[Cryptography] Low-order points on secp256r1?
Antonio Sanso
asanso at adobe.com
Tue Apr 3 05:25:06 EDT 2018
hi Dominik
> On Apr 1, 2018, at 12:36 AM, Dominik Pantůček <dominik.pantucek at trustica.cz> wrote:
>
> Hi Ondrej,
>
> On 03/31/2018 03:27 AM, Ondrej Mikle wrote:
>> I'm reading the following paper: https://eprint.iacr.org/2018/298
>>
>> In appendix A (page 14), it states, there is a point of order 5 on secp256r1.
>> How is that possible when secp256r1 curve group has prime order and the cofactor
>> is 1?
> the curve y^2=x^3+ax+(b-1) where a and b are taken from secp256r1
> parameters does not have a prime order. The right hand side of the
> equation is the same as in secp256r1 -1 (minus one). Apparently the
> research tried to validate the responses to invalid curve parameters /
> points used for key exchange.
one of the author of the paper here.
This is indeed correct. One of the things we tried is invalid curve attack
regards
antonio
>
>
> Cheers,
> Dominik
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
More information about the cryptography
mailing list