Degenerate Curve Attacks
Abstract
Invalid curve attacks are a well-known class of attacks against implementations of elliptic curve cryptosystems, in which an adversary tricks the cryptographic device into carrying out scalar multiplication not on the expected secure curve, but on some other, weaker elliptic curve of his choosing. In their original form, however, these attacks only affect elliptic curve implementations using addition and doubling formulas that are independent of at least one of the curve parameters. This property is typically satisfied for elliptic curves in Weierstrass form but not for newer models that have gained increasing popularity in recent years, like Edwards and twisted Edwards curves. It has therefore been suggested (e.g. in the original paper on invalid curve attacks) that such alternate models could protect against those attacks.
In this paper, we dispel that belief and present the first attack of this nature against (twisted) Edwards curves, Jacobi quartics, Jacobi intersections and more. Our attack differs from invalid curve attacks proper in that the cryptographic device is tricked into carrying out a computation not on another elliptic curve, but on a group isomorphic to the multiplicative group of the underlying base field. This often makes it easy to recover the secret scalar with a single invalid computation.
We also show how our result can be used constructively, especially on curves over random base fields, as a fault attack countermeasure similar to Shamir’s trick.
Keywords: Elliptic curve cryptography, Edwards curves, Implementation issues, Fault attacks, Countermeasures
1 Introduction
Elliptic curve cryptography (ECC) was introduced in the 1980s by Miller [44] and Koblitz [38], following the successful application of elliptic curves to integer factorization [39]. Compared to its finite field alternatives, ECC offers shorter keys, higher speeds, and additional structure that enables constructions such as bilinear pairings. ECC rests on the hardness of the elliptic curve discrete logarithm problem (ECDLP), which has remained intractable so far—for well-chosen curves.
Regardless of the theoretical security of elliptic curve cryptosystems, attacks targeting their implementations are numerous. One particularly powerful attack class is the fault attack [12, 13], which consists in injecting faults before or during a cryptographic operation, and inspecting the resulting output to recover key information. Fault attacks directed at elliptic curve scalar multiplication implementations were first published in [9] and further developed in many other works, including [11, 15, 20, 36].
A conceptually simpler attack pointed out by Antipa et al. [1] and extended in several further works [35, 37], the invalid curve attack, exploits implementations that fail to verify that input points to a scalar multiplication belong to the correct elliptic curve, and where point addition and doubling formulas are independent of at least one curve parameter. In such cases, the attacker can query its target with a specially-crafted point outside of the correct elliptic curve. Then, because the formulas used in the scalar multiplication do not depend on all curve parameters, the implementation really computes a normal scalar multiplication by the same scalar, but on a different curve depending on the invalid input point. Choosing invalid points in such a way that the corresponding curves are weak, the attacker can then quickly recover secret keys from observing the outputs (or the hashed outputs) of the scalar multiplications. Although the attack and recommended countermeasures are well-known to cryptographers, recent research has found that a number of widely-used cryptographic libraries in the wild are vulnerable [29].
The attack of Antipa et al. was originally introduced in the context of elliptic curves in Weierstrass form \(y^2 = x^3+ax+b\), where the usual formulas for point addition and doubling are independent of the curve parameter b. Nowadays, however, alternate elliptic curve models and addition laws are gaining prominence: models such as Montgomery [4, 45] and Edwards [7, 18] curves are being proposed for wide Internet usage^{1}, and several others are known to have desirable properties for cryptographic applications [10, 33, 34, 40, 53].
Invalid curve attacks generalize directly to those alternate models provided that the crucial property of independence of the arithmetic on at least one curve parameter is satisfied. But many of the newer models for elliptic curves, including Edwards curves, use all parameters in their most common addition formulas. It is thus reasonable to expect that invalid curve attacks would not apply to those curves. In fact, the use of addition formulas depending on all curve parameters was specifically mentioned by Antipa et al. [1] as a possible countermeasure to thwart their attack.
Our Contribution. In this paper, we reexamine the feasibility of invalid curve attacks against newer elliptic curve models like Edwards curves, and find that a new variant of the attack of Antipa et al. will indeed break the security of implementations that do not carry out proper point validation. The new attack works by reducing the problem of finding the secret scalar to solving discrete logarithms not on a weaker elliptic curve, but in the multiplicative group of the base field, which is easy for typical curve sizes.
The idea behind the attack is roughly to let one of the parameters in the curve family vary, and consider the degenerate curves (those of genus 0) among them. On those special curves, the group law degenerates to the multiplicative group (or in rare cases, the additive group), and while in principle the group formulas should still involve the curve parameter that was made to vary, it often ends up being multiplied by the constant zero for all points on the degenerate curve. As a result, the same formulas as for scalar multiplication on the correct curve yield an exponentiation in the degenerate group.
When only a hash value of the result of the scalar multiplication is provided (as in hashed Diffie–Hellman), our new attack is somewhat less flexible than invalid curve attacks, since it is no longer possible to vary the weak curve as done by Antipa et al. However, using a baby-step giant-step-like time-memory tradeoff, we show that we can still easily break curves over some of the largest fields commonly used for elliptic curve cryptography, such as \(\mathbb {F}_{2^{521}-1}\).
This new attack underscores the importance of point validation even over newer elliptic curve models.
Finally, the properties we exploit in the attack can also be used constructively, to thwart fault attacks. We present a concrete countermeasure, similar to Shamir’s trick [50], that detects faults injected during scalar multiplication particularly efficiently. This is done by lifting the computation on the elliptic curve over \(\mathbb {F}_p\) to the composite order ring \(\mathbb {Z}/pr\mathbb {Z}\) for some small constant r, and making sure that the component modulo r of the lifted curve is degenerate in the sense mentioned above. Then, verifying that the computation modulo r was correct becomes a simple field exponentiation, which is much faster than the usual scalar multiplication. This technique applies to Weierstrass curves as well as newer models.
Organization of the Paper. In Sect. 2, we provide a rundown of some of the most common curve models and addition laws used in elliptic curve cryptography. In Sect. 3, we first recall the traditional invalid curve attack, and then present our extension of it to newer models of elliptic curves using the degenerate curve technique. In Sect. 4, we explain how the new attack can be applied when only a hash of the result of the scalar multiplication is available. And finally, in Sect. 5, we present our concrete fault attack countermeasure using degenerate curves.
2 Elliptic Curve Models
We begin by presenting the elliptic curve forms and respective group laws studied in this paper. This is not an exhaustive list; there are many other addition laws in the literature, and the interested reader can see an overview of many of them in [8]. Every base field \(\mathbb {F}_p\) throughout this paper is assumed to have characteristic \(\ge 5\).
2.1 Weierstrass Model
2.2 Twisted Edwards Model
2.3 Huff’s Model
2.4 Hessian Model
2.5 Twisted Hessian Model
2.6 Twisted Jacobi Intersections
2.7 Extended Jacobi Quartics
3 Invalid Curve Attacks
3.1 Review of the Weierstrass Curve Case
We begin by describing the classic invalid curve attack against short Weierstrass curves \(E_{a,b}:y^2 = x^3 + ax + b\) over the finite field \(\mathbb {F}_p\). The key insight is that formulas defining the arithmetic on that curve, given by Eq. (1), do not depend on the parameter b of the curve equation. All the curves \(E_{a,b'}\) for all \(b'\) actually share the same addition and doubling formulas.
Now consider a cryptographic device that performs scalar multiplications in \(E_{a,b}(\mathbb {F}_p)\) by a constant secret scalar k, and that, furthermore, does not check that input points actually belong to that curve. An attacker trying to recover k can then query the device on an invalid point \(\widetilde{P} = (\tilde{x}, \tilde{y})\not \in E_{a,b}(\mathbb {F}_p)\). That point belongs to a well-defined curve of the form \(E_{a,b'}\), namely \(E_{a,\tilde{b}}\) with \(\tilde{b} = \tilde{y}^2 - \tilde{x}^3 - a\tilde{x}\). As a result, on input \(\widetilde{P}\), the device actually computes the scalar multiplication \(k\cdot \widetilde{P}\) in the group \(E_{a,\tilde{b}}(\mathbb {F}_p)\) and returns that value.
The discrete logarithm problem in the subgroup \(\langle \widetilde{P} \rangle \) generated by \(\widetilde{P}\) in \(E_{a,\tilde{b}}(\mathbb {F}_p)\) will typically be much easier than in the original group \(E_{a,b}(\mathbb {F}_p)\), and the attacker can even choose the invalid point and curve to make the problem particularly easy. This allows him to efficiently recover k modulo the order of \(\langle \widetilde{P}\rangle \), and then all of k by repeating the process a few times with different invalid curves.
1. Find a curve \(E_{a, \tilde{b}}(\mathbb {F}_p)\) and a point \(\widetilde{P}\) on it such that discrete logarithms in \(\langle \widetilde{P}\rangle \) are easy;
2. Query the cryptographic device on \(\widetilde{P}\) to get \(k \cdot \widetilde{P}\);
3. Solve the discrete logarithm in the easy group, revealing \(k \bmod \mathrm{ord}(\widetilde{P})\);
4. Repeat until k is recovered in its entirety.
Finding a curve and point such that discrete logarithms are easy can be done in several different ways. The original approach, inspired by [41], was to use invalid curves containing subgroups of very small orders and an input point in those subgroups; such curves are easy to find, but quite a few queries are needed to recover all of k.
Another approach is to use a curve of smooth order [43]: this is somewhat harder to construct, but may allow a full recovery of k in a single query. Alternatively, using a singular curve [35] yields a discrete logarithm problem in a form of the multiplicative group over \(\mathbb {F}_p\) (or the additive group when \(a=0\)), which is typically easy to solve and again makes the single-query recovery of k possible [28, Sect. 3.7].
The attack also extends to the situation when the cryptographic device only returns a hash of the resulting point of the scalar multiplication (the hashed Diffie–Hellman setting): in that case, the small subgroup approach is typically the most efficient. That is the approach taken by Jager, Schwenk and Somorovsky in their paper attacking ECDH key exchange in actually deployed TLS libraries [29].
3.2 Parameter-Independent Formulas
The invalid curve attack translates easily to the case of alternate curve models for which the addition and doubling formulas are independent of at least one of the curve parameters: when querying the cryptographic device on a point \(\widetilde{P}\) outside of the valid curve E, the computations still amount to a scalar multiplication on a different curve \(\widetilde{E}\) in the same family, obtained by adjusting the independent parameter appropriately.
This is the case for (twisted) Hessian and Huff curves. Additionally, efficient d-less formulas exist for Edwards curves (cf. Eq. (3)), Jacobian quartics and Jacobian intersections [26].
On the other hand, in the case of addition laws depending on all curve parameters, the result of sending an arbitrary invalid input point to the device can no longer be interpreted as a scalar multiplication on a well-defined invalid curve: the attack of Antipa et al. does not generalize directly to that setting.
3.3 Our New Approach: The Degenerate Curve Attack Against Edwards Curves
As is easily observed in Eq. (2), the typical Edwards addition formulas depend on all curve parameters and are therefore not vulnerable to the original invalid curve attack as described above. However, there is one interesting property of this addition law that helps us transfer elliptic curve discrete logarithms to the curve’s underlying field, rendering them solvable by sieve methods [16, 21].
Theorem 1
Let \(E_{a,d}\) be a twisted Edwards curve over \(\mathbb {F}_p\). The subset \(\widetilde{G}\subset \mathbb {F}_p^2\) of the affine plane consisting of points of the form (0, y), \(y\ne 0\), endowed with the addition law defined by the same formula as \(E_{a,d}\), given by Eq. (2), forms a group isomorphic to \(\mathbb {F}_p^*\) under the isomorphism \(y\mapsto (0,y)\).
Proof
As a result, given a cryptographic device performing scalar multiplications in the group \(E_{a,d}(\mathbb {F}_p)\) without input point validation, as in the original attack of Sect. 3.1, an attacker can send as input an invalid point \(\widetilde{P}\) of the form \((0,\tilde{y})\), and receive as result the scalar multiplication of \(\widetilde{P}\) by the secret k in the group \(\widetilde{G}\), namely \((0,\tilde{y}^k)\). Therefore, recovering k is reduced to solving the discrete logarithm problem in the multiplicative group \(\mathbb {F}_p^*\), which as we have mentioned above is much easier than in \(E_{a,d}(\mathbb {F}_p)\) owing to well-known subexponential attacks.
For elliptic curve sizes used in practice (up to 500 or so bits), the finite field discrete log is easy! By choosing y as a generator of \(\mathbb {F}_p^*\) (which is always a cyclic group), the attacker can thus recover all of k in a single query. This yields our generalization of invalid curve attacks to the case of Edwards curves: we call this attack a degenerate curve attack for reasons that will become apparent shortly.
Remark 1
An obvious but important observation is that, while we have described our attack in affine coordinates, it also works in the (likely) case when the device performs its computation in projective coordinates, using the projective versions of the same group operations. It is straightforward to check, for example, that \((0:Y_1:1)+(0:Y_2:1) = (0:Y_1Y_2:1)\) (and generalizations with other values of the Z-coordinates go through similarly).
One can wonder why, despite the dependence of the group law Eq. (2) on all curve parameters, we can still find an invalid curve in the affine plane where the same formulas induce a group structure. A rough explanation is as follows. First, the y-axis \(Y:x=0\) in the plane is actually a limit (in the usual sense of one-parameter families) of the twisted Edwards curves \(E_{a,d}\) for fixed d: it is the fiber above \(a=\infty \). This is easily seen by rewriting the equation of \(E_{a,d}\) in terms of \(a'=1/a\), as \(x^2 + a'y^2 = a'(1+dx^2y^2)\), and setting \(a'=0\). Since Y is of genus 0, the Edwards group law should degenerate on Y (minus a finite number of points) as the additive or the multiplicative group. The expression of the group law need not a priori be the same as on the original curve \(E_{a,d}\) itself, but it does turn out to be the case, because the only term depending on the parameter a cancels out along \(Y:x=0\).
Now the line Y is not itself singular (although it should perhaps really be seen as the non-reduced double line \(x^2=0\)), but it is where the family degenerates, hence the name of our attack.
3.4 Degenerate Curve Attacks Against Other Models
The idea of the previous attack generalizes easily to other models of elliptic curves, including all of those mentioned in Sect. 2. We now describe those generalizations in affine coordinates below; they of course also work in projective coordinates.
Therefore, we can carry out our attack as before, by sending to a device performing scalar multiplications on \(E_{a,d}\) the invalid input point (0, y) for some generator y of \(\mathbb {F}_p^*\).
In this case, the y-axis appears as the degenerate limit of the family \(E_{a,d}\) for fixed a and varying d, taken for \(d=\infty \).
This provides two families of invalid points using which we can carry out our attack exactly as before.
Twisted Hessian Curves. The case of twisted Hessian curves is somewhat less interesting, since this model has a group law independent of the curve parameter d, and hence the original invalid curve attack applies to it. Nevertheless, we can mention for completeness that our approach generalizes rather directly to those curves as well.
Remark 2
4 The Hashed Case
The previous section considered attacks on a cryptographic device that performs elliptic curve scalar multiplications without validation of input points, and returns the actual result of the scalar multiplication. This is a somewhat idealized attack model, however.
One real-world protocol where a similar situation arises is (static) Diffie–Hellman key exchange over elliptic curves, one variant of which is presented in Fig. 1. In an invalid curve attack on that protocol, Bob would send Alice his invalid point B, and Alice would use it to compute the product \(k_A\cdot B\) where \(k_A\) is her static secret key. The resulting point \(k_A\cdot B\) is not directly sent back to Bob, however, but used to derive a key \(K = \text {KDF}(k_A\cdot B)\) used in subsequent communication. In effect, what Bob receives is the image of \(k_A\cdot B\) under a fixed, public one-way function, usually with low collision probability (in Fig. 1, it would be the authentication message M).
We model that situation by considering an oracle which, on input of a point P (still unvalidated), computes the scalar multiplication \(k\cdot P\) by a fixed secret k, and returns the image \(H(k\cdot P)\) of the result under a public hash function H. In that more restrictive setting, degenerate curve attacks are not as devastating as previously described, but we will see that it is often still possible to recover k quite quickly in practice, depending on the smoothness of the order \(p-1\) of \(\mathbb {F}_p^*\) (or of \(p+1\) in the case of degenerate groups isomorphic to the twisted multiplicative group; we will describe the attack in the \(\mathbb {F}_p^*\) case to fix ideas).
The idea is simply to apply the Pohlig–Hellman algorithm [47]. Using the naive variant of the algorithm, the attacker can, for each prime divisor \(\ell \) of \(p-1\), choose a point \(\widetilde{P}\) of order \(\ell \) in the degenerate group, obtain \(H(k\cdot \widetilde{P})\) from the oracle, and perform an exhaustive search in the subgroup \(\langle \widetilde{P}\rangle \) to find the point \(\widetilde{Q}\) such that \(H(k\cdot \widetilde{P})=H(\widetilde{Q})\), revealing k mod \(\ell \). Prime powers are dealt with similarly, and in the end the attacker recovers all of k with only a few oracle queries, in time quasilinear in the largest prime factor \(P_1(p-1)\) of \(p-1\). Furthermore, if a higher query complexity is acceptable, we can use Shanks’ baby-step giant-step time-memory tradeoff [51] to recover k in time quasilinear in \(\sqrt{P_1(p-1)}\), also using a number of queries and a space complexity quasilinear in \(\sqrt{P_1(p-1)}\).
For primes p suitable for fast elliptic curve cryptography [23], size in bits of the largest prime factor of \(p-1\) and \(p+1\), and complexity of our BSGS-style hashed Diffie–Hellman attack in \(\mathbb {F}_p^*\) (\((p-1)\) attack) and in the twisted multiplicative group (\((p+1)\) attack).
| p | \(\log _2 P_1(p-1)\) | \((p-1)\) attack | \(\log _2 P_1(p+1)\) | \((p+1)\) attack |
|---|---|---|---|---|
| \(2^{191} - 19\) | 90 | \(O(2^{45})\) | 93 | \(O(2^{46.5})\) |
| \(2^{196} - 15\) | 64 | \(O(2^{32})\) | 165 | \(O(2^{82.5})\) |
| \(2^{216} - 2^{108} - 1\) | 107 | \(O(2^{53.5})\) | 19 | \(O(2^{9.5})\) |
| \(2^{221} - 3\) | 73 | \(O(2^{36.5})\) | 42 | \(O(2^{21})\) |
| \(2^{224} - 2^{96} + 1\) | 46 | \(O(2^{23})\) | 157 | \(O(2^{78.5})\) |
| \(2^{226} - 5\) | 127 | \(O(2^{63.5})\) | 49 | \(O(2^{24.5})\) |
| \(2^{230} - 27\) | 101 | \(O(2^{50.5})\) | 136 | \(O(2^{68})\) |
| \(2^{251} - 9\) | 235 | \(O(2^{117.5})\) | 70 | \(O(2^{35})\) |
| \(2^{255} - 19\) | 236 | \(O(2^{118})\) | 95 | \(O(2^{47.5})\) |
| \(2^{266} - 3\) | 37 | \(O(2^{17.5})\) | 125 | \(O(2^{62.5})\) |
| \(2^{285} - 9\) | 237 | \(O(2^{118.5})\) | 60 | \(O(2^{30})\) |
| \(2^{291} - 19\) | 259 | \(O(2^{129.5})\) | 114 | \(O(2^{57})\) |
| \(2^{322} - 2^{161} - 1\) | 133 | \(O(2^{66.5})\) | 64 | \(O(2^{32})\) |
| \(2^{336} - 3\) | 166 | \(O(2^{83})\) | 214 | \(O(2^{107})\) |
| \(2^{338} - 15\) | 166 | \(O(2^{83})\) | 204 | \(O(2^{102})\) |
| \(2^{369} - 25\) | 192 | \(O(2^{96})\) | 252 | \(O(2^{126})\) |
| \(2^{383} - 31\) | 88 | \(O(2^{44})\) | 97 | \(O(2^{48.5})\) |
| \(2^{389} - 21\) | 247 | \(O(2^{123.5})\) | 311 | \(O(2^{155.5})\) |
| \(2^{401} - 31\) | 48 | \(O(2^{24})\) | 209 | \(O(2^{104.5})\) |
| \(2^{416} - 2^{208} - 1\) | 60 | \(O(2^{30})\) | 96 | \(O(2^{48})\) |
| \(2^{448} - 2^{224} - 1\) | 115 | \(O(2^{57.5})\) | 49 | \(O(2^{24.5})\) |
| \(2^{450} - 2^{225} - 1\) | 88 | \(O(2^{44})\) | 54 | \(O(2^{27})\) |
| \(2^{452} - 3\) | 88 | \(O(2^{44})\) | 266 | \(O(2^{133})\) |
| \(2^{468} - 17\) | 209 | \(O(2^{104.5})\) | 164 | \(O(2^{82})\) |
| \(2^{480} - 2^{240} - 1\) | 163 | \(O(2^{81.5})\) | 36 | \(O(2^{18})\) |
| \(2^{489} - 21\) | 263 | \(O(2^{131.5})\) | 260 | \(O(2^{130})\) |
| \(2^{495} - 31\) | 158 | \(O(2^{79})\) | 319 | \(O(2^{159.5})\) |
| \(2^{521} - 1\) | 88 | \(O(2^{44})\) | 1 | \(O(2^{0.5})\) |
5 A Fault Attack Countermeasure
Soon after the announcement of the Bellcore attack on RSA, Shamir proposed a countermeasure [50] that relies on the Chinese remainder theorem to detect faults during modular exponentiation. The basic idea of Shamir is to replace computations modulo a prime p by computations in the ring modulo the composite pr, where r is a small randomly selected integer, and then compare the result modulo r against an independent equivalent computation modulo r.
While Shamir’s trick^{3} works well on RSA, due to its simple structure, it is trickier to apply this countermeasure to the elliptic curve case. Nevertheless, countermeasures based on Shamir’s trick have been devised. The first one was invented by Blömer, Otto, and Seifert [11] (BOS), and consisted of two elliptic curve scalar multiplications—one over \(\mathbb {Z}/pr\mathbb {Z}\), the other over \(\mathbb {Z}/r\mathbb {Z}\). Baek and Vasyltsov [3] suggested the use of the curve \(Y^2Z + pYZ^3 = X^3 + aXZ^4 + BZ^6 \in \mathbb {Z}/pr\mathbb {Z}\), where \(B = y^2 + py - x^3 - ax\), which clearly is equivalent to the original when reduced modulo p. This method is limited to projective coordinates, since not every intermediate result may have an inverse in the extended ring. Their method also has some potential weaknesses owing to its reliance on random integers r instead of adequately selected primes [31]. It has been recently pointed out that the original BOS countermeasure is not correct when coupled with group laws containing exceptions [48], and thus group laws used in BOS-like countermeasures must be test-free.
One can view our proposed countermeasure as the BOS [11] countermeasure coupled with a “shortcut” f(k, P) to compute the second scalar multiplication—\(k\cdot P\) in \(E (\mathbb {F}_r)\)—much faster than by using the standard formulas. This shortcut takes different forms depending on which curve shape we are working over. Generically, we begin by picking a curve \(E_r\) over \(\mathbb {F}_r\) for which there is at least one point for which scalar multiplication is easy to compute. Then, the extended curve \(E'\) is the direct product \(E'(\mathbb {Z}/pr\mathbb {Z}) = E(\mathbb {F}_p) \times E_r(\mathbb {F}_r)\), and the countermeasure consists of checking whether \(k \cdot P' \in E'\), reduced modulo r, equals the same multiplication performed independently in \(E_r\). The correctness of this method follows from the correctness of BOS [11]; our concrete contribution is the shortcuts taken to reduce the computation overhead of the scalar multiplication in \(E_r\). The following considers two popular shapes—Weierstrass and Edwards curves—but others are similarly easy to derive.
5.1 Weierstrass Curves
The resulting correctness test only requires a few multiplications modulo r, which is more efficient than both BOS [11] and Baek–Vasyltsov [3], and is comparable with Joye’s approach [30]. Note that the inversions are avoidable by using projective coordinates.
5.2 Edwards Curves
5.3 Comparison with Previous Countermeasures

- Only one full-fledged scalar multiplication is required. This is in contrast with Blömer–Otto–Seifert [11, Sect. 8] which requires 2 scalar multiplications—one modulo pr, another modulo r. In the case of Weierstrass curves, our countermeasure is faster than any other targeting the same curve shape.
- Works both in affine and projective coordinates. This is in contrast with Baek–Vasyltsov [3], which due to working on Weierstrass curves, breaks down when faced with the corner cases in the addition and doubling formulas of those curves.
Although our method may not suit every use case, it is another useful tool for hardened implementations of elliptic curves. It is particularly suitable for implementations of curves over random primes, which hardware implementers tend to favor [42], since multiplication modulo pr is straightforward to implement, and the overhead remains small. On the other hand, highly structured primes, usually very close to a power of 2, would likely suffer a higher performance impact, since modular reduction would no longer be a linear-time operation.
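Theorem 1 (Sect. 3.3) and the Sect. 5 countermeasure, carried out in one added Python example that is not the paper's or any library's code: the Eq. (2) affine addition law restricted to x = 0 multiplies y-coordinates, so a device without point validation returns (0, y^k), while the validated version rejects such inputs and the Z/prZ lift checks the mod-r component against yr^k mod r. It assumes Ed25519's parameters and base point as the valid curve, r = 2^31 - 1 as the small prime, and a constructed XOR fault model; every function name is this example's own.

```python
from typing import Optional, Tuple

Point = Tuple[int, int]

# Ed25519 parameters: -x^2 + y^2 = 1 + d x^2 y^2 over F_p, p = 2^255 - 19.
P = 2**255 - 19
A = (-1) % P
D = (-121665 * pow(121666, -1, P)) % P
GY = 4 * pow(5, -1, P) % P           # base point y-coordinate, 4/5


def decompress_x(y: int) -> int:
    """Even x with (x, y) on the curve (RFC 8032 square-root recovery)."""
    u, v = (y * y - 1) % P, (D * y * y + 1) % P
    x = pow(u * pow(v, -1, P) % P, (P + 3) // 8, P)
    if (v * x * x - u) % P != 0:      # other root: multiply by sqrt(-1)
        x = x * pow(2, (P - 1) // 4, P) % P
    return x if x % 2 == 0 else P - x


G: Point = (decompress_x(GY), GY)    # Ed25519 base point


def on_curve(Q: Point, a: int = A, d: int = D, n: int = P) -> bool:
    """Point validation: a x^2 + y^2 == 1 + d x^2 y^2 (mod n)."""
    x, y = Q
    return (a * x * x + y * y - 1 - d * x * x * y * y) % n == 0


def ed_add(P1: Point, P2: Point, a: int, d: int, n: int) -> Point:
    """Affine twisted Edwards addition (the Eq. (2) formulas) over Z/nZ.
    With x1 = x2 = 0 both denominators are 1 and y3 = y1*y2: the points
    (0, y) behave like multiplication in (Z/nZ)^*, whatever a and d are."""
    x1, y1 = P1
    x2, y2 = P2
    t = d * x1 * x2 * y1 * y2 % n
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % n, -1, n) % n
    y3 = (y1 * y2 - a * x1 * x2) * pow((1 - t) % n, -1, n) % n
    return (x3, y3)


def ed_mul(k: int, Q: Point, a: int, d: int, n: int,
           fault: Optional[Tuple[int, int]] = None) -> Point:
    """Left-to-right double-and-add. `fault=(step, mask)` is a constructed
    fault model: XOR `mask` into the x-coordinate after iteration `step`."""
    R: Point = (0, 1)                 # neutral element
    for i, bit in enumerate(bin(k)[2:]):
        R = ed_add(R, R, a, d, n)
        if bit == "1":
            R = ed_add(R, Q, a, d, n)
        if fault is not None and i == fault[0]:
            R = (R[0] ^ fault[1], R[1])
    return R


def unvalidated_mul(k: int, Q: Point) -> Point:
    """The vulnerable device: multiplies whatever point it is handed, so
    (0, y) with y != +-1 (never on E_{a,d}) comes back as (0, y^k)."""
    return ed_mul(k, Q, A, D, P)


def validated_mul(k: int, Q: Point) -> Point:
    """The fix: reject anything outside E_{a,d}(F_p) before multiplying."""
    if not on_curve(Q):
        raise ValueError("input point is not on the curve")
    return ed_mul(k, Q, A, D, P)


def crt(vp: int, vr: int, p: int, r: int) -> int:
    """Integer in [0, pr) congruent to vp mod p and to vr mod r."""
    return (vp + p * ((vr - vp) * pow(p, -1, r) % r)) % (p * r)


def protected_mul(k: int, Q: Point, r: int, yr: int,
                  fault: Optional[Tuple[int, int]] = None) -> Point:
    """Fault-checked k*Q in the spirit of Sect. 5: lift Q to Z/prZ so that
    its mod-r component is the degenerate point (0, yr), run one scalar
    multiplication in the ring, and compare the mod-r part against the
    cheap expected value (0, yr^k mod r). Assumes r is a prime != p and
    yr != 0 mod r; a and d need no lifting because x = 0 mod r cancels them.
    Denominators stay invertible (Ed25519 is complete mod p, and mod r they
    are identically 1), so a non-invertible one is itself a fault symptom."""
    if not on_curve(Q):
        raise ValueError("input point is not on the curve")
    n = P * r
    Ql: Point = (crt(Q[0], 0, P, r), crt(Q[1], yr, P, r))
    try:
        R = ed_mul(k, Ql, A, D, n, fault)
    except ValueError:
        raise RuntimeError("fault detected") from None
    if (R[0] % r, R[1] % r) != (0, pow(yr, k, r)):
        raise RuntimeError("fault detected")
    return (R[0] % P, R[1] % P)
```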
References
1. Antipa, A., Brown, D.R.L., Menezes, A., Struik, R., Vanstone, S.A.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2002)
2. Aranha, D.F., Barreto, P., Pereira, G., Ricardini, J.E.: A note on high-security general-purpose elliptic curves. Cryptology ePrint Archive, Report 2013/647 (2013). http://eprint.iacr.org/
3. Baek, Y.J., Vasyltsov, I.: How to prevent DPA and fault attack in a unified way for ECC scalar multiplication – ring extension method. In: Dawson, E., Wong, D.S. (eds.) ISPEC 2007. LNCS, vol. 4464, pp. 225–237. Springer, Heidelberg (2007). http://dx.doi.org/10.1007/978-3-540-72163-5_18
4. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006)
5. Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008)
6. Bernstein, D.J., Chuengsatiansup, C., Kohel, D., Lange, T.: Twisted Hessian curves. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LatinCrypt 2015. LNCS, vol. 9230, pp. 269–294. Springer, Heidelberg (2015)
7. Bernstein, D.J., Lange, T.: Faster addition and doubling on elliptic curves. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 29–50. Springer, Heidelberg (2007)
8. Bernstein, D.J., Lange, T.: Explicit-formulas database (2015). https://hyperelliptic.org/EFD/. Accessed 1 May 2015
9. Biehl, I., Meyer, B., Müller, V.: Differential fault attacks on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)
10. Billet, O., Joye, M.: The Jacobi model of an elliptic curve and side-channel analysis. In: Fossorier, M.P.C., Høholdt, T., Poli, A. (eds.) AAECC 2003. LNCS, vol. 2643, pp. 34–42. Springer, Heidelberg (2003). https://eprint.iacr.org/2002/125
11. Blömer, J., Otto, M., Seifert, J.P.: Sign change fault attacks on elliptic curve cryptosystems. In: Breveglieri, L., Koren, I., Naccache, D., Seifert, J.P. (eds.) FDTC 2006. LNCS, vol. 4236, pp. 36–52. Springer, Heidelberg (2006). http://dx.doi.org/10.1007/11889700_4
12. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of checking cryptographic protocols for faults. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 37–51. Springer, Heidelberg (1997)
13. Boneh, D., DeMillo, R.A., Lipton, R.J.: On the importance of eliminating errors in cryptographic computations. J. Cryptol. 14(2), 101–119 (2001)
14. Chudnovsky, D.V., Chudnovsky, G.V.: Sequences of numbers generated by addition in formal groups and new primality and factorization tests. Adv. Appl. Math. 7(4), 385–434 (1986). http://dx.doi.org/10.1016/0196-8858(86)90023-0
15. Ciet, M., Joye, M.: Elliptic curve cryptosystems in the presence of permanent and transient faults. Des. Codes Crypt. 36(1), 33–43 (2005). http://dx.doi.org/10.1007/s10623-003-1160-8
16. Coppersmith, D., Odlyzko, A.M., Schroeppel, R.: Discrete logarithms in \(GF(p)\). Algorithmica 1(1), 1–15 (1986). http://dx.doi.org/10.1007/BF01840433
17. Desboves, A.: Résolution, en nombres entiers et sous la forme la plus générale, de l’équation cubique, homogène, à trois inconnues. Nouvelles annales de mathématiques, journal des candidats aux écoles polytechnique et normale 5(3), 545–579 (1886). http://www.numdam.org/item?id=NAM_1886_3_5__545_0
18. Edwards, H.M.: A normal form for elliptic curves. Bull. Am. Math. Soc. 44(3), 393–422 (2007). http://dx.doi.org/10.1090/S0273-0979-07-01153-6
19. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31, 469–472 (1985)
20. Fouque, P., Lercier, R., Réal, D., Valette, F.: Fault attack on elliptic curve Montgomery ladder implementation. In: Breveglieri, L., Gueron, S., Koren, I., Naccache, D., Seifert, J. (eds.) 2008 Fifth International Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2008, Washington, DC, USA, 10 August 2008, pp. 92–98. IEEE Computer Society (2008). http://dx.doi.org/10.1109/FDTC.2008.15
21. Gordon, D.M.: Discrete logarithms in \(GF(p)\) using the number field sieve. SIAM J. Discret. Math. 6(1), 124–138 (1993). http://dx.doi.org/10.1137/0406010
22. Hamburg, M.: Ed448-Goldilocks. In: Workshop on Elliptic Curve Cryptography Standards (2015)
23. Harris, B., et al.: The Pareto frontiers of sleeveless primes. The Curves mailing list, October 2014. https://moderncrypto.org/mail-archive/curves/2014/000324.html
24. Hesse, O.: Über die Elimination der Variabeln aus drei algebraischen Gleichungen vom zweiten Grade mit zwei Variabeln. Journal für die reine und angewandte Mathematik 28, 68–96 (1844). http://resolver.sub.uni-goettingen.de/purl?GDZPPN002144069
25. Hisil, H., Wong, K.K.H., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008)
26. Hisil, H., Wong, K.K., Carter, G., Dawson, E.: An exploration of affine group laws for elliptic curves. J. Math. Cryptol. 5(1), 1–50 (2011). http://dx.doi.org/10.1515/jmc.2011.005
27. Huff, G.B.: Diophantine problems in geometry and elliptic ternary forms. Duke Math. J. 15(2), 443–453 (1948)
28. Husemöller, D.: Elliptic Curves, Graduate Texts in Mathematics, vol. 111, 2nd edn. Springer, New York (2004)
29. Jager, T., Schwenk, J., Somorovsky, J.: Practical invalid curve attacks on TLS-ECDH. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS. LNCS, vol. 9326, pp. 407–425. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-24174-6_21
30. Joye, M.: Fault-resistant calculations on elliptic curves, June 2013. http://www.google.com/patents/US8457303, US Patent 8,457,303
31. Joye, M.: On the security of a unified countermeasure. In: Breveglieri, L., Gueron, S., Koren, I., Naccache, D., Seifert, J. (eds.) 2008 Fifth International Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2008, Washington, DC, USA, 10 August 2008, pp. 87–91. IEEE Computer Society (2008). http://dx.doi.org/10.1109/FDTC.2008.8
32. Joye, M.: Elliptic curve cryptosystems in the presence of faults. In: Fischer, W., Schmidt, J. (eds.) 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography, Los Alamitos, CA, USA, 20 August 2013, p. 73. IEEE Computer Society (2013). http://conferenze.dei.polimi.it/FDTC13/shared/FDTC2013keynote2.pdf
33. Joye, M., Quisquater, J.J.: Hessian elliptic curves and side-channel attacks. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 402–410. Springer, Heidelberg (2001)
34. Joye, M., Tibouchi, M., Vergnaud, D.: Huff’s model for elliptic curves. In: Hanrot, G., Morain, F., Thomé, E. (eds.) ANTS-IX. LNCS, vol. 6197, pp. 234–250. Springer, Heidelberg (2010). http://dx.doi.org/10.1007/978-3-642-14518-6_20
35. Karabina, K., Ustaoğlu, B.: Invalid-curve attacks on (hyper)elliptic curve cryptosystems. Adv. Math. Commun. 4(3), 307–321 (2010). http://cryptolounge.net/pdf/KarUst10.pdf
 36.Kim, T., Tibouchi, M.: Bitflip faults on elliptic curve base fields, revisited. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 163–180. Springer, Heidelberg (2014)Google Scholar
 37.Kim, T., Tibouchi, M.: Invalid curve attacks in a GLS setting. In: Tanaka, K., Suga, Y. (eds.) IWSEC 2015. LNCS, vol. 9241, pp. 41–55. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 38.Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987). http://dx.org/10.1090/S00255718198708661095 CrossRefMathSciNetzbMATHGoogle Scholar
 39.Lenstra Jr., H.W.: Factoring integers with elliptic curves. Ann. Math. 126(3), 649–673 (1987). http://www.jstor.org/stable/1971363 Google Scholar
 40.Liardet, P., Smart, N.P.: Preventing SPA/DPA in ECC systems using the Jacobi form. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 391–401. Springer, Heidelberg (2001)CrossRefGoogle Scholar
 41.Lim, C.H., Lee, P.J.: A key recovery attack on discrete logbased schemes using a prime order subgroup. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997)CrossRefGoogle Scholar
 42.Lochter, M., Merkle, J., Schmidt, J.M., Schütze, T.: Requirements for standard elliptic curves. Cryptology ePrint Archive, Report 2014/832 (2014). http://eprint.iacr.org/2014/832
 43.Menezes, A.: Another look at HMQV. J. Math. Cryptol. 1, 47–64 (2007). http://dx.org/10.1515/JMC.2007.004 CrossRefMathSciNetzbMATHGoogle Scholar
 44.Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
 45.Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987). http://www.ams.org/journals/mcom/198748177/S00255718198708661137/ CrossRefzbMATHGoogle Scholar
 46.Mumford, D.: On the equations defining Abelian varieties. I. Inventiones Math. 1(4), 287–354 (1966). http://dash.harvard.edu/handle/1/3597241 CrossRefMathSciNetzbMATHGoogle Scholar
 47.Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over GF\((p)\) and its crytographic significance. IEEE Trans. Inf. Theory 24, 106–110 (1978)CrossRefMathSciNetzbMATHGoogle Scholar
 48.Rauzy, P., Moreau, M., Guilley, S., Najm, Z.: Using modular extension to provably protect ECC against fault attacks. Cryptology ePrint Archive, Report 2015/882 (2015). http://eprint.iacr.org/2015/882
 49.Rubin, K., Silverberg, A.: Compression in finite fields and torusbased cryptography. SIAM J. Comput. 37(5), 1401–1428 (2008)CrossRefMathSciNetzbMATHGoogle Scholar
 50.Shamir, A.: How to check modular exponentiation, May 1997. (presented at the rump session of EUROCRYPT 1997)Google Scholar
 51.Shanks, D.: Class number, a theory of factorization, and genera. In: Lewis, D.J. (ed.) 1969 Number Theory Institute. Proceedings of Symposia in Pure Mathematics, vol. 20, pp. 415–440. American Mathematical Society, Providence, Rhode Island (1971)CrossRefGoogle Scholar
 52.Silverman, J.H.: The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics, vol. 106, 2nd edn. Springer, New York (2009). http://www.math.brown.edu/jhs/AECHome.html CrossRefGoogle Scholar
 53.Smart, N.P.: The Hessian form of an elliptic curve. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 118–125. Springer, Heidelberg (2001)CrossRefGoogle Scholar
 54.Straus, E.G.: Addition chains of vectors (problem 5125). Am. Math. Monthly 71(7), 806–808 (1964). http://www.jstor.org/stable/2310929 MathSciNetGoogle Scholar