Paper 2025/076

Decompose and conquer: ZVP attacks on GLV curves

Vojtěch Suchánek, Masaryk University
Vladimír Sedláček
Marek Sýs
Abstract

While many side-channel attacks on elliptic curve cryptography can be avoided by coordinate randomization, this is not the case for the zero-value point (ZVP) attack. This attack can recover a prefix of a static ECDH key but requires solving an instance of the dependent coordinates problem (DCP), which is open in general. We design a new method for solving the DCP on GLV curves, including the Bitcoin secp256k1 curve, outperforming previous approaches. This leads to a new type of ZVP attack on multiscalar multiplication, recovering twice as many bits when compared to the classical ZVP attack. We demonstrate a $63\%$ recovery of the private key for the interleaving algorithm for multiscalar multiplication. Finally, we analyze the largest database of curves and addition formulas, with over 14 000 combinations, and provide the first classification of their resistance against the ZVP attack.

Note: This preprint has not undergone peer review or any post-submission improvements or corrections.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. Minor revision. ACNS - Applied Cryptography and Network Security
Keywords
dependent coordinates problem, elliptic curve cryptography, GLV curve, side-channel attacks, ZVP attack
Contact author(s)
vojtechsu @ mail muni cz
vlada sedlacek @ mail muni cz
syso @ mail muni cz
History
2025-01-18: approved
2025-01-17: received
Short URL
https://ia.cr/2025/076
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/076,
      author = {Vojtěch Suchánek and Vladimír Sedláček and Marek Sýs},
      title = {Decompose and conquer: {ZVP} attacks on {GLV} curves},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/076},
      year = {2025},
      url = {https://eprint.iacr.org/2025/076}
}