{"title":"Inner collisions in ECC: Vulnerabilities of complete addition formulas for NIST curves","authors":"Poulami Das, Debapriya Basu Roy, Harishma Boyapally, Debdeep Mukhopadhyay","doi":"10.1109/AsianHOST.2016.7835562","DOIUrl":null,"url":null,"abstract":"Elliptic curve cryptosystems are built on an underlying additive group, with an addition operation defined as the group operation. The aim of the elliptic curve addition operation is to render an elliptic curve point on the underlying elliptic curve when two ECC points are taken as inputs. However ECC addition formula may not be complete in nature, and may contain exceptional points, for which the addition formula may fail to produce a valid third point. The addition formula for prime order NIST curves were in fact not complete, till Renes et. al. proposed a complete addition formula for the class of prime order NIST curves in their Eurocrypt 2016 paper. The property of completeness ensures a valid third ECC point for any two chosen input points, and thus provides the advantage of using the same formula for both addition and doubling operations. Consequently it is assumed to be inherently side-channel secure, however any practical validation against side-channel protection is not yet present in the literature. In this work we analyse the side-channel protection for this newly constructed unified formula against two horizontal attacks. 
We show although this new construction is resistant against HCCA, it may be vulnerable to the ROSETTA attack, which exploits inner collisions within field multiplication operations.","PeriodicalId":394462,"journal":{"name":"2016 IEEE Asian Hardware-Oriented Security and Trust (AsianHOST)","volume":"34 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE Asian Hardware-Oriented Security and Trust (AsianHOST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/AsianHOST.2016.7835562","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 5
Abstract
Elliptic curve cryptosystems are built on an underlying additive group, with an addition operation defined as the group operation. The aim of the elliptic curve addition operation is to render an elliptic curve point on the underlying elliptic curve when two ECC points are taken as inputs. However, an ECC addition formula may not be complete in nature, and may contain exceptional points, for which the addition formula may fail to produce a valid third point. The addition formulas for prime order NIST curves were in fact not complete, until Renes et al. proposed a complete addition formula for the class of prime order NIST curves in their Eurocrypt 2016 paper. The property of completeness ensures a valid third ECC point for any two chosen input points, and thus provides the advantage of using the same formula for both addition and doubling operations. Consequently it is assumed to be inherently side-channel secure; however, any practical validation against side-channel protection is not yet present in the literature. In this work we analyse the side-channel protection for this newly constructed unified formula against two horizontal attacks. We show that although this new construction is resistant against HCCA, it may be vulnerable to the ROSETTA attack, which exploits inner collisions within field multiplication operations.