
On this webpage, Daniel Bernstein offers that the curve must be quadratic twisted secure. This means that if the curve has $\#E$ points on $Z_p$ where $\#E=p+1-t$, then the quadratic twist curve has $\#E'=p+1+t$ points. The condition for quadratic twisted secure curves is that the cofactor of a quadratic twist curve is low. For example, the cofactor of a curve is 8 and the cofactor of a quadratic twist curve is 4 in twisted Edwards curves.

If the above condition isn't satisfied, then which attacks can be applied to the curve? Please list all proposed attacks. Are all of the attacks side-channel?

Patriot
Mahdi Mahdavi

1 Answer

For Edwards curves the arithmetic is typically implemented using the Montgomery ladder, and the algorithm works both for the curve and its quadratic twist. (Note that for Weierstrass curves $y^2 = x^3 + ax + b$, the arithmetic formulas depend only on $a$ and so the algorithm works for a larger set of curves - arbitrary $b$).

This allows an adversary to send a point on the twist to the application and it will perform the scalar multiplication on the twist (using the same private key!). If the twist has insecurity against discrete log (=smooth order), then the adversary can recover the private key.

Of course, requiring strong twist is only a precaution against poor implementations - the application should check that the submitted point belongs to the main curve - and then the attack won't work even if the twist is weak.

Fractalice
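The two points of the answer above, that an x-only Montgomery ladder happily runs on twist points with the same private scalar, and that a point-validity check stops this regardless of the twist's strength, can be made concrete on Curve25519. The following is an added example, not code from the answer or from any library: it implements the RFC 7748 ladder for $v^2 = u^3 + 486662u^2 + u$ over $\mathbb{F}_{2^{255}-19}$, an `on_curve` check (Legendre symbol of the right-hand side), and a wrapper that refuses twist points. It also computes $\#E' = 2(p+1) - \#E$ from the subgroup order $\ell$ and shows that Curve25519's twist has cofactor 4 over a probable prime, which is why this particular curve is called twist-secure. The helper names and the scalars used in the usage section are constructed for the example.

```python
# Added example (not from the original Q&A): Curve25519 point validation versus
# ladder arithmetic on the quadratic twist.  Montgomery form: v^2 = u^3 + A u^2 + u.
P = 2**255 - 19                                             # field prime
A = 486662                                                  # Montgomery coefficient
A24 = (A - 2) // 4                                          # = 121665, ladder constant
ORDER_L = 2**252 + 27742317777372353535851937790883648493   # prime order of base point
CURVE_ORDER = 8 * ORDER_L                                   # #E(F_p)  = p + 1 - t
TWIST_ORDER = 2 * (P + 1) - CURVE_ORDER                     # #E'(F_p) = p + 1 + t
BASE_U = 9                                                  # standard base point u


def rhs(u):
    """Right-hand side u^3 + A u^2 + u of the curve equation, mod P."""
    u %= P
    return (u * u * u + A * u * u + u) % P


def legendre(a):
    """Legendre symbol (a/P): 0, +1 (square) or -1 (non-square)."""
    a %= P
    if a == 0:
        return 0
    return 1 if pow(a, (P - 1) // 2, P) == 1 else -1


def on_curve(u):
    """True if u is the u-coordinate of a point on Curve25519 itself.
    A non-square rhs(u) means u belongs to a point on the quadratic twist."""
    return legendre(rhs(u)) != -1


def first_twist_u():
    """Smallest positive u that lies on the twist (constructed test input)."""
    u = 1
    while on_curve(u):
        u += 1
    return u


def ladder(k, u):
    """x-only Montgomery ladder (RFC 7748 shape).  Returns u(k*P) for the
    point P with u-coordinate u, or 0 for the point at infinity.  Nothing here
    depends on whether u is on the curve or on the twist: the formulas only
    use A, so the same scalar k is applied to twist points unchanged."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(k.bit_length() - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)                 # differential addition
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P                        # doubling
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P           # z2 == 0 (infinity) yields 0


def scalar_mult_checked(k, u):
    """The mitigation from the answer: validate the peer's point before using
    the private scalar on it.  Twist points are rejected outright."""
    if not on_curve(u):
        raise ValueError("u-coordinate is on the twist, not on Curve25519")
    return ladder(k, u)


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; enough to classify the twist's big factor."""
    if n < 2:
        return False
    for q in bases:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def twist_summary():
    """(cofactor, prime part) of the twist order, assuming #E' = 4 * prime.
    A twist whose order were smooth instead is the case the answer warns about."""
    h = 4
    q = TWIST_ORDER // h
    if TWIST_ORDER % h != 0 or not is_probable_prime(q):
        raise ValueError("twist order is not 4 times a probable prime")
    return h, q


if __name__ == "__main__":
    u_t = first_twist_u()
    k = 0x1234567            # constructed private scalar
    print("base point on curve:", on_curve(BASE_U), "| u =", u_t, "on curve:", on_curve(u_t))
    print("ladder still computes on the twist point:", ladder(k, u_t))
    print("twist order annihilates it:", ladder(TWIST_ORDER, u_t) == 0)
    h, q = twist_summary()
    print("twist cofactor:", h, "| prime part bits:", q.bit_length())
    try:
        scalar_mult_checked(k, u_t)
    except ValueError as err:
        print("checked multiplication rejected it:", err)
```

The check in `on_curve` is exactly what an X25519-style implementation can afford to skip only because the twist is strong; for a curve whose twist had a large, smooth cofactor, a peer-supplied twist point would push the secret scalar into a group where the discrete log is cheap, so the validation (or an explicitly twist-secure curve) is the defence.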