1 Introduction

Elliptic curve cryptography (ECC) was introduced in the 1980s by Miller [44] and Koblitz [38], following the successful application of elliptic curves to integer factorization [39]. Compared to its finite field alternatives, ECC offers shorter keys, higher speeds, and additional structure that enables constructions such as bilinear pairings. ECC rests on the hardness of the elliptic curve discrete logarithm problem (ECDLP), which has remained intractable so far—for well-chosen curves.

Regardless of the theoretical security of elliptic curve cryptosystems, attacks targeting their implementations are numerous. One particularly powerful attack class is the fault attack [12, 13], which consists in injecting faults before or during a cryptographic operation, and inspecting the resulting output to recover key information. Fault attacks directed at elliptic curve scalar multiplication implementations were first published in [9] and further developed in many other works, including [11, 15, 20, 36].

A conceptually simpler attack pointed out by Antipa et al. [1] and extended in several further works [35, 37], the invalid curve attack, exploits implementations that fail to verify that input points to a scalar multiplication belong to the correct elliptic curve, and where point addition and doubling formulas are independent of at least one curve parameter. In such cases, the attacker can query its target with a specially-crafted point outside of the correct elliptic curve. Then, because the formulas used in the scalar multiplication do not depend on all curve parameters, the implementation really computes a normal scalar multiplication by the same scalar, but on a different curve depending on the invalid input point. Choosing invalid points in such a way that the corresponding curves are weak, the attacker can then quickly recover secret keys from observing the outputs (or the hashed outputs) of the scalar multiplications. Although the attack and recommended countermeasures are well-known to cryptographers, recent research has found that a number of widely-used cryptographic libraries in the wild are vulnerable [29].

The attack of Antipa et al. was originally introduced in the context of elliptic curves in Weierstrass form \(y^2 = x^3+ax+b\), where the usual formulas for point addition and doubling are independent of the curve parameter b. Nowadays, however, alternate elliptic curve models and addition laws are gaining prominence: models such as Montgomery [4, 45] and Edwards [7, 18] curves are being proposed for wide Internet usage, and several others are known to have desirable properties for cryptographic applications [10, 33, 34, 40, 53].

Invalid curve attacks generalize directly to those alternate models provided that the crucial property of independence of the arithmetic on at least one curve parameter is satisfied. But many of the newer models for elliptic curves, including Edwards curves, use all parameters in their most common addition formulas. It is thus reasonable to expect that invalid curve attacks would not apply to those curves. In fact, the use of addition formulas depending on all curve parameters was specifically mentioned by Antipa et al. [1] as a possible countermeasure to thwart their attack.

Our Contribution. In this paper, we re-examine the feasibility of invalid curve attacks against newer elliptic curve models like Edwards curves, and find that a new variant of the attack of Antipa et al. will indeed break the security of implementations that do not carry out proper point validation. The new attack works by reducing the problem of finding the secret scalar to solving discrete logarithms not on a weaker elliptic curve, but in the multiplicative group of the base field, which is easy for typical curve sizes.

The idea behind the attack is roughly to let one of the parameters in the curve family vary, and consider the degenerate curves (those of genus 0) among them. On those special curves, the group law degenerates to the multiplicative group (or in rare cases, the additive group), and while in principle the group formulas should still involve the curve parameter that was made to vary, it often ends up being multiplied by the constant zero for all points on the degenerate curve. As a result, the same formulas as for scalar multiplication on the correct curve yield an exponentiation in the degenerate group.

When only a hash value of the result of the scalar multiplication is provided (as in hashed Diffie–Hellman), our new attack is somewhat less flexible than invalid curve attacks, since it is no longer possible to vary the weak curve as done by Antipa et al. However, using a baby-step-giant-step-like time-memory tradeoff, we show that we can still easily break curves over some of the largest fields commonly used for elliptic curve cryptography, such as \(\mathbb {F}_{2^{521}-1}\).

This new attack underscores the importance of point validation even over newer elliptic curve models.

Finally, the properties we exploit in the attack can also be used constructively, to thwart fault attacks. We present a concrete countermeasure, similar to Shamir’s trick [50], that detects faults injected during scalar multiplication particularly efficiently. This is done by lifting the computation on the elliptic curve over \(\mathbb {F}_p\) to the composite order ring \(\mathbb {Z}/pr\mathbb {Z}\) for some small constant r, and making sure that the component modulo r of the lifted curve is degenerate in the sense mentioned above. Then, verifying that the computation modulo r was correct becomes a simple field exponentiation, which is much faster than the usual scalar multiplication. This technique applies to Weierstrass curves as well as newer models.

Organization of the Paper. In Sect. 2, we provide a rundown of some of the most common curve models and addition laws used in elliptic curve cryptography. In Sect. 3, we first recall the traditional invalid curve attack, and then present our extension of it to newer models of elliptic curves using the degenerate curve technique. In Sect. 4, we explain how the new attack can be applied when only a hash of the result of the scalar multiplication is available. And finally, in Sect. 5, we present our concrete fault attack countermeasure using degenerate curves.

2 Elliptic Curve Models

We begin by presenting the elliptic curve forms and respective group laws studied in this paper. This is not an exhaustive list; there are many other addition laws in the literature, and the interested reader can see an overview of many of them in [8]. Every base field \(\mathbb {F}_p\) throughout this paper is assumed to have characteristic \(\ge 5\).

2.1 Weierstrass Model

The canonical short Weierstrass form of an elliptic curve is given by the equation \(y^2 = x^3 + ax + b\), with a point at infinity \(\mathcal {O}= (0 : 1 : 0)\). Addition on Weierstrass curves is derived directly from the chord and tangent method [52, Chapter III.2]:

$$\begin{aligned} \begin{aligned} \begin{aligned} x_3&= \lambda ^2 - x_1 - x_2 \\ y_3&= \lambda (x_1 - x_3) - y_1 \end{aligned}&\quad \text {where } \lambda = {\left\{ \begin{array}{ll} \frac{y_1-y_2}{x_1-x_2} &{} \text{ if } (x_1, y_1) \ne (x_2, \pm y_2), \\ \frac{3x_1^2 + a}{2y_1} &{} \text{ if } (x_1, y_1) = (x_2, y_2). \end{array}\right. } \end{aligned} \end{aligned}$$
(1)

2.2 Twisted Edwards Model

Edwards curves were introduced in 2007 [7, 18]. Here we look at their generalization, twisted Edwards curves [5], which cover more curves. A twisted Edwards curve is defined by the equation \(ax^2 + y^2 = 1 + dx^2y^2\), with neutral affine point \(\mathcal {O}= (0, 1)\). The general complete group law for twisted Edwards curves is

$$\begin{aligned} (x_3, y_3) = \left( \frac{x_1y_2 + y_1x_2}{1 + dx_1x_2y_1y_2}, \frac{y_1y_2 - ax_1x_2}{1 - dx_1x_2y_1y_2} \right) . \end{aligned}$$
(2)

An addition formula, no longer complete, which does not require the d parameter, was found by Hisil, Wong, Carter, and Dawson [25]:

$$\begin{aligned} (x_3, y_3) = {\left\{ \begin{array}{ll} \left( \frac{x_1y_1 + x_2y_2}{y_1y_2 + ax_1x_2}, \frac{x_1y_1 - x_2y_2}{x_1y_2 - y_1x_2}\right) &{} \text {if } (x_1, y_1) \ne (x_2, y_2), (-x_1, -y_1) \\ \left( \frac{2x_1y_1}{y_1^2 + ax_1^2}, \frac{y_1^2 - ax_1^2}{2 - y_1^2 - ax_1^2}\right) &{} \text {if } (x_1, y_1) = (x_2, y_2) \end{array}\right. }. \end{aligned}$$
(3)

2.3 Huff’s Model

Huff curves are a recently rediscovered elliptic curve model [34] previously used in the study of a certain Diophantine equation [27]. They are defined by the equation \(ax(y^2 - 1) = by(x^2 - 1)\), and have the affine neutral point \(\mathcal {O}= (0, 0)\). Huff’s addition formula, complete for points of odd order, is independent of the curve’s parameters:

$$\begin{aligned} (x_3, y_3) = \left( \frac{(x_1 + x_2)(1 + y_1y_2)}{(1 + x_1x_2)(1 - y_1y_2)}, \frac{(y_1 + y_2)(1 + x_1x_2)}{(1 - x_1x_2)(1 + y_1y_2)} \right) . \end{aligned}$$
(4)

2.4 Hessian Model

The Hessian form of an elliptic curve, introduced in [14] (also in [17, 24, 33, 46, 53]), is defined by the equation \(x^3 + y^3 + 1 = 3dxy\), with a point at infinity \(\mathcal {O}= (1 : -1 : 0)\) as neutral element. The group law is given by

$$\begin{aligned} (x_3, y_3) = {\left\{ \begin{array}{ll} \left( \frac{y_1^2x_2-y_2^2x_1}{x_2y_2-x_1y_1}, \frac{x_1^2y_2-x_2^2y_1}{x_2y_2-x_1y_1} \right) &{} \text {if } (x_1, y_1) \ne (x_2, y_2) \\ \left( \frac{y_1(1 - x_1^3)}{x_1^3 - y_1^3}, \frac{x_1(y_1^3 - 1)}{x_1^3 - y_1^3} \right) &{} \text {if } (x_1, y_1) = (x_2, y_2). \end{array}\right. } \end{aligned}$$
(5)

2.5 Twisted Hessian Model

The twisted Hessian form [6, 8] is defined by the equation \(ax^3 + y^3 + 1 = dxy\), with neutral element \(\mathcal {O}= (0, -1)\). Unlike the original Hessian form, twisted Hessian curves have an affine neutral point and a complete addition formula

$$\begin{aligned} (x_3, y_3) = \left( \frac{x_1 - y_1^2x_2y_2}{ax_1y_1x_2^2 - y_2}, \frac{y_1y_2^2 - ax_1^2x_2}{ax_1y_1x_2^2 - y_2} \right) . \end{aligned}$$
(6)

2.6 Twisted Jacobi Intersections

Jacobi intersections were suggested by Chudnovsky and Chudnovsky [14], and were among the first competitive candidates for fast single-coordinate arithmetic. Here we present Hisil et al.’s generalization [26], defined by the intersection of \(bs^2 + c^2 = 1\) and \(as^2 + d^2 = 1\), with neutral affine point \(\mathcal {O}= (0, 1, 1)\) and complete addition formula

$$\begin{aligned} (s_3, c_3, d_3) = \left( \frac{s_1c_2d_2 + c_1d_1s_2}{1 - abs_1^2s_2^2}, \frac{c_1c_2 - bs_1d_1s_2d_2}{1 - abs_1^2s_2^2}, \frac{d_1d_2 - as_1c_1s_2c_2}{1 - abs_1^2s_2^2} \right) . \end{aligned}$$
(7)

2.7 Extended Jacobi Quartics

Extended Jacobi quartics [14, 26] are defined by the equation \(y^2 = dx^4 + 2ax^2 + 1\), with \(\mathcal {O}= (0, 1)\) and group law

$$\begin{aligned} (x_3, y_3) = \left( \frac{x_1y_2 + y_1x_2}{1 - dx_1^2x_2^2}, \frac{(1 + dx_1^2x_2^2)(y_1y_2 + 2ax_1x_2) + 2dx_1x_2(x_1^2 + x_2^2)}{(1 - dx_1^2x_2^2)^2} \right) . \end{aligned}$$
(8)

3 Invalid Curve Attacks

3.1 Review of the Weierstrass Curve Case

We begin by describing the classic invalid curve attack against short Weierstrass curves \(E_{a,b}:y^2 = x^3 + ax + b\) over the finite field \(\mathbb {F}_p\). The key insight is that the formulas defining the arithmetic on that curve, given by Eq. (1), do not depend on the parameter b of the curve equation. All the curves \(E_{a,b'}\), for every \(b'\), actually share the same addition and doubling formulas.

Now consider a cryptographic device that performs scalar multiplications in \(E_{a,b}(\mathbb {F}_p)\) by a constant secret scalar k, and that, furthermore, does not check that input points actually belong to that curve. An attacker trying to recover k can then query the device on an invalid point \(\widetilde{P} = (\tilde{x}, \tilde{y})\not \in E_{a,b}(\mathbb {F}_p)\). That point belongs to a well-defined curve of the form \(E_{a,b'}\), namely \(E_{a,\tilde{b}}\) with \(\tilde{b} = \tilde{y}^2 - \tilde{x}^3 - a\tilde{x}\). As a result, on input \(\widetilde{P}\), the device actually computes the scalar multiplication \(k\cdot \widetilde{P}\) in the group \(E_{a,\tilde{b}}(\mathbb {F}_p)\) and returns that value.

The discrete logarithm problem in the subgroup \(\langle \widetilde{P} \rangle \) generated by \(\widetilde{P}\) in \(E_{a,\tilde{b}}(\mathbb {F}_p)\) will typically be much easier than in the original group \(E_{a,b}(\mathbb {F}_p)\), and the attacker can even choose the invalid point and curve to make the problem particularly easy. This allows him to efficiently recover k modulo the order of \(\langle \widetilde{P}\rangle \), and then all of k by repeating the process a few times with different invalid curves.

The whole attack can thus be summarized as follows:

  1. Find a curve \(E_{a, \tilde{b}}(\mathbb {F}_p)\) and a point \(\widetilde{P}\) on it such that discrete logarithms in \(\langle \widetilde{P}\rangle \) are easy;

  2. Query the cryptographic device on \(\widetilde{P}\) to get \(k \cdot \widetilde{P}\);

  3. Solve the discrete logarithm in the easy group, revealing \(k \bmod \mathrm{ord}(\widetilde{P})\);

  4. Repeat until k is recovered in its entirety.

Finding a curve and point such that discrete logarithms are easy can be done in several different ways. The original approach, inspired by [41], was to use invalid curves containing subgroups of very small orders and an input point in those subgroups; such curves are easy to find, but quite a few queries are needed to recover all of k.

Another approach is to use a curve of smooth order [43]: this is somewhat harder to construct, but may allow a full recovery of k in a single query. Alternatively, using a singular curve [35] yields a discrete logarithm problem in a form of the multiplicative group over \(\mathbb {F}_p\) (or the additive group when \(a=0\)), which is typically easy to solve and again makes the single-query recovery of k possible [28, Sect. 3.7].

The attack also extends to the situation when the cryptographic device only returns a hash of the resulting point of the scalar multiplication (the hashed Diffie–Hellman setting): in that case, the small subgroup approach is typically the most efficient. That is the approach taken by Jager, Schwenk and Somorovsky in their paper attacking ECDH key exchange in actually deployed TLS libraries [29].

3.2 Parameter-Independent Formulas

The invalid curve attack translates easily to the case of alternate curve models for which the addition and doubling formulas are independent of at least one of the curve parameters: when querying the cryptographic device on a point \(\widetilde{P}\) outside of the valid curve E, the computations still amount to a scalar multiplication on a different curve \(\widetilde{E}\) in the same family, obtained by adjusting the independent parameter appropriately.

This is the case for (twisted) Hessian and Huff curves. Additionally, efficient d-less formulas exist for Edwards curves (cf. Eq. (3)), Jacobi quartics and Jacobi intersections [26].

On the other hand, in the case of addition laws depending on all curve parameters, the result of sending an arbitrary invalid input point to the device can no longer be interpreted as a scalar multiplication on a well-defined invalid curve: the attack of Antipa et al. does not generalize directly to that setting.

3.3 Our New Approach: The Degenerate Curve Attack Against Edwards Curves

As is easily observed in Eq. (2), the typical Edwards addition formulas depend on all curve parameters and are therefore not vulnerable to the original invalid curve attack as described above. However, there is one interesting property of this addition law that helps us transfer elliptic curve discrete logarithms to the curve’s underlying field, rendering them solvable by sieve methods [16, 21].

Theorem 1

Let \(E_{a,d}\) be a twisted Edwards curve over \(\mathbb {F}_p\). The subset \(\widetilde{G}\subset \mathbb {F}_p^2\) of the affine plane consisting of points of the form (0, y), \(y\ne 0\), endowed with the addition law defined by the same formula as \(E_{a,d}\), given by Eq. (2), forms a group isomorphic to \(\mathbb {F}_p^*\) under the isomorphism \(y\mapsto (0,y)\).

Proof

The map \(\varphi :\mathbb {F}_p^*\rightarrow \widetilde{G}\), \(y\mapsto (0,y)\) is by definition a bijection. It suffices to check that it is a homomorphism to conclude. But this is indeed the case since adding the points \((0,y_1)\) and \((0,y_2)\) yields, according to Eq. (2):

$$\begin{aligned} \varphi (y_1)+\varphi (y_2) = \left( \frac{0\cdot y_2 + y_1\cdot 0}{1 + d\cdot 0\cdot 0\cdot y_1 y_2}, \frac{y_1 y_2 - a\cdot 0\cdot 0}{1 - d\cdot 0\cdot 0\cdot y_1 y_2} \right) = (0, y_1y_2) = \varphi (y_1y_2) \end{aligned}$$

as required.    \(\square \)

As a result, given a cryptographic device performing scalar multiplications in the group \(E_{a,d}(\mathbb {F}_p)\) without input point validation, as in the original attack of Sect. 3.1, an attacker can send as input an invalid point \(\widetilde{P}\) of the form \((0,\tilde{y})\), and receive as result the scalar multiplication of \(\widetilde{P}\) by the secret k in the group \(\widetilde{G}\), namely \((0,\tilde{y}^k)\). Therefore, recovering k is reduced to solving the discrete logarithm problem in the multiplicative group \(\mathbb {F}_p^*\), which as we have mentioned above is much easier than in \(E_{a,d}(\mathbb {F}_p)\) owing to well-known subexponential attacks.

For elliptic curve sizes used in practice (up to 500 or so bits), the finite field discrete log is easy! By choosing y as a generator of \(\mathbb {F}_p^*\) (which is always a cyclic group), the attacker can thus recover all of k in a single query. This yields our generalization of invalid curve attacks to the case of Edwards curves: we call this attack a degenerate curve attack for reasons that will become apparent shortly.

Remark 1

An obvious but important observation is that, while we have described our attack in affine coordinates, it also works in the (likely) case when the device performs its computation in projective coordinates, using the projective versions of the same group operations. It is straightforward to check, for example, that \((0:Y_1:1)+(0:Y_2:1) = (0:Y_1Y_2:1)\) (and generalizations with other values of the Z-coordinates go through similarly).

One can wonder why, despite the dependence of the group law Eq. (2) on all curve parameters, we can still find an invalid curve in the affine plane where the same formulas induce a group structure. A rough explanation is as follows. First, the y-axis \(Y:x=0\) in the plane is actually a limit (in the usual sense of one-parameter families) of the twisted Edwards curves \(E_{a,d}\) for fixed d: it is the fiber above \(a=\infty \). This is easily seen by rewriting the equation of \(E_{a,d}\) in terms of \(a'=1/a\), as \(x^2 + a'y^2 = a'(1+dx^2y^2)\), and setting \(a'=0\). Since Y is of genus 0, the Edwards group law should degenerate on Y (minus a finite number of points) as the additive or the multiplicative group. The expression of the group law need not a priori be the same as on the original curve \(E_{a,d}\) itself, but it does turn out to be the case, because the only term depending on the parameter a cancels out along \(Y:x=0\).

Now the line Y is not itself singular (although it should perhaps really be seen as the non-reduced double line \(x^2=0\)), but it is where the family degenerates, hence the name of our attack.

3.4 Degenerate Curve Attacks Against Other Models

The idea of the previous attack generalizes easily to other models of elliptic curves, including all of those mentioned in Sect. 2. We now describe those generalizations in affine coordinates below; they of course also work in projective coordinates.

Extended Jacobi Quartics. Let \(E_{a,d}:y^2 = dx^4 + 2ax^2 + 1\) be an extended Jacobi quartic curve over \(\mathbb {F}_p\), and consider the set \(\widetilde{G}\) of points in \(\mathbb {F}_p^2\) of the form (0, y), \(y\ne 0\). Endow this set with the same addition law as \(E_{a,d}\), defined by Eq. (8). It then forms a group isomorphic to \(\mathbb {F}_p^*\) under the isomorphism \(\varphi :y\mapsto (0,y)\). Indeed, this map is a bijection and we have:

$$\begin{aligned} \varphi (y_1)+\varphi (y_2)&= \left( \frac{0\cdot y_2 + y_1\cdot 0}{1 - d\cdot 0\cdot 0}, \frac{(1+d\cdot 0\cdot 0)(y_1 y_2 + 2a\cdot 0\cdot 0) + 2d\cdot 0\cdot 0\cdot 0}{(1 - d\cdot 0\cdot 0)^2} \right) \\ {}&= (0, y_1y_2) = \varphi (y_1y_2), \end{aligned}$$

so \(\varphi \) is an isomorphism as required.

Therefore, we can carry out our attack as before, by sending to a device performing scalar multiplications on \(E_{a,d}\) the invalid input point (0, y) for some generator y of \(\mathbb {F}_p^*\).

In this case, the y-axis appears as the degenerate limit of the family \(E_{a,d}\) for fixed a and varying d, taken for \(d=\infty \).

Twisted Jacobi Intersections. Let \(E_{a,b}:bs^2+c^2 = as^2+d^2 = 1\) be a twisted Jacobi intersection over \(\mathbb {F}_p\), and consider the sets \(\widetilde{G}_1\) and \(\widetilde{G}_2\) of points in \(\mathbb {F}_p^3\) of the form (0, c, 0), \(c\ne 0\), and (0, 0, d), \(d\ne 0\), respectively. Endow both of these sets with the same addition law as \(E_{a,b}\), defined by Eq. (7). Then they form groups isomorphic to \(\mathbb {F}_p^*\) under the isomorphisms \(\varphi _1:c\mapsto (0,c,0)\) and \(\varphi _2:d\mapsto (0,0,d)\) respectively. Indeed, those maps are both bijections and we have:

$$\begin{aligned} \varphi _1(c_1)+\varphi _1(c_2)&= \left( \frac{0\cdot c_2\cdot 0 + c_1\cdot 0\cdot 0}{1 - ab\cdot 0\cdot 0}, \frac{c_1 c_2 - b\cdot 0\cdot 0\cdot 0\cdot 0}{1 - ab\cdot 0\cdot 0}, \frac{0\cdot 0 - a\cdot 0\cdot c_1\cdot 0\cdot c_2}{1 - ab\cdot 0\cdot 0} \right) \\ {}&= (0, c_1c_2, 0) = \varphi _1(c_1c_2) \end{aligned}$$

and similarly for \(\varphi _2\) by symmetry.

This provides two families of invalid points using which we can carry out our attack exactly as before.

Twisted Hessian Curves. The case of twisted Hessian curves is somewhat less interesting, since this model has a group law independent of the curve parameter d, and hence the original invalid curve attack applies to it. Nevertheless, we can mention for completeness that our approach generalizes rather directly to those curves as well.

Indeed, if \(E_{a, d}:ax^3+y^3+1=dxy\) is a twisted Hessian curve, the map \(\varphi :y\mapsto (0,-y)\) defines an isomorphism between \(\mathbb {F}_p^*\) and the set of elements of the form (0, y), \(y\ne 0\) in \(\mathbb {F}_p^2\) endowed with the same addition law as \(E_{a,d}\), defined by Eq. (6). Indeed:

$$\begin{aligned} \varphi (y_1)+\varphi (y_2)&= \left( \frac{0 + y_1^2\cdot 0\cdot y_2}{-a\cdot 0\cdot y_1\cdot 0 + y_2}, \frac{-y_1y_2^2 - a\cdot 0\cdot 0}{-a\cdot 0\cdot y_1\cdot 0 + y_2} \right) \\ {}&= (0, -y_1y_2) = \varphi (y_1y_2). \end{aligned}$$

Huff Curves. As with Hessian curves, Huff curves have a parameter-independent group law and hence are not the most relevant setting for us, but we can again extend our attack to them.

For the Huff curve \(E_{a,b}:ax(y^2-1) = by(x^2-1)\) with the group law of Eq. (4), we can consider the set \(\widetilde{G}\) of points in \(\mathbb {F}_p^2\) of the form (0, y). The sum of two such points under the addition law given by the same formula is given by:

$$\begin{aligned} (0,y_1)+(0,y_2)&= \left( \frac{0\cdot (1+y_1y_2)}{1\cdot (1-y_1y_2)}, \frac{(y_1+y_2)\cdot 1}{1\cdot (1+y_1y_2)} \right) = \left( 0, \frac{y_1+y_2}{1+y_1y_2}\right) . \end{aligned}$$

Thus, if we consider the map \(\varphi :\mathbb {F}_p^*\rightarrow \widetilde{G}\) defined outside \(-1\) by \(\varphi (t) = \big (0, (1-t)/(1+t)\big )\), it is easy to check that \(\varphi (t_1)+\varphi (t_2) = \varphi (t_1t_2)\), and therefore we again have a group isomorphic to \(\mathbb {F}_p^*\) to carry out our attack.

Remark 2

It may be worth noting that for some curve models, we are also able to find degenerate curves on which the addition law induces a group structure isomorphic to the twisted form of the multiplicative group (i.e. the subgroup of order \(p+1\) of elements of norm 1 in \(\mathbb {F}_{p^2}^*\)). Huff curves offer a simple concrete example: consider the set of points of the form \((x,x)\in \mathbb {F}_p^2\) with the Huff addition law of Eq. (4). The sum of two such points is given by \((x_1,x_1)+(x_2,x_2) = (x_3,x_3)\) where

$$\begin{aligned} x_3 = \frac{x_1 + x_2}{1 - x_1x_2}. \end{aligned}$$

When \(-1\) is a quadratic nonresidue in \(\mathbb {F}_p\), this is well-known to be the so-called “compressed form” of the twisted multiplicative group [49].

Fig. 1. Basic unauthenticated elliptic curve Diffie–Hellman protocol, under which invalid curve attacks may be mounted. The protocol works over a curve \(E_{a, b}(\mathbb {F}_p)\), with a generator point P of prime order n. \(\text {KDF}(\cdot )\) is an arbitrary key-derivation function taking points of \(E_{a, b}(\mathbb {F}_p)\) as input; E(KM) is taken to be some authenticated encryption primitive, e.g., AES–GCM.

4 The Hashed Case

The previous section considered attacks on a cryptographic device that performs elliptic curve scalar multiplications without validation of input points, and returns the actual result of the scalar multiplication. This is a somewhat idealized attack model, however.

One real-world protocol where a similar situation arises is (static) Diffie–Hellman key exchange over elliptic curves, one variant of which is presented in Fig. 1. In an invalid curve attack on that protocol, Bob would send Alice his invalid point B, and Alice would use it to compute the product \(k_A\cdot B\) where \(k_A\) is her static secret key. The resulting point \(k_A\cdot B\) is not directly sent back to Bob, however, but used to derive a key \(K = \text {KDF}(k_A\cdot B)\) used in subsequent communication. In effect, what Bob receives is the image of \(k_A\cdot B\) under a fixed, public one-way function, usually with low collision probability (in Fig. 1, it would be the authentication message M).

We model that situation by considering an oracle which, on input of a point P (still unvalidated), computes the scalar multiplication \(k\cdot P\) by a fixed secret k, and returns the image \(H(k\cdot P)\) of the result under a public hash function H. In that more restrictive setting, degenerate curve attacks are not as devastating as previously described, but we will see that it is often still possible to recover k quite quickly in practice, depending on the smoothness of the order \(p-1\) of \(\mathbb {F}_p^*\) (or of \(p+1\) in the case of degenerate groups isomorphic to the twisted multiplicative group; we will describe the attack in the \(\mathbb {F}_p^*\) case to fix ideas).

The idea is simply to apply the Pohlig–Hellman algorithm [47]. Using the naive variant of the algorithm, the attacker can, for each prime divisor \(\ell \) of \(p-1\), choose a point \(\widetilde{P}\) of order \(\ell \) in the degenerate group, obtain \(H(k\cdot \widetilde{P})\) from the oracle, and perform an exhaustive search in the subgroup \(\langle \widetilde{P}\rangle \) to find the point \(\widetilde{Q}\) such that \(H(k\cdot \widetilde{P})=H(\widetilde{Q})\), revealing k mod \(\ell \). Prime powers are dealt with similarly, and in the end the attacker recovers all of k with only a few oracle queries, in time quasilinear in the largest prime factor \(P_1(p-1)\) of \(p-1\). Furthermore, if a higher query complexity is acceptable, we can use Shanks’ baby-step giant-step time-memory tradeoff [51] to recover k in time quasilinear in \(\sqrt{P_1(p-1)}\), also using a number of queries and a space complexity quasilinear in \(\sqrt{P_1(p-1)}\).

In general, even \(\sqrt{P_1(p-1)}\) need not be much smaller than the complexity of the discrete logarithm problem in the original curve. However, newer models like Edwards curves are often used over special base fields \(\mathbb {F}_p\) with particularly efficient arithmetic. Table 1 lists those efficient primes for usual curve sizes together with the bit size of \(P_1(p-1)\), and we can see that for many of them, the degenerate curve attack is quite efficient: for example, for curves over the Mersenne prime field \(\mathbb {F}_{2^{521}-1}\) (used to construct the highest security elliptic curves, including E-521 [2]), the complexity of an \(\mathbb {F}_p^*\) degenerate curve attack would be around \(O(2^{44})\), which is very practical. And it would be \(O(2^{57.5})\), also quite fast, over \(\mathbb {F}_{2^{448} - 2^{224} - 1}\), the field of definition of Ed448-Goldilocks [22].

Table 1. For primes p suitable for fast elliptic curve cryptography [23], size in bits of the largest prime factor of \(p-1\) and \(p+1\), and complexity of our BSGS-style hashed Diffie–Hellman attack in \(\mathbb {F}_p^*\) (\((p-1)\) attack) and in the twisted multiplicative group (\((p+1)\) attack).

5 A Fault Attack Countermeasure

Soon after the announcement of the Bellcore attack on RSA, Shamir proposed a countermeasure [50] that relies on the Chinese remainder theorem to detect faults during modular exponentiation. The basic idea of Shamir is to replace computations modulo a prime p by computations in the ring modulo the composite pr, where r is a small randomly-selected integer, and then compare the result modulo r against an independent equivalent computation modulo r.

While Shamir’s trick works well on RSA, due to its simple structure, it is trickier to apply this countermeasure to the elliptic curve case. Nevertheless, countermeasures based on Shamir’s trick have been devised. The first one was invented by Blömer, Otto, and Seifert [11] (BOS), and consisted of two elliptic curve scalar multiplications—one over \(\mathbb {Z}/pr\mathbb {Z}\), the other over \(\mathbb {Z}/r\mathbb {Z}\). Baek and Vasyltsov [3] suggested the use of the curve \(Y^2Z + pYZ^3 = X^3 + aXZ^4 + BZ^6\) over \(\mathbb {Z}/pr\mathbb {Z}\), where \(B = y^2 + py - x^3 - ax\), which is clearly equivalent to the original when reduced modulo p. This method is limited to projective coordinates, since not every intermediate result may have an inverse in the extended ring. Their method also has some potential weaknesses owing to its reliance on random integers r instead of adequately selected primes [31]. It has recently been pointed out that the original BOS countermeasure is not correct when coupled with group laws containing exceptions [48], and thus group laws used in BOS-like countermeasures must be test-free.

More recently, Joye [30, 32] proposed a variant of the BOS countermeasure, where one works instead over \(\mathbb {Z}/pr^2\mathbb {Z}\) (resp. \(\mathbb {Z}/r^2\mathbb {Z}\)). To accelerate the second scalar multiplication, Joye takes advantage of the isomorphism between the set of points of \(E(\mathbb {Z}/r^2\mathbb {Z})\) that reduce to the neutral point modulo r, and the additive group \(\mathbb {F}_r^+\). For example, the set of affine points \((\alpha r, 1) \in E(\mathbb {Z}/r^2\mathbb {Z})\), coupled with the Edwards group law, yields the useful identity \(k \cdot (\alpha r, 1) = (k \cdot \alpha r, 1) \pmod {r^2}\), which can be used to detect a fault very efficiently. Our proposed countermeasure is conceptually similar, but takes advantage of the multiplicative and additive identities of degenerate curves described in Sect. 3 instead. The countermeasure is described, in its most general form, in Algorithm 1.

Algorithm 1 (pseudocode figure not reproduced).

One can view our proposed countermeasure as the BOS [11] countermeasure coupled with a “shortcut” f(k, P) to compute the second scalar multiplication—\(k\cdot P\) in \(E (\mathbb {F}_r)\)—much faster than by using the standard formulas. This shortcut takes different forms depending on which curve shape we are working over. Generically, we begin by picking a curve \(E_r\) over \(\mathbb {F}_r\) for which there is at least one point for which scalar multiplication is easy to compute. Then, the extended curve \(E'\) is the direct product \(E'(\mathbb {Z}/pr\mathbb {Z}) = E(\mathbb {F}_p) \times E_r(\mathbb {F}_r)\), and the countermeasure consists of checking whether \(k \cdot P' \in E'\), reduced modulo r, equals the same multiplication performed independently in \(E_r\). The correctness of this method follows from the correctness of BOS [11]; our concrete contribution is the shortcuts taken to reduce the computation overhead of the scalar multiplication in \(E_r\). The following considers two popular shapes—Weierstrass and Edwards curves—but others are similarly easy to derive.

5.1 Weierstrass Curves

In Weierstrass curves, we may take advantage of the unique singular curve \(y^2 = x^3\). This curve is notable for degenerating into the additive group \(\mathbb {F}_r^+\) via the map \((x, y) \mapsto x / y\) and \(\infty \mapsto 0\), with inverse \(t \mapsto (t^{-2}, t^{-3})\) and \(0 \mapsto \infty \) [28, Sect. 3.7]. This immediately suggests a very efficient shortcut map for \(E_r\):

$$\begin{aligned} f(k, P) = \left( (k t)^{-2}, (k t)^{-3} \right) , \end{aligned}$$

where \(t = x / y\) or \(t = 0\) if \(P = \infty \).

The resulting correctness test only requires a few multiplications modulo r, which is more efficient than both BOS [11] and Baek–Vasyltsov [3], and is comparable with Joye’s approach [30]. Note that the inversions are avoidable by using projective coordinates.

5.2 Edwards Curves

Unlike Weierstrass curves, Edwards curves do not have any additive degeneration. However, we can use the results of Sect. 3.3 to devise a similar countermeasure using a multiplicative degeneration. The shortcut map for \(E_r\) is

$$\begin{aligned} f(k, P) = \left( 0, y^k \right) ~, \end{aligned}$$

where \(P = (0, y)\) for any \(y \notin \{0, 1\}\) that generates the group \(\mathbb {F}_r^{*}\). In this case the computational overhead is larger than in the Weierstrass case—a modular exponentiation modulo r—but is still far cheaper than a scalar multiplication.
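The following Python is an added example (not code from the paper) that implements the twisted Edwards addition of Eq. (2) and uses it both for the Theorem 1 identity of Sect. 3.3, where an unvalidated input (0, y) turns scalar multiplication into the exponentiation (0, y^k) that the on-curve check must reject, and for the Sect. 5.2 countermeasure, which lifts the input to \(\mathbb {Z}/pr\mathbb {Z}\) with degenerate component (0, y_r) modulo r and compares the result modulo r with the shortcut (0, y_r^k). It assumes Ed25519's parameters and base point, r = 2^31 - 1 with generator 7, a demo scalar and a single bit-flip fault model; these are constructed choices.

```python
# Added example, not code from the paper: twisted Edwards arithmetic of Eq. (2) over Z/nZ,
# used (i) for the Theorem 1 identity behind the degenerate curve attack and the point
# validation that stops it, and (ii) for the Sect. 5.2 fault check over Z/prZ.
# Constructed choices: Ed25519 parameters and base point, r = 2^31 - 1 with generator 7.
P25519 = 2**255 - 19
A25519 = P25519 - 1                                       # a = -1
D25519 = (-121665 * pow(121666, -1, P25519)) % P25519     # d = -121665/121666
K_DEMO = 2**200 + 12345                                   # constructed demo scalar
R_SMALL, Y_R = 2**31 - 1, 7                               # 7 is a primitive root mod 2^31 - 1

def on_curve(pt, a, d, n):
    """Point validation: a*x^2 + y^2 == 1 + d*x^2*y^2 (mod n); rejects (0, y) unless y = +-1."""
    x, y = pt
    return (a * x * x + y * y - 1 - d * x * x * y * y) % n == 0

def ed_add(p1, p2, a, d, n):
    """Complete twisted Edwards addition, Eq. (2), in affine coordinates modulo n (n = p or p*r)."""
    x1, y1 = p1
    x2, y2 = p2
    t = d * x1 * x2 * y1 * y2 % n
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % n, -1, n)    # pow raises ValueError if not invertible
    y3 = (y1 * y2 - a * x1 * x2) * pow((1 - t) % n, -1, n)
    return (x3 % n, y3 % n)

def scalar_mult(k, pt, a, d, n, fault_step=None):
    """Left-to-right double-and-add with NO point validation (the vulnerable pattern).
    If fault_step is set, a glitch is simulated by flipping one bit of x after that step."""
    acc = (0, 1)                                           # neutral element
    for i, bit in enumerate(bin(k)[2:]):
        acc = ed_add(acc, acc, a, d, n)
        if bit == "1":
            acc = ed_add(acc, pt, a, d, n)
        if i == fault_step:
            acc = (acc[0] ^ (1 << 40), acc[1])
    return acc

def decompress_y(y, a, d, p):
    """Recover x with (x, y) on the curve from x^2 = (y^2 - 1)/(d*y^2 - a); assumes p = 5 (mod 8)."""
    x2 = (y * y - 1) * pow((d * y * y - a) % p, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p:
        x = x * pow(2, (p - 1) // 4, p) % p                # multiply by a square root of -1
    if (x * x - x2) % p:
        raise ValueError("y is not the y-coordinate of a curve point")
    return x if x % 2 == 0 else p - x

BASE_Y = 4 * pow(5, -1, P25519) % P25519                   # the Ed25519 base point has y = 4/5
BASE = (decompress_y(BASE_Y, A25519, D25519, P25519), BASE_Y)

def crt_lift(pt, r, y_r, p):
    """Lift P in E(F_p) to P' over Z/prZ with P' = P (mod p) and P' = (0, y_r) (mod r)."""
    x, y = pt
    n = p * r
    e_p = r * pow(r, -1, p) % n                            # 1 mod p, 0 mod r
    e_r = p * pow(p, -1, r) % n                            # 0 mod p, 1 mod r
    return (x * e_p % n, (y * e_p + y_r * e_r) % n)

class FaultDetected(Exception):
    pass

def protected_scalar_mult(k, pt, r=R_SMALL, y_r=Y_R, fault_step=None):
    """Sect. 5.2 countermeasure: one scalar multiplication over Z/prZ, then compare its
    component modulo r with the shortcut f(k, P) = (0, y_r^k), a single exponentiation."""
    p, n = P25519, P25519 * r
    if not on_curve(pt, A25519, D25519, p):                # validation first (Sect. 3.3)
        raise ValueError("input point is not on the curve")
    try:
        # a and d are integers below p, so they reduce to the correct parameters mod p;
        # their residues mod r are irrelevant because x = 0 cancels them (Theorem 1).
        xr, yr = scalar_mult(k, crt_lift(pt, r, y_r, p), A25519, D25519, n, fault_step)
    except ValueError:
        raise FaultDetected("non-invertible denominator") from None
    if (xr % r, yr % r) != (0, pow(y_r, k, r)):
        raise FaultDetected("component modulo r does not match the shortcut")
    return (xr % p, yr % p)

def fault_is_detected(k, pt, step):
    """True if a glitch injected after double-and-add step `step` is caught by the check."""
    try:
        protected_scalar_mult(k, pt, fault_step=step)
        return False
    except FaultDetected:
        return True

def demo():
    """Returns (Theorem 1 identity holds, (0, 7) rejected by validation,
    protected result equals the plain F_p result, injected fault detected)."""
    degenerate = scalar_mult(K_DEMO, (0, 7), A25519, D25519, P25519)
    plain = scalar_mult(K_DEMO, BASE, A25519, D25519, P25519)
    return (degenerate == (0, pow(7, K_DEMO, P25519)),
            not on_curve((0, 7), A25519, D25519, P25519),
            protected_scalar_mult(K_DEMO, BASE) == plain,
            fault_is_detected(K_DEMO, BASE, 100))
```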

5.3 Comparison with Previous Countermeasures

The above methods offer some advantages relative to previous Shamir-inspired fault attack countermeasures:

  • Only one full-fledged scalar multiplication is required. This is in contrast with Blömer–Otto–Seifert [11, Sect. 8] which requires 2 scalar multiplications—one modulo pr, another modulo r. In the case of Weierstrass curves, our countermeasure is faster than any other targeting the same curve shape.

  • Works both in affine and projective coordinates. This is in contrast with Baek–Vasyltsov [3], which, because it works on Weierstrass curves, breaks down when faced with the corner cases in the addition and doubling formulas of those curves.

Although our method may not suit every use case, it is another useful tool for hardened implementations of elliptic curves. It is particularly suitable for implementations of curves over random primes, which hardware implementers tend to favor [42], since multiplication modulo pr is straightforward to implement, and the overhead remains small. On the other hand, highly structured primes, usually very close to a power of 2, would likely suffer a higher performance impact, since modular reduction would no longer be a linear-time operation.