ECDSA Passive Attacks, Leakage Sources, and Common Design Mistakes

Elliptic Curves Cryptography (ECC) tends to replace RSA for public key cryptographic services. ECC is involved in many secure schemes such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, Elliptic Curve Integrated Encryption Scheme (ECIES), and Elliptic Curve Digital Signature Algorithm (ECDSA). As for every cryptosystem, implementation of such schemes may jeopardize the inherent security provided by the mathematical properties of the ECC. Unfortunate implementation or algorithm choices may create serious vulnerabilities. The elliptic curve scalar operation is particularly sensitive among these schemes. This article surveys passive attacks against well-spread elliptic curve scalar multiplication algorithms highlighting leakage sources and common mistakes that can be used to attack the ECDSA scheme. Experimental results are provided to illustrate and demonstrate the effectiveness of each vulnerability. Finally, the article describes the link between partial leakage and lattice attack in order to understand and demonstrate the impact of small leakages on the security of ECDSA. An example of side channel and lattice attack combination on NIST P-256 is provided in the case where the elliptic curve scalar multiplication is not protected against DPA/CPA and a controllable device is not accessible.