Paper 2017/170

Error-free protection of EC point multiplication by modular extension

Martin Seysen


An implementation of a point multiplication function in an elliptic-curve cryptosystem can be attacked by fault injections in order to reveal the secret multiplier. A special kind of such an attack is the sign-change fault attack. Here the result of a point multiplication is changed in such a way that it is still a point on the curve. A well-known countermeasure against this kind of attack is to perform the point multiplication on a modular extension of the main curve by a small curve. Then the result is checked against the result of the same point multiplication recalculated on the small curve. The problem with this countermeasure is that the point at infinity on the small curve may be reached as an intermediate result with a non-negligible probability. In this case the comparison with the result on the small curve is either faulty or meaningless. We propose a variant of the modular extension countermeasure where the point at infinity is never reached as an intermediate result on the main or on the small curve.

Available format(s)
Publication info
Preprint. MINOR revision.
elliptic curvepoint multiplicationmodulus extension
Contact author(s)
m seysen @ gmx de
2017-02-27: received
Short URL
Creative Commons Attribution


      author = {Martin Seysen},
      title = {Error-free protection of EC point multiplication by modular extension},
      howpublished = {Cryptology ePrint Archive, Paper 2017/170},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.