Cryptology ePrint Archive: Report 2017/554

Trapping ECC with Invalid Curve Bug Attacks

Renaud Dubois

Abstract: In this paper we describe how to use a secret bug as a trapdoor to design a trapped elliptic curve E(Fp). This trapdoor can be used to mount an invalid curve attack on E(Fp). E(Fp) is designed to respect all ECC security criteria (prime order, high twist order, etc.), but for a secret exponent the point is projected onto another, insecure curve. We show how to use this trap with a particular type of time/memory tradeoff to break the ECKCDSA verification process for any public key of the trapped curve. The process is highly undetectable: the chosen defender effort is quadratic in the saboteur's computational effort. This work provides a concrete, hardly detectable and easily deniable example of cryptographic sabotage. While this proof of concept is very narrow, it highlights the necessity of the Full Verifiable Randomness of ECC.

Category / Keywords: public-key cryptography / Bug Attacks, Fault Attacks, ECC, Invalid Curve Attack, ECKCDSA, Kleptography, NSA, Paranoia, Verifiable Randomness, Sabotage-resilient Cryptography

Date: received 7 Jun 2017

Contact author: renaud dubois at thalesgroup com

Version: 20170608:195447
