How to Secure SM2 Elliptic Curve Operations with Constant‑Time Techniques

Background

Blockchain adoption by ordinary users raises the need to protect chain security and user assets. Infrastructure builders must support national commercial cryptographic standards, especially the SM2 elliptic‑curve public‑key algorithm, SM3 hash, and SM4 block cipher.

Side‑Channel Risks

During scalar multiplication the classic “double‑and‑add” algorithm tests each bit of the scalar, causing observable differences between point‑doubling and point‑addition operations. Timing, power, or electromagnetic variations can leak the private key.

Pre‑computed lookup tables used to accelerate signing or symmetric‑cipher operations (e.g., SM4) can leak secret information through cache‑based side channels.

Side‑Channel Attack Examples

2003 – Boneh and Brumley recovered an RSA private key over the network (http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf).

2016 – Genkin et al. extracted an ECDH private key from a nearby laptop using electromagnetic leakage (https://eprint.iacr.org/2016/129.pdf).

If a private key is exposed, the security guarantees of the entire blockchain collapse.

Constant‑Time Principle

Constant‑time implementations ensure that execution time does not depend on secret data. This requires avoiding data‑dependent branches and protecting table‑lookup accesses, because cache hits/misses affect timing. Even the inversion step in elliptic‑curve signing must avoid the classic extended Euclidean algorithm and instead use a Fermat‑based method.

Elliptic‑Curve Basics

SM2 defines a 256‑bit prime‑order curve. The base point G has the following coordinates (hex):

Gx: 32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
Gy: BC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0

Scalar multiplication [x]P is performed by repeated addition of P. The double‑and‑add method scans the scalar bits from most‑significant to least‑significant, doubling each iteration and adding when the current bit is 1.

Double‑And‑Add Scalar Multiplication

func scalarMult(q *SM2Point, x scalar) (*SM2Point, error) {
    out := NewSM2Point()
    for _, bit := range x.bits { // high‑to‑low
        out.Double(out)
        if bit == 1 {
            out.Add(out, q)
        }
    }
    return out, nil
}

On average this requires 128 point‑additions and 256 doublings. To reduce work, implementations often store pre‑computed multiples of the base point G (e.g., [2]G, [4]G, …, [2^255]G) in a table. Accessing this table reveals which bits of the scalar are 1, enabling an attacker to reconstruct the private key.

Constant‑Time Selection Function

func selectU64(out *uint64, m, x, y uint64) {
    a := m * 0xffffffffffffffff
    *out = ((a & y) | (^a & x))
}

The selector m is forced to be either all‑zero or all‑ones, eliminating data‑dependent branches.

Constant‑Time Scalar‑Base Multiplication

func scalarBaseMultSafe(x scalar) (*SM2Point, error) {
    out := NewSM2Point()
    for i, bit := range x.bits {
        selected := NewSM2Point()
        for idx := 0; idx < 256; idx++ {
            m := cteq(i, idx) & bit // constant‑time equality
            selectPoint(&selected, m, zero, precomputed[idx])
        }
        out.Add(out, selected)
    }
    return out, nil
}

cteq

is a constant‑time byte‑equality function (e.g., subtle.ConstantTimeByteEq in Go). The inner loop processes every table entry, ensuring that each point participates in the computation and that the execution pattern does not depend on the secret scalar.

Defensive Technique Highlights

Limit sensitive selectors (e.g., m) to 0 or 1 and avoid conditional branches.

Force both operands of the selection operation to be processed so the compiler cannot eliminate the unused path.

Apply the same constant‑time principle to higher‑level elliptic‑curve operations such as inversion.

References

David Brumley and Dan Boneh. “Remote timing attacks are practical.” USENIX Security Symposium, Aug 2003. http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

Daniel Genkin, Lev Pachmanov, Itamar Pipman, Eran Tromer. “ECDH Key‑Extraction via Low‑Bandwidth Electromagnetic Attacks on PCs.” https://eprint.iacr.org/2016/129.pdf