Such access might be granted to an adversary by a poor software implementation that does not erase the $Z$ coordinate of $P$ from the computer's memory or by a computationally-constrained secure token that sub-contracts the affine conversion of $P$ to the external world.
From a wider perspective, our result proves that the choice of representation of elliptic curve points {\sl can reveal} information about their underlying discrete logarithms, hence casting potential doubt on the appropriateness of blindly modelling elliptic curves as generic groups.
In conclusion, our result underlines the necessity to sanitize $Z$ after the affine conversion or, alternatively, to randomize $P$ before releasing it.
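The randomization countermeasure named above, as an added sketch that is not code from the report. It assumes Jacobian coordinates ($x = X/Z^2$, $y = Y/Z^3$), left-to-right double-and-add, and a constructed toy curve over $\mathbb{F}_{97}$; all function names are illustrative.

```python
import secrets

# Constructed toy curve y^2 = x^3 + A*x + B over F_P_MOD (assumption, not from the report)
P_MOD, A, B = 97, 2, 3
G = (3, 6)  # affine base point on the toy curve (order 5, so use k in 1..4)

def jac_double(pt):
    X, Y, Z = pt
    S = 4 * X * Y * Y % P_MOD
    M = (3 * X * X + A * pow(Z, 4, P_MOD)) % P_MOD
    X3 = (M * M - 2 * S) % P_MOD
    Y3 = (M * (S - X3) - 8 * pow(Y, 4, P_MOD)) % P_MOD
    return X3, Y3, 2 * Y * Z % P_MOD

def jac_add_affine(pt, q):
    # Mixed addition; assumes pt is not infinity and pt != +/-q
    X1, Y1, Z1 = pt
    U2 = q[0] * Z1 * Z1 % P_MOD
    S2 = q[1] * pow(Z1, 3, P_MOD) % P_MOD
    H, R = (U2 - X1) % P_MOD, (S2 - Y1) % P_MOD
    X3 = (R * R - pow(H, 3, P_MOD) - 2 * X1 * H * H) % P_MOD
    Y3 = (R * (X1 * H * H - X3) - Y1 * pow(H, 3, P_MOD)) % P_MOD
    return X3, Y3, Z1 * H % P_MOD

def scalar_mult(k, g=G):
    # The resulting Z is a product of factors chosen by the bit pattern of k
    acc = (g[0], g[1], 1)
    for bit in bin(k)[3:]:  # skip the leading 1 bit
        acc = jac_double(acc)
        if bit == "1":
            acc = jac_add_affine(acc, g)
    return acc

def rerandomize(pt, lam=None):
    # (X, Y, Z) -> (lam^2 X, lam^3 Y, lam Z) represents the same affine point
    if lam is None:
        lam = 1 + secrets.randbelow(P_MOD - 1)  # uniform nonzero field element
    X, Y, Z = pt
    return lam * lam * X % P_MOD, pow(lam, 3, P_MOD) * Y % P_MOD, lam * Z % P_MOD

def to_affine(pt):
    X, Y, Z = pt
    zi = pow(Z, P_MOD - 2, P_MOD)  # Fermat inverse; Z must be nonzero
    return X * zi * zi % P_MOD, Y * pow(zi, 3, P_MOD) % P_MOD

def release(k):
    # Only a freshly randomized triple leaves the device, never the raw output
    return rerandomize(scalar_mult(k))
```

After `rerandomize`, $Z$ is uniform over the nonzero field elements regardless of how the point was computed, while the affine point is unchanged.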
Date: received 15 Sep 2003
Contact author: nigel at cs bris ac uk
Version: 20030917:212235