[curves] Twist security for elliptic curves

Alexandre Anzala-Yamajako anzalaya at gmail.com
Thu Jun 18 14:55:35 PDT 2015

Apologies if this has been raised before.
Has anobody had time to read this paper already :
According to the authors the PointOnCurve check needs to be done even if
the curve is twist-secure and they describe an attack if it was forgotten.

Here is the full abstract :
Several authors suggest that the use of twist secure Elliptic Curves
automatically leads to secure implementations. We argue that even for twist
secure curves a point validation has to be performed. We illustrate this
with examples where the security of EC-algorithms is strongly degraded,
even for twist secure curves.

We show that the usual blindig countermeasures against SCA are insufficient
(actually they introduce weaknesses) if no point validation is performed,
or if an attacker has access to certain intermediate points. In this case
the overall security of the system is reduced to the length of the blinding
parameter. We emphazise that our methods work even in the case of a very
high identification error rate during the SCA-phase.

Alexandre Anzala-Yamajako
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20150618/57ff0e05/attachment.html>

More information about the Curves mailing list