Singular Curve Point Decompression Attack

Abstract

In this work, we show how to use instruction skip faults to transfers the discrete logarithm problem from a cryptographically strong elliptic curve to a weak singular curve. More specifically, we attack the algorithm that computes from a field element a point on the curve. This algorithm is a building block of point decompression, hashing to curves, and random point sampling. Our attack is most powerful for curves of j-invariant zero that often occur in pairing based cryptography. Therefore, to demonstrate the effectivity of our attack in practice, we perform it on an AVR Xmega A1 for the pairing based Boneh-Lynn-Shacham short signature scheme.