AbstractIn a recent paper devoted to fault analysis of elliptic curve-based signature schemes, Takahashi et al. (TCHES 2018) described several attacks, one of which assumed an equidistribution property that can be informally stated as follows: given an elliptic curve E over 𝔽q in Weierstrass form and a large subgroup H ⊂ E(𝔽q) generated by G(xG, yG), the points in E(𝔽q) whose x-coordinates are obtained from xG by randomly flipping a fixed, sufficiently long substring of bits (and rejecting cases when the resulting value does not correspond to a point in E(𝔽q)) are close to uniformly distributed among the cosets modulo H. The goal of this note is to formally state, prove and quantify (a variant of) that property, and in particular establish sufficient bounds on the size of the subgroup and on the length of the substring of bits for it to hold. The proof relies on bounds for character sums on elliptic curves established by Kohel and Shparlinski (ANTS–IV).
Equidistribution Among Cosets of Elliptic Curve Points in Intervals
