[curves] Twist security for elliptic curves

Watson Ladd watsonbladd at gmail.com
Thu Jun 18 19:43:14 PDT 2015

On Thu, Jun 18, 2015 at 2:55 PM, Alexandre Anzala-Yamajako
<anzalaya at gmail.com> wrote:
> Apologies if this has been raised before.
> Has anybody had time to read this paper already:
> http://eprint.iacr.org/2015/577
> According to the authors the PointOnCurve check needs to be done even if the curve is twist-secure and they describe an attack if it was forgotten.
> Here is the full abstract:
> Several authors suggest that the use of twist secure Elliptic Curves automatically leads to secure implementations. We argue that even for twist secure curves a point validation has to be performed. We illustrate this with examples where the security of EC-algorithms is strongly degraded, even for twist secure curves.
> We show that the usual blinding countermeasures against SCA are insufficient (actually they introduce weaknesses) if no point validation is performed, or if an attacker has access to certain intermediate points. In this case the overall security of the system is reduced to the length of the blinding parameter. We emphasize that our methods work even in the case of a very high identification error rate during the SCA-phase.

I was extremely unimpressed with the paper, which shows the opposite
from the introduction. In the paper it's assumed that we have an
implementation which will operate on the curve or on the twist.
Without twist security, this implementation is obviously broken. With
twist security, they need an SCA attack, which is only possible
because the blinding length is shorter than the scalar. The paper
summarizes this as twist security being harmful, by arguing that the
necessary checks are removed by using a twist-secure curve. But one
could also summarize this as twist security turning an easy to mount

I'm unaware of anyone making the claims attributed in the paper. All
DJB has said is that twist security removes the need for point
validation on the Montgomery ladder without SCA considerations, and
that's all that his implementations claim also. (Yes, they are
resistant to timing attacks, but that's a slightly different set of
considerations: there is nothing claimed about EM side channels).
Furthermore, I'm unaware of protocols that can be attacked with what
is in this paper: most points are hashed, and signatures do not take
attacker-controlled input.

Using large blinding factors solves this problem, and was proposed
when the question of side-channel resistance for special primes was
discussed in the CFRG.

Watson Ladd

> --
> Alexandre Anzala-Yamajako

"Man is born free, but everywhere he is in chains".
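As an added illustration of the distinction the thread turns on (this is not code from the post, from the cited paper, or from any of DJB's implementations): an x-only Montgomery ladder on Curve25519 next to the point validation that tells a curve abscissa from a twist abscissa. The ladder only ever touches x, so it runs unchanged on an input that lies on the quadratic twist; the Euler-criterion check is the only thing that distinguishes the two. The curve constants are Curve25519's (p = 2^255 - 19, A = 486662); the function names and the helper that hunts for a twist x-coordinate are my own.

```python
# Added example, not from the mailing-list post or the paper it discusses.
# Curve25519 in Montgomery form: y^2 = x^3 + A x^2 + x over GF(P).
P = 2**255 - 19          # field prime of Curve25519
A = 486662               # Montgomery coefficient
A24 = (A - 2) // 4       # 121665, the constant used by the ladder step


def is_on_curve(x: int) -> bool:
    """Point validation: x is the abscissa of a point on the curve (rather
    than on its quadratic twist) iff x^3 + A x^2 + x is a square mod P,
    or zero (the 2-torsion point x = 0).
    Euler's criterion: v^((P-1)/2) == 1 for a non-zero square."""
    x %= P
    v = (x * x * x + A * x * x + x) % P
    return v == 0 or pow(v, (P - 1) // 2, P) == 1


def classify(x: int) -> str:
    """Label an x-coordinate as living on the curve or on the twist."""
    return "curve" if is_on_curve(x) else "twist"


def first_twist_x(start: int = 2) -> int:
    """Helper (constructed for this example): smallest x >= start whose
    x-coordinate does not belong to the curve, i.e. lies on the twist."""
    x = start
    while is_on_curve(x):
        x += 1
    return x


def ladder(k: int, x: int) -> int:
    """x-coordinate of k * (x, .) by the Montgomery ladder (RFC 7748 shape).
    It never reads y, so it computes just as happily on a twist input;
    nothing here tells the caller which group it is actually working in."""
    x1 = x % P
    x2, z2 = 1, 0          # projective (X:Z) point at infinity
    x3, z3 = x1, 1         # projective copy of the input
    swap = 0
    for i in reversed(range(k.bit_length())):
        bit = (k >> i) & 1
        swap ^= bit
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = bit
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P            # differential addition
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P                   # doubling
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return x2 * pow(z2, P - 2, P) % P


if __name__ == "__main__":
    base = 9                               # Curve25519 base point abscissa
    twist = first_twist_x()
    print("x=9      :", classify(base), "-> 7*P is on", classify(ladder(7, base)))
    print(f"x={twist} :", classify(twist), "-> 5*P is on", classify(ladder(5, twist)))
```

Running it shows the point of the thread in one screen: the same ladder code returns a result for both inputs, and scalar multiples of a twist point stay on the twist, so only `is_on_curve` (the "PointOnCurve check" of the quoted abstract) reveals which group the computation took place in.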
