Side-Channel Vulnerabilities of Unified Point Addition on Binary Huff Curve and Its Countermeasure

Unified point addition for computing elliptic curve point addition and doubling is considered to be resistant to simple power analysis. Recently, new side-channel attacks, such as recovery of secret exponent by triangular trace analysis and horizontal collision correlation analysis, have been successfully applied to elliptic curve methods to investigate their resistance to side-channel attacks. These attacks turn out to be very powerful since they only require leakage of a single power consumption trace. In this paper, using these side-channel attack analyses, we introduce two vulnerabilities of unified point addition on the binary Huff curve. Also, we propose a new unified point addition method for the binary Huff curve. Furthermore, to secure against these vulnerabilities, we apply an equivalence class to the side-channel atomic algorithm using the proposed unified point addition method.


Introduction
Side-channel attacks (SCAs) are major threats to the security of cryptographic embedded devices. Power analysis, the most actively researched SCA technique, can be used to find secret information by using the power consumption data extracted during the cryptographic operations of embedded devices. Power analysis attacks on elliptic curve cryptosystems (ECCs) are classified into two types: simple power analysis (SPA) and differential power analysis (DPA) [1]. SPA exposes secret information by observing the power consumption of a single execution of a cryptographic algorithm. For example, a secret key can be easily extracted from the binary scalar multiplication algorithm by differentiating the point addition signal from the point doubling signal. On the other hand, DPA reveals secret information by statistically analyzing many executions of the same algorithm with different inputs without the physical decapsulation of the target device, even if it is impossible to apply SPA. DPA utilizes a correlation between power consumption and specific key-dependent bits that appear at the cryptographic computations. Among the representative countermeasures against DPA are randomization techniques, e.g., scalar/message blinding methods and randomized projective coordinates, which make it impossible to guess the specified values [2]. The countermeasures against SPA can be divided into two main categories. The first strategy is to perform point addition and point doubling, regardless of the secret bit value, such as the double-and-add-always method and Montgomery ladder algorithm [2,3]. The second approach is to make basic operations indistinguishable, such as side-channel atomicity and unified point addition [4,5].
Recently, two new SCAs using only one power consumption trace, recovery of secret exponent by triangular trace analysis (ROSETTA) and horizontal collision correlation analysis (HCCA), have been proposed to analyze various countermeasures against DPA and SPA [6,7]. While ROSETTA can find secret information by distinguishing whether the operands of a field multiplication are the same or different, HCCA can find it by distinguishing whether the two field multiplications have at least one operand in common. These two attacks do not require any prior knowledge of the input operands of the field multiplications.
Unified point addition is useful for making ECCs resistant to SPA. This technique, by which point addition and point doubling use the same sequence of field operations, was first introduced by Brier and Joye in affine and projective coordinates [5]. After that, various unified point addition formulae were proposed for their application to many kinds of elliptic curves, such as Edwards curves, binary Huff curves, and so on. Recently, unified point addition for the binary Huff curve was proposed by Devigne and Joye at the CT-RSA 2011 conference [8]. However, at the CHES 2013 conference, S. Ghosh et al. showed that unified point addition was insecure against SPA. They further proposed a modified unified point addition formula for the binary Huff curve which would provide resistance to SPA [9].
In this paper, we demonstrate two vulnerabilities of unified point addition on the binary Huff curve using ROSETTA and HCCA. Unified point addition operates with an identical sequence of field operations, regardless of the input points. However, some field multiplications of the unified point addition computation are affected by whether the two input points are equal or not. If the two input points of the unified point addition operation are equal, field multiplications are computed with the same operands (i.e., squaring). Also, there are some field multiplication pairs with common operands. Hence, unified point addition can be exposed to the risk of these vulnerabilities using ROSETTA and HCCA. In order to show that unified point addition actually has these weaknesses, we implemented unified point addition on a binary Huff curve on an ARM Cortex-M4 processor that performs field multiplications depending on the secret bit value, repeatedly. Then, we analyzed a power consumption trace collected from the implementation by using our attack methods. As a result of the actual experiments, we were able to find secret bit values more than 94% of the time, which proves that this unified point addition operation is indeed vulnerable to our attacks, and the single trace attack is a practical threat.
To provide security against our attack methods, we propose a new countermeasure using an equivalence class for unified point addition. By using the equivalence class, even though two input points of the unified point addition operation are in the same class, the two points can be different projective coordinate values. In addition, to provide perfect security against our attack methods, we reconfigured the operations of the unified point addition formula. The proposed unified point addition method for the binary Huff curve using the equivalence class is just about 2∼4.4% slower than the existing unified point addition method from [8,9]. In addition, the proposed method is about 8.5∼17.5% faster than an existing countermeasure that provides the same security, i.e., unified point addition using blinding operands of a field multiplication [10]. We applied the aforementioned attacks to the unified point addition formulae of other elliptic curves and confirmed that most unified point addition formulae have these vulnerabilities.
This paper is organized as follows. Section 2 introduces basic knowledge of binary Huff curves and a description of ROSETTA and HCCA. In Sections 3 and 4, we explain the vulnerabilities of the unified point addition formulae and describe the experimental results of applying these methods. Section 5 proposes our method to make unified point addition secure against our attacks. In Section 6, we compare the proposed method with previous methods. Finally, Section 7 addresses our conclusions. In addition, we explain the vulnerabilities of several unified addition formulae and their countermeasures in Appendix A.

Binary Huff Curve and Unified Point Addition
At CT-RSA in 2011, a Huff curve for the binary field was proposed by Devigne and Joye. Instead of providing general point addition, this construction provides a unified point addition operation to resist side-channel attacks. However, at CHES in 2013, Ghosh et al. demonstrated that the unified point addition method from CT-RSA 2011 was insecure against SPA. Even though both point addition and point doubling are computed with the same formula and executed by the same sequence of finite field operations, they demand different amounts of power consumption. Specifically, point doubling with unified point addition produces a zero value in some intermediate operations, whereas point addition does not. Such zero values in point doubling are used in some field multiplications in unified point addition, so the outputs of those multiplications are also zero. The power consumption of these multiplications with zero and nonzero inputs is significantly different. Therefore, it is possible to distinguish between point doubling and point addition. Hence, they proposed a new unified point addition formula which is secure against SPA. Here, we provide a brief description.

Definition 1 ([11]).
A generalized binary Huff curve is the set of projective points $(X : Y : Z) \in \mathbb{P}^2(\mathbb{F}_{2^m})$ satisfying the equation where $a, b, f \in \mathbb{F}_{2^m}^*$ and $a \neq b$.
There are three points at infinity that satisfy the curve equation, namely, $(a : b : 0)$, $(1 : 0 : 0)$, and $(0 : 1 : 0)$. Let $P_1 = (X_1 : Y_1 : Z_1)$ and $P_2 = (X_2 : Y_2 : Z_2)$; then, we get $P_1 + P_2 = (X_3 : Y_3 : Z_3)$ with unified point addition [8]: where $\alpha = (a + b)/b$ and $\beta = (a + b)/a$. The unified point addition formula in Equation (2) can be evaluated as described in [9]: The above operation needs 17 field multiplications, which is exactly the same as in the original one. Since point doubling does not have a zero value in any intermediate operation, it is secure against SPA. Recently, however, SCAs such as SPA using only one power consumption trace have been proposed [6,7]. Therefore, security analysis of the unified point addition formula should be considered not only for SPA but also for other analyses. Using these analyses, we present the vulnerabilities of the unified point addition method from [9] and report our experimental results in Sections 3 and 4, respectively.

ROSETTA and HCCA
Recovery of secret exponent by triangular trace analysis (ROSETTA) [7] and horizontal collision correlation attack (HCCA) [6] are based on the observations of the power consumption of the cryptosystems during the executions of field multiplications. They are powerful attacks on elliptic curve cryptosystems since they use only one power consumption trace for SPA. ROSETTA and HCCA can be used to reveal secret information by analyzing the correlation between the secret bit value and the power consumption of field multiplications without any prior knowledge of the inputs. Details of the analyses are as follows.
ROSETTA. Clavier's attack needs a single power consumption trace to recover secret information. For each field multiplication, ROSETTA detects whether the operation is $x \cdot x$ (squaring) or $x \cdot y$ (multiplication). Let $x = (x_{m-1}, x_{m-2}, \ldots, x_0)_{2^w}$ and $y = (y_{m-1}, y_{m-2}, \ldots, y_0)_{2^w}$. A $w$-bit multiplication $x_i \cdot y_j$ can be identified from the specific pattern in side-channel power consumption. ROSETTA considers the observations $O_1$ and $O_2$ extracted from the multiplication $x_i \cdot y_j$ for all $i \neq j$: From the observations $O_1$ and $O_2$, collisions between $x_i \cdot y_j$ and $x_j \cdot y_i$ for all $i \neq j$ can be used to identify squarings from multiplications. To identify these collisions of field multiplication trace, ROSETTA exploits a triangle trace analysis which uses a Euclidean distance distinguisher relying on a collision correlation technique.
HCCA. Bauer et al. introduced this method to extract keys using the collision of field multiplications in a single power consumption trace. The core idea of this attack is that collision occurs during two field multiplication computations when the same operands are used, which can be detected by HCCA. When performed in a horizontal setting, the observations $O_1$ and $O_2$ are extracted from the two field multiplications.
The advantage of these analyses is that the inputs of field multiplication can remain unknown since the adversary does not need to compute intermediate values. Countermeasures against ROSETTA and HCCA include shuffling the operands and blinding the operands of a field multiplication [10]. For $n$-bit field multiplication, the blinding operand method requires $t^2 + 2t + 1$ $w$-bit multiplications, where $t = \lceil n/w \rceil$. Unified point addition using blinding operands requires a great additional computational cost. Therefore, for efficiency, we propose a suitable and efficient countermeasure for the unified point addition operation, and we compare and analyze the proposed method with the existing unified point addition method using blinding operands on the binary Huff curve.

Vulnerabilities of Unified Point Addition
Many methods have been proposed to prevent SPA, such as unified point addition and the Montgomery ladder algorithm. Since unified point addition can compute point addition and point doubling with the same formula, it is secure against SPA. In addition, it can be applied to various algorithms easily. In this section, we define two types of vulnerabilities of unified point addition and find vulnerabilities of unified point addition of the binary Huff curve in [9].

Vulnerabilities of Unified Point Addition
We describe the vulnerabilities of unified point addition considering ROSETTA and HCCA. Both are analyses using the correlation between the input data and operations. ROSETTA can determine whether the operands of a field multiplication are equal (squaring) or different (multiplication). HCCA can determine whether two field multiplications have the same or different operands. We defined the two types of vulnerabilities exposed by these analyses.

Type 1. (Vulnerability by ROSETTA):
The unified point addition operation can compute the point doubling and point addition with the same formula. However, depending on the input points of unified point addition, field multiplications can be performed as squaring or multiplication. For example, let $P_1 = (X_1 : Y_1 : Z_1)$ and $P_2 = (X_2 : Y_2 : Z_2)$ be the two input points of the unified point addition formula. Note that there exists the operation $X_1 \cdot X_2$ in unified point addition. If $P_1 = P_2$, then this operation computes to $X_1 \cdot X_1$. If $P_1 \neq P_2$, then this operation computes to $X_1 \cdot X_2$. Then, this operation becomes a vulnerability that is exploitable by ROSETTA.

Type 2. (Vulnerability by HCCA):
Considering two field multiplications, if they have at least one common operand, they can be distinguished by HCCA. In unified point addition, the two different multiplications can be identically computed according to the inputs. For example, the operations $X_1 \cdot Y_1$ and $X_2 \cdot Y_2$ exist in unified point addition. If $P_1 = P_2$, then $X_1 \cdot Y_1$ will be computed twice. If $P_1 \neq P_2$, then $X_1 \cdot Y_1$ and $X_2 \cdot Y_2$ will be computed. Then, these operations become a vulnerability that is exploitable by HCCA.

Vulnerabilities of Binary Huff Curve
In this section, we find Type 1 and Type 2 vulnerabilities of unified point addition on the binary Huff curve from [9] during the computations of $P_1 + P_2$ for $P_1 = P_2$ and $P_1 \neq P_2$. Let $P_1 = (X_1 : Y_1 : Z_1)$ and $P_2 = (X_2 : Y_2 : Z_2)$. In each case, the unified point addition formula can be evaluated as shown in Table 1.
Table 1. Unified point addition on binary Huff curve.

Type 1 vulnerability: Let us consider the computation of m
Similarly, for $P_1 = P_2$, for $m_2$, $m_3$, $m_4$, and $m_5$, these are computed as , respectively. Thus, an adversary can distinguish between $P_1 = P_2$ and $P_1 \neq P_2$.

Type 2 vulnerability:
In Table 1 and $Y_3$ are the same for $P_1 = P_2$ but different for have the same inputs for $P_1 = P_2$ but different inputs for $P_1 \neq P_2$. Therefore, they can be distinguished between $P_1 = P_2$ and $P_1 \neq P_2$.
In this section, we have defined the two types of vulnerabilities and highlighted them in unified point addition on the binary Huff curve. These vulnerabilities can also be found in unified point additions on other elliptic curves. We explain how to find these vulnerabilities of unified point addition on other elliptic curves in Appendix A.

Experiments
In this section, we provide experimental results showing that unified point addition on the binary Huff curve is vulnerable to HCCA and ROSETTA. For this, we implemented a field multiplication for unified point addition on the binary Huff curve on an ARM Cortex-M4 processor on the ChipWhisperer CW308 UFO evaluation board [12]. The scheme of the experimental setup used for measuring the power consumption is shown in Figure 1. We collected a power consumption trace which is measured when 192 field multiplications are performed. We randomly selected whether the two operands of the two multiplications of each pair are identical or not for HCCA. Also, we randomly selected whether the operands of the multiplication are identical or not for ROSETTA. The power consumption trace was acquired using a Lecroy HDO oscilloscope with a sampling rate of 5 GS/s. We preprocessed the power consumption trace with a 168 MHz low-pass filter and 3-point maximum compression only for ROSETTA. Figure 2 shows a power consumption trace of field multiplications for unified point addition on the binary Huff curve. Using SPA and a cross-correlation technique, we identified each $w$-bit multiplication in a field multiplication and separated these into subtraces which correspond to each $w$-bit multiplication, as shown in Figure 3. For the experiment, we divided them into 96 pairs of subtraces of field multiplications for $(x_1) \cdot (y_1)$ and $(x_2) \cdot (y_2)$ for HCCA. Similarly, we separated a power consumption trace into subtraces of 192 field multiplications for $(x) \cdot (y)$ for ROSETTA. To perform HCCA and ROSETTA, each subtrace was classified into two groups appropriately according to each analysis method. To find a pairwise collision, we separated the subtraces into two groups based on the following fact.
Since HCCA determines whether a collision occurs during two field multiplications or not, we divided the subtraces of the $w$-bit multiplications $(x_1)_i \cdot (y_1)_j$ and $(x_2)_i \cdot (y_2)_j$ for all $i, j$ of the two multiplications $(x_1) \cdot (y_1)$ and $(x_2) \cdot (y_2)$ into each group. In the case of ROSETTA, similar to HCCA, we divided the subtraces of the $w$-bit multiplications $(x)_i \cdot (y)_j$ and $(x)_j \cdot (y)_i$ for all $i \neq j$ of a field multiplication $x \cdot y$ into each group.
To find points of interest (POIs), i.e., those having the most collision-related leakage information, we calculated the sum of squared pairwise t-differences (SOST), which is Welch's t-test of two groups, using the following: where $m_i$ is the mean trace of group $i$, and $\sigma_i^2$ is the variance trace of group $i$ [13,14]. SOST is a tool mainly used to identify side-channel leakage and is discussed in the SCA literature [15-17]. Because SOST is computed depending on the group's statistics and each group is separated based on the operand of $w$-bit multiplication, points having high SOST indicate POIs. Since HCCA uses both the inputs and the output of $w$-bit multiplication, we selected points having a SOST value higher than some heuristic threshold. However, ROSETTA uses the output of $w$-bit multiplication, and we selected points having leakage of manipulating the output, considering the sequence of the multiplication. The SOST results and POIs for HCCA and ROSETTA are shown in Figure 4a,b, respectively.
We checked for a collision between subtraces corresponding to each group. The occurrence of a collision was determined by calculating Pearson's correlation coefficients. For this, we reconstructed all subtraces composed of values of POIs only. Then, Pearson's correlation coefficients were calculated between subtraces corresponding to each group over every point. Then, correlation coefficients corresponding to the same field multiplications and the same groups were averaged over the points.
The values of the correlation coefficient sequences indicating a collision were averaged. As a result, this averaged value became a criterion for determining whether a collision occurs or not. We set the threshold by averaging all final values, which were the criteria for each collision check, and confirmed collisions by comparing the magnitude of each value and threshold. If a value was higher than the threshold, we guessed that collision occurs; otherwise, the collision was assumed not to occur. The analysis results of HCCA and ROSETTA are shown in Figure 5a,b, respectively. As a result, the success rates of HCCA and ROSETTA are 97.92% and 94.79%, respectively. These results prove that the aforementioned HCCA and ROSETTA vulnerabilities are real.
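The POI selection and collision decision described in this section, run on simulated traces as an added example (not the authors' code or measurements). The Hamming-weight leakage model, the leak positions, the noise level, the low/high grouping rule and the squared-Welch-t form of SOST are assumptions, and all operands and traces are constructed.

```python
import math
import random

W, T, SAMPLES = 32, 8, 24          # word bits, words per operand, samples per subtrace
LEAK_AT = {5: 0, 11: 1, 17: 2}     # constructed leak positions: x word, y word, product

def clmul(a, b):
    """Carry-less word product, as in binary-field multiplication."""
    out = 0
    for i in range(b.bit_length()):
        if (b >> i) & 1:
            out ^= a << i
    return out

def hw(v):
    return bin(v).count("1")

def leak_values(x, y):
    """Intermediates assumed to leak during one w-bit multiplication."""
    return (hw(x), hw(y), hw(clmul(x, y)))

def field_mul_trace(xs, ys, rng, sigma):
    """One simulated subtrace per w-bit multiplication x_i * y_j (Hamming weight + noise)."""
    trace = []
    for x in xs:
        for y in ys:
            leak = leak_values(x, y)
            trace.append([(leak[LEAK_AT[s]] if s in LEAK_AT else 0.0) + rng.gauss(0.0, sigma)
                          for s in range(SAMPLES)])
    return trace

def sost(group1, group2):
    """Squared Welch t statistic per sample between two groups of subtraces."""
    stats = []
    for s in range(SAMPLES):
        cols = [[t[s] for t in g] for g in (group1, group2)]
        means = [sum(c) / len(c) for c in cols]
        var = [sum((v - m) ** 2 for v in c) / (len(c) - 1) for c, m in zip(cols, means)]
        stats.append((means[0] - means[1]) ** 2
                     / (var[0] / len(cols[0]) + var[1] / len(cols[1])))
    return stats

def find_pois(subtraces, leaks, threshold=50.0):
    """Split on each known intermediate (low/high Hamming weight); keep high-SOST samples."""
    pois = set()
    for k in range(3):
        median = sorted(lk[k] for lk in leaks)[len(leaks) // 2]
        high = [t for t, lk in zip(subtraces, leaks) if lk[k] >= median]
        low = [t for t, lk in zip(subtraces, leaks) if lk[k] < median]
        pois |= {s for s, v in enumerate(sost(high, low)) if v > threshold}
    return sorted(pois)

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    return cov / math.sqrt(sum((p - ma) ** 2 for p in a) * sum((q - mb) ** 2 for q in b))

def collision_score(trace1, trace2, pois):
    """Correlation between two field multiplications, averaged over the POIs."""
    return sum(pearson([t[p] for t in trace1], [t[p] for t in trace2]) for p in pois) / len(pois)

def run_experiment(seed=2024, pairs=96, sigma=1.0):
    rng = random.Random(seed)
    operand = lambda: [rng.getrandbits(W) for _ in range(T)]
    # Profiling step with known operands to locate the POIs.
    prof_traces, prof_leaks = [], []
    for _ in range(20):
        xs, ys = operand(), operand()
        prof_traces += field_mul_trace(xs, ys, rng, sigma)
        prof_leaks += [leak_values(x, y) for x in xs for y in ys]
    pois = find_pois(prof_traces, prof_leaks)
    # Pairs of field multiplications that share both operands at random.
    truth, scores = [], []
    for _ in range(pairs):
        x1, y1 = operand(), operand()
        collide = rng.random() < 0.5
        x2, y2 = (x1, y1) if collide else (operand(), operand())
        scores.append(collision_score(field_mul_trace(x1, y1, rng, sigma),
                                      field_mul_trace(x2, y2, rng, sigma), pois))
        truth.append(collide)
    threshold = sum(scores) / len(scores)     # mean of all scores, as in the text
    hits = sum((s > threshold) == t for s, t in zip(scores, truth))
    return pois, hits / pairs

if __name__ == "__main__":
    pois, rate = run_experiment()
    print("POIs:", pois, "collision decisions correct:", rate)
```

Raising `sigma` in `run_experiment` shows how quickly the decision rate degrades as the simulated leakage gets noisier.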

Countermeasures
As for the two types of vulnerabilities considered in this paper, we introduce the following interesting properties: they make use of a single power consumption trace, yet they do not require knowledge of the inputs to the unified point addition formula for the binary Huff curve. Due to these properties, the application of classical blinding countermeasures (point blinding, scalar blinding, random projective coordinates) is not recommended. We propose new countermeasures against these vulnerabilities of unified point addition.
Type 1 and Type 2 vulnerabilities are due to two problems in unified point addition on the binary Huff curve. The first is that each coordinate of input points of the unified point addition operation has the same value. This problem can be solved by using the equivalence class of projective coordinates [18]. Let $F$ be a finite field. In a binary Huff curve, the equivalence class containing $(X, Y, Z)$ is Notice that if $(X', Y', Z') \in (X : Y : Z)$, then $(X' : Y' : Z') = (X : Y : Z)$. Let $P = (X : Y : Z)$ and $P' = (X' : Y' : Z')$ be the equivalence class, where $X' = rX$, $Y' = rY$, and $Z' = rZ$, $r \neq 1$. Then, $(X : Y : Z) = (X' : Y' : Z')$. When considering $P_3 = P + P$ and $P_4 = P + P'$, each coordinate of input points of $P$ and $P'$ has a different value, but $P_3 = P_4$. The equivalence class has been used in random projective coordinates (RPCs), which is a countermeasure of DPA [19]. However, RPCs are generally applied only to the input $P$ of the elliptic curve scalar multiplication. Of course, RPCs can be applied to every execution or after each unified point addition. Unfortunately, in this case, the computational cost is disadvantageously increased for RPCs. Since we only need to convert $P$ to a different coordinate of the same equivalence class, the bit size of $r$ need not be the same as the bit size of the finite field. Therefore, for computational efficiency, we propose a $w$-bit random projective coordinate (wRPC) that limits the size of $r$ to $w$ bits. The proposed wRPC for the binary Huff curve is depicted in Algorithm 1.

Algorithm 1: A w-bit random projective coordinate for the binary Huff curve (wRPC)
Require: $P = (X : Y : Z)$
Ensure: $P' = (X' : Y' : Z')$
1: Generate a $w$-bit random number $r$ with $r \neq 1$
2: $X' \leftarrow rX$; $Y' \leftarrow rY$; $Z' \leftarrow rZ$
3: return $P'$

In Algorithm 1, $w$ is the bit size of a word multiplication for a field multiplication. In this work, we only considered the application of wRPC on a side-channel atomic algorithm using unified point addition [4]. The side-channel atomic algorithm using wRPC is described by Algorithm 2. We show the additional cost of Algorithm 2 in Section 5.
$R_0 \leftarrow$ wRPC($R_2$) 5: $i \leftarrow i - \neg k$ 9: end while 10: return $R_0$
Although Algorithm 2 using unified point addition is secure against Type 1 vulnerabilities, it is still insecure against Type 2. We show in the next subsection that it is not secure against Type 2 vulnerabilities. To be secure against Type 2 vulnerabilities, it is necessary to reconstruct the calculation process of unified point addition. For this reason, we propose a new unified point addition formula for the binary Huff curve as follows: The proposed unified point addition operation is based on masking by $m_4$ and $m_5$. To use the advantage of almost no computational cost for squaring in a binary field, we configured the calculation of masking $m_4$ and $m_5$ by squaring. Thus, the proposed method needs 17 field multiplications, which is exactly the same as in [9]. Furthermore, we explain Type 1 and Type 2 vulnerabilities of several unified point addition formulae and propose countermeasures in Appendix A.

Security Analysis of the Proposed Method
In this section, we analyze Type 1 and Type 2 vulnerabilities of Algorithm 2 using the proposed unified point addition method. Let the input $R_2 = (X_1 : Y_1 : Z_1)$ in step 4 and let the input $R_1 = (X_2 : Y_2 : Z_2)$ in step 5. Then, in step 6, the two inputs $R_2$ and $R_k$ of the proposed unified point addition are $P_1 = R_2$, $P_2 = R_0$ if $k = 0$ and $P_1 = R_2$, $P_2 = R_1$ if $k = 1$. The two inputs are expressed as follows: where $r \neq 1$. The proposed unified point addition method can be evaluated as shown in Table 2. In Table 2, if $P_1 = P_2$ ($k = 0$), then the output of the proposed unified point addition operation is $X_3' = r_1^4 X_3$, $Y_3' = r_1^4 Y_3$, $Z_3' = r_1^4 Z_3$, where $(X_3 : Y_3 : Z_3)$ is the output of Table 1. Since $(X_3', Y_3', Z_3') \in (X_3 : Y_3 : Z_3)$, then $(X_3' : Y_3' : Z_3') = (X_3 : Y_3 : Z_3)$. In addition, if $P_1 = P_2$, then $m_1$, $m_2$, $m_3$, $m_4$, and $m_5$ can be computed as follows:

Type 1 vulnerability: As shown in
For $m_1$, although $P_1 = P_2$, the operands $X_1$ and $r_1 X_1$ are different. Similarly, the operands of the field multiplications for $m_2$, $m_3$, $m_4$, and $m_5$ are different. Also, there is no other field multiplication vulnerable to Type 1. Thus, the proposed algorithm is secure against the Type 1 vulnerability for the binary Huff curve.
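Algorithm 1 and the Type 1 argument above, as an added example that is not code from the paper: it scales a point by a w-bit r in GF(2^233), confirms the result is the same projective point, and tests whether the word products x_i·y_j and x_j·y_i still coincide, which is the squaring pattern ROSETTA looks for. The NIST reduction polynomial for 233 bits, the constructed coordinates, the fixed r, the function names and the use of all three coordinate-wise products (the text names X1·X2) are assumptions; Type 2 is not covered here.

```python
import hashlib
import secrets

N_BITS = 233                          # one of the field sizes listed in the text
POLY = (1 << 233) | (1 << 74) | 1     # NIST reduction polynomial x^233 + x^74 + 1
W = 32                                # word size w
T = -(-N_BITS // W)                   # t = ceil(n / w) words per field element

def clmul(a, b):
    """Carry-less product of two GF(2) polynomials held in ints."""
    out = 0
    for i in range(b.bit_length()):
        if (b >> i) & 1:
            out ^= a << i
    return out

def gf_mul(a, b):
    """Multiplication in GF(2^233): carry-less product, then reduction."""
    v = clmul(a, b)
    while v.bit_length() > N_BITS:
        v ^= POLY << (v.bit_length() - 1 - N_BITS)
    return v

def words(v):
    """Split a field element into its t w-bit words, least significant first."""
    return [(v >> (W * i)) & ((1 << W) - 1) for i in range(T)]

def wrpc(point, r=None):
    """Algorithm 1: return (rX : rY : rZ) for a w-bit r with r != 1.

    r = 0 is rejected as well (assumption: it would not give a valid point).
    """
    if r is None:
        r = 0
        while r < 2:
            r = secrets.randbits(W)
    if not 2 <= r < (1 << W):
        raise ValueError("r must be a w-bit value other than 0 and 1")
    return tuple(gf_mul(r, c) for c in point)

def same_projective_point(p, q):
    """(X:Y:Z) and (X':Y':Z') are the same class iff all cross products agree."""
    (x1, y1, z1), (x2, y2, z2) = p, q
    return (gf_mul(x1, y2) == gf_mul(x2, y1)
            and gf_mul(x1, z2) == gf_mul(x2, z1)
            and gf_mul(y1, z2) == gf_mul(y2, z1))

def looks_like_squaring(x, y):
    """Type 1 condition at word level: x_i*y_j == x_j*y_i for all i != j."""
    xs, ys = words(x), words(y)
    return all(clmul(xs[i], ys[j]) == clmul(xs[j], ys[i])
               for i in range(T) for j in range(i))

def type1_exposed(p1, p2):
    """True if a coordinate-wise product such as X1*X2 shows the squaring pattern."""
    return any(looks_like_squaring(a, b) for a, b in zip(p1, p2))

# Constructed 233-bit coordinates (not checked against a curve equation) and a fixed r.
P = tuple(int.from_bytes(hashlib.sha256(label).digest(), "big") >> 23
          for label in (b"constructed X", b"constructed Y", b"constructed Z"))
R = 0x9E3779B9

if __name__ == "__main__":
    scaled = wrpc(P, R)
    print("same class:", same_projective_point(P, scaled))
    print("doubling without wRPC, Type 1 exposed:", type1_exposed(P, P))
    print("doubling with wRPC, Type 1 exposed:", type1_exposed(P, scaled))
```

Each call to `wrpc` multiplies three coordinates by a single word, which is where the 3·t word multiplications per call in the cost comparison come from.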

Type 2 vulnerability:
Although wRPC is applied to the proposed unified point addition operation, 11 ] + $M \cdot m_{11}$ so that an adversary cannot distinguish between $P_1 = P_2$ and $P_1 \neq P_2$ using a Type 2 vulnerability. However, an additional cost is incurred for $M \cdot m_{11}$. To reduce this additional cost, we computed (Table 2).

Comparisons
We compared the proposed method with the previously presented unified point addition operations with respect to computational cost. Also, we compared the proposed method with the previously unified point addition formulae to which we applied the blinding operands of field multiplication. In this work, as the side-channel atomic algorithms, we considered (i) the proposed method, (ii) the unified point additions in [8,9], and (iii) the application of the blinding operands of a field multiplication [10] on the unified point addition method in [8,9]. We analyzed two aspects, that is, security against SCAs and computational cost. Table 3 shows the security against SCAs. The unified point additions described in [8,9] using the blinding operands in [10] are secure against ROSETTA and HCCA.

Table 3. The security against side-channel attacks (SCAs) of algorithms.

| Algorithm | SPA | ROSETTA | HCCA |
|---|---|---|---|
| [8] | insecure | insecure | insecure |
| [9] | secure | insecure | insecure |
| [8] using [10] | secure | secure | secure |
| [9] using [10] | secure | secure | secure |
| proposed method | secure | secure | secure |

The computational costs of [8,9] are the same. Also, the computational cost of the proposed unified point addition method is the same as that of the previous one. Thus, the computational costs of the algorithms are affected by the additional cost of wRPC and [10]. Let $w = 32$ and let $n$ be the bit size of a finite field. Also, let $t = \lceil n/32 \rceil$. We consider that $n$ has one of the bit sizes of the standard binary curve in FIPS 186-3 [20] (233, 283, 409, and 571). The computational cost of an iteration of the algorithms is shown in Table 4.

| n | Algorithm | M | Additional cost | Total cost | Ratio |
|---|---|---|---|---|---|
| | [8,9] | 169 | - | 2873 | 1.000 |
| | [8,9] using [10] | 196 | - | 3332 | 1.160 |
| | proposed | 169 | 78 | 2951 | 1.027 |
| 571 | [8,9] | 324 | - | 5508 | 1.000 |
| 571 | [8,9] using [10] | 361 | - | 6137 | 1.114 |
| 571 | proposed method | 324 | 108 | 5616 | 1.020 |

In Table 4, $M$ is the number of $w$-bit multiplications of a field multiplication. Namely, $M = t^2$ in [8,9] and in the proposed method. Also, $M = t^2 + 2t + 1$ in [8,9] with [10]. The additional cost is the number of $w$-bit multiplications of wRPC in the proposed method. Namely, (additional cost) $= 2 \cdot (3 \cdot t)$ for the proposed method. The total cost is the number of $w$-bit multiplications of an iteration of the side-channel atomic algorithm using unified point additions. Namely, (total cost) $= 17 \cdot M +$ (additional cost). The ratio is the overhead of the algorithm when the original algorithm [8,9] is assumed as 1. This shows that the proposed algorithm is about 0.2∼4.4% slower than [8,9]. However, the methods from [8,9] are not secure against ROSETTA and HCCA. The proposed method is about 8.5∼17.5% faster than the previous methods from [8,9] using [10], which are secure against ROSETTA and HCCA. In addition, the previous methods ([8,9] using [10]) also require random number generation for $r_1$ and $r_2$ in each field multiplication.

Conclusions
In this paper, we present two vulnerabilities of unified point addition on the binary Huff curve; these vulnerabilities are exploitable by ROSETTA and HCCA. In particular, we found these vulnerabilities of unified point addition on the binary Huff curve as presented in [9]. As countermeasures, we propose wRPC and present a new unified point addition method for the binary Huff curve. Additionally, we show the proposed unified point addition method and wRPC applied to the side-channel atomic algorithm. The proposed method is secure against ROSETTA and HCCA. In addition, the proposed unified point addition method has no additional cost compared to the previous one. However, wRPC does incur additional cost. Depending on the size of the base field of an elliptic curve, the proposed method is about 0.2∼4.4% slower than the original one. However, it is about 8.5∼17.5% faster than unified point additions using blinding operands as a countermeasure. Additionally, we present our analyses of the vulnerabilities of unified point addition on other elliptic curves, such as Weierstraß, Hessian, Edwards, Jacobi intersections, Jacobi quartic, and binary Edwards elliptic curves in Appendix A.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A
We applied Type 1 and Type 2 vulnerabilities to unified point additions on other elliptic curves. As a result, we found that most unified point additions on these elliptic curves (such as Weierstraß, Hessian, Edwards, Jacobi intersections, Jacobi quartic, and binary Edwards elliptic curves) have these vulnerabilities. Table A1 shows the vulnerability of each unified point addition. In the case of Hessian, Edwards, Jacobi intersections, and Jacobi quartic curves, it is enough to apply wRPC to unified point additions to ensure security against Type 1 and Type 2 vulnerabilities. However, in the case of Weierstraß and binary Edwards elliptic curves, we need to modify the unified point addition formula. In this section, we explain the vulnerabilities of unified point addition and its countermeasure for Weierstraß, Hessian, Edwards, Jacobi intersections, Jacobi quartic, and binary Edwards elliptic curves.
A Weierstraß elliptic curve has the parameters $a$ and $b$ that satisfy the following equations: The projective coordinates have the assumption $a = -3$ and represent $x, y$ as $X, Y, Z$ to satisfy the following equations: We describe a projective form of the unified point addition method (add-2007-bl) given in [21]. Let $P_1 = (X_1 : Y_1 : Z_1)$ and $P_2 = (X_2 : Y_2 : Z_2)$; then, we can get $P_1 + P_2 = (X_3 : Y_3 : Z_3)$ by the unified point addition formula for the Weierstraß elliptic curve: where This formula requires 11 field multiplications and 6 field squarings. We found both Type 1 and Type 2 vulnerabilities during the computations of $P_1 + P_2$ for $P_1 = P_2$ and $P_1 \neq P_2$.

Type 1 vulnerability: Let us consider the computation
Thus, we can distinguish between $P_1 = P_2$ and $P_1 \neq P_2$ using ROSETTA.

Type 2 vulnerability: Let us consider the computations
for $U_1$ and $U_2$ are the same for $P_1 = P_2$ but different for $P_1 \neq P_2$. Similarly, considering , the multiplications for $S_1$ and $S_2$ have the same operands for $P_1 = P_2$ but different operands for $P_1 \neq P_2$. Therefore, we can distinguish between $P_1 = P_2$ and $P_1 \neq P_2$ using HCCA.
Applying wRPC to unified point addition on the Weierstraß elliptic curve, the two inputs are expressed as follows: where $r \neq 1$. Although wRPC is applied to unified point addition, Thus, we need to modify $U_1 \cdot U_2$ in $R$. We modified $R$ as follows: After applying the above modification to unified point addition, 11 field multiplications and 6 field squarings were required, which are exactly the same as those required by the original one. After applying wRPC to the modified unified point addition formula, Type 1 and Type 2 vulnerabilities no longer exist (Table A2).
Table A2. The proposed unified point addition method on the Weierstraß elliptic curve by applying wRPC.

Appendix A.2 Hessian Elliptic Curve
A Hessian elliptic curve has a parameter $d$ that satisfies the following equation: The projective coordinates represent $x, y$ as $X, Y, Z$ satisfying the following equation: $x = X/Z$ and $y = Y/Z$. The equivalence class containing $(X, Y, Z)$ is We describe a projective form of the unified point addition formula (add-2009-bkl) given in [21]. Let $P_1 = (X_1 : Y_1 : Z_1)$ and $P_2 = (X_2 : Y_2 : Z_2)$; then, we get $P_1 + P_2 = (X_3 : Y_3 : Z_3)$ with the unified point addition formula for the Hessian elliptic curve: This formula requires 12 field multiplications. We can identify vulnerabilities of Type 1 and Type 2 during the computations of $P_1 + P_2$ for $P_1 = P_2$ and $P_1 \neq P_2$.

Type 1 vulnerability: Let us consider the computation
respectively. Thus, we can distinguish between $P_1 = P_2$ and $P_1 \neq P_2$ using ROSETTA.

Type 2 vulnerability: Let us consider the computations
are computed. Thus, they have the same operand $Y_1$ when $P_1 = P_2$ but not when $P_1 \neq P_2$. Similarly, considering $C = [Z_1] \cdot [Y_2]$ and $E = [X_1] \cdot [Z_2]$, the multiplications for $C$ and $E$ have the same operand $Z_1$ for $P_1 = P_2$ and different operands for $P_1 \neq P_2$. Also, the multiplications for $A$ and $E$ have the same operand $X_1$ for $P_1 = P_2$. Therefore, we can distinguish between $P_1 = P_2$ and $P_1 \neq P_2$ using HCCA.

When applying wRPC to unified point addition on the Hessian elliptic curve, the two inputs are expressed as follows: where r = 1. It is sufficient to secure against Type 1 and Type 2 vulnerabilities by applying wRPC to unified point addition. The application of wRPC to unified point addition is evaluated in Table A3. Table A3 shows that vulnerabilities of Type 1 and Type 2 no longer exist.

Table A3. Unified point addition for the Hessian elliptic curve form.
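The following Python model is an added example, not code from the paper: it replays a multiplication schedule once with $P_1 = P_2$ and once with $P_1 \neq P_2$ and reports the squarings (Type 1) and shared operand values (Type 2) that occur only in the first case, with and without wRPC, for the Weierstraß and Hessian passages above. The operands of U1, U2 and U1·U2 are assumed from the add-2007-bl formula cited as [21] (the formula itself is missing from the text above), C and E are the Hessian multiplications quoted above, and the field, seed and function names are constructed.

```python
import random

P = 2**61 - 1  # constructed toy prime field; makes chance collisions negligible

# Multiplications as (result, left operand, right operand), evaluated in order.
# Assumption: U1, U2 and the U1*U2 term of R as in add-2007-bl (cited as [21]).
WEIERSTRASS = [("U1", "X1", "Z2"), ("U2", "X2", "Z1"), ("U1U2", "U1", "U2")]
# C and E are the two Hessian multiplications quoted in the Type 2 paragraph.
HESSIAN = [("C", "Z1", "Y2"), ("E", "X1", "Z2")]

def inputs(rng, same_point, wrpc):
    """Coordinates of P1 and P2; with wRPC, P2 is rescaled to (r*X : r*Y : r*Z)."""
    p1 = [rng.randrange(2, P) for _ in range(3)]
    p2 = list(p1) if same_point else [rng.randrange(2, P) for _ in range(3)]
    r = rng.randrange(2, P) if wrpc else 1  # r drawn from [2, P) when wRPC is on
    p2 = [r * c % P for c in p2]
    return dict(zip(["X1", "Y1", "Z1", "X2", "Y2", "Z2"], p1 + p2))

def collisions(schedule, vals):
    """Type 1 (both operands equal) and Type 2 (operand shared by two ops) events."""
    vals, ops, found = dict(vals), [], set()
    for name, a, b in schedule:
        if vals[a] == vals[b]:
            found.add(("type1", name))
        for prev, operands in ops:
            if operands & {vals[a], vals[b]}:
                found.add(("type2", prev, name))
        ops.append((name, {vals[a], vals[b]}))
        vals[name] = vals[a] * vals[b] % P  # later steps may use this result
    return found

def leaks(schedule, wrpc, seed=1):
    """Events that occur when P1 = P2 but not when P1 != P2."""
    rng = random.Random(seed)  # fixed seed: a reproducible model, not key material
    doubling = collisions(schedule, inputs(rng, True, wrpc))
    addition = collisions(schedule, inputs(rng, False, wrpc))
    return doubling - addition

if __name__ == "__main__":
    for label, sched in (("Weierstrass", WEIERSTRASS), ("Hessian", HESSIAN)):
        for wrpc in (False, True):
            print(label, "wRPC" if wrpc else "plain", sorted(leaks(sched, wrpc)))
```

With wRPC the Hessian pair reports nothing, while the Weierstraß schedule still reports U1·U2 as a squaring, which matches the statement above that R has to be modified for that curve.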

Appendix A.3 Edwards Elliptic Curve
An Edwards elliptic curve has the parameters $c$ and $d$ that satisfy the following equation: The inverted projective coordinates represent $x, y$ as $X, Y, Z$ to satisfy the following equation: We describe an inverted projective form of the unified point addition formula (add-2007-bl) given in [21]. Let $P_1 = (X_1 : Y_1 : Z_1)$ and $P_2 = (X_2 : Y_2 : Z_2)$. Then, we get $P_1 + P_2 = (X_3 : Y_3 : Z_3)$ by the unified point addition formula for the Edwards elliptic curve: This formula requires 9 field multiplications and 1 field squaring. We can identify vulnerabilities of Type 1 and Type 2 during the computations of $P_1 + P_2$ for $P_1 = P_2$ and $P_1 \neq P_2$.

Type 1 vulnerability: Let us consider the computation
Thus, we can distinguish between $P_1 = P_2$ and $P_1 \neq P_2$ using ROSETTA.

Type 2 vulnerability:
The vulnerability of Type 2 does not exist.
When applying wRPC to unified point addition for the Edwards elliptic curve, the two inputs are expressed as follows: $P_1 = (X_1 : Y_1 : Z_1)$, $P_2 = (r_1 X_1 : r_1 Y_1 : r_1 Z_1)$ if $k = 0$, where r = 1. It is sufficient to secure against a Type 1 vulnerability by applying wRPC to unified point addition. The application of wRPC to unified point addition is evaluated in Table A4. Table A4 shows that the Type 1 vulnerability no longer exists.

Table A4. Unified point addition for the Edwards elliptic curve.

Appendix A.4 Jacobi Intersections Elliptic Curve
An elliptic curve in Jacobi intersection form has the parameter $a$ and coordinates $s, c, d$ that satisfy the following equations: The projective coordinates represent $s, c, d$ as $S, C, D, Z$ to satisfy the following equations: We describe a projective form of the unified point addition formula (add-20080225-hwcd) given in [21]. Let $P_1 = (S_1 : C_1 : D_1 : Z_1)$ and $P_2 = (S_2 : C_2 : D_2 : Z_2)$; then, we get $P_1 + P_2 = (S_3 : C_3 : D_3 : Z_3)$ with the unified point addition formula for the Jacobi intersection elliptic curve: where This formula requires 13 field multiplications and 1 field squaring. We can identify vulnerabilities of Type 1 and Type 2 during the computations of $P_1 + P_2$ for $P_1 = P_2$ and $P_1 \neq P_2$.

for $A$ and $B$ are the same for $P_1 = P_2$ and different for $P_1 \neq P_2$. Similarly, consider multiplications for $B$ and $D$, $E$ and $G$, $F$ and $H$, and $J$ and $K$. These multiplication pairs have the same operands for $P_1 = P_2$ and different operands for $P_1 \neq P_2$. Also, consider multiplication of are computed. Thus, they have the same operand $S_1$ when $P_1 = P_2$ but not when $P_1 \neq P_2$. Similarly, the multiplication pairs $A$ and $H$, $B$ and $E$, $B$ and $F$, $C$ and $E$, $C$ and $F$, $D$ and $G$, and $D$ and $H$ have the same operand $C_1$, $D_1$, $Z_1$, $S_1$, $C_1$, $D_1$, and $Z_1$ for $P_1 = P_2$, respectively. Therefore, we can distinguish between $P_1 = P_2$ and $P_1 \neq P_2$ using HCCA.

Applying wRPC to unified point addition of the Jacobi intersection elliptic curve, the two inputs are expressed as follows:

$$
\begin{aligned}
P_1 &= (S_1 : C_1 : D_1 : Z_1), & P_2 &= (r_1 S_1 : r_1 C_1 : r_1 D_1 : r_1 Z_1) && \text{if } k = 0, \\
P_1 &= (S_1 : C_1 : D_1 : Z_1), & P_2 &= (r_2 S_2 : r_2 C_2 : r_2 D_2 : r_2 Z_2) && \text{if } k = 1,
\end{aligned}
\tag{A16}
$$

where r = 1. It is sufficient to secure against a Type 2 vulnerability by applying wRPC to unified point addition. The application of wRPC to unified point addition is evaluated in Table A5. Table A5 shows that the Type 2 vulnerability no longer exists.

Table A5. Unified point addition for the Jacobi intersection elliptic curve form.

Appendix A.5 Jacobi Quartic Elliptic Curve
An elliptic curve in the Jacobi quartic form has the parameter $a$ and coordinates $x, y$ that satisfy the following equation: The projective coordinates represent $x, y$ as $X, Y, Z$ to satisfy the following equations: The equivalence class containing $(X, Y, Z)$ is We describe a projective form of the unified point addition formula (add-2007-bl) given in [21]. Let $P_1 = (X_1 : Y_1 : Z_1)$ and $P_2 = (X_2 : Y_2 : Z_2)$; then, we get $P_1 + P_2 = (X_3 : Y_3 : Z_3)$ with the unified point addition formula for the Jacobi quartic elliptic curve: where This formula requires 8 field multiplications and 6 field squarings. We can identify vulnerabilities of Type 1 and Type 2 during the computations of $P_1 + P_2$ for $P_1 = P_2$ and $P_1 \neq P_2$.

Type 1 vulnerability: Let us consider the computation
respectively. Thus, we can distinguish between $P_1 = P_2$ and $P_1 \neq P_2$ using ROSETTA.

Type 2 vulnerability: Let us consider the computations
are computed. Thus, they have the same operand $Y_1$ when $P_1 = P_2$ but not when $P_1 \neq P_2$. Similarly, considering the multiplications for $C$ and $E$ have the same operand $Z_1$ for $P_1 = P_2$ and different operands for $P_1 \neq P_2$. Also, the multiplications for $A$ and $E$ have the same operand $X_1$ for $P_1 = P_2$. Therefore, we can distinguish between $P_1 = P_2$ and $P_1 \neq P_2$ using HCCA.

By Algorithm 2, to use unified point addition on the Jacobi quartic elliptic curve, the two inputs of step 8 are expressed as follows: (A20) where r = 1. It is sufficient to secure against Type 1 and Type 2 vulnerabilities by applying wRPC to unified point addition. The application of wRPC to unified point addition is evaluated in Table A6. Table A6 shows that vulnerabilities of Type 1 and Type 2 no longer exist.

Table A6. Unified point addition for the Jacobi quartic elliptic curve form.

Appendix A.6 Binary Edwards Elliptic Curve
A binary Edwards elliptic curve has the parameters $d_1$ and $d_2$ that satisfy the following equation: The projective coordinates represent $x, y$ as $X, Y, Z$ to satisfy the following equation: $x = X/Z$ and $y = Y/Z$. The equivalence class containing $(X, Y, Z)$ is $(X : Y : Z) = \{(rX, rY, rZ) : r \in F\}$.

This formula requires 18 field multiplications. We found both Type 1 and Type 2 vulnerabilities during the computations of $P_1 + P_2$ for $P_1 = P_2$ and $P_1 \neq P_2$.

Type 1 vulnerability: Let us consider the computation $A = [X_1] \cdot [X_2]$. In this formula, it is computed as $[X_1] \cdot [X_1]$ for $P_1 = P_2$, whereas it is computed as $[X_1] \cdot [X_2]$ for $P_1 \neq P_2$. Similarly, Also, if $P_1 = P_2$, $I$ and $J$ compute as follows: ]. An adversary can distinguish between $P_1 = P_2$ and $P_1 \neq P_2$ using ROSETTA. ] in $Z_3$. If $P_1 = P_2$, since $C = I = J$, both operations have at least one same operand. Therefore, they can be distinguished using HCCA.

After applying the above modification to the unified point addition, 18 field multiplications were required, which was exactly the same as in the original one. After applying wRPC to the modified unified point addition method, Type 1 and Type 2 vulnerabilities no longer exist (Table A7).

Table A7. The proposed unified point addition method on the binary Edwards elliptic curve.