2002
DOI: 10.1007/3-540-36288-6_16

Validation of Elliptic Curve Public Keys

Abstract: We present practical and realistic attacks on some standardized elliptic curve key establishment and public-key encryption protocols that are effective if the receiver of an elliptic curve point does not check that the point lies on the appropriate elliptic curve. The attacks combine ideas from the small subgroup attack of Lim and Lee, and the differential fault attack of Biehl, Meyer and Müller. Although the ideas behind the attacks are quite elementary, and there are simple countermeasures known, the attacks…

Cited by 75 publications
(64 citation statements)
References 12 publications
“…Parties must also ensure that the Diffie-Hellman contributions they receive are in the expected group and are not the identity element. Otherwise, the implementation may be vulnerable to identity-element [40], small-subgroup [69], or invalid-curve [6] attacks.…”
Section: Secure Messaging Integration (mentioning)
confidence: 99%
“…Due to its relative novelty, attacks against SIDH are still being discovered [52]. 6 In Section 10, we evaluate the performance of SIDH and New Hope in relation to the core DAKEs. Developers should consider all of these factors when selecting a quantum-resistant KEM.…”
Section: Incorporating Quantum Resistance (mentioning)
confidence: 99%
“…When comparing computational efficiency, we do not take into account public-key validation, which is a necessary procedure to prevent potential leakage of private information similar to invalid-curve attacks [1] and small subgroup attacks [14]; see also [19,21]. Okamoto's protocol is secure in the standard model, but the proof depends on a rather strong assumption of the existence of πPRF family.…”
Section: Comparison (mentioning)
confidence: 99%
“…Now to determine $T$, the adversary computes $h(z) = g(u_3)$, where $g(U)$ is associated with $E : V^2 = U^3 + \alpha U + \beta$, and where $u_3$ and $\beta$ are defined in (4) and (5). It can be seen that $h(z) = h_1(z)/h_2(z)$, where $h_1, h_2 \in \mathbb{F}_p[z]$ and $\deg(h_1) = 288$.…”
Section: Theorem 1 Consider the Division Polynomials (mentioning)
confidence: 99%
“…Lim and Lee [18] demonstrated the importance of public-key validation by presenting small-subgroup attacks on some discrete logarithm key agreement protocols that are effective if the receiver of a group element does not verify that the element belongs to the desired group of high order (e.g., a prime-order DSA-type subgroup of $\mathbb{F}_p^*$). In [5,3], invalid-curve attacks were designed that are effective on elliptic curve protocols if the receiver of a point does not verify that the point indeed lies on the chosen elliptic curve. Kunz-Jacques et al. [15] showed that the zero-knowledge proof proposed in [4] for proving possession of discrete logarithms in groups of unknown order can be broken if a dishonest verifier selects invalid parameters during its interaction with the prover.…”
Section: Introduction (mentioning)
confidence: 99%