Score:2

What happens if the Edwards curve isn't quadratic twist secure?


On this webpage, Daniel Bernstein offers that the curve must be quadratic twist secure. This means that if the curve has $\#E$ points over $\mathbb{Z}_p$ where $\#E=p+1-t$, then the quadratic twist curve has $\#E'=p+1+t$ points. The condition for quadratic twist secure curves is that the cofactor of the quadratic twist curve is low. For example, in twisted Edwards curves the cofactor of the curve is 8 and the cofactor of the quadratic twist curve is 4.

If the above condition isn't satisfied, then which attacks can be applied to the curve? Please list all proposed attacks. Are all of the attacks side-channel?

kelalaka:
[Small subgroup attack (Lim-Lee) applied with a twist to gain information about the private key](https://crypto.stackexchange.com/a/87711/18298). If the twist doesn't have a large prime order, then you will lose many bits of the key. SafeCurves explains it well on the [twist page](https://safecurves.cr.yp.to/twist.html).
mehdi mahdavi oliaiy:
How will we lose many bits of the key? By using a fault attack?
Score:2

For Edwards curves the arithmetic is typically implemented using the Montgomery ladder, and the algorithm works both for the curve and for its quadratic twist. (Note that for Weierstrass curves $y^2 = x^3 + ax + b$, the arithmetic formulas depend only on $a$, and so the algorithm works for a larger set of curves - arbitrary $b$.)

This allows an adversary to send a point on the twist to the application, and it will perform the scalar multiplication on the twist (using the same private key!). If the twist is insecure against discrete log (i.e. has smooth order), then the adversary can recover the private key.

Of course, requiring a strong twist is only a precaution against poor implementations - the application should check that the submitted point belongs to the main curve - and then the attack won't work even if the twist is weak.
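The mechanism the answer describes, as an added example (not code from the original post or from any of its authors): an x-only Montgomery ladder on Curve25519, the Montgomery form of the Edwards curve Ed25519 ($y^2 = x^3 + 486662x^2 + x$ over $2^{255}-19$, a real curve whose constants are taken from RFC 7748), computes with an input $x$ exactly the same way whether that $x$ belongs to the curve or to its quadratic twist, and the on-curve check (Euler's criterion on $x^3 + Ax^2 + x$) is the validation that keeps a private scalar from ever being applied to a twist point. The helper `first_twist_x` is a constructed sample input, not a value from the page.

```python
# Added example: x-only Montgomery ladder on Curve25519 (constants from RFC 7748)
# and the point-validation check that rejects inputs lying on the quadratic twist.
P = 2**255 - 19
A = 486662
A24 = (A - 2) // 4          # 121665, the constant used in the ladder's doubling step

def cswap(swap, a, b):
    """Swap a and b when swap == 1, branch-free in form (as in RFC 7748)."""
    mask = -swap            # all-ones when swap == 1, zero otherwise
    dummy = mask & (a ^ b)
    return a ^ dummy, b ^ dummy

def ladder(k, u):
    """x of k*P given x(P) = u; y is never used, so curve and twist are computed alike."""
    x1 = u % P
    x2, z2 = 1, 0           # point at infinity in projective (X:Z) form
    x3, z3 = x1, 1          # P itself
    swap = 0
    for t in range(k.bit_length() - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P   # differential addition
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P           # doubling
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P

def on_curve(u):
    """True iff u^3 + A*u^2 + u is a square mod P (Euler's criterion), i.e. x(P) is on the curve."""
    v = (u * u * u + A * u * u + u) % P
    return v == 0 or pow(v, (P - 1) // 2, P) == 1

def checked_scalar_mult(k, u):
    """The check the answer calls for: never run the private scalar on a point off the curve."""
    if not on_curve(u):
        raise ValueError("point is on the quadratic twist, not on the curve")
    return ladder(k, u)

def first_twist_x():
    """Smallest x >= 2 whose point lies on the twist (constructed sample input)."""
    return next(u for u in range(2, 200) if not on_curve(u))
```

Note that X25519 as specified in RFC 7748 deliberately performs no such check and instead relies on Curve25519's twist being secure; a curve that lacks that property is only safe to use with the validation shown here.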

mehdi mahdavi oliaiy:
Thank you for your response. Do you mean an invalid point attack (or invalid curve attack)? Are you sure that twist security just applies to poor implementations? Are there any other attacks except implementation ones?
Fractalice:
Yes, it is an invalid point attack, which can always be thwarted by checking that the point is on the curve.