Editing Elliptic-curve cryptography (section)

=== Side-channel attacks ===
Unlike most other [[Discrete Logarithm|DLP]] systems (where it is possible to use the same procedure for squaring and multiplication), the EC addition is significantly different for doubling (''P'' = ''Q'') and general addition (''P'' ≠ ''Q'') depending on the coordinate system used. Consequently, it is important to counteract [[side-channel attack]]s (e.g., timing or [[Power analysis|simple/differential power analysis attacks]]) using, for example, fixed pattern window (a.k.a. comb) methods{{clarify|date=December 2011}}<ref>{{cite report |first1=M. |last1=Hedabou |first2=P. |last2=Pinel |first3=L. |last3=Beneteau |url=http://eprint.iacr.org/2004/342.pdf |title=A comb method to render ECC resistant against Side Channel Attacks |year=2004 |publisher=IACR Cryptology ePrint Archive}}</ref> (note that this does not increase computation time). Alternatively one can use an [[Edwards curve]]; this is a special family of elliptic curves for which doubling and addition can be done with the same operation.<ref>{{cite web | url=http://blog.cr.yp.to/20140323-ecdsa.html | title=Cr.yp.to: 2014.03.23: How to design an elliptic-curve signature system}}</ref> Another concern for ECC-systems is the danger of [[Differential fault analysis|fault attacks]], especially when running on [[smart card]]s.<ref>See, for example, {{Cite book |first1=Ingrid |last1=Biehl |first2=Bernd |last2=Meyer |first3=Volker |last3=Müller |title=Advances in Cryptology — CRYPTO 2000 |chapter=Differential Fault Attacks on Elliptic Curve Cryptosystems |series=[[Lecture Notes in Computer Science]] |volume=1880 |year=2000 |pages=131–146 |doi=10.1007/3-540-44598-6_8 |isbn=978-3-540-67907-3 |url=http://www.iacr.org/archive/crypto2000/18800131/18800131.pdf }}</ref>