Invalid Curve Attacks in a GLS Setting

In recent years, most speed records for implementations of elliptic curve cryptosystems have been achieved on curves endowed with nontrivial fast endomorphisms, particularly based on the technique introduced by Galbraith, Lin and Scott (GLS). Therefore, studying the security of those curves is of prime importance. In this paper, we examine the applicability of the class of attacks introduced by Biehl et al., known as invalid curve attacks, to cryptographic implementations based on GLS curves. In invalid curve attacks, a cryptographic device that computes a secret scalar multiplication $P \mapsto kP$ on a certain elliptic curve $E/\mathbb{F}_q$ receives as input an arbitrary "invalid" point $\widetilde{P} \notin E(\mathbb{F}_q)$. Biehl et al. observed that the device then computes the scalar multiplication by $k$ on a different elliptic curve $\widetilde{E}/\mathbb{F}_q$, and if that curve is weaker than $E$, the attacker can use the result to recover information about the secret $k$. The attack doesn't readily adapt to the GLS setting, since the device computes the scalar multiplication as $P \mapsto k_1 P + k_2 \psi(P)$, where $\psi$ is the efficient endomorphism of the GLS curve $E$, and if it receives an arbitrary invalid point $\widetilde{P}$ on a curve $\widetilde{E} \ne E$, the computation of the map $\psi$ yields a point on a completely different curve again, and the scalar multiplication outputs gibberish. We show, however, that a large family of invalid points $\widetilde{P}$ lie on a curve stable under $\psi$, and using that observation we can modify the attack of Biehl et al. to effectively recover the secrets $k_1$ and $k_2$, although the result of the computation on an invalid point doesn't have the "correct" discrete logarithm.
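The basic Biehl et al. mechanism that the abstract builds on, shown on a toy curve as an added example (this is not code from the paper, and it does not implement the GLS endomorphism $\psi$). All parameters are constructed: a short-Weierstrass curve $y^2 = x^3 + ax + b$ over $\mathbb{F}_{97}$, a valid base point, and an "invalid" point that shares the base point's $x$-coordinate but not its $y$. The example makes two things visible: the affine group law uses $a$ but never $b$, so an unvalidated implementation silently computes on the curve $\widetilde{E}: y^2 = x^3 + ax + b'$ that the invalid point actually lies on; and the mitigation is a point-validation check before any scalar multiplication. The brute-force point count is there only to show that $\widetilde{E}$ has an unrelated group order.

```python
"""Toy invalid-curve demonstration (added example, constructed parameters).

Curve family: y^2 = x^3 + a*x + b over F_p with p = 97.
Points are affine tuples (x, y); None is the point at infinity.
"""

P_MOD = 97          # constructed toy prime
A = 2               # coefficient a: used by the doubling formula
B = 3               # coefficient b: never used by the group-law formulas
G = (3, 6)          # valid base point: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)


def is_on_curve(pt, a, b, p):
    """Point validation: infinity, or y^2 == x^3 + a*x + b (mod p)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0


def implied_b(pt, a, p):
    """The b' for which pt lies on y^2 = x^3 + a*x + b'.
    With a fixed, every affine point lies on exactly one such curve."""
    x, y = pt
    return (y * y - x * x * x - a * x) % p


def ec_add(p1, p2, a, p):
    """Affine group law. It depends on a, but not on b."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                      # p1 == -p2 (also covers y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k, pt, a, p):
    """Unvalidated double-and-add: what a device that skips the check does."""
    result = None
    addend = pt
    while k:
        if k & 1:
            result = ec_add(result, addend, a, p)
        addend = ec_add(addend, addend, a, p)
        k >>= 1
    return result


def safe_scalar_mult(k, pt, a, b, p):
    """Mitigation: reject any input that is not on the intended curve."""
    if not is_on_curve(pt, a, b, p):
        raise ValueError("input point is not on the expected curve")
    return scalar_mult(k, pt, a, p)


def curve_order(a, b, p):
    """Brute-force #E(F_p) via the Euler criterion; fine for a 7-bit prime."""
    count = 1                             # the point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            count += 1                    # one point with y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:
            count += 2                    # rhs is a square: two y values
    return count


def demo():
    """Feed an invalid point to the unvalidated routine and report what happens."""
    k = 29                                # constructed 'secret' scalar
    q_invalid = (3, 7)                    # same x as G, wrong y: not on E
    b_prime = implied_b(q_invalid, A, P_MOD)
    r = scalar_mult(k, q_invalid, A, P_MOD)   # the device computes anyway
    return {
        "input_valid": is_on_curve(q_invalid, A, B, P_MOD),
        "b_prime": b_prime,
        "output_on_E_tilde": is_on_curve(r, A, b_prime, P_MOD),
        "order_E": curve_order(A, B, P_MOD),
        "order_E_tilde": curve_order(A, b_prime, P_MOD),
    }


if __name__ == "__main__":
    print(demo())
```

The invalid point $(3, 7)$ lies on $\widetilde{E}: y^2 = x^3 + 2x + 16$, and every output of `scalar_mult` on it stays on $\widetilde{E}$, exactly the behaviour the abstract attributes to Biehl et al. Whether $\widetilde{E}$ is "weaker" (has a smooth group order) is a property of $b'$ the attacker gets to choose; the defender's answer is that `safe_scalar_mult` never reaches the arithmetic. The GLS twist described in the abstract, where $\psi$ sends a point on an arbitrary $\widetilde{E}$ to yet another curve, is what this toy does not model.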
