What happens if the Edwards curve isn't quadratic twist secure?

mehdi mahdavi oliaiy

11/13/22, 7:35 AM

On this webpage, Daniel Bernstein offers that the curve must be quadratic twisted secure. This means that if the curve has $\#E$ points on $Z_p$ where $\#E=p+1-t$, then the quadratic twist curve has $\#E'=p+1+t$ points. The condition for quadratic twisted secure curves is that the cofactor of a quadratic twist curve is low. For example, the cofactor of a curve is 8 and the cofactor of a quadratic twist curve is 4 in twisted Edwards curves.

If the above condition isn't satisfied, then which attacks can be applied to the curve? Please list all proposed attacks. Are all of the attacks side-channel?

1 + 2

elliptic-curves

attack

kelalaka

11/13/22, 7:47 AM

[Small subgroup attack (Lim-Lee) applied with a twist to gain information about the private key](https://crypto.stackexchange.com/a/87711/18298). If the twist doesn't have a large prime order, then you will lose many bits of the key. Safecurve explains it well in the [twist page](https://safecurves.cr.yp.to/twist.html)

mehdi mahdavi oliaiy

11/17/22, 10:30 AM

How will we lose many bits of the key? using of Fault attack?

Score:2

Crypto

Fractalice

11/13/22, 12:45 PM

For Edwards curves the arithmetic is typically implemented using Montgomery ladder, and the algorithm works both for the curve and its quadratic twist. (Note that for Weierstrass curves $y^2 = x^3 + ax + b$, the arithmetic formulas depends only on $a$ and so the algorithm works for a larger set of curves - arbitrary $b$).

This allows an adversary to send a point on the twist to the application and it will perform the scalar multiplication on the twist (using the same private key!). If the twist has insecurity against discrete log (=smooth order), then the adversary can recover the private key.

Of course, requiring strong twist is only a precaution against poor implementations - the application should check that the submitted point belongs to the main curve - and then the attack won't work even if the twist is weak.

0 + 2

mehdi mahdavi oliaiy

11/17/22, 8:03 AM

Thank you for your response. Is your mean an invalid point attack (or invalid curve attack)? Are you sure about this which the twist secure just applies for poor implementation? Are there any other attack except implementation?

Fractalice

11/25/22, 7:14 PM

Yes, it is an invalid point attack, which can always be thwarted by checking that the point is on the curve.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: What happens if the Edwards curve isn't quadratic twist secure?

TH: จะเกิดอะไรขึ้นหากเส้นโค้ง Edwards ไม่บิดเป็นกำลังสองอย่างปลอดภัย

RO: Ce se întâmplă dacă curba Edwards nu este sigură la răsucirea pătratică?

RU: Что произойдет, если кривая Эдвардса не защищена от квадратичного кручения?

VI: Điều gì xảy ra nếu đường cong Edwards không xoắn bậc hai an toàn?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.