Chosen base‐point side‐channel attack on Montgomery ladder with x ‐only coordinate: with application to secp256k1

This study revisits the side‐channel security of the elliptic curve cryptography (ECC) scalar multiplication implemented with Montgomery ladder. Focusing on a specific implementation that does not use the y ‐coordinate for point addition (ECADD) and point doubling (ECDBL), the authors show that Montgomery ladder on Weierstrass curves is vulnerable to a chosen base‐point attack. Unlike the normal implementation with y ‐coordinate, in the scenario of this study, the chosen base‐point strategy will not lead to operations with two same inputs during the ECADD and/or ECDBL. Instead, by choosing a suitable base‐point, one will find that there are operations that share a common operand; while it is not the case if the base‐point is not chosen correctly. This results in the recovery of the secret (fixed) scalar. They also experiment the methods of shared operand detection on a real‐world SoC, where a secp256k1 dedicated Montgomery ladder scalar multiplication with x ‐only coordinate is implemented, to show the efficiency of the scalar recovery attack. Naturally, the attack can be generalised to other Weierstrass curves when they contain special points.