_{i = 1, \ldots, k;\ s_i = 1} - \langle C_i(t) \rangle_{i = 1, \ldots, k;\ s_i = 0}    (2)

Assume that the points 4P_i are processed at time t = t_1; the power consumption C_i(t_1) will then be correlated with the specific bit s_i of the binary representation of 4P_i. The average of the power consumption for those points 4P_i for which s_i = 1 will be different from the power consumption for the points 4P_i for which s_i = 0, and the function g(t) will present a "peak" at time t = t_1. If the points 4P_i are never computed, no "peak" will be observed in the function g(t). This is illustrated in figures 1 and 2.¹

3.3 Extending the attack to any scalar multiplication algorithm


In this section we show how to extend the previous attack to any scalar multiplication algorithm executed in constant time with a constant addition-subtraction chain, i.e. for any point P the algorithm computes the sequence of points:

a_0 P = P \rightarrow a_1 P \rightarrow a_2 P \rightarrow \ldots \rightarrow a_r P = dP

such that a_i = a_j \pm a_k, for some k \leq j < i, for all i = 1, 2, \ldots, r.
The attack consists in successively guessing the a_i starting from a_0 = 1 to a_r = d. At step i \geq 1, one constructs the set A_i of all possible a'_i = a_j \pm a_k for all 0 \leq k \leq j < i, and for each a'_i \in A_i computes the correlation function g(t) between the point a'_i P and power consumption. If a peak can be observed in g(t), this will indicate that the point a'_i P has been computed by the device and thus a_i = a'_i. This enables one to recover d = a_r in O(r^2) time.

¹ Real power consumption curves were voluntarily excluded from this paper to avoid straightforward product identification.

[Figure 1: plot of g(t) against t for 5 \leq t \leq 20, vertical axis from -1 to 1.]
Fig. 1. Simulated correlation function g(t) between the points 4P_i and power consumption C_i(t) when d_{\ell-2} = 0. A peak is observed corresponding to the computation of 4P_i inside the card.

[Figure 2: plot of g(t) against t for 5 \leq t \leq 20, vertical axis from -1 to 1.]
Fig. 2. Simulated correlation function g(t) between the points 4P_i and power consumption C_i(t) when d_{\ell-2} = 1. No peak is observed since the points 4P_i are never computed by the card.
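The evaluator's side of sections 3.1 and 3.2, as an added simulation that is mine and not the paper's: Algorithm 1' run on a simulated device, and the correlation function g(t) of equation (2) computed over the resulting traces to check whether the chosen bit of 4P_i shows up. The group is a stand-in (the multiplicative group modulo a 32-bit prime, with "doubling" as squaring and "addition" as multiplication), the leakage model (Hamming weight of the processed value plus Gaussian noise) is constructed, and every name below is an assumption of the example. The attack only needs the two group operations and the bit pattern of the values the device handles, so the same check applies unchanged to a scalar multiplication on curve points.

```python
import random

# Added example (not from the paper): Algorithm 1' of section 3.1 and the
# correlation g(t) of equation (2), as an evaluator would compute them against
# a simulated device.  Stand-in group: integers modulo a 32-bit prime, where
# "doubling" is squaring and "addition" is multiplication.
P_MOD = 4294967291            # 2^32 - 5, prime (constructed choice)


def grp_double(x):
    return x * x % P_MOD


def grp_add(x, y):
    return x * y % P_MOD


def alg1_prime(d, P, trace):
    """Algorithm 1': branch-free double-and-add.  Every value the device
    processes is appended to `trace`, one entry per time step t."""
    bits = [int(c) for c in bin(d)[2:]]        # d_{l-1} ... d_0
    Q = [P, None]
    for bit in bits[1:]:                        # i from l-2 down to 0
        Q[0] = grp_double(Q[0])
        trace.append(Q[0])
        Q[1] = grp_add(Q[0], P)
        trace.append(Q[1])
        Q[0] = Q[bit]                           # table lookup, no data-dependent branch
    return Q[0]


def hamming_weight(x):
    return bin(x).count("1")


def simulate_traces(d, k, rng):
    """k executions with random inputs P_i.  Leakage model (constructed):
    C_i(t) = Hamming weight of the value processed at time t, plus noise."""
    inputs, traces = [], []
    for _ in range(k):
        P = rng.randrange(2, P_MOD - 1)
        processed = []
        alg1_prime(d, P, processed)
        inputs.append(P)
        traces.append([hamming_weight(v) + rng.gauss(0.0, 1.0) for v in processed])
    return inputs, traces


def correlation_g(inputs, traces, multiple, bit):
    """Equation (2): g(t) = <C_i(t)>_{s_i = 1} - <C_i(t)>_{s_i = 0}, where s_i is
    one chosen bit of the hypothesised point multiple*P_i (here P_i^multiple)."""
    ones, zeros = [], []
    for P, tr in zip(inputs, traces):
        s = (pow(P, multiple, P_MOD) >> bit) & 1
        (ones if s else zeros).append(tr)
    steps = len(traces[0])
    mean = lambda rows, t: sum(r[t] for r in rows) / len(rows)
    return [mean(ones, t) - mean(zeros, t) for t in range(steps)]


def second_bit_hypothesis(d, k=4000, bit=5, seed=1):
    """Check of the hypothesis '4P_i is computed', i.e. d_{l-2} = 0.  Returns
    g(t) and the time step where |g| is largest; a value near 1.0 there means
    the chosen bit of 4P_i is visible in the traces."""
    rng = random.Random(seed)
    inputs, traces = simulate_traces(d, k, rng)
    g = correlation_g(inputs, traces, 4, bit)
    t_peak = max(range(len(g)), key=lambda t: abs(g[t]))
    return g, t_peak
```

With d = 181 (binary 10110101, so d_{\ell-2} = 0) the peak lands at t = 2, the step at which 2P_i is doubled into 4P_i, and its height is close to 1 because the hypothesised bit contributes exactly one unit of Hamming weight; with d = 211 (binary 11010011, d_{\ell-2} = 1) the device doubles 3P_i into 6P_i instead and no time step rises above the noise, which is the picture of figures 1 and 2.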

4 Attacks on elliptic curve public key protocols


In this section we apply the attack to elliptic curve public key protocols such as El-Gamal encryption and Diffie-Hellman key exchange. The attack does not apply to ECDSA signatures, since in this case scalar multiplication is performed with a random exponent instead of a fixed exponent.

4.1 Elliptic Curve Encryption Scheme

This scheme is analogous to El-Gamal encryption [8].
System parameters:
An elliptic curve E over GF(p) or GF(2^n).
The order of E, denoted #E, must be divisible by a large prime q.
G \in E of order q.
Key generation:
Secret key: d \in_R [1, q - 1].
Public key: Q = dP.
Encryption of a message m:
Pick k \in_R [1, q - 1].
Compute the points kP = (x_1, y_1) and kQ = (x_2, y_2), and c = x_2 + m.
The ciphertext is (x_1, y_1, c).
Decryption:
Compute (x'_2, y'_2) = d(x_1, y_1) and m = c - x'_2.

The attack described before enables one to recover d when the device decrypts the ciphertext (x_1, y_1, c) for various points (x_1, y_1).

4.2 Elliptic Curve Diffie-Hellman key exchange

The EC Diffie-Hellman protocol derives a common secret value z from one party's private key and another party's public key. The protocol is referenced as ECSVDP-DH (Elliptic Curve Secret Value Derivation Primitive, Diffie-Hellman version) in [10]. If the two parties correctly execute this primitive, they will produce the same output.
System parameters:
An elliptic curve E over GF(p) or GF(2^n).
The order of E, denoted #E, must be divisible by a large prime q.
Alice's own private key s.
Bob's public key W.
Derivation of the shared secret value z:
Compute the point P = sW.
If P = O, output "error" and stop.
The shared secret value is z = x_P, the x-coordinate of P.

The attack described in the previous section recovers Alice's secret key when she computes the point P = sW for Bob's public key W.
5 Countermeasures against DPA
In this section we describe three countermeasures that prevent the attack described in section 3. Recall that the attack enables one to recover d when Q_i = dP_i is computed inside the card for various P_i, 1 \leq i \leq k. These three countermeasures are based on introducing random numbers during the computation of Q = dP. We underline that other attacks might of course not be thwarted by our countermeasures.

5.1 First countermeasure: randomization of the private exponent

Let #E be the number of points of the curve. The computation of Q = dP is done by the following algorithm:
1. Select a random number k of size n bits. In practice, one can take n = 20 bits.
2. Compute d' = d + k \cdot #E.
3. Compute the point Q = d'P. We have Q = dP since #E \cdot P = O.
This countermeasure makes the previous attack infeasible since the exponent d' in Q = d'P changes at each new execution of the algorithm.

5.2 Second countermeasure: blinding the point P

The method is analogous to Chaum's blind signature scheme for RSA [4]. The point P to be multiplied is "blinded" by adding a secret random point R for which we know S = dR. Scalar multiplication is done by computing the point d(R + P) and subtracting S = dR to get Q = dP. The points R and S = dR can be initially stored inside the card and refreshed at each new execution by computing R \leftarrow (-1)^b 2R and S \leftarrow (-1)^b 2S, where b is a random bit generated at each new execution. This makes the previous attack infeasible since the point P' = P + R to be multiplied by d is not known to the attacker.

5.3 Third countermeasure: randomized projective coordinates

Projective coordinates [16] can be used to avoid the costly field inversion for point addition and doubling. The projective coordinates (X, Y, Z) of a point P = (x, y) are given by:

x = X / Z,    y = Y / Z

Another system of projective coordinates may be found in [10]. The projective coordinates of a point are not unique because:

(\lambda X, \lambda Y, \lambda Z) = (X, Y, Z)    (3)

for every \lambda \neq 0 in the finite field.
The third countermeasure consists in randomizing the projective coordinate representation of a point P = (X, Y, Z). Before each new execution of the scalar multiplication algorithm for computing Q = dP, the projective coordinates of P are randomized according to equation (3) with a random \lambda. The randomization can also occur after each point addition and doubling.
This makes the attack described above infeasible since it is not possible for the attacker to predict any specific bit of the binary representation of P in projective coordinates.
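The three countermeasures of section 5, as an added Python example that is mine rather than the paper's, implemented on top of the projective representation x = X/Z, y = Y/Z of section 5.3 so that randomization by \lambda can be shown directly. The curve y^2 = x^3 + 2x + 3 over GF(97), the base point G, the group order found by enumeration, the class and function names, and the random-number source are all assumptions of the example; the projective doubling and addition formulas are the textbook ones for this coordinate system, not formulas given in the paper.

```python
import random

# Added example (not from the paper): countermeasures 5.1, 5.2 and 5.3 in
# standard projective coordinates x = X/Z, y = Y/Z.  Curve y^2 = x^3 + 2x + 3
# over GF(97) and base point G are constructed for illustration.
p, a, b = 97, 2, 3
INF = (0, 1, 0)                  # the point at infinity has Z = 0
G = (0, 10, 1)


def proj_double(P):
    X1, Y1, Z1 = P
    if Z1 == 0 or Y1 == 0:       # 2O = O, and 2P = O when y = 0
        return INF
    W = (a * Z1 * Z1 + 3 * X1 * X1) % p
    S = Y1 * Z1 % p
    B = X1 * Y1 * S % p
    H = (W * W - 8 * B) % p
    return (2 * H * S % p, (W * (4 * B - H) - 8 * Y1 * Y1 * S * S) % p, 8 * S * S * S % p)


def proj_add(P, Q):
    if P[2] == 0:
        return Q
    if Q[2] == 0:
        return P
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    U1, U2 = Y2 * Z1 % p, Y1 * Z2 % p
    V1, V2 = X2 * Z1 % p, X1 * Z2 % p
    if V1 == V2:                 # same x: either P = Q or Q = -P
        return proj_double(P) if U1 == U2 else INF
    U, V, W = (U1 - U2) % p, (V1 - V2) % p, Z1 * Z2 % p
    A = (U * U * W - V ** 3 - 2 * V * V * V2) % p
    return (V * A % p, (U * (V * V * V2 - A) - V ** 3 * U2) % p, V ** 3 * W % p)


def proj_neg(P):
    X, Y, Z = P
    return (X, (-Y) % p, Z)


def to_affine(P):
    X, Y, Z = P
    if Z == 0:
        return None
    zi = pow(Z, p - 2, p)
    return (X * zi % p, Y * zi % p)


def scalar_mult(d, P):
    """Plain double-and-add (Algorithm 1) in projective coordinates."""
    Q = INF
    for bit in bin(d)[2:]:
        Q = proj_double(Q)
        if bit == "1":
            Q = proj_add(Q, P)
    return Q


def curve_order():
    """#E by enumeration; fine for p = 97, a real device simply stores #E."""
    squares = {}
    for y in range(p):
        squares[y * y % p] = squares.get(y * y % p, 0) + 1
    return 1 + sum(squares.get((x ** 3 + a * x + b) % p, 0) for x in range(p))


N = curve_order()


def mult_random_exponent(d, P, rng, n_bits=20):
    """5.1: d' = d + k * #E for a fresh random k; d'P = dP because #E * P = O."""
    k = rng.getrandbits(n_bits)
    return scalar_mult(d + k * N, P)


class BlindedMultiplier:
    """5.2: keep R and S = dR; compute d(P + R) - S; after each use refresh
    R <- (-1)^b 2R and S <- (-1)^b 2S with a random bit b."""

    def __init__(self, d, rng):
        self.d, self.rng = d, rng
        self.R = scalar_mult(rng.randrange(1, N), G)
        self.S = scalar_mult(d, self.R)

    def multiply(self, P):
        Q = proj_add(scalar_mult(self.d, proj_add(P, self.R)), proj_neg(self.S))
        R2, S2 = proj_double(self.R), proj_double(self.S)
        if self.rng.getrandbits(1):
            R2, S2 = proj_neg(R2), proj_neg(S2)
        self.R, self.S = R2, S2
        return Q


def randomize_projective(P, rng):
    """5.3: (X, Y, Z) -> (lambda X, lambda Y, lambda Z) for a random lambda != 0 (eq. 3)."""
    X, Y, Z = P
    lam = rng.randrange(1, p)
    return (lam * X % p, lam * Y % p, lam * Z % p)


def check_countermeasures(d, P, seed=7):
    """Affine results of (plain, 5.1, 5.2, 5.3) for the same d and P; all must agree."""
    rng = random.Random(seed)
    plain = to_affine(scalar_mult(d, P))
    blinded = BlindedMultiplier(d, rng)
    blinded.multiply(P)          # one earlier use, so R and S have been refreshed
    return (plain,
            to_affine(mult_random_exponent(d, P, rng)),
            to_affine(blinded.multiply(P)),
            to_affine(scalar_mult(d, randomize_projective(P, rng))))
```

All three variants return the same affine point as the plain computation, while the exponent actually used (5.1), the point actually multiplied (5.2) and the coordinate triple actually processed (5.3) differ from one run to the next, which is exactly what the correlation of section 3.2 relies on being fixed.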

6 Conclusion
We have shown that, unless protected, implementations of elliptic curve cryptosystems such as El-Gamal type encryption or Diffie-Hellman key exchange are vulnerable to Differential Power Analysis. We have introduced three countermeasures that address specifically these attacks. Those countermeasures are easy to implement and do not impact efficiency in a significant way. However, we do not pretend that those countermeasures thwart all kinds of power attacks, since it may be possible to exploit the information leakage through power consumption in a different way.

Acknowledgments I thank David Naccache and Jean-Marc Robert for their careful reading and valuable suggestions, and the anonymous referees for their helpful comments.

References
1. E. Biham, A. Shamir. Power analysis of the key scheduling of the AES candidates, Proceedings of the second AES Candidate Conference, March 1999, pp. 115-121.
2. E. Brickell, D. Gordon, K. McCurley, D. Wilson. Fast Exponentiation with Precomputation (Extended Abstract), Advances in Cryptology - Eurocrypt '92, LNCS 658 (1993), Springer-Verlag, pp. 200-207.
3. S. Chari, C. Jutla, J.R. Rao, P. Rohatgi. A cautionary note regarding evaluation of AES candidates on smart-cards, Proceedings of the second AES Candidate Conference, March 1999, pp. 133-147.
4. D. Chaum. Security without identification: transaction systems to make Big Brother obsolete, Communications of the ACM, vol. 28, n. 10, Oct 1985, pp. 1030-1044.
5. J. Daemen, V. Rijmen. Resistance against implementation attacks: A comparative study of the AES proposals, Proceedings of the second AES Candidate Conference, March 1999, pp. 122-132.
6. FIPS 46, Data encryption standard, Federal Information Processing Standards Publication 46, U.S. Department of Commerce/National Bureau of Standards, National Technical Information Service, Springfield, Virginia, 1977.
7. W. Diffie and M. Hellman. New directions in cryptography, IEEE Trans. Info. Theory, IT-22, 1976, pp. 644-654.
8. T. El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Info. Theory, IT-31, 1985, pp. 469-472.
9. D.M. Gordon. A Survey of Fast Exponentiation Methods, Journal of Algorithms 27, 129-146 (1998).
10. IEEE P1363/D7. Standard Specifications for Public Key Cryptography. September 11, 1998.
11. D.E. Knuth, Seminumerical Algorithms, The Art of Computer Programming, vol. 2, Addison Wesley, 1969.
12. N. Koblitz. Elliptic Curve Cryptosystems, Mathematics of Computation, vol. 48, 1987, pp. 203-209.
13. Paul Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems, Advances in Cryptology, Proceedings of Crypto '96, LNCS 1109, N. Koblitz, Ed., Springer-Verlag, 1996, pp. 104-113.
14. Paul Kocher, Joshua Jaffe, and Benjamin Jun, Introduction to Differential Power Analysis and Related Attacks, http://www.cryptography.com/dpa/technical, 1998.
15. K. Koyama, Y. Tsuruoka, Speeding up elliptic cryptosystems by using a signed binary window method, Advances in Cryptology - Proceedings of Crypto '92, LNCS 740, pp. 345-357, Springer-Verlag, Berlin/New-York, 1993.
16. A. J. Menezes, "Elliptic Curve Public Key Cryptosystems", Kluwer Academic Publishers, 1993.
17. V.S. Miller. Use of Elliptic Curves in Cryptography, Proceedings of Crypto 85, LNCS 218, Springer, 1986, pp. 417-426.
18. F. Morain, J. Olivos. Speeding up the computation of an elliptic curve using addition-subtraction chains, Inform. Theory Appl. 24 (1990), 531-543.

This article was processed using the LATEX macro package with LLNCS style
