Appendix A
We applied Type 1 and Type 2 vulnerabilities to unified point additions on other elliptic curves. As a result, we found that most unified point additions on these elliptic curves (such as Weierstraß, Hessian, Edwards, Jacobi intersections, Jacobi quartic, and binary Edwards elliptic curves) have these vulnerabilities.
Table A1 shows the vulnerability of each unified point addition. In the case of Hessian, Edwards, Jacobi intersections, and Jacobi quartic curves, it is enough to apply wRPC to unified point additions to ensure security against Type 1 and Type 2 vulnerabilities. However, in the case of Weierstraß and binary Edwards elliptic curves, we need to modify the unified point addition formula. In this section, we explain the vulnerabilities of unified point addition and its countermeasure for Weierstraß, Hessian, Edwards, Jacobi intersections, Jacobi quartic, and binary Edwards elliptic curves.
Table A1.
The vulnerabilities of the elliptic curve forms and its countermeasures.
Curve | Type 1 | Type 2 | Countermeasures |
---|---|---|---|
Weierstraß | insecure | insecure | wRPC, the modified unified point addition |
Hessian | insecure | insecure | wRPC |
Edwards | insecure | secure | wRPC |
Jacobi intersections | secure | insecure | wRPC |
Jacobi quartic | insecure | insecure | wRPC |
binary Edwards | insecure | insecure | wRPC, the modified unified point addition |
Appendix A.1. Weierstraß Elliptic Curve
A Weierstraß elliptic curve has the parameters $a$ and $b$ that satisfy the following equations:
The projective coordinates have the assumption $a=-3$ and represent $x,y$ as $X,Y,Z$ to satisfy the following equations:
The equivalence class containing $(X,Y,Z)$ is
We describe a projective form of the unified point addition method (add-2007-bl) given in [21]. Let ${P}_{1}=({X}_{1}:{Y}_{1}:{Z}_{1})$ and ${P}_{2}=({X}_{2}:{Y}_{2}:{Z}_{2})$; then, we can get ${P}_{1}+{P}_{2}=({X}_{3}:{Y}_{3}:{Z}_{3})$ by the unified point addition formula for the Weierstraß elliptic curve:
where
${U}_{1}={X}_{1}{Z}_{2},$ ${U}_{2}={X}_{2}{Z}_{1},$ ${S}_{1}={Y}_{1}{Z}_{2},$ ${S}_{2}={Y}_{2}{Z}_{1},$
$Z={Z}_{1}{Z}_{2},$ $T={U}_{1}+{U}_{2},$ $M={S}_{1}+{S}_{2},$
$R={T}^{2}-{U}_{1}{U}_{2}+a{Z}^{2},$ $F=ZM,$ $L=MF,$
$G={(T+L)}^{2}-{T}^{2}-{L}^{2},$ and $W=2{R}^{2}-G.$
This formula requires 11 field multiplications and 6 field squarings. We found both Type 1 and Type 2 vulnerabilities during the computations of ${P}_{1}+{P}_{2}$ for ${P}_{1}\ne {P}_{2}$ and ${P}_{1}={P}_{2}$.
Type 1 vulnerability: Let us consider the computation $Z=\left[{Z}_{1}\right]\cdot\left[{Z}_{2}\right]$. In this formula, it is computed as $\left[{Z}_{1}\right]\cdot\left[{Z}_{1}\right]$ for ${P}_{1}={P}_{2}$, whereas it is computed as $\left[{Z}_{1}\right]\cdot\left[{Z}_{2}\right]$ for ${P}_{1}\ne {P}_{2}$. Similarly, for ${U}_{1}\cdot{U}_{2}$ in $R$, this is computed as $\left[{X}_{1}{Z}_{1}\right]\cdot\left[{X}_{1}{Z}_{1}\right]$ for ${P}_{1}={P}_{2}$. Thus, we can distinguish between ${P}_{1}={P}_{2}$ and ${P}_{1}\ne {P}_{2}$ using ROSETTA.
Type 2 vulnerability: Let us consider the computations ${U}_{1}=\left[{X}_{1}\right]\cdot\left[{Z}_{2}\right]$ and ${U}_{2}=\left[{X}_{2}\right]\cdot\left[{Z}_{1}\right]$. If ${P}_{1}={P}_{2}$, then $\left[{X}_{1}\right]\cdot\left[{Z}_{1}\right]$ is computed twice. Namely, the operands of $\left[{X}_{1}\right]\cdot\left[{Z}_{2}\right]$ and $\left[{X}_{2}\right]\cdot\left[{Z}_{1}\right]$ for ${U}_{1}$ and ${U}_{2}$ are the same for ${P}_{1}={P}_{2}$ but different for ${P}_{1}\ne {P}_{2}$. Similarly, considering ${S}_{1}=\left[{Y}_{1}\right]\cdot\left[{Z}_{2}\right]$ and ${S}_{2}=\left[{Y}_{2}\right]\cdot\left[{Z}_{1}\right]$, the multiplications for ${S}_{1}$ and ${S}_{2}$ have the same operands for ${P}_{1}={P}_{2}$ but different operands for ${P}_{1}\ne {P}_{2}$. Therefore, we can distinguish between ${P}_{1}={P}_{2}$ and ${P}_{1}\ne {P}_{2}$ using HCCA.
Applying wRPC to unified point addition on the Weierstraß elliptic curve, the two inputs are expressed as follows:
where $r\ne 1$. Although wRPC is applied to unified point addition, ${U}_{1}\cdot{U}_{2}$ in $R$ is computed as $\left[r{X}_{1}{Z}_{1}\right]\cdot\left[r{X}_{1}{Z}_{1}\right]$ for ${P}_{1}={P}_{2}$. Thus, we need to modify ${U}_{1}\cdot{U}_{2}$ in $R$. We modified $R$ as follows:
After applying the above modification to unified point addition, 11 field multiplications and 6 field squarings were required, which are exactly the same as those required by the original one. After applying wRPC to the modified unified point addition formula, Type 1 and Type 2 vulnerabilities no longer exist (Table A2).
Table A2.
The proposed unified point addition method on the Weierstraß elliptic curve by applying wRPC.
Out | ${\mathit{P}}_{1}={\mathit{P}}_{2}$ | ${\mathit{P}}_{1}\ne {\mathit{P}}_{2}$ |
---|---|---|
${U}_{1}$ | $\left[{X}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}\right]$ | $\left[{X}_{1}\right]\cdot\left[{r}_{2}{Z}_{2}\right]$ |
${U}_{2}$ | $\left[{r}_{1}{X}_{1}\right]\cdot\left[{Z}_{1}\right]$ | $\left[{r}_{2}{X}_{2}\right]\cdot\left[{Z}_{1}\right]$ |
${S}_{1}$ | $\left[{Y}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}\right]$ | $\left[{Y}_{1}\right]\cdot\left[{r}_{2}{Z}_{2}\right]$ |
${S}_{2}$ | $\left[{r}_{1}{Y}_{1}\right]\cdot\left[{Z}_{1}\right]$ | $\left[{r}_{2}{Y}_{2}\right]\cdot\left[{Z}_{1}\right]$ |
Z | $\left[{Z}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}\right]$ | $\left[{Z}_{1}\right]\cdot\left[{r}_{2}{Z}_{2}\right]$ |
$T={U}_{1}+{U}_{2}$ | ${r}_{1}{X}_{1}{Z}_{1}+{r}_{1}{X}_{1}{Z}_{1}$ | ${r}_{2}{X}_{1}{Z}_{2}+{r}_{2}{X}_{2}{Z}_{1}$ |
$M={S}_{1}+{S}_{2}$ | ${r}_{1}{Y}_{1}{Z}_{1}+{r}_{1}{Y}_{1}{Z}_{1}$ | ${r}_{2}{Y}_{1}{Z}_{2}+{r}_{2}{Y}_{2}{Z}_{1}$ |
$R=T\cdot{U}_{1}+{U}_{2}^{2}+a{Z}^{2}$ | $\left[2{r}_{1}{X}_{1}{Z}_{1}\right]\cdot\left[{r}_{1}{X}_{1}{Z}_{1}\right]+{\left({r}_{1}{X}_{1}{Z}_{1}\right)}^{2}+a{\left({r}_{1}{Z}_{1}^{2}\right)}^{2}$ | $\left[{r}_{2}({X}_{1}{Z}_{2}+{X}_{2}{Z}_{1})\right]\cdot\left[{r}_{2}{X}_{1}{Z}_{2}\right]+{\left({r}_{2}{X}_{2}{Z}_{1}\right)}^{2}+a{\left({r}_{2}{Z}_{1}{Z}_{2}\right)}^{2}$ |
⋮ | ⋮ | ⋮ |
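As an added example (not code from the paper), the following Python script carries out the Type 1 and Type 2 reasoning of this section mechanically, so that an implementer can audit a formula before deploying it. It evaluates the intermediate values of the add-2007-bl formula listed above (through $W$; the output coordinates, which this page does not reproduce, are not traced) over a prime field, logs the operand pair of every generic field multiplication, and reports the collisions that occur for ${P}_{1}={P}_{2}$ but not for ${P}_{1}\ne {P}_{2}$: equal operands (what ROSETTA detects) and a shared operand (what HCCA detects). It then repeats the audit with wRPC applied to the second input as in Table A2 and with the modified $R=T\cdot{U}_{1}+{U}_{2}^{2}+a{Z}^{2}$. The field $p={2}^{61}-1$, the seeded random coordinates (the points need not lie on the curve, since only the operand pattern matters), and the names `Trace`, `weierstrass`, `collisions`, `distinguishers` and `modified_r_matches` are assumptions of this example.

```python
"""Operand-collision audit for a unified point addition formula.

Added example, not code from the paper.  Every generic field multiplication
executed by the formula is logged with its two operand values, and the logs
for P1 = P2 and P1 != P2 are compared:
  Type 1 (ROSETTA): a multiplication whose two operands are equal;
  Type 2 (HCCA):    two multiplications that share an operand value.
A collision that occurs only when P1 = P2 lets an observer tell a doubling
from an addition, so those are the ones reported.
"""
import random

P = (1 << 61) - 1  # assumption: any large prime field; the curve equation never enters the audit


class Trace:
    """Records (name, a, b) for every generic multiplication a*b."""

    def __init__(self):
        self.muls = []

    def mul(self, name, a, b):
        self.muls.append((name, a, b))
        return a * b % P

    @staticmethod
    def sq(a):
        # Dedicated squaring routine: no operand pair is exposed as a multiplication.
        return a * a % P


def weierstrass(P1, P2, tr, modified=False):
    """Intermediates U1..W of add-2007-bl (a = -3) as listed in Appendix A.1.

    modified=True uses R = T*U1 + U2^2 + a*Z^2 from Table A2 instead of
    R = T^2 - U1*U2 + a*Z^2; both expand to U1^2 + U1*U2 + U2^2 + a*Z^2.
    """
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    U1, U2 = tr.mul("U1", X1, Z2), tr.mul("U2", X2, Z1)
    S1, S2 = tr.mul("S1", Y1, Z2), tr.mul("S2", Y2, Z1)
    Z = tr.mul("Z", Z1, Z2)
    T, M = (U1 + U2) % P, (S1 + S2) % P
    TT = tr.sq(T)
    aZZ = -3 * tr.sq(Z) % P  # a = -3: a*Z^2 costs additions only, no multiplication
    if modified:
        R = (tr.mul("R:T*U1", T, U1) + tr.sq(U2) + aZZ) % P
    else:
        R = (TT - tr.mul("R:U1*U2", U1, U2) + aZZ) % P
    F = tr.mul("F", Z, M)
    L = tr.mul("L", M, F)
    G = (tr.sq((T + L) % P) - TT - tr.sq(L)) % P
    W = (2 * tr.sq(R) - G) % P
    return R, W


def collisions(muls):
    """Type 1 names and Type 2 name pairs present in one multiplication log."""
    type1 = {name for name, a, b in muls if a == b}
    type2 = set()
    for i, (n1, a1, b1) in enumerate(muls):
        for n2, a2, b2 in muls[i + 1:]:
            if {a1, b1} & {a2, b2}:
                type2.add((n1, n2))
    return type1, type2


def distinguishers(formula, wrpc=False, seed=1, **kw):
    """Collisions seen for P1 = P2 but absent for P1 != P2, as sorted lists."""
    rng = random.Random(seed)

    def coord():
        return rng.randrange(1, P)

    P1 = (coord(), coord(), coord())  # constructed random coordinates
    P2 = (coord(), coord(), coord())

    def run(Q1, Q2):
        if wrpc:  # Table A2: second input re-randomised as (rX : rY : rZ) with r != 1
            r = rng.randrange(2, P)
            Q2 = tuple(c * r % P for c in Q2)
        tr = Trace()
        formula(Q1, Q2, tr, **kw)
        return collisions(tr.muls)

    t1_dbl, t2_dbl = run(P1, P1)
    t1_add, t2_add = run(P1, P2)
    return sorted(t1_dbl - t1_add), sorted(t2_dbl - t2_add)


def modified_r_matches(seed=1):
    """The modified R (and hence W) equals the original one on random inputs."""
    rng = random.Random(seed)
    pts = [tuple(rng.randrange(1, P) for _ in range(3)) for _ in range(2)]
    return weierstrass(*pts, Trace()) == weierstrass(*pts, Trace(), modified=True)


if __name__ == "__main__":
    cases = [("original", {}), ("original + wRPC", {"wrpc": True}),
             ("modified R", {"modified": True}),
             ("modified R + wRPC", {"wrpc": True, "modified": True})]
    for label, opts in cases:
        t1, t2 = distinguishers(weierstrass, **opts)
        print(f"{label:18s} Type 1: {t1}  Type 2: {t2}")
```

Running the script prints, for the four combinations, which multiplications are distinguishers. The original formula leaks both ways (`Z` and `U1*U2` are self-multiplications when ${P}_{1}={P}_{2}$, and the pairs ${U}_{1}/{U}_{2}$ and ${S}_{1}/{S}_{2}$ share operands); wRPC alone removes the Type 2 pairs but leaves the $\left[r{X}_{1}{Z}_{1}\right]\cdot\left[r{X}_{1}{Z}_{1}\right]$ collision in $R$; the modified $R$ alone still exposes $Z={Z}_{1}\cdot{Z}_{1}$; only their combination yields an empty list for both types, which is the row for the Weierstraß curve in Table A1. The check also confirms that the modified $R$ is value-identical to the original, since $T\cdot{U}_{1}+{U}_{2}^{2}={U}_{1}^{2}+{U}_{1}{U}_{2}+{U}_{2}^{2}={T}^{2}-{U}_{1}{U}_{2}$.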
Appendix A.2. Hessian Elliptic Curve
A Hessian elliptic curve has a parameter $d$ that satisfies the following equation:
The projective coordinates represent $x,y$ as $X,Y,Z$ satisfying the following equation:
The equivalence class containing $(X,Y,Z)$ is
We describe a projective form of the unified point addition formula (add-2009-bkl) given in [21]. Let ${P}_{1}=({X}_{1}:{Y}_{1}:{Z}_{1})$ and ${P}_{2}=({X}_{2}:{Y}_{2}:{Z}_{2})$; then, we get ${P}_{1}+{P}_{2}=({X}_{3}:{Y}_{3}:{Z}_{3})$ with the unified point addition formula for the Hessian elliptic curve:
where
$A={Y}_{1}{X}_{2},$ $B={Y}_{1}{Y}_{2},$ $C={Z}_{1}{Y}_{2},$
$D={Z}_{1}{Z}_{2},$ $E={X}_{1}{Z}_{2},$ $F={X}_{1}{X}_{2}.$
This formula requires 12 field multiplications. We can identify vulnerabilities of Type 1 and Type 2 during the computations of ${P}_{1}+{P}_{2}$ for ${P}_{1}\ne {P}_{2}$ and ${P}_{1}={P}_{2}$.
Type 1 vulnerability: Let us consider the computation $B=\left[{Y}_{1}\right]\cdot\left[{Y}_{2}\right]$. In this formula, it is computed as $\left[{Y}_{1}\right]\cdot\left[{Y}_{1}\right]$ for ${P}_{1}={P}_{2}$, whereas it is computed as $\left[{Y}_{1}\right]\cdot\left[{Y}_{2}\right]$ for ${P}_{1}\ne {P}_{2}$. Similarly, in $D=\left[{Z}_{1}\right]\cdot\left[{Z}_{2}\right]$ and $F=\left[{X}_{1}\right]\cdot\left[{X}_{2}\right]$, these are computed as $\left[{Z}_{1}\right]\cdot\left[{Z}_{1}\right]$ and $\left[{X}_{1}\right]\cdot\left[{X}_{1}\right]$ for ${P}_{1}={P}_{2}$, respectively. Thus, we can distinguish between ${P}_{1}={P}_{2}$ and ${P}_{1}\ne {P}_{2}$ using ROSETTA.
Type 2 vulnerability: Let us consider the computations $A=\left[{Y}_{1}\right]\cdot\left[{X}_{2}\right]$ and $C=\left[{Z}_{1}\right]\cdot\left[{Y}_{2}\right]$. If ${P}_{1}={P}_{2}$, then $\left[{Y}_{1}\right]\cdot\left[{X}_{1}\right]$ and $\left[{Z}_{1}\right]\cdot\left[{Y}_{1}\right]$ are computed. Thus, they have the same operand ${Y}_{1}$ when ${P}_{1}={P}_{2}$ but not when ${P}_{1}\ne {P}_{2}$. Similarly, considering $C=\left[{Z}_{1}\right]\cdot\left[{Y}_{2}\right]$ and $E=\left[{X}_{1}\right]\cdot\left[{Z}_{2}\right]$, the multiplications for $C$ and $E$ have the same operand ${Z}_{1}$ for ${P}_{1}={P}_{2}$ and different operands for ${P}_{1}\ne {P}_{2}$. Also, the multiplications for $A$ and $E$ have the same operand ${X}_{1}$ for ${P}_{1}={P}_{2}$. Therefore, we can distinguish between ${P}_{1}={P}_{2}$ and ${P}_{1}\ne {P}_{2}$ using HCCA.
When applying wRPC to unified point addition on the Hessian elliptic curve, the two inputs are expressed as follows:
where $r\ne 1$. It is sufficient to secure against Type 1 and Type 2 vulnerabilities by applying wRPC to unified point addition. The application of wRPC to unified point addition is evaluated in Table A3, which shows that vulnerabilities of Type 1 and Type 2 no longer exist.
Table A3.
Unified point addition for the Hessian elliptic curve form.
Out | ${\mathit{P}}_{1}={\mathit{P}}_{2}$ | ${\mathit{P}}_{1}\ne {\mathit{P}}_{2}$ |
---|---|---|
A | $\left[{Y}_{1}\right]\cdot\left[{r}_{1}{X}_{1}\right]$ | $\left[{Y}_{1}\right]\cdot\left[{r}_{2}{X}_{2}\right]$ |
B | $\left[{Y}_{1}\right]\cdot\left[{r}_{1}{Y}_{1}\right]$ | $\left[{Y}_{1}\right]\cdot\left[{r}_{2}{Y}_{2}\right]$ |
C | $\left[{Z}_{1}\right]\cdot\left[{r}_{1}{Y}_{1}\right]$ | $\left[{Z}_{1}\right]\cdot\left[{r}_{2}{Y}_{2}\right]$ |
D | $\left[{Z}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}\right]$ | $\left[{Z}_{1}\right]\cdot\left[{r}_{2}{Z}_{2}\right]$ |
E | $\left[{X}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}\right]$ | $\left[{X}_{1}\right]\cdot\left[{r}_{2}{Z}_{2}\right]$ |
F | $\left[{X}_{1}\right]\cdot\left[{r}_{1}{X}_{1}\right]$ | $\left[{X}_{1}\right]\cdot\left[{r}_{2}{X}_{2}\right]$ |
⋮ | ⋮ | ⋮ |
Appendix A.3. Edwards Elliptic Curve
An Edwards elliptic curve has the parameters $c$ and $d$ that satisfy the following equation:
The inverted projective coordinates represent $x,y$ as $X,Y,Z$ to satisfy the following equation:
The equivalence class containing $(X,Y,Z)$ is
We describe an inverted projective form of the unified point addition formula (add-2007-bl) given in [21]. Let ${P}_{1}=({X}_{1}:{Y}_{1}:{Z}_{1})$ and ${P}_{2}=({X}_{2}:{Y}_{2}:{Z}_{2})$. Then, we get ${P}_{1}+{P}_{2}=({X}_{3}:{Y}_{3}:{Z}_{3})$ by the unified point addition formula for the Edwards elliptic curve:
where
$A={Z}_{1}{Z}_{2},$ $B=d{A}^{2},$ $C={X}_{1}{X}_{2},$ $D={Y}_{1}{Y}_{2},$
$E=CD,$ $H=C-D,$ $I=({X}_{1}+{Y}_{1})({X}_{2}+{Y}_{2})-C-D.$
This formula requires 9 field multiplications and 1 field squaring. We can identify vulnerabilities of Type 1 and Type 2 during the computations of ${P}_{1}+{P}_{2}$ for ${P}_{1}\ne {P}_{2}$ and ${P}_{1}={P}_{2}$.
Type 1 vulnerability: Let us consider the computation $A=\left[{Z}_{1}\right]\cdot\left[{Z}_{2}\right]$. In this formula, it is computed as $\left[{Z}_{1}\right]\cdot\left[{Z}_{1}\right]$ for ${P}_{1}={P}_{2}$, whereas it is computed as $\left[{Z}_{1}\right]\cdot\left[{Z}_{2}\right]$ for ${P}_{1}\ne {P}_{2}$. Similarly, in $C=\left[{X}_{1}\right]\cdot\left[{X}_{2}\right]$, $D=\left[{Y}_{1}\right]\cdot\left[{Y}_{2}\right]$, and $I=\left[({X}_{1}+{Y}_{1})\right]\cdot\left[({X}_{2}+{Y}_{2})\right]-C-D$, these are computed as $\left[{X}_{1}\right]\cdot\left[{X}_{1}\right]$, $\left[{Y}_{1}\right]\cdot\left[{Y}_{1}\right]$, and $\left[({X}_{1}+{Y}_{1})\right]\cdot\left[({X}_{1}+{Y}_{1})\right]-C-D$ for ${P}_{1}={P}_{2}$, respectively. Thus, we can distinguish between ${P}_{1}={P}_{2}$ and ${P}_{1}\ne {P}_{2}$ using ROSETTA.
Type 2 vulnerability: The vulnerability of Type 2 does not exist.
When applying wRPC to unified point addition for the Edwards elliptic curve, the two inputs are expressed as follows:
where $r\ne 1$. It is sufficient to secure against a Type 1 vulnerability by applying wRPC to unified point addition. The application of wRPC to unified point addition is evaluated in Table A4, which shows that the vulnerability of Type 1 no longer exists.
Table A4.
Unified point addition for the Edwards elliptic curve.
Out | ${\mathit{P}}_{1}={\mathit{P}}_{2}$ | ${\mathit{P}}_{1}\ne {\mathit{P}}_{2}$ |
---|---|---|
A | $\left[{Z}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}\right]$ | $\left[{Z}_{1}\right]\cdot\left[{r}_{2}{Z}_{2}\right]$ |
B | $d{\left({r}_{1}{Z}_{1}^{2}\right)}^{2}$ | $d{\left({r}_{2}{Z}_{1}{Z}_{2}\right)}^{2}$ |
C | $\left[{X}_{1}\right]\cdot\left[{r}_{1}{X}_{1}\right]$ | $\left[{X}_{1}\right]\cdot\left[{r}_{2}{X}_{2}\right]$ |
D | $\left[{Y}_{1}\right]\cdot\left[{r}_{1}{Y}_{1}\right]$ | $\left[{Y}_{1}\right]\cdot\left[{r}_{2}{Y}_{2}\right]$ |
$E=C\cdot D$ | $\left[{r}_{1}{X}_{1}^{2}\right]\cdot\left[{r}_{1}{Y}_{1}^{2}\right]$ | $\left[{r}_{2}{X}_{1}{X}_{2}\right]\cdot\left[{r}_{2}{Y}_{1}{Y}_{2}\right]$ |
$H=C-D$ | $\left[{r}_{1}{X}_{1}^{2}\right]-\left[{r}_{1}{Y}_{1}^{2}\right]$ | $\left[{r}_{2}{X}_{1}{X}_{2}\right]-\left[{r}_{2}{Y}_{1}{Y}_{2}\right]$ |
$I=({X}_{1}+{Y}_{1})\cdot({X}_{2}+{Y}_{2})-C-D$ | $\left[({X}_{1}+{Y}_{1})\right]\cdot\left[({r}_{1}{X}_{1}+{r}_{1}{Y}_{1})\right]-\left[{r}_{1}{X}_{1}^{2}\right]-\left[{r}_{1}{Y}_{1}^{2}\right]$ | $\left[({X}_{1}+{Y}_{1})\right]\cdot\left[({r}_{2}{X}_{2}+{r}_{2}{Y}_{2})\right]-\left[{r}_{2}{X}_{1}{X}_{2}\right]-\left[{r}_{2}{Y}_{1}{Y}_{2}\right]$ |
⋮ | ⋮ | ⋮ |
Appendix A.4. Jacobi Intersections Elliptic Curve
An elliptic curve in Jacobi intersection form has the parameter $a$ and coordinates $s,c,d$ that satisfy the following equations:
The projective coordinates represent $s,c,d$ as $S,C,D,Z$ to satisfy the following equations:
The equivalence class containing $(S,C,D,Z)$ is
We describe a projective form of the unified point addition formula (add-20080225-hwcd) given in [21]. Let ${P}_{1}=({S}_{1}:{C}_{1}:{D}_{1}:{Z}_{1})$ and ${P}_{2}=({S}_{2}:{C}_{2}:{D}_{2}:{Z}_{2})$; then, we get ${P}_{1}+{P}_{2}=({S}_{3}:{C}_{3}:{D}_{3}:{Z}_{3})$ with the unified point addition formula for the Jacobi intersection elliptic curve:
where
$A={S}_{1}{C}_{1},$ $B={D}_{1}{Z}_{1},$ $C={S}_{2}{C}_{2},$ $D={D}_{2}{Z}_{2},$
$E={S}_{1}{D}_{2},$ $F={C}_{1}{Z}_{2},$ $G={D}_{1}{S}_{2},$ $H={Z}_{1}{C}_{2},$
$J=AD,$ $K=BC.$
This formula requires 13 field multiplications and 1 field squaring. We can identify vulnerabilities of Type 1 and Type 2 during the computations of ${P}_{1}+{P}_{2}$ for ${P}_{1}\ne {P}_{2}$ and ${P}_{1}={P}_{2}$.
Type 1 vulnerability: The vulnerability of Type 1 does not exist.
Type 2 vulnerability: Let us consider the computations of $A=\left[{S}_{1}\right]\cdot\left[{C}_{1}\right]$ and $C=\left[{S}_{2}\right]\cdot\left[{C}_{2}\right]$. If ${P}_{1}={P}_{2}$, then $\left[{S}_{1}\right]\cdot\left[{C}_{1}\right]$ is computed twice. Namely, the operands of $\left[{S}_{1}\right]\cdot\left[{C}_{1}\right]$ and $\left[{S}_{2}\right]\cdot\left[{C}_{2}\right]$ for $A$ and $C$ are the same for ${P}_{1}={P}_{2}$ and different for ${P}_{1}\ne {P}_{2}$. Similarly, consider the multiplications for $B$ and $D$, $E$ and $G$, $F$ and $H$, and $J$ and $K$. These multiplication pairs have the same operands for ${P}_{1}={P}_{2}$ and different operands for ${P}_{1}\ne {P}_{2}$. Also, consider the multiplications $A=\left[{S}_{1}\right]\cdot\left[{C}_{1}\right]$ and $G=\left[{D}_{1}\right]\cdot\left[{S}_{1}\right]$. If ${P}_{1}={P}_{2}$, then $\left[{S}_{1}\right]\cdot\left[{C}_{1}\right]$ and $\left[{D}_{1}\right]\cdot\left[{S}_{1}\right]$ are computed. Thus, they have the same operand ${S}_{1}$ when ${P}_{1}={P}_{2}$ but not when ${P}_{1}\ne {P}_{2}$. Similarly, the multiplication pairs $A$ and $H$, $B$ and $E$, $B$ and $F$, $C$ and $E$, $C$ and $F$, $D$ and $G$, and $D$ and $H$ have the same operand ${C}_{1}$, ${D}_{1}$, ${Z}_{1}$, ${S}_{1}$, ${C}_{1}$, ${D}_{1}$, and ${Z}_{1}$ for ${P}_{1}={P}_{2}$, respectively. Therefore, we can distinguish between ${P}_{1}={P}_{2}$ and ${P}_{1}\ne {P}_{2}$ using HCCA.
Applying wRPC to unified point addition of the Jacobi intersection elliptic curve, the two inputs are expressed as follows:
where $r\ne 1$. It is sufficient to secure against a Type 2 vulnerability by applying wRPC to unified point addition. The application of wRPC to unified point addition is evaluated in Table A5, which shows that the vulnerability of Type 2 no longer exists.
Table A5.
Unified point addition for the Jacobi intersection elliptic curve form.
Out | ${\mathit{P}}_{1}={\mathit{P}}_{2}$ | ${\mathit{P}}_{1}\ne {\mathit{P}}_{2}$ |
---|---|---|
A | $\left[{S}_{1}\right]\cdot\left[{C}_{1}\right]$ | $\left[{S}_{1}\right]\cdot\left[{C}_{1}\right]$ |
B | $\left[{D}_{1}\right]\cdot\left[{Z}_{1}\right]$ | $\left[{D}_{1}\right]\cdot\left[{Z}_{1}\right]$ |
C | $\left[{r}_{1}{S}_{1}\right]\cdot\left[{r}_{1}{C}_{1}\right]$ | $\left[{r}_{2}{S}_{2}\right]\cdot\left[{r}_{2}{C}_{2}\right]$ |
D | $\left[{r}_{1}{D}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}\right]$ | $\left[{r}_{2}{D}_{2}\right]\cdot\left[{r}_{2}{Z}_{2}\right]$ |
E | $\left[{S}_{1}\right]\cdot\left[{r}_{1}{D}_{1}\right]$ | $\left[{S}_{1}\right]\cdot\left[{r}_{2}{D}_{2}\right]$ |
F | $\left[{C}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}\right]$ | $\left[{C}_{1}\right]\cdot\left[{r}_{2}{Z}_{2}\right]$ |
G | $\left[{D}_{1}\right]\cdot\left[{r}_{1}{S}_{1}\right]$ | $\left[{D}_{1}\right]\cdot\left[{r}_{2}{S}_{2}\right]$ |
H | $\left[{Z}_{1}\right]\cdot\left[{r}_{1}{C}_{1}\right]$ | $\left[{Z}_{1}\right]\cdot\left[{r}_{2}{C}_{2}\right]$ |
$J=A\cdot D$ | $\left[{S}_{1}{C}_{1}\right]\cdot\left[{r}_{1}^{2}{D}_{1}{Z}_{1}\right]$ | $\left[{S}_{1}{C}_{1}\right]\cdot\left[{r}_{2}^{2}{D}_{2}{Z}_{2}\right]$ |
$K=B\cdot C$ | $\left[{D}_{1}{Z}_{1}\right]\cdot\left[{r}_{1}^{2}{S}_{1}{C}_{1}\right]$ | $\left[{D}_{1}{Z}_{1}\right]\cdot\left[{r}_{2}^{2}{S}_{2}{C}_{2}\right]$ |
⋮ | ⋮ | ⋮ |
Appendix A.5. Jacobi Quartic Elliptic Curve
An elliptic curve in the Jacobi quartic form has the parameter $a$ and coordinates $x,y$ that satisfy the following equation:
The projective coordinates represent $x,y$ as $X,Y,Z$ to satisfy the following equations:
The equivalence class containing $(X,Y,Z)$ is
We describe a projective form of the unified point addition formula (add-2007-bl) given in [21]. Let ${P}_{1}=({X}_{1}:{Y}_{1}:{Z}_{1})$ and ${P}_{2}=({X}_{2}:{Y}_{2}:{Z}_{2})$; then, we get ${P}_{1}+{P}_{2}=({X}_{3}:{Y}_{3}:{Z}_{3})$ with the unified point addition formula for the Jacobi quartic elliptic curve:
where
${A}_{2}={X}_{2}^{2},$ ${C}_{2}={Z}_{2}^{2},$ ${D}_{2}={A}_{2}+{C}_{2},$ ${B}_{2}={({X}_{2}+{Z}_{2})}^{2}-{D}_{2},$
${E}_{2}={B}_{2}+{Y}_{2},$ ${A}_{1}={X}_{1}^{2},$ ${C}_{1}={Z}_{1}^{2},$ ${D}_{1}={A}_{1}+{C}_{1},$
${B}_{1}={({X}_{1}+{Z}_{1})}^{2}-{D}_{1},$ ${E}_{1}={B}_{1}+{Y}_{1},$ $H={A}_{1}{A}_{2},$
$I={B}_{1}{B}_{2},$ $J={C}_{1}{C}_{2},$ $K={Y}_{1}{Y}_{2},$ $F=J+H,$ $F=2I.$
This formula requires 8 field multiplications and 6 field squarings. We can identify vulnerabilities of Type 1 and Type 2 during the computations of ${P}_{1}+{P}_{2}$ for ${P}_{1}\ne {P}_{2}$ and ${P}_{1}={P}_{2}$.
Type 1 vulnerability: Let us consider the computation $B=\left[{Y}_{1}\right]\cdot\left[{Y}_{2}\right]$. In this formula, it is computed as $\left[{Y}_{1}\right]\cdot\left[{Y}_{1}\right]$ for ${P}_{1}={P}_{2}$, whereas it is computed as $\left[{Y}_{1}\right]\cdot\left[{Y}_{2}\right]$ for ${P}_{1}\ne {P}_{2}$. Similarly, in $D=\left[{Z}_{1}\right]\cdot\left[{Z}_{2}\right]$ and $F=\left[{X}_{1}\right]\cdot\left[{X}_{2}\right]$, these are computed as $\left[{Z}_{1}\right]\cdot\left[{Z}_{1}\right]$ and $\left[{X}_{1}\right]\cdot\left[{X}_{1}\right]$ for ${P}_{1}={P}_{2}$, respectively. Thus, we can distinguish between ${P}_{1}={P}_{2}$ and ${P}_{1}\ne {P}_{2}$ using ROSETTA.
Type 2 vulnerability: Let us consider the computations $A=\left[{Y}_{1}\right]\cdot\left[{X}_{2}\right]$ and $C=\left[{Z}_{1}\right]\cdot\left[{Y}_{2}\right]$. If ${P}_{1}={P}_{2}$, then $\left[{Y}_{1}\right]\cdot\left[{X}_{1}\right]$ and $\left[{Z}_{1}\right]\cdot\left[{Y}_{1}\right]$ are computed. Thus, they have the same operand ${Y}_{1}$ when ${P}_{1}={P}_{2}$ but not when ${P}_{1}\ne {P}_{2}$. Similarly, considering $C=\left[{Z}_{1}\right]\cdot\left[{Y}_{2}\right]$ and $E=\left[{X}_{1}\right]\cdot\left[{Z}_{2}\right]$, the multiplications for $C$ and $E$ have the same operand ${Z}_{1}$ for ${P}_{1}={P}_{2}$ and different operands for ${P}_{1}\ne {P}_{2}$. Also, the multiplications for $A$ and $E$ have the same operand ${X}_{1}$ for ${P}_{1}={P}_{2}$. Therefore, we can distinguish between ${P}_{1}={P}_{2}$ and ${P}_{1}\ne {P}_{2}$ using HCCA.
By Algorithm 2, to use unified point addition on the Jacobi quartic elliptic curve, the two inputs of step 8 are expressed as follows:
where $r\ne 1$. It is sufficient to secure against Type 1 and Type 2 vulnerabilities by applying wRPC to unified point addition. The application of wRPC to unified point addition is evaluated in Table A6, which shows that vulnerabilities of Type 1 and Type 2 no longer exist.
Table A6.
Unified point addition for the Jacobi quartic elliptic curve form.
Out | ${\mathit{P}}_{1}={\mathit{P}}_{2}$ | ${\mathit{P}}_{1}\ne {\mathit{P}}_{2}$ |
---|---|---|
A | $\left[{Y}_{1}\right]\cdot\left[{r}_{1}{X}_{1}\right]$ | $\left[{Y}_{1}\right]\cdot\left[{r}_{2}{X}_{2}\right]$ |
B | $\left[{Y}_{1}\right]\cdot\left[{r}_{1}^{2}{Y}_{1}\right]$ | $\left[{Y}_{1}\right]\cdot\left[{r}_{2}^{2}{Y}_{2}\right]$ |
C | $\left[{Z}_{1}\right]\cdot\left[{r}_{1}^{2}{Y}_{1}\right]$ | $\left[{Z}_{1}\right]\cdot\left[{r}_{2}^{2}{Y}_{2}\right]$ |
D | $\left[{Z}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}\right]$ | $\left[{Z}_{1}\right]\cdot\left[{r}_{2}{Z}_{2}\right]$ |
E | $\left[{X}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}\right]$ | $\left[{X}_{1}\right]\cdot\left[{r}_{2}{Z}_{2}\right]$ |
F | $\left[{X}_{1}\right]\cdot\left[{r}_{1}{X}_{1}\right]$ | $\left[{X}_{1}\right]\cdot\left[{r}_{2}{X}_{2}\right]$ |
⋮ | ⋮ | ⋮ |
Appendix A.6. Binary Edwards Elliptic Curve
A binary Edwards elliptic curve has the parameters ${d}_{1}$ and ${d}_{2}$ that satisfy the following equation:
The projective coordinates represent $x,y$ as $X,Y,Z$ to satisfy the following equation:
The equivalence class containing $(X,Y,Z)$ is
We describe a projective form of the unified point addition formula (add-2008-blr-4) given in [21]. Let ${P}_{1}=({X}_{1}:{Y}_{1}:{Z}_{1})$ and ${P}_{2}=({X}_{2}:{Y}_{2}:{Z}_{2})$; then, we can get ${P}_{1}+{P}_{2}=({X}_{3}:{Y}_{3}:{Z}_{3})$ with unified point addition for the binary Edwards elliptic curve:
where
$A={X}_{1}{X}_{2},$ $B={Y}_{1}{Y}_{2},$ $C={Z}_{1}{Z}_{2},$ $D={d}_{1}C,$ $E={C}^{2},$ $F={D}^{2},$
$G=({X}_{1}+{Z}_{1})({X}_{2}+{Z}_{2}),$ $H=({Y}_{1}+{Z}_{1})({Y}_{2}+{Z}_{2}),$ $I=A+G,$
$J=B+H,$ $K=({X}_{1}+{Y}_{1})({X}_{2}+{Y}_{2}),$ $U=C(F+{d}_{1}K(K+I+J+C)),$
$V=U+DF+K({d}_{2}({d}_{1}E+GH+AB)+({d}_{2}+{d}_{1})IJ).$
This formula requires 18 field multiplications. We found both Type 1 and Type 2 vulnerabilities during the computations of ${P}_{1}+{P}_{2}$ for ${P}_{1}\ne {P}_{2}$ and ${P}_{1}={P}_{2}$.
Type 1 vulnerability: Let us consider the computation $A=\left[{X}_{1}\right]\cdot\left[{X}_{2}\right]$. In this formula, it is computed as $\left[{X}_{1}\right]\cdot\left[{X}_{1}\right]$ for ${P}_{1}={P}_{2}$, whereas it is computed as $\left[{X}_{1}\right]\cdot\left[{X}_{2}\right]$ for ${P}_{1}\ne {P}_{2}$. Similarly, for $B=\left[{Y}_{1}\right]\cdot\left[{Y}_{2}\right]$, $C=\left[{Z}_{1}\right]\cdot\left[{Z}_{2}\right]$, $G=\left[({X}_{1}+{Z}_{1})\right]\cdot\left[({X}_{2}+{Z}_{2})\right]$, $H=\left[({Y}_{1}+{Z}_{1})\right]\cdot\left[({Y}_{2}+{Z}_{2})\right]$, and $K=\left[({X}_{1}+{Y}_{1})\right]\cdot\left[({X}_{2}+{Y}_{2})\right]$, these are computed as $B=\left[{Y}_{1}\right]\cdot\left[{Y}_{1}\right]$, $C=\left[{Z}_{1}\right]\cdot\left[{Z}_{1}\right]$, $G=\left[({X}_{1}+{Z}_{1})\right]\cdot\left[({X}_{1}+{Z}_{1})\right]$, $H=\left[({Y}_{1}+{Z}_{1})\right]\cdot\left[({Y}_{1}+{Z}_{1})\right]$, and $K=\left[({X}_{1}+{Y}_{1})\right]\cdot\left[({X}_{1}+{Y}_{1})\right]$ for ${P}_{1}={P}_{2}$. Also, if ${P}_{1}={P}_{2}$, $I$ and $J$ are computed as follows:
$I=A+G={X}_{1}{X}_{1}+({X}_{1}+{Z}_{1})({X}_{1}+{Z}_{1})={X}_{1}^{2}+{X}_{1}^{2}+{Z}_{1}^{2}={Z}_{1}^{2}$ and
$J=B+H={Y}_{1}{Y}_{1}+({Y}_{1}+{Z}_{1})({Y}_{1}+{Z}_{1})={Y}_{1}^{2}+{Y}_{1}^{2}+{Z}_{1}^{2}={Z}_{1}^{2}.$
Thus, if ${P}_{1}={P}_{2}$, $\left[I\right]\cdot\left[J\right]=\left[{Z}_{1}^{2}\right]\cdot\left[{Z}_{1}^{2}\right]$. An adversary can distinguish between ${P}_{1}={P}_{2}$ and ${P}_{1}\ne {P}_{2}$ using ROSETTA.
Type 2 vulnerability: Let us consider the computations $U=\left[C\right]\cdot\left[(F+{d}_{1}K(K+I+J+C))\right]$, $\left[({d}_{2}+{d}_{1})\right]\cdot\left[I\right]\cdot\left[J\right]$ in $V$, and $\left[({d}_{2}+{d}_{1})\right]\cdot\left[C\right]\cdot\left[{K}^{2}\right]$ in ${Z}_{3}$. If ${P}_{1}={P}_{2}$, since $C=I=J$, both operations have at least one operand in common. Therefore, they can be distinguished using HCCA.
By Algorithm 2, to use unified point addition on the binary Edwards elliptic curve, the two inputs of step 8 are expressed as follows:
where $r\ne 1$. Although wRPC is applied to unified point addition, $C=I=J$ for ${P}_{1}={P}_{2}$. Thus, we need to modify the unified point addition formula. The collision pairs exposed by HCCA are ($U=\left[C\right]\cdot\left[(F+{d}_{1}K(K+I+J+C))\right]$ and $\left[({d}_{2}+{d}_{1})\right]\cdot\left[I\right]\cdot\left[J\right]$ in $V$) or ($\left[({d}_{2}+{d}_{1})\right]\cdot\left[C\right]\cdot\left[{K}^{2}\right]$ in ${Z}_{3}$ and $\left[({d}_{2}+{d}_{1})\right]\cdot\left[I\right]\cdot\left[J\right]$ in $V$). Since both collision pairs contain the operation $\left[({d}_{2}+{d}_{1})\right]\cdot\left[I\right]\cdot\left[J\right]$, we only have to mask its operands. We modified $\left[({d}_{2}+{d}_{1})\right]\cdot\left[I\right]\cdot\left[J\right]$ in $V$ as follows:
Because squaring is free in a binary field, we configured the masking of ${d}_{2}+{d}_{1}$ and $({d}_{2}+{d}_{1})I$ by squaring. The proposed unified point addition method for the binary Edwards elliptic curve is as follows:
where
$A={X}_{1}{X}_{2},$ $B={Y}_{1}{Y}_{2},$ $C={Z}_{1}{Z}_{2},$ $D={d}_{1}C,$ $E={C}^{2},$ $F={D}^{2},$
$G=({X}_{1}+{Z}_{1})({X}_{2}+{Z}_{2}),$ $H=({Y}_{1}+{Z}_{1})({Y}_{2}+{Z}_{2}),$ $I=A+G,$
$J=B+H,$ $L=({d}_{2}+{d}_{1})(I+{d}_{2}+{d}_{1})+{({d}_{2}+{d}_{1})}^{2},$ $K=({X}_{1}+{Y}_{1})({X}_{2}+{Y}_{2}),$
$U=C(F+{d}_{1}K(K+I+J+C)),$
$V=U+DF+K({d}_{2}({d}_{1}E+GH+AB)+L(J+L)+{L}^{2}).$
After applying the above modification to the unified point addition, 18 field multiplications were required, which is exactly the same as in the original one. After applying wRPC to the modified unified point addition method, Type 1 and Type 2 vulnerabilities no longer exist (Table A7).
Table A7.
The proposed unified point addition method on the binary Edwards elliptic curve.
Out | ${\mathit{P}}_{1}={\mathit{P}}_{2}({\mathit{k}}^{\prime}=0)$ | ${\mathit{P}}_{1}\ne {\mathit{P}}_{2}({\mathit{k}}^{\prime}=1)$ |
---|---|---|
A | $\left[{X}_{1}\right]\cdot\left[{r}_{1}{X}_{1}\right]$ | $\left[{X}_{1}\right]\cdot\left[{r}_{2}{X}_{2}\right]$ |
B | $\left[{Y}_{1}\right]\cdot\left[{r}_{1}{Y}_{1}\right]$ | $\left[{Y}_{1}\right]\cdot\left[{r}_{2}{Y}_{2}\right]$ |
C | $\left[{Z}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}\right]$ | $\left[{Z}_{1}\right]\cdot\left[{r}_{2}{Z}_{2}\right]$ |
$D={d}_{1}\cdot C$ | $\left[{d}_{1}\right]\cdot\left[{r}_{1}{Z}_{1}^{2}\right]$ | $\left[{d}_{1}\right]\cdot\left[{r}_{2}{Z}_{1}{Z}_{2}\right]$ |
$E={C}^{2}$ | ${\left({r}_{1}{Z}_{1}^{2}\right)}^{2}$ | ${\left({r}_{2}{Z}_{1}{Z}_{2}\right)}^{2}$ |
$F={D}^{2}$ | ${\left({r}_{1}{d}_{1}{Z}_{1}^{2}\right)}^{2}$ | ${\left({r}_{2}{d}_{1}{Z}_{1}{Z}_{2}\right)}^{2}$ |
G | $\left[({X}_{1}+{Z}_{1})\right]\cdot\left[({r}_{1}{X}_{1}+{r}_{1}{Z}_{1})\right]$ | $\left[({X}_{1}+{Z}_{1})\right]\cdot\left[({r}_{2}{X}_{2}+{r}_{2}{Z}_{2})\right]$ |
H | $\left[({Y}_{1}+{Z}_{1})\right]\cdot\left[({r}_{1}{Y}_{1}+{r}_{1}{Z}_{1})\right]$ | $\left[({Y}_{1}+{Z}_{1})\right]\cdot\left[({r}_{2}{Y}_{2}+{r}_{2}{Z}_{2})\right]$ |
$I=A+G$ | ${r}_{1}{X}_{1}^{2}+({r}_{1}{X}_{1}^{2}+{r}_{1}{Z}_{1}^{2})$ | ${r}_{2}{X}_{1}{X}_{2}+({X}_{1}+{Z}_{1})({r}_{2}{X}_{2}+{r}_{2}{Z}_{2})$ |
$J=B+H$ | ${r}_{1}{Y}_{1}^{2}+({r}_{1}{Y}_{1}^{2}+{r}_{1}{Z}_{1}^{2})$ | ${r}_{2}{Y}_{1}{Y}_{2}+({Y}_{1}+{Z}_{1})({r}_{2}{Y}_{2}+{r}_{2}{Z}_{2})$ |
$L=({d}_{2}+{d}_{1})\cdot(I+{d}_{2}+{d}_{1})+{({d}_{2}+{d}_{1})}^{2}+{({d}_{2}+{d}_{1})}^{2}$ | $\left[({d}_{2}+{d}_{1})\right]\cdot\left[({r}_{1}{Z}_{1}^{2}+{d}_{2}+{d}_{1})\right]$ | $\left[({d}_{2}+{d}_{1})\right]\cdot\left[({r}_{2}{X}_{1}{X}_{2}+{r}_{2}({X}_{1}+{Z}_{1})({X}_{2}+{Z}_{2})+{d}_{2}+{d}_{1})\right]+{({d}_{2}+{d}_{1})}^{2}$ |
K | $\left[({X}_{1}+{Y}_{1})\right]\cdot\left[({r}_{1}{X}_{1}+{r}_{1}{Y}_{1})\right]$ | $\left[({X}_{1}+{Y}_{1})\right]\cdot\left[({r}_{2}{X}_{2}+{r}_{2}{Y}_{2})\right]$ |
$U=C\cdot(F+{d}_{1}\cdot K\cdot(K+I+J+C))$ | $\left[{r}_{1}{Z}_{1}^{2}\right]\cdot\left[{\left({r}_{1}{d}_{1}{Z}_{1}^{2}\right)}^{2}+\left[{d}_{1}\right]\cdot\left[{r}_{1}{X}_{1}^{2}+{r}_{1}{Y}_{1}^{2}\right]\cdot\left[{r}_{1}{X}_{1}^{2}+{r}_{1}{Y}_{1}^{2}+{r}_{1}{Z}_{1}^{2}+{r}_{1}{Z}_{1}^{2}+{r}_{1}{Z}_{1}^{2}\right]\right]$ | $\left[{r}_{2}{Z}_{1}{Z}_{2}\right]\cdot\left[{\left({r}_{2}{d}_{1}{Z}_{1}{Z}_{2}\right)}^{2}+\left[{d}_{1}\right]\cdot\left[{r}_{2}({X}_{1}+{Y}_{1})({X}_{2}+{Y}_{2})\right]\cdot\left[{r}_{2}({X}_{1}+{Y}_{1})({X}_{2}+{Y}_{2})+{r}_{2}{X}_{1}{X}_{2}+{r}_{2}({X}_{1}+{Z}_{1})({X}_{2}+{Z}_{2})+{r}_{2}{Y}_{1}{Y}_{2}+{r}_{2}({Y}_{1}+{Z}_{1})({Y}_{2}+{Z}_{2})+{r}_{2}{Z}_{1}{Z}_{2}\right]\right]$ |
⋮ | ⋮ | ⋮ |