
Let $E$ be an elliptic curve over a prime or a binary extension field $GF(2^m)$, and let $G(x_g,y_g)$ be a generator point on the curve. Let $Q$ be an arbitrary point $Q = r*G$, with $r$ scalar, and $Q$ an element from the group of generator $G$ of order $n$.

I have read in some sources (e.g. here for curves over binary extension fields) that, if an actor can distinguish whether the doubling of $Q$ is accompanied by reduction (modulo $n$), then it mathematically follows that he/she can distinguish between utilizing the algorithm of division (0) or subtraction-division to reverse the sought-for number $2^l G$ or $(2^l + 1) G$, which requires no more than $\log_2 n$ divisions and thus reverse the elliptic curve multiplication and solve the DLP for binary elliptic curves.

Yet, I do not follow why knowledge of whether a doubling is reduced mod $n$ or not provides enough information to solve the DLP. Can someone elaborate?

  • Similar to the first image of this answer. This is why we need a completeness – kelalaka May 06 '22 at 20:26
  • Is there a particular reason you're not including curves over other extension fields? – Aman Grewal May 06 '22 at 20:43
  • @kelalaka both a point addition and a multiplication can result in a reduction mod n, I do not see the connection to measuring the power usage and determine exponent bits to the question at hand. – G. Stergiopoulos May 06 '22 at 20:46
  • @AmanGrewal not particularly, just because of the cases I am working on, in case it makes a difference (although I can't think of any). Possibly I should generalise the question. – G. Stergiopoulos May 06 '22 at 20:46
  • It is not about the mod, it is about different formulas of double and add... – kelalaka May 06 '22 at 20:49
  • Sorry but I do not understand your point. Please elaborate on an answer if you feel like it. – G. Stergiopoulos May 06 '22 at 20:56
  • @kelalaka I am fully aware of all these, your thoughts are either incomplete or out of context, so please be so kind as to either elaborate on an answer or simply let someone else do it. Thank you for your time. – G. Stergiopoulos May 06 '22 at 21:25
  • I cannot comment on the article you linked to because it is behind a paywall. My (probably very dated) understanding is that kelalaka is discussing the procedure of protecting multiplication by $r$ by blinding it by using $r+m*n$, $m$ random, instead. So when a side-channel attacker is trying to recover $r$ bit-by-bit (according to a choice of branch in double-and-add) they don't have the benefit of collecting statistical data from several runs as $m$ varies from one run to the next. The linked article may be discussing something else entirely. – Jyrki Lahtonen Jun 03 '22 at 05:44
  • @JyrkiLahtonen indeed this is my understanding too but this is out of scope in terms of the question asked and yes the article discusses something else. My question doesn't have to do with leaking bits due to differential tests, but with utilizing the mod p as a discriminator in ECC equations when calculating doublings and additions. My initial understanding is that, if we know that a specific x-coordinate does/does not include a modular reduction, then we can distinguish situations to enforce a reverse binary search on the public key by following doublings/additions done. [continued] – G. Stergiopoulos Jun 03 '22 at 10:35
  • [continued] At least that's what I think the article is implying, but cannot put it down into math. – G. Stergiopoulos Jun 03 '22 at 10:36

0 Answers
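An added illustration of the two things the comments touch on (not an answer posted to this question, and not code from the linked article): on a constructed toy curve $y^2 = x^3 + 2x + 3$ over $GF(97)$ with $G = (3,6)$, plain double-and-add performs a scalar-dependent sequence of doublings (D) and additions (A), while the scalar blinding Jyrki Lahtonen describes, multiplying by $r + m n$ instead of $r$, returns the same point $Q$ for every random $m$ but with a different D/A sequence each run. All coordinate arithmetic here reduces mod the field prime $p$; the group order $n$ only enters through $k \bmod n$. The curve, base point and the trace format are assumptions of this example.

```python
# Constructed toy curve y^2 = x^3 + a*x + b over GF(p); base point G has small order.
p, a, b = 97, 2, 3
G = (3, 6)          # on the curve: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)
O = None            # point at infinity

def add(P, Q):
    """Affine point addition/doubling; every coordinate is reduced mod p."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:      # Q = -P, or doubling a point with y = 0
        return O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def point_order(P):
    """Smallest k > 0 with k*P = O, by repeated addition (fine for a toy curve)."""
    k, R = 1, P
    while R is not O:
        R = add(R, P)
        k += 1
    return k

def double_and_add(k, P, trace=None):
    """Left-to-right double-and-add. If trace is a list, the D/A sequence is
    appended to it; that sequence is exactly what a branch side channel would see."""
    R = O
    for bit in bin(k)[2:]:
        R = add(R, R)
        if trace is not None:
            trace.append("D")
        if bit == "1":
            R = add(R, P)
            if trace is not None:
                trace.append("A")
    return R

def blinded_mul(k, P, n, m, trace=None):
    """Scalar blinding: compute (k + m*n)*P. Since n*P = O the result equals k*P,
    but the processed bit pattern changes with m (fresh random per run in practice)."""
    return double_and_add(k + m * n, P, trace)
```

Running `double_and_add(3, G, t)` and `blinded_mul(3, G, point_order(G), m, t2)` for a few `m` gives the same point $(80, 87)$ with different traces.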