IACR News item: 28 December 2015
Samuel Neves, Mehdi Tibouchi
ePrint Report
Invalid curve attacks are a well-known class of attacks against
implementations of elliptic curve cryptosystems, in which an
adversary tricks the cryptographic device into carrying out scalar
multiplication not on the expected secure curve, but on some other,
weaker elliptic curve of his choosing. In their original form, however,
these attacks only affect elliptic curve implementations using
addition and doubling formulas that are independent of at least one
of the curve parameters. This property is typically satisfied for
elliptic curves in Weierstrass form but not for newer models that
have gained increasing popularity in recent years, like Edwards and
twisted Edwards curves. It has therefore been suggested (e.g. in
the original paper on invalid curve attacks) that such alternate
models could protect against those attacks.
In this paper, we dispel that belief and present the first attack of this nature against (twisted) Edwards curves, Jacobi quartics, Jacobi intersections and more. Our attack differs from invalid curve attacks proper in that the cryptographic device is tricked into carrying out a computation not on another elliptic curve, but on a group isomorphic to the multiplicative group of the underlying base field. This often makes it easy to recover the secret scalar with a single invalid computation.
We also show how our result can be used constructively, especially on curves over random base fields, as a fault attack countermeasure similar to Shamir's trick.
In this paper, we dispel that belief and present the first attack of this nature against (twisted) Edwards curves, Jacobi quartics, Jacobi intersections and more. Our attack differs from invalid curve attacks proper in that the cryptographic device is tricked into carrying out a computation not on another elliptic curve, but on a group isomorphic to the multiplicative group of the underlying base field. This often makes it easy to recover the secret scalar with a single invalid computation.
We also show how our result can be used constructively, especially on curves over random base fields, as a fault attack countermeasure similar to Shamir's trick.
Additional news items may be found on the IACR news page.