Chosen base-point side-channel attack on Montgomery ladder with x-only coordinate: With application to secp256k1

Congming Wei, Jiazhe Chen, An Wang, Beibei Wang, Hongsong Shi, Xiaoyun Wang*

*Corresponding author for this work

Research output: Contribution to journal, Article, peer-reviewed

1 citation (Scopus)

Abstract

This study revisits the side-channel security of the elliptic curve cryptography (ECC) scalar multiplication implemented with the Montgomery ladder. Focusing on a specific implementation that does not use the y-coordinate for point addition (ECADD) and point doubling (ECDBL), the authors show that the Montgomery ladder on Weierstrass curves is vulnerable to a chosen base-point attack. Unlike the normal implementation with the y-coordinate, in the scenario of this study the chosen base-point strategy does not lead to operations with two identical inputs during ECADD and/or ECDBL. Instead, with a suitably chosen base-point, there are operations that share a common operand, which is not the case if the base-point is not chosen correctly. This results in the recovery of the secret (fixed) scalar. They also test the methods of shared-operand detection on a real-world SoC, where a secp256k1-dedicated Montgomery ladder scalar multiplication with x-only coordinate is implemented, to show the efficiency of the scalar recovery attack. Naturally, the attack can be generalised to other Weierstrass curves when they contain special points.

Original language: English
Pages (from-to): 483-492
Number of pages: 10
Journal: IET Information Security
Volume: 14
Issue: 5
DOI
Publication status: Published - 1 Sep 2020
