Appendix A
We applied Type 1 and Type 2 vulnerabilities to unified point additions on other elliptic curves. As a result, we found that most unified point additions on these elliptic curves (such as Weierstraß, Hessian, Edwards, Jacobi intersections, Jacobi quartic, and binary Edwards elliptic curves) have these vulnerabilities.
Table A1 shows the vulnerability of each unified point addition. In the case of Hessian, Edwards, Jacobi intersections, and Jacobi quartic curves, it is enough to apply wRPC to unified point additions to ensure security against Type 1 and Type 2 vulnerabilities. However, in the case of Weierstraß and binary Edwards elliptic curves, we need to modify the unified point addition formula. In this section, we explain the vulnerabilities of unified point addition and its countermeasure for Weierstraß, Hessian, Edwards, Jacobi intersections, Jacobi quartic, and binary Edwards elliptic curves.
Table A1.
The vulnerabilities of the elliptic curve forms and their countermeasures.
Curve | Type 1 | Type 2 | Countermeasures |
---|---|---|---|
Weierstraß | insecure | insecure | wRPC; the modified unified point addition |
Hessian | insecure | insecure | wRPC |
Edwards | insecure | secure | wRPC |
Jacobi intersections | secure | insecure | wRPC |
Jacobi quartic | insecure | insecure | wRPC |
binary Edwards | insecure | insecure | wRPC; the modified unified point addition |
Appendix A.1. Weierstraß Elliptic Curve
A Weierstraß elliptic curve has the parameters a and b that satisfy the following equations:
The projective coordinates have the assumption
and represent
as
to satisfy the following equations:
The equivalence class containing
is
We describe a projective form of the unified point addition method (add-2007-bl) given in [21]. Let
and
; then, we can get
by the unified point addition formula for the Weierstraß elliptic curve:
where
and
This formula requires 11 field multiplications and 6 field squarings. We found both Type 1 and Type 2 vulnerabilities during the computations of for and .
Type 1 vulnerability: Let us consider the computation . In this formula, it is computed as for , whereas it is computed as for . Similarly, for in R, this is computed as for . Thus, we can distinguish between and using ROSETTA.
Type 2 vulnerability: Let us consider the computations and . If , then is computed twice. Namely, the operands of and for and are the same for but different for . Similarly, considering and , the multiplications for and have the same operands for but different operands for . Therefore, we can distinguish between and using HCCA.
Applying wRPC to unified point addition on the Weierstraß elliptic curve, the two inputs are expressed as follows:
where . Although wRPC is applied to unified point addition, in R is computed as for . Thus, we need to modify in R. We modified R as follows:
After applying the above modification to unified point addition, 11 field multiplications and 6 field squarings were required, which is exactly the same cost as the original formula. After applying wRPC to the modified unified point addition formula, Type 1 and Type 2 vulnerabilities no longer exist (Table A2).
Table A2.
The proposed unified point addition method on the Weierstraß elliptic curve by applying wRPC.
Out | | |
---|
| | |
| | |
| | |
| | |
Z | | |
| | |
| | |
| | |
⋮ | ⋮ | ⋮ |
Appendix A.2. Hessian Elliptic Curve
A Hessian elliptic curve has a parameter d that satisfies the following equation:
The projective coordinates represent
as
satisfying the following equation:
The equivalence class containing
is
We describe a projective form of the unified point addition formula (add-2009-bkl) given in [21]. Let
and
; then, we get
with the unified point addition formula for the Hessian elliptic curve:
where
This formula requires 12 field multiplications. We can identify vulnerabilities of Type 1 and Type 2 during the computations of for and .
Type 1 vulnerability: Let us consider the computation . In this formula, it is computed as for , whereas it is computed as for . Similarly, in and , these are computed as and for , respectively. Thus, we can distinguish between and using ROSETTA.
Type 2 vulnerability: Let us consider the computations and . If , then and are computed. Thus, they have the same operand when but not when . Similarly, considering and , the multiplications for C and E have the same operand for and different operands for . Also, the multiplications for A and E have the same operand for . Therefore, we can distinguish between and using HCCA.
When applying wRPC to unified point addition on the Hessian elliptic curve, the two inputs are expressed as follows:
where . Applying wRPC to unified point addition is sufficient to secure it against Type 1 and Type 2 vulnerabilities. The application of wRPC to unified point addition is evaluated in Table A3, which shows that vulnerabilities of Type 1 and Type 2 no longer exist.
Table A3.
Unified point addition for the Hessian elliptic curve form.
Out | | |
---|
A | | |
B | | |
C | | |
D | | |
E | | |
F | | |
⋮ | ⋮ | ⋮ |
Appendix A.3. Edwards Elliptic Curve
An Edwards elliptic curve has the parameters c and d that satisfy the following equation:
The inverted projective coordinates represent
as
to satisfy the following equation:
The equivalence class containing
is
We describe an inverted projective form of the unified point addition formula (add-2007-bl) given in [21]. Let
and
. Then, we get
by the unified point addition formula for the Edwards elliptic curve:
where
This formula requires 9 field multiplications and 1 field squaring. We can identify vulnerabilities of Type 1 and Type 2 during the computations of for and .
Type 1 vulnerability: Let us consider the computation . In this formula, it is computed as for , whereas it is computed as for . Similarly, in , and , and these are computed as , , and for , respectively. Thus, we can distinguish between and using ROSETTA.
Type 2 vulnerability: The vulnerability of Type 2 does not exist.
When applying wRPC to unified point addition for the Edwards elliptic curve, the two inputs are expressed as follows:
where . Applying wRPC to unified point addition is sufficient to secure it against a Type 1 vulnerability. The application of wRPC to unified point addition is evaluated in Table A4, which shows that the Type 1 vulnerability no longer exists.
Table A4.
Unified point addition for the Edwards elliptic curve.
Out | | |
---|
A | | |
B | | |
C | | |
D | | |
| | |
| | |
| | |
⋮ | ⋮ | ⋮ |
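The following added example (not code from the paper) audits the inverted-Edwards unified addition for the two leak classes described above: it logs every field multiplication, then reports multiplications that become squarings (Type 1) and multiplication pairs that share an operand (Type 2) only when P = Q. The add-2007-bl operation sequence, the toy field, the curve parameters, and `rescale` are assumptions of this example; `rescale` is a plain projective rescaling used as a stand-in for wRPC, whose definition is not reproduced on this page.

```python
P = 2**127 - 1   # toy prime field with P % 4 == 3 (assumption for this example)
C, D = 1, 3      # constructed Edwards parameters: x^2 + y^2 = c^2 (1 + d x^2 y^2)

def find_points(n):
    """First n curve points, as inverted coordinates (X:Y:Z) = (1/x : 1/y : 1)."""
    pts = []
    for x in range(2, 200):
        y2 = (C*C - x*x) * pow((1 - C*C*D*x*x) % P, -1, P) % P
        y = pow(y2, (P + 1) // 4, P)          # square-root candidate
        if y * y % P == y2 and len(pts) < n:
            pts.append((pow(x, -1, P), pow(y, -1, P), 1))
    return pts

def rescale(pt, lam):
    """Same point, different projective representative (hypothetical wRPC stand-in)."""
    return tuple(lam * v % P for v in pt)

def add_2007_bl(p1, p2, trace):
    """Unified addition; every field multiplication is logged as (name, a, b)."""
    def mul(name, a, b):
        trace.append((name, a % P, b % P))
        return a * b % P
    (X1, Y1, Z1), (X2, Y2, Z2) = p1, p2
    A = mul("A", Z1, Z2)
    B = D * mul("B", A, A) % P                # a squaring for every input
    Cm, Dm = mul("C", X1, X2), mul("D", Y1, Y2)
    E, H = mul("E", Cm, Dm), (Cm - Dm) % P
    I = (mul("I", X1 + Y1, X2 + Y2) - Cm - Dm) % P
    return (C * mul("X3", E + B, H) % P, C * mul("Y3", E - B, I) % P,
            mul("Z3", mul("AH", A, H), I))

def profile(p1, p2):
    """(multiplications with equal operands, multiplication pairs sharing an operand)."""
    trace = []
    add_2007_bl(p1, p2, trace)
    squarings = {n for n, a, b in trace if a == b}
    shared = {(m, n) for i, (m, a, b) in enumerate(trace)
              for n, c, d in trace[i + 1:] if {a, b} & {c, d}}
    return squarings, shared

def distinguishers(double_case, add_case):
    """Features that appear when P = Q but not when P != Q: (Type 1, Type 2)."""
    return double_case[0] - add_case[0], double_case[1] - add_case[1]

if __name__ == "__main__":
    p, q = find_points(2)
    base = profile(rescale(p, 5), rescale(q, 7))          # genuine addition
    print(distinguishers(profile(rescale(p, 5), rescale(p, 5)), base))
    print(distinguishers(profile(rescale(p, 5), rescale(p, 7)), base))
```

With the same representative on both inputs, the doubling case exposes A, C, D and I as squarings and no extra shared operands; with two different representatives of the same point, both sets are empty.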
Appendix A.4. Jacobi Intersections Elliptic Curve
An elliptic curve in Jacobi intersection form has the parameter a and coordinate that satisfy the following equations:
The projective coordinates represent
as
to satisfy the following equations:
The equivalence class containing
is
We describe a projective form of the unified point addition formula (add-20080225-hwcd) given in [21]. Let
and
; then, we get
with the unified point addition formula for the Jacobi intersection elliptic curve:
where
This formula requires 13 field multiplications and 1 field squaring. We can identify vulnerabilities of Type 1 and Type 2 during the computations of for and .
Type 1 vulnerability: The vulnerability of Type 1 does not exist.
Type 2 vulnerability: Let us consider the computations of and . If , then are computed twice. Namely, the operands of and for A and B are the same for and different for . Similarly, consider multiplications for B and D, E and G, F and H, and J and K. These multiplication pairs have the same operands for and different operands for . Also, consider multiplication of and . If , then and are computed. Thus, they have the same operand when but not when . Similarly, the multiplication pairs A and H, B and E, B and F, C and E, C and F, D and G, and D and H have the same operand , , , , , , and for , respectively. Therefore, we can distinguish between and using HCCA.
Applying wRPC to unified point addition of the Jacobi intersection elliptic curve, the two inputs are expressed as follows:
where . Applying wRPC to unified point addition is sufficient to secure it against a Type 2 vulnerability. The application of wRPC to unified point addition is evaluated in Table A5, which shows that the Type 2 vulnerability no longer exists.
Table A5.
Unified point addition for the Jacobi intersection elliptic curve form.
Out | | |
---|
A | | |
B | | |
C | | |
D | | |
E | | |
F | | |
G | | |
H | | |
| | |
| | |
⋮ | ⋮ | ⋮ |
Appendix A.5. Jacobi Quartic Elliptic Curve
An elliptic curve in the Jacobi quartic form has the parameter a and coordinates that satisfy the following equation:
The projective coordinates represent
as
to satisfy the following equations:
The equivalence class containing
is
We describe a projective form of the unified point addition formula (add-2007-bl) given in [21]. Let
and
; then, we get
with the unified point addition formula for the Jacobi quartic elliptic curve:
where
This formula requires 8 field multiplications and 6 field squarings. We can identify vulnerabilities of Type 1 and Type 2 during the computations of for and .
Type 1 vulnerability: Let us consider the computation . In this formula, it is computed as for , whereas it is computed as for . Similarly, in and , these are computed as and for , respectively. Thus, we can distinguish between and using ROSETTA.
Type 2 vulnerability: Let us consider the computations and . If , then and are computed. Thus, they have the same operand when but not when . Similarly, considering and , the multiplications for C and E have the same operand for and different operands for . Also, the multiplications for A and E have the same operand for . Therefore, we can distinguish between and using HCCA.
By Algorithm 2, to use unified point addition on the Jacobi quartic elliptic curve, the two inputs of step 8 are expressed as follows:
where . Applying wRPC to unified point addition is sufficient to secure it against Type 1 and Type 2 vulnerabilities. The application of wRPC to unified point addition is evaluated in Table A6, which shows that vulnerabilities of Type 1 and Type 2 no longer exist.
Table A6.
Unified point addition for the Jacobi quartic elliptic curve form.
Out | | |
---|
A | | |
B | | |
C | | |
D | | |
E | | |
F | | |
⋮ | ⋮ | ⋮ |
Appendix A.6. Binary Edwards Elliptic Curve
A binary Edwards elliptic curve has the parameters
and
that satisfy the following equation:
The projective coordinates represent
as
to satisfy the following equation:
The equivalence class containing
is
We describe a projective form of the unified point addition formula (add-2008-blr-4) given in [21]. Let
and
; then, we can get
with unified point addition for the binary Edwards elliptic curve:
where
This formula requires 18 field multiplications. We found both Type 1 and Type 2 vulnerabilities during the computations of for and .
Type 1 vulnerability: Let us consider the computation . In this formula, it is computed as for , whereas it is computed as for . Similarly, for , , , , and , these are computed as , , , , and for . Also, if , I and J compute as follows:
and
Thus, if , an adversary can distinguish between and using ROSETTA.
Type 2 vulnerability: Let us consider the computations , in V and in . If , since , both operations have at least one same operand. Therefore, they can be distinguished using HCCA.
By Algorithm 2, to use unified point addition on the binary Edwards elliptic curve, the two inputs of step 8 are expressed as follows:
where . Although wRPC is applied to unified point addition, for . Thus, we need to modify the unified point addition formula. The collision pairs exposed by HCCA are ( and in V) or ( in and in V). Since both collision pairs contain the operation , we only have to mask its operands. We modified in V as follows:
To take advantage of the free computational cost of squaring in a binary field, we configured the masking of and by squaring. The proposed unified point addition method for the binary Edwards elliptic curve is as follows:
where
After applying the above modification to the unified point addition, 18 field multiplications were required, which is exactly the same as in the original formula. After applying wRPC to the modified unified point addition method, Type 1 and Type 2 vulnerabilities no longer exist (Table A7).
Table A7.
The proposed unified point addition method on the binary Edwards elliptic curve.
Out | | |
---|
A | | |
B | | |
C | | |
| | |
| | |
| | |
G | | |
H | | |
| | |
| | |
| | |
K | | |
| | |
| | |
⋮ | ⋮ | ⋮ |