Invalid curve attacks in a GLS setting

Abstract

In recent years, most speed records for implementations of elliptic curve cryptosystems have been achieved on curves endowed with nontrivial fast endomorphisms, particularly based on the technique introduced by Galbraith, Lin and Scott (GLS). Therefore, studying the security of those curves is of prime importance. In this paper, we examine the applicability of the class of attacks introduced by Biehl et al., known as invalid curve attacks, to cryptographic implementations based on GLS curves. In invalid curve attacks, a cryptographic device that computes a secret scalar multiplication (formula presented) on a certain elliptic curve (formula presented) receives as input an arbitrary “invalid” point (formula presented). Biehl et al. observed that the device then computes the scalar multiplication by k on a different elliptic curve (formula presented), and if that curve is weaker than E, the attacker can use the result to recover information about the secret k. The attack doesn’t readily adapt to the GLS setting, since the device computes the scalar multiplication as (formula presented) where ψ is the efficient endomorphism of the GLS curve E, and if it receives an arbitrary invalid point (formula presented) on a curve (formula presented), the computation of the map ψ yields a point on a completely different curve again, and the scalar multiplication outputs gibberish. We show, however, that a large family of invalid points (formula presented) lie on curves stable under ψ, and using that observation we can modify the attack of Biehl et al. to effectively recover the secrets k1 and k2, although the result of the computation on an invalid point doesn’t have the “correct” discrete logarithm.

Kim, T., & Tibouchi, M. (2015). Invalid curve attacks in a GLS setting. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9241, pp. 41–55). Springer Verlag. https://doi.org/10.1007/978-3-319-22425-1_3
