On Thu, Jun 18, 2015 at 2:55 PM, Alexandre Anzala-Yamajako <[email protected]> wrote:
>
> Apologies if this has been raised before.
> Has anybody had time to read this paper already:
> http://eprint.iacr.org/2015/577
> According to the authors the PointOnCurve check needs to be done even if the
> curve is twist-secure and they describe an attack if it was forgotten.
>
> Here is the full abstract:
> Several authors suggest that the use of twist secure Elliptic Curves
> automatically leads to secure implementations. We argue that even for twist
> secure curves a point validation has to be performed. We illustrate this with
> examples where the security of EC-algorithms is strongly degraded, even for
> twist secure curves.
>
> We show that the usual blinding countermeasures against SCA are insufficient
> (actually they introduce weaknesses) if no point validation is performed, or
> if an attacker has access to certain intermediate points. In this case the
> overall security of the system is reduced to the length of the blinding
> parameter. We emphasize that our methods work even in the case of a very high
> identification error rate during the SCA-phase.
I was extremely unimpressed with the paper, which shows the opposite from the introduction. In the paper it's assumed that we have an implementation which will operate on the curve or on the twist. Without twist security, this implementation is obviously broken. With twist security, they need an SCA attack, which is only possible because the blinding length is shorter than the scalar. The paper summarizes this as twist security being harmful, by arguing that the necessary checks are removed by using a twist-secure curve. But one could also summarize this as twist security turning an easy to mount attack

I'm unaware of anyone making the claims attributed in the paper. All DJB has said is that twist security removes the need for point validation on the Montgomery ladder without SCA considerations, and that's all that his implementations claim also. (Yes, they are resistant to timing attacks, but that's a slightly different set of considerations: there is nothing claimed about EM side channels.)

Furthermore, I'm unaware of protocols that can be attacked with what is in this paper: most points are hashed, and signatures do not take attacker-controlled input. Using large blinding factors solves this problem, and was proposed when the question of side-channel resistance for special primes was discussed in the CFRG.

Sincerely,
Watson Ladd

> --
> Alexandre Anzala-Yamajako
>
> _______________________________________________
> Curves mailing list
> [email protected]
> https://moderncrypto.org/mailman/listinfo/curves

--
"Man is born free, but everywhere he is in chains". --Rousseau.
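The "point validation" the abstract and the reply argue about is, for a Montgomery curve, the check that a received u-coordinate actually corresponds to a point on the curve rather than on its quadratic twist. The following is an added example written for this archive page; it is not code from the thread, from the paper, or from any of the implementations discussed. It assumes the Curve25519 parameters (p = 2^255 - 19, A = 486662, equation v^2 = u^3 + A u^2 + u) and the RFC 7748 convention of masking the top bit of the 32-byte little-endian encoding; the function names (`classify_u`, `validate_public_key`, `recover_v`, `first_twist_u`) are this example's own. It decides curve-versus-twist with Euler's criterion and, for on-curve inputs, recovers a v-coordinate as a concrete witness, so a reader can see exactly what an implementation that relies on twist security instead of this check is choosing not to look at.

```python
# Added example (not from the thread or from any discussed implementation):
# explicit "point on curve" validation for a Curve25519 u-coordinate.
# Curve: v^2 = u^3 + A*u^2 + u over GF(p), p = 2^255 - 19, A = 486662.
# A u-coordinate belongs to the curve iff the right-hand side is a square
# mod p (zero counts, giving the order-2 point); otherwise it lies on the twist.

P = 2**255 - 19
A = 486662
BASE_U = 9  # u-coordinate of the standard Curve25519 base point


def curve_rhs(u: int) -> int:
    """Return u^3 + A*u^2 + u mod p."""
    return (u * u * u + A * u * u + u) % P


def is_square(x: int) -> bool:
    """Euler's criterion: x is a quadratic residue mod p iff x^((p-1)/2) == 1."""
    x %= P
    return x == 0 or pow(x, (P - 1) // 2, P) == 1


def sqrt_mod_p(x: int):
    """Square root mod p for p = 5 (mod 8), or None if x is a non-residue.
    Candidate c = x^((p+3)/8); if c^2 == -x, multiply by sqrt(-1) = 2^((p-1)/4)."""
    x %= P
    c = pow(x, (P + 3) // 8, P)
    if c * c % P != x:
        c = c * pow(2, (P - 1) // 4, P) % P
    return c if c * c % P == x else None


def classify_u(u: int) -> str:
    """'curve' if some v satisfies the curve equation for u, 'twist' otherwise,
    'invalid' if u is outside [0, p)."""
    if not 0 <= u < P:
        return "invalid"
    return "curve" if is_square(curve_rhs(u)) else "twist"


def recover_v(u: int):
    """Return a v with (u, v) on the curve, or None if u is on the twist / invalid."""
    if classify_u(u) != "curve":
        return None
    return sqrt_mod_p(curve_rhs(u))


def decode_u(u_bytes: bytes) -> int:
    """Decode a 32-byte little-endian u-coordinate; RFC 7748 masks bit 255."""
    if len(u_bytes) != 32:
        raise ValueError("u-coordinate must be 32 bytes")
    return int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)


def validate_public_key(u_bytes: bytes) -> int:
    """Return u if the encoding is canonical and the point is on the curve; raise otherwise.
    Rejecting u >= p is stricter than RFC 7748 requires; it is this example's choice."""
    u = decode_u(u_bytes)
    if u >= P:
        raise ValueError("non-canonical u-coordinate (u >= p)")
    if classify_u(u) != "curve":
        raise ValueError("u-coordinate lies on the twist, not on Curve25519")
    return u


def first_twist_u(start: int = 1) -> int:
    """Smallest u >= start whose point lies on the twist; constructed test input,
    found by search (about half of all u-values are on the twist)."""
    u = start
    while classify_u(u) != "twist":
        u += 1
    return u


if __name__ == "__main__":
    print("base point u=9:", classify_u(BASE_U), "v =", recover_v(BASE_U))
    t = first_twist_u()
    print("first twist u:", t, "->", classify_u(t))
```

Note what this check does and does not buy. A Montgomery ladder computes k*u for any u without caring which of the two curves u lies on; twist security is the argument that a scalar multiplication on the twist leaks nothing about k without side-channel assumptions. The check above is the other option: refuse twist inputs up front, so the question of what an SCA-equipped attacker learns from a twist-point computation never arises. It says nothing about low-order points or about the blinding-length issue, which are separate matters.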
