Degenerate curve attacks: extending invalid curve attacks to Edwards curves and other models

Degenerate curve attacks: extending invalid curve attacks to Edwards curves and other models

For access to this article, please select a purchase option:

Buy article PDF
(plus tax if applicable)
Buy Knowledge Pack
10 articles for $120.00
(plus taxes if applicable)

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership 

Recommend Title Publication to library

You must fill out fields marked with: *

Librarian details
Your details
Why are you recommending this title?
Select reason:
IET Information Security — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

Invalid curve attacks are a well known attack class targeting elliptic curve arithmetic implementations. In such attacks, the adversary tricks the cryptographic device into carrying out scalar multiplications on a weaker curve instead of on the expected, secure curve. The original approach of Antipa et al., however, only affects elliptic curve implementations using addition and doubling formulas that are independent of at least one of the curve parameters. This property is satisfied for elliptic curves in Weierstrass form, but not newer, increasingly popular models such as (twisted) Edwards curves. It has, therefore, been suggested that invalid curve attacks would not be applicable against these alternate models. In this study, the authors demonstrate that this is not the case, and present the first attack of this nature against (twisted) Edwards curves, Jacobi quartics, Jacobi intersections, and more. They also extend the analysis to characteristic 2 models, namely binary Huff, Edwards, and Lambda coordinates. They also show that our result may be used constructively as a fault attack countermeasure inspired by Shamir's trick, particularly on curves over random base fields.

Related content

This is a required field
Please enter a valid email address