Paper 2015/577

Twist Insecurity

Manfred Lochter and Andreas Wiemers

Abstract

Several authors suggest that the use of twist-secure elliptic curves automatically leads to secure implementations. We argue that even for twist-secure curves a point validation has to be performed. We illustrate this with examples where the security of EC algorithms is strongly degraded, even for twist-secure curves. We show that the usual blinding countermeasures against SCA are insufficient (actually they introduce weaknesses) if no point validation is performed, or if an attacker has access to certain intermediate points. In this case the overall security of the system is reduced to the length of the blinding parameter. We emphasize that our methods work even in the case of a very high identification error rate during the SCA phase.

Note: I'll be out of office for some days. If necessary you can reach me under manfred.lochter@gmx.de or contact andreas.wiemers@bsi.bund.de

Metadata
Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint.
Keywords: Twist security, deterministic ECDSA, ECDH, random blinding, SCA
Contact author(s): manfred lochter @ bsi bund de
History: 2015-06-17: received
Short URL: https://ia.cr/2015/577
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2015/577,
      author = {Manfred Lochter and Andreas Wiemers},
      title = {Twist Insecurity},
      howpublished = {Cryptology ePrint Archive, Paper 2015/577},
      year = {2015},
      note = {\url{https://eprint.iacr.org/2015/577}},
      url = {https://eprint.iacr.org/2015/577}
}