Fault Attacks on Projective-to-Affine Coordinates Conversion

  • Diana Maimuţ
  • Cédric Murdica
  • David Naccache
  • Mehdi Tibouchi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7864)


This paper presents a new type of fault attack on elliptic curve cryptosystems.

At EUROCRYPT 2004, Naccache et alii showed that when the result of an elliptic curve scalar multiplication [k]P (computed using a fixed scalar multiplication algorithm, such as double-and-add) is given in projective coordinates, an attacker can recover information on k. The attack is somewhat theoretical, because elliptic curve cryptosystem implementations usually convert the scalar multiplication’s result back to affine coordinates before outputting [k]P.

This paper explains how injecting faults in the final projective-to-affine coordinate conversion enables an attacker to retrieve the projective coordinates of [k]P, making Naccache et alii’s attack also applicable to implementations that output points in affine coordinates. As a result, such faults allow the recovery of information about k.


Keywords: Fault Attack, ECC, ECDSA, Projective Coordinates, Affine Coordinates




References

  1. Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The Sorcerer’s Apprentice Guide to Fault Attacks. Journal of IACR Cryptology ePrint Archive 2004, IACR 2004 (2004)
  2. Barenghi, A., Bertoni, G., Palomba, A., Susella, R.: A novel fault attack against ECDSA. In: Proceedings of HOST 2011, pp. 161–166. IEEE (2011)
  3. Biehl, I., Meyer, B., Müller, V.: Differential Fault Attacks on Elliptic Curve Cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)
  4. Blake, I.F., Seroussi, G., Smart, N.P.: Elliptic Curves in Cryptography. Cambridge University Press (1999)
  5. Boneh, D.: The Decision Diffie-Hellman Problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998)
  6. Ciet, M., Joye, M.: Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults. Journal of Designs, Codes and Cryptography 2005, Des. Codes Cryptography 36, 33–43 (2004)
  7. Coron, J.-S.: Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)
  8. Fan, J., Gierlichs, B., Vercauteren, F.: To Infinity and Beyond: Combined Attack on ECC Using Points of Low Order. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 143–159. Springer, Heidelberg (2011)
  9. Fouque, P.A., Lercier, R., Réal, D., Valette, F.: Fault Attack on Elliptic Curve Montgomery Ladder Implementation. In: Proceedings of FDTC 2008, pp. 257–267. IEEE (2008)
  10. Fouque, P.A., Stern, J., Wackers, J.G.: CryptoComputing with Rationals. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 136–146. Springer, Heidelberg (2003)
  11. Giraud, C., Knudsen, E.W.: Fault Attacks on Signature Schemes. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 478–491. Springer, Heidelberg (2004)
  12. Giraud, C., Knudsen, E.W., Tunstall, M.: Improved Fault Analysis of Signature Schemes. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 164–181. Springer, Heidelberg (2010)
  13. Goundar, R.R., Joye, M., Miyaji, A.: Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 65–79. Springer, Heidelberg (2010)
  14. Hoffstein, J., Pipher, J., Silverman, J.H.: An Introduction to Mathematical Cryptography. Springer (2008)
  15. Howgrave-Graham, N., Smart, N.: Lattice Attacks on Digital Signature Schemes. Journal of Designs, Codes and Cryptography 2001, Des. Codes Cryptography 23, 283–290 (2001)
  16. Johnson, D., Menezes, A., Vanstone, S.: The Elliptic Curve Digital Signature Algorithm (ECDSA), Technical report CORR-34, Dept. of C&O, University of Waterloo (1999)
  17. Joye, M., Tymen, C.: Protections against Differential Analysis for Elliptic Curve Cryptography. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 377–390. Springer, Heidelberg (2001)
  18. Joye, M., Yen, S.M.: The Montgomery Powering Ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)
  19. Vitek, J., Naccache, D., Pointcheval, D., Vaudenay, S.: Computational Alternatives to Random Number Generators. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 72–80. Springer, Heidelberg (1999)
  20. Meloni, N.: New Point Addition Formulae for ECC Applications. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 189–201. Springer, Heidelberg (2007)
  21. Naccache, D., Smart, N.P., Stern, J.: Projective Coordinates Leak. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 257–267. Springer, Heidelberg (2004)
  22. Pan, V.Y., Wang, X.: On Rational Number Reconstruction and Approximation. SIAM Journal on Computing 2004, SIAM J. Comput. 33, 502–503 (2004)
  23. Stein, W.A., et al.: Sage Mathematics Software (Version 5.0). The Sage Development Team (2012),
  24. Vallée, B.: Gauss’ Algorithm Revisited. Journal of Algorithms 1991, J. Algorithms 12, 556–572 (1991)
  25. Wang, X., Pan, V.Y.: Acceleration of Euclidean algorithm and rational number reconstruction. SIAM Journal on Computing 2003, SIAM J. Comput. 33, 548–556 (2003)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Diana Maimuţ (1)
  • Cédric Murdica (2, 3)
  • David Naccache (1)
  • Mehdi Tibouchi (4)

  1. Département d’informatique, École normale supérieure, Paris Cedex 05, France
  2. Secure-IC S.A.S., Rennes, France
  3. Département COMELEC, Institut TELECOM, TELECOM ParisTech, CNRS LTCI, Paris, France
  4. Okamoto Research Laboratory, NTT Secure Platform Laboratories, Musashino-shi, Japan
