The scalar multiplication on elliptic curves is a fundamental operation in elliptic curve cryptography. For example, this operation multiplies a point on the curve (typically a base point) by an integer (often a private key). Due to its importance, how a scalar multiplication is implemented can make cryptographic systems robust or vulnerable.
The implementation of the scalar multiplication for elliptic curve points has a branching condition on the individual bits of the scalar. Different time of execution can be measured depending on the values of the individual bits. Although the loop goes through each bit in the scalar rhs, operations inside the loop are not consistent for every iteration. This inconsistency arises because the operations depend on the value of each bit in rhs.
Recommendation:
To protect against timing attacks in this scenario, it should be ensured that:
• Every iteration of the loop takes the same amount of time, regardless of whether *b is true or false.
• The presence or absence of the addition operation is masked, such that it is not discernible through timing.
The scalar multiplication on elliptic curves is a fundamental operation in elliptic curve cryptography. For example, this operation multiplies a point on the curve (typically a base point) by an integer (often a private key). Due to its importance, how a scalar multiplication is implemented can make cryptographic systems robust or vulnerable.
The implementation of the scalar multiplication for elliptic curve points has a branching condition on the individual bits of the scalar. Different time of execution can be measured depending on the values of the individual bits. Although the loop goes through each bit in the scalar rhs, operations inside the loop are not consistent for every iteration. This inconsistency arises because the operations depend on the value of each bit in rhs.
Recommendation: To protect against timing attacks in this scenario, it should be ensured that: • Every iteration of the loop takes the same amount of time, regardless of whether *b is true or false. • The presence or absence of the addition operation is masked, such that it is not discernible through timing.
Ref: https://link.springer.com/chapter/10.1007/978-3-540-28632-5_14