Fault Attacks on Projective-to-Affine Coordinates Conversion
Résumé
At EUROCRYPT 2004, Naccache {\sl et alii} showed that when the result of an elliptic curve scalar multiplication [k] P (computed using a fixed scalar multiplication algorithm, such as double-and-add) is given in projective coordinates, an attacker can recover information on k. The attack is somewhat theoretical, because elliptic curve cryptosystems implementations usually convert scalar multiplication's result back to affine coordinates before outputting [k]P. This paper explains how injecting faults in the final projective-to-affine coordinate conversion enables an attacker to retrieve the projective coordinates of [k]P, making Naccache et alii's attack also applicable to implementations that output points in affine coordinates. As a result, such faults allow the recovery of information about k.