[Cryptography] Low-order points on secp256r1?
Dominik Pantůček
dominik.pantucek at trustica.cz
Sat Mar 31 18:36:01 EDT 2018
Hi Ondrej,
On 03/31/2018 03:27 AM, Ondrej Mikle wrote:
> I'm reading the following paper: https://eprint.iacr.org/2018/298
>
> In appendix A (page 14), it states, there is a point of order 5 on secp256r1.
> How is that possible when secp256r1 curve group has prime order and the cofactor
> is 1?
the curve y^2=x^3+ax+(b-1) where a and b are taken from secp256r1
parameters does not have a prime order. The right hand side of the
equation is the same as in secp256r1 -1 (minus one). Apparently the
research tried to validate the responses to invalid curve parameters /
points used for key exchange.
Cheers,
Dominik
More information about the cryptography
mailing list