Fault Attack on Elliptic Curve with Montgomery Ladder Implementation

Pierre-Alain Fouque Reynald Lercier

École normale supérieure - CNRS - INRIA DGA/CÉLAR - IRMAR, Université de Rennes
45 rue d’Ulm, 75230 Paris cedex 05, France La Roche Marguerite, 35174 Bruz, France
[email protected] [email protected]
Denis Réal Frédéric Valette
DGA/CÉLAR - INSA-IETR, Université de Rennes DGA/CÉLAR
La Roche Marguerite, 35174 Bruz, France La Roche Marguerite, 35174 Bruz, France
[email protected] [email protected]

Abstract duced. Indeed such schemes allow to use smaller keys since
algorithms to compute discrete logarithms are less efficient
In this paper, we present a new fault attack on elliptic in such groups than in the multiplicative group of a finite
curve scalar product algorithms. This attack is tailored to field. Elliptic curves can be used in signature schemes as
work on the classical Montgomery ladder method when the in the standard ECDSA or in encryption schemes as in the
y-coordinate is not used. No weakness has been reported El Gamal cryptosystem. Consequently, it is useful to have
so far on such implementations, which are very efficient and secure implementations of the scalar product algorithm. In
were promoted by several authors. But taking into account 1999, Coron developed three countermeasures to withstand
the twist of the elliptic curves, we show how, with few faults SPA and DPA attacks on elliptic curve scalar binary expo-
(around one or two faults), we can retrieve the full secret nentiations [8]. However, the first two were shown to be
exponent even if classical countermeasures are employed to inefficient by Fouque and Valette in [10] and the third one
prevent fault attacks. It turns out that this attack has not by Goubin in [11]. All these attacks are SPA or DPA at-
been anticipated as the security of the elliptic curve param- tacks. However, other implementations of the scalar prod-
eters in most standards can be strongly reduced. Especially, uct algorithm, for instance, Montgomery algorithm when
the attack is meaningful on some NIST or SECG parame- the y-coordinate is not used, are still believed to be secure.
ters.
1.1. Previous Work
Keywords: EC Cryptosystem, Montgomery Ladder,
Fault Attack.
Fault attacks on elliptic curve cryptosystems appeared
since 2000 by Biehl et al. at Crypto’00 [1]. The idea
is to change the input points or the curve parameters or
1. Introduction also the base field so that the computations is performed
on a different and weakly secure cryptographic curve. On
Fault attack is a very powerful side-channel technique to such curves, the discrete logarithms can be easy to com-
break cryptographic schemes. The idea is to inject a fault pute using Pohlig-Hellman and Rho-Pollard algorithm for
during the computations of an implementation and to use instance. Then, Ciet and Joye in [7] extended this attack
the faulty outputs to deduce information on the secret key by reducing the power of the attacker so that random and
stored in the secure component. Boneh et al. first intro- unknown errors can be used instead of controlled ones.
duced this model in 1997 [3] and show how to recover secret Recently at FDTC’06, Blömer et al. [2] mounted an-
keys of RSA and DLog-based cryptosystems. Since these other side-channel attack by changing the sign of the y-
attacks and other side-channel attacks, many countermea- coordinate. They also claimed that the attacks of Biehl et
sures have been proposed so far and some implementations al. and of Ciet and Joye can be easily avoided since it is
are believed to be more secure than others. sufficient to verify at the end of the computation whether
Elliptic curve cryptosystems are very important in smart the resulting point is on the curve or not. Moreover, they
card products since the computational cost is strongly re- proposed an attack on the Montgomery algorithm when

1
the y-coordinate is used. Furthermore, they reported the cal way to perform it is the use of a binary exponentiation
following claim of Joye and Yen in [13], that the “Mont- algorithm (cf. Fig. 1) but it turns out that these algorithms
gomery ladder may be a first-class substitute of the cele- have unpleasant drawbacks in view of side channel attacks.
brated square-and-multiply algorithm” and put as an open
problem to attack Montgomery Ladder algorithm when the
y-coordinate is not used. Input: P ∈ E, d = (d0 , . . . , dn−1 ) ∈ {0, 1}n
Output: R = d P
1.2. Our Results R=O
for j = n − 1 downto 0 do
In this paper, we show that Montgomery method when R = 2R.
the y-coordinate is not used can be attacked with only one if dj = 1 then R = R + P
or two faults during the computation. More generally, we return R
show that a special fault attack that changes the point on the
Figure 1. Left to right binary algorithm
original curve to a point on a cryptographically weak curve
can be not detected, while the resulting output, a point of
the original strong elliptic curve, can still be used to recover
the secret key. The probability of success of the attack is 2.1 Montgomery’s Algorithm
very high as the probability to obtain the right effect is of
one half. In this context, Joye et al [13] emphasize that an alter-
The basic idea is to use the twist of the elliptic curve. native (but less general) model due to P. Montgomery [17]
This curve is associated to the original curve so that a given could be a valuable countermeasure since no operation de-
abscissa corresponds either to a point on the curve or to a pends on the bit of the secret exponent. The so called
point on the twist with probability approximately one half. Montgomery ladder 2 , was extended to all kind of ellip-
Consequently, by performing an error at random on some tic curves. One attractive advantage of the latter (cf. [22])
small size register of the abscissa, we can go from a point is that there exists efficient formulas to obtain the x and z-
on the original elliptic curve to a point on its twist and back- coordinates of the sum of two points P = (xP : . : zP )
ward. Moreover, Montgomery implementation when the y- and Q = (xQ : . : zQ ) with the help of the extra point
coordinate is not used, does not care of whether the com- P − Q = (xP −Q : . : zP −Q ). The detail of the computa-
putation is performed on the original curve or on its twist. tion can be seen in [12]. It needs only 13 multiplications, 4
Furthermore, the attack can still be mounted even though squarings and 18 additions. It does not not require the use
classical countermeasures are used(such as exponent mask- of the y coordinates. The main idea of the algorithm is to
ing for example). compute two values in parallel which have a difference of
Finally, we discover that the elliptic curve parameters P . The algorithm only double points or add points with a
recommended in most standards do not take into account difference of P .
such an attack since the order of the twist is often smooth, (cf. Fig 2).
almost never a prime number.
Input: P = (xP : . : zP ) ∈ E,
d = (d0 , . . . , dn−1 ) ∈ {0, 1}n
2. Elliptic Curve Scalar Product and Twist Output: R = (xR : . : zR ) = d P
R0 = O, R1 = P
An elliptic curve E defined over a field k is a (smooth, for j = n − 1 downto 0 do
geometrically irreducible and projective) curve of genus one R1−dj = R1−dj + Rdj , Rdj = 2Rdj
with a based point O [20]. For k a finite field Fp of char- return R0
acteristic p > 3, application of the Riemann Roch The-
orem yields a Weierstrass projective model for E of the Figure 2. Montgomery Powering Ladder
form Y 2 Z = X 3 + AXZ 2 + BZ 3 where A, B ∈ Fp ,
4A3 + 27B 2 6= 0 and where O = (0 : 1 : 0). Such a
curve admits a group structure with neutral element O and 2.2. The Twist of an Elliptic Curve
efficient formulas to add points. Extensive use of the group
law is done in cryptography due to the fact that numerous One interesting feature of this algorithm for our purposes
Diffie-Hellman problems are believed to be hard in these is that the y-coordinates of the points is not needed. As a
groups. consequence, this algorithm is also valid for points (x :
Most of the cryptographic schemes imply the scalar y : z) ∈ E with y ∈ Fp2 , instead of simply y ∈ Fp . This
product of a point P by a secret exponent d. The classi- remark yields thus some interest on the subset of points with
x and z-coordinates defined in Fp on an elliptic curve with is a square is enough). We will see in the following that this
model in Fp , but defined over Fp2 . Let us denote S, this set might not be the case.
of points, that is
2.3. Generic Algorithms for Discrete Loga-
S = {(0 : 1 : 0)} rithms
∪ {(x : y : 1) ∈ E(Fp2 ) with x ∈ Fp , y ∈ Fp2 }.
In [19], Pollard describes a heuristic method, called
Obviously, S = {O} ∪ S 0 ∪ S 1 ∪ S 2 with S 0 = {(x : 0 :
the ρ-method, to compute discrete logarithms in a generic
1) ∈ E(Fp2 ) with x ∈ Fp } (points of order 2), S 1 = {(x :
cyclic group with constantpmemory and in probabilistic time
y : 1) ∈ E(Fp2 ) with x ∈ Fp , y ∈ F∗p } and S 2 = {(x :
approximately equal to 3 2n π/2 group operations, where
y : 1) ∈ E(Fp2 ) with x ∈ Fp , y ∈ Fp2 \ Fp }. Let α be the
n is the size of the group cardinal. In particular, this algo-
number of points of order two, that is the number of roots of
rithm can be applied on a prime order group. Then, using
x3 + ax + b , then S contains 2p + 1 − α distinct points. Let
the Pohlig-Hellman algorithm [18], it is possible to recover
us furthermore assume that E(Fp ) (that is, O ∪ S 0 ∪ S 1 ) has
the entire discrete logarithm in time at most O(2n/2 ), even
got p + 1 − c points, the cardinality of S 2 is thus equal to
though the order is not prime.
p+c−α, and therefore the cardinality of O∪S 0 ∪S 2 is equal
to p + 1 + c. The attentive reader will notice immediately
that this number is exactly equal to the cardinality of the In the sequel, we use the following facts:
quadratic twist of E, Ẽ. In truth, it is not very surprising • The group order of the original elliptic curve and of its
since the equation for Ẽ is equal to (ε)y 2 z = x3 + axz 2 + twist is roughly of the same size;
bz 3 , where ε is a quadratic non-residue in Fp , it is then clear
that if x is not the abscissa of a point of E, it is a point on • With probability approximatively one half a random
Ẽ. Points in O ∪ S 0 ∪ S 2 can therefore be easily mapped abscissa corresponds to a point on the original curve
to points on the twist. Finally, we can thus deduce that if or to a point on its twist;
we have on input of the Montgomery’s ladder algorithm an
exponent d and coordinates x and z in Fp which are not • Montgomery algorithm when the y-coordinate is not
coordinates of points of E, the result of the algorithm is used works without difference either on the original
equal to d times (x : . : z) on the twist of E (since this curve or on its twist;
algorithm makes no use of the coefficient ε for the twist). • Even though the order of the group on the elliptic curve
In a constructive approach, this observation suggests an is a prime, there is no reason that the order of its twist
elegant way to implement cryptographic protocols which is also a prime, and consequently generic algorithms
makes a simultaneous use of an elliptic curve and its twist, to compute discrete logarithms in time the square-root
especially to get with uniform distribution elements in Fp of the largest factor can always be used.
from points on elliptic curves. Such a scheme was for in-
stance proposed by Kaliski in 1991 for getting a random
permutation from a random function [14]. More recently, 3. Fault Attack
Boyd et al. applies this idea to the field of password-
authenticated exchange [4] to avoid partition attack, Möller First, we present the fault attack on a non-secure imple-
to the field of public key encryption [16] and Chevassut et mentation. In this case, the public point P can be chosen by
al. to the field of randomness extraction for the Internet Key the adversary and we will see that with a well chosen point,
Exchange protocol [6]. Of course, real implementations of the result of the computation d.P is enough to recover the
these protocols must resist to side-channel attacks and in secret exponent d. Note that this first attack may not ap-
this context, one especially must take care how the switch ply in real applications but it helps to understand the more
between a curve and its quadratic twist is implemented. sophisticated one. Finally, if a countermeasure is imple-
With the Montgomery’s ladder powering algorithm, there is mented during the computation, we will see that there are
no need of the switch and thus this difficulty can be easily two ways of recovering the value d with very few faults.
erased.
According to [12], it is the more efficient implementation 3.1. Basic attack without Countermeasure
secure against simple power analysis. Various implementa-
tions of the Montgomery ladder are available but the most If the computation is not protected against fault attacks
interesting is when y-coordinate is not used. Moreover, ac- (it is still possible as Montgomery ladder was said to be se-
cording to [2], this implementation seems very efficient as cure against fault attack), the attacker can choose a point P
well to defeat fault attacks thanks to a single verification which is not on the curve but on its twist. This can be eas-
that the point is on the curve (a verification that x3 + ax + b ily done as half of the possible values of x correspond to a
point on the curve and the other values of x give points on the result of the computation before the verification. In this
the twist. We have seen in section 2 that a Montgomery ex- case, the abscissa x of the result d.P can be changed by the
ponentiation works either on the curve or on its twist. This attacker to a points Q with abscissa x ⊕ , denoted d.P ⊕ ,
can be an advantage in some case but usually, no property which belongs to the curve with a probability 1/2. So with
is required on the twist as this appears in section 4. So with a very high probability, the attacker obtains such a result,
usual constraints, the twist of an elliptic curve is weak, i.e. his main problem is that the value  is unknown. According
the number of points on the twist is smooth. So the attacker to [5], the attacker can assume that the fault only modifies
can choose a point P which is on the twist. In this case, a register of small size s, 8 or 16 bits, with respect to n, the
the computation gives the value d.P . With this value, the bitsize of the order. The attacker can guess the value of 
attacker is able with classical algorithms, such as ρ-method and for each guess, try to find the associated d value. Un-
and Pohlig-Hellman, to compute the value d mod ord(Ẽ) fortunately, this attack makes his computation effort larger
with a time complexity which is given by the square root with a factor 2s · n/s that makes the attack unfeasible for
of the largest factor of the twist order. If we assume that large registers. In fact, this basic attack can be improved
the number of points on the twist is random, then according easily to have the same complexity as in the previous sec-
to [15] fact 3.7, the size of the largest factor is smaller than tion. For this purpose, the attacker just needs to collect two
ord(Ẽ)2/3 with probability at least 1/2 and the complexity faulty results associated to the same message with different
of the attack is about ord(Ẽ)1/3 , which is feasible for typi- values for . With those results, he can see which registers
cal sizes of elliptic curves used in crypto-applications. Once have been modified. For example, the two results look like
the value is computed, there is only one or two possibilities x⊕ and x⊕0 , that is written in basis 2s : x1 , x2 , . . ., xi ⊕,
for d as the order of the curve and the order of its twist are . . ., xn/s and x1 , x2 , . . ., xj ⊕ 0 , . . ., xn/s . Consequently,
roughly of the same size. So with only one message, an he has only two possibilities for the result, x1 , x2 , . . ., xi ,
attacker is able to retrieve easily the secret scalar d. . . ., xj , . . ., xn/s or x1 , x2 , . . ., xi ⊕ , . . ., xj ⊕ 0 , . . .,
xn/s , and he can retrieve the value of d easily.
3.2. The Classical Countermeasure So with only two faulty results (a faulty result happens
with probability one half), the attacker is able to retrieve the
To avoid the previous attack, countermeasures can be im- secret key by solving one discrete logarithm on the twist of
plemented. According to [2], a verification that the point the initial curve.
belongs to the curve is sufficient and may prevent fault at-
tacks. So in the following, we assume that the scalar product 3.4. Fault attack with a fixed point
checks if the point d.P is on the curve. The verification can
be done at the beginning or at the end of the computation In the previous attacks, the adversary is able to choose
or at both but this changes nothing to our attack. So we can the value of the point P . In some specific applications,
decide that the protected algorithm is described in Fig. 3. this may not be the case. For example, the point can be
stored in the card as described in [2]. In that case, the at-
Input: a point P with abscissa x, a scalar d tack still works but it needs more faults to retrieve the secret
Output: d.P exponent. Precisely, the attacker injects a fault at the be-
Compute d.P ginning of the computation (he modifies the point P ) and
if d.P is on the curve, i.e. x3 + ax + b is a square, then at the end of the computation to bypass the final verifi-
return d.P cation. In this way, he can collect equations of the form
else return Error d · (P ⊕ i ) = Qi ⊕ 0 i for i = 1, 2, . . . , f . In a first ap-
proximation, we can assume that the attacker is lucky, so the
Figure 3. Secure implementation effect of the fault on P always gives a point on the twist.
Once the faulty results collected, the attacker must find
Note that verifying whether a point is on a curve is equiv- the values for i and 0i . Of course he can try all the possi-
alent to check whether x3 +ax+b is a square. Respectively, ble values and solve the discrete logarithm on the twist and
if x3 + ax + b is not a square than the point is on the twist. check if the result is true on the curve but this not very effi-
We see in the sequel the impact of a fault during each step cient. So the main idea is to use multiple results to eliminate
of the algorithm. the wrong values for i and 0i . Once a unique possibility re-
mains for each value, the attacker is in the same condition
3.3. Fault attack with chosen points. than in the previous attack and he can solve the discrete log-
arithm with one point on the twist.
If the verification process is implemented in order to re- In order to find the solution, the attacker works in a
sist to the previous attack, the attacker can try to modify small subgroup of the twist which order is t. For each
possible value of d mod t, the attacker verifies whether the
pair (i , 0i ) is a solution of the previous equation. For the Values P1363 X9.62 NIST Strength Security
right value of d mod t, a solution exists (linked with the secp IPSEC X9.63
effect of the fault). For a wrong value, the probability to 112r1 c/c/r 56 27
find a solution is roughly |C|.|D|/t where C and D re- 112r2 c/c/c 56 31
spectively denote the set of all possible values for  and 0 .
128r1 c/c/c 64 37
To find only one solution for d mod t, the method should
128r2 c/c/c 64 59
be applied a sufficient number of time, depending on the
value t. After f faults, the number of possible solutions 160k1 c/r/c c/r 80 59
is t.(|C|.|D|/t)f . So if the attacker chooses f and t such 160r1 c/c/r c/c 80 59
that t.(|C|.|D|/t)f < 1, he is able to find a unique solution 160r2 c/c/c c/r 80 62
d mod t with the associated values (i , 0i ) for all the faulty 192k1 c/c/r c/r 96 69
results collected. With all of this information, he can solve 192r1 c/c/c r/r r 96 48
the DLog problem d · P 0 = Q0 in the twist of the curve. The 224k1 c/c/c c/r 112 56
complexity of the first step of the attack is f.t.|C|.|D| = 224r1 c/c/c c/r r 112 59
f · t · 22s · n2 /s2 with (22f s · n2f )/(s2f · tf −1Q) < 1. The 256k1 c/c/c c/r 128 50
attack can be optimized if t is smooth e.g. t = tk . In this 256r1 c/c/c r/r r 128 121
case, the computation can be done in all the small subgroups
and the complexity is then 384r1 c/c/c c/r r 192 193∗
521r1 c/c/c c/r r 256 231
X We put in bold font, all the securities below 260 since
f· tk · 22s · (n2 /s2 ).
such a computation can be performed. Only one parameter
k
leads to a prime number of the order of the twist where we
put a ’*’. The mention ’r’ denotes parameters explicitly rec-
Numerical examples for these complexities are given in the ommended in the standard, while the mention ’c’ denotes
next section. parameters in conformance with the standard. The column
“Strength” refers to the standard [21].
If the attacker is not lucky, he has to collect more faulty With the curve secp256k1, the order of the twist is
results in order to have f equations with P ⊕ i on the twist
(roughly 2f faulty results which need 4f experiments to be 3 × 197 × 1559 × 96769 × 146849 × 2587814237219×
obtained). If the attacker is not able to distinguish inter- 375925338294461779×
esting faulty results from others, he can run the previous 101009178936527559588563023359.
algorithms on all the experiments and keep only the value
d mod t which is valid for the highest number of experi- So on implementations without protections, the attacker can
ments. The remaining candidates can be eliminated by en- compute the discrete logarithm in the twist with a cost of
larging the value t. 250 and retrieve the secret scalar for n = 256. The details
of all the attacks described previously with this curve, im-
plemented first on 8 bits registers where the fault produces
all possible values on 8 bits, secondly implemented on 16
4. Concrete Example with Standardized Pa- bits registers where the fault produces all possible values on
rameters of Elliptic Curves 16 bits and finally implemented on 32 bits registers where
the fault moves a register to zero:

In this section, we compute for the different curve pa- Register |C| or |D| f t preprocess
rameters, proposed by the NIST in [9] and by the consor- 8-bit 213 4 3 · 197 · 1559 · 96769 247
tium SECG [21], the security of the curve according to our > 235 = (226 )4/3
attack. We evaluate the security as half of the size of the 16-bit 220 6 3 · 197 · 1559 · 96769· 261
larger factor of the group order of the twist. The order of 146849 > (240 )6/5
the twist can be deduced from the order of the original el- 32-bit 23 2 3 · 197 > 26 215
liptic curve thanks to the following equation: ord(Ẽ) =
p + 1 − ord(E) where p is the number of field elements In this example we can see that in the two cases, with less
in the finite field where the curve is defined. than 6 faulty results (which can be obtained with less than
24 experiments ) and an overall complexity smaller than 250 [8] J. S. Coron. Resistance against Differential Power Analysis
(except the middle one), the attacker can retrieve the secret for Elliptic Curve Cryptosystems. In Springer-Verlag, editor,
scalar. CHES’99, LNCS, pages 292–302, 1999.
[9] Federal Information Processing Standards Publication FIPS
186-2. Digital Signature Standard (DSS), appendix 6: "Rec-
5. Conclusion ommended Elliptic Curves for Federal Government Use".
Technical report, NIST, January 27 2000.
In this paper, we have presented a very powerful fault [10] P. A. Fouque and F. Valette. The Doubling Attack - Why Up-
attack on the Montgomery ladder implementation when the wards Is Better than Downwards. In Springer-Verlag, editor,
y-coordinates is not used. The attack needs only few faults CHES’03, LNCS, pages 269–280, 2003.
[11] L. Goubin. A Refined Power-Analysis Attack on Elliptic
in a very classical and realistic fault model. The major prob-
Curve Cryptosystems. In Springer-Verlag, editor, PKC’03,
lem of the implementation we studied is that the probability LNCS, pages 199–210, 2003.
to belong to the curve for a random point is very high (due [12] T. Izu, B. Möller, and T. Takagi. Improved Elliptic Curve
to the use of the abscissa only). In that case, the verifica- Multiplication Methods Resistant against Side Channel At-
tion that the point is on the curve is not efficient. A basic tacks. In Springer-Verlag, editor, INDOCRYPT ’02, LNCS,
countermeasure can be to repeat the verification a sufficient pages 296–313, 2002.
number of time during the computation to lower the prob- [13] M. Joye and S. M. Yen. The Montgomery Powering Lad-
ability of success of the attacker. For example, if n = 160 der. In Springer-Verlag, editor, CHES’02, LNCS, pages
the verification of the intermediate point can be done every 291–302, 2002.
[14] B. S. Kaliski. One-Way Permutations on Elliptic Curves. J.
five steps of the Montgomery ladder, that gives a probabil-
160 Cryptology, 3(3):187–199, 1991.
ity of success for the attacker of 2− 5 = 2−32 . It is not [15] A. Menezes, P. van Oorschot, and S. Vanstone. Handbook
clear whether this countermeasure can be defeated but it is of Applied Cryptography. CRC Press, 1997.
a challenge to find a more efficient countermeasure to avoid [16] B. Möller. A Public-Key Encryption Scheme with Pseudo-
this attack. It is still possible to choose elliptic curves such Random Ciphertexts. In ESORICS’04, volume 3193 of
that the order of the twist is prime [6] but despite it is less LNCS, pages 335–351. Springer-Verlag, 2004.
efficient and harder to realize, faults on the parameters of [17] P. L. Montgomery. Speeding the Pollard and Elliptic Curve
the curve as described in [2] might be still valid. Methods of Factorization. Math. Comp, 48(177):243–264,
jan 1987.
[18] S. C. Pohlig and M. E. Hellman. An Improved Algorithm for
5.1. References
Computing Logarithms over GF(p) and its Cryptographic
Significance. IEEE Transactions on Information Theory, IT–
References 24(1):106–110, january 1978.
[19] J. M. Pollard. Monte Carlo Methods for Index Computation
[1] I. Biehl, B. Meyer, and V. Müller. Differential Fault Attacks (mod p). Mathematics of Computation, 32(143):918–924,
on Elliptic Curve Cryptosystems. In Springer-Verlag, editor, July 1978.
CRYPTO, LNCS, pages 131–146, 2000. [20] J. Silverman. The arithmetic of elliptic curves, volume 106
[2] J. Blömer, M. Otto, and J.-P. Seifert. Sign Change Fault At- of Graduate Texts in Mathematics. Springer-Verlag, New
tacks on Elliptic Curve Cryptosystems. In Springer-Verlag, York, 1986. Corrected reprint of the 1986 original.
editor, FDTC ’06, LNCS, pages 36–52, 2006. [21] Standards for Efficient Cryptography Group (SECG). SEC
[3] D. Boneh, R. DeMillo, and R. Lipton. On the Importance 2: Recommended Elliptic Curve Domain Parameters. Tech-
of Eliminating Errors in Cryptographic Computations. J. nical report, SECG, 2000.
Cryptology, 14(2):101–119, 2001. [22] P. Zimmerman and B. Dodson. 20 years of ECM. In Pro-
[4] C. Boyd, P. Montague, and K. Nguyen. Elliptic Curve ceedings of ANTS VII, July 2006.
Based Password Authenticated Key Exchange Protocols. In
Springer-Verlag, editor, ACISP ’01, LNCS, pages 487–501,
2001.
[5] E. Brier, B. Chevallier-Mames, M. Ciet, and C. Clavier. Why
One Should Also Secure RSA Public Key Elements. In
Springer-Verlag, editor, CHES ’06, LNCS, pages 324–338,
2006.
[6] O. Chevassut, P.-A. Fouque, P. Gaudry, and D. Pointcheval.
The Twist-AUgmented Technique for Key Exchange. In
Springer-Verlag, editor, PKC ’06, LNCS, pages 410–426,
2006.
[7] M. Ciet and M. Joye. Elliptic Curve Cryptosystems in the
Presence of Permanent and Transient Faults. Des. Codes
Cryptography, 36(1):33–43, 2005.