An algorithm to select a secure twisted elliptic curve in cryptography

Fault attack is a powerful side-channel attack technique to break cryptographic schemes. On elliptic curve cryptography (ECC), fault attacks can be divided into three types: safe-error attacks, weak-curve-based attacks, and differential fault attacks. In [1], the author presented the fault attack on the elliptic curve cryptosystem based on the quadratic twist curve and proposed criteria to resist this fault attack on the elliptic curve. In this paper, we propose an algorithm to choose a twist secure elliptic curve and evaluate the curves published in cryptographic standards around the world.

The Montgomery ladder method is known to be an efficient scalar multiplication algorithm resistant to some side-channel attacks. At FDTC 08, Fouque et al. [10] described a fault attack based on the twisted curve, mounted on an implementation of the Montgomery ladder method. The curve arithmetic does not use y-coordinates, which counters the point verification method. Considering the elliptic curve E defined over $\mathbb{F}_p$, a random value $x \in \mathbb{F}_p$ corresponds to the x-coordinate of a point either on the elliptic curve E or on its twisted curve E' with a probability of approximately ½.
Because it does not work with y-coordinates, the Montgomery algorithm works on the twisted curve E' just as it does on the elliptic curve E. The goal of the attack is to solve the discrete logarithm problem (DLP) on the twisted curve E' (which is a weak curve), from which it is easy to solve the DLP on the original curve E (which is a strong curve).
In [1], the authors clarified the formula relating the order of the initial elliptic curve E to that of its twisted curve E'. The authors then presented how to solve the small DLP on the twisted curve E', from which it is easy to get the result of the DLP on the original curve E and so obtain the secret key.
The fault attack model based on the twisted curve E' is as follows:
- The attacker modifies the x-coordinate of point P to form a point P' such that $P' \in E'$.
- The attack targets an implementation of Montgomery ladder scalar multiplication in which the y-coordinate is not used. Performing scalar multiplication with the point P' gives a faulty result $Q' = dP' \in E'$.
- Compute $d \bmod \operatorname{ord}(P')$ by solving the DLP in the group $\langle P' \rangle$.
There are two types of twisted curve-based attacks.
The basic attack, without countermeasures, is when the adversary has the ability to choose the input point P and the implementation performs no point verification at the end of the scalar multiplication algorithm. The second attack assumes that the attacker cannot choose P and that the implementation verifies the resulting point at the end of the scalar multiplication. In this case, the attacker needs to insert two errors. First, an error is inserted into the x-coordinate of the base point P to form the point P'. Then $P' \in E'$ with probability 1/2. Second, at the end of the calculation, an error is inserted into the x-coordinate of dP just before the point verification. The attacker then passes the point verification step with probability 1/2. A faulty output that also passes the point verification is therefore obtained with probability 1/4.
When $\operatorname{ord}(P')$ is smooth or small, an attacker can solve the discrete logarithm problem using algorithms such as Pohlig-Hellman analysis, Shanks' baby-step giant-step method, or Pollard's $\rho$ method to compute $d \bmod \operatorname{ord}(P')$. Repeating the process with enough different points and using the Chinese Remainder Theorem, we get the value $d \bmod \operatorname{ord}(E')$, where the time complexity is the square root of the largest factor of the order of the twisted curve. One of the criteria for dealing with a fault attack is therefore to select a curve E such that the DLP on its twisted curve E' is difficult to solve, so that it cannot be converted into a solution of the DLP on the original curve E.
The rest of the paper is organized as follows: we first present some basic algorithms in Section II. Section III proposes an algorithm to select a secure twisted elliptic curve. Elliptic curves are evaluated against the secure twisted curve criteria in Section IV. We conclude the paper in Section V.

A. Elliptic Curve Discrete Logarithm Problem (ECDLP)
Let E be an elliptic curve over a finite field $\mathbb{F}_p$ and let the point $G \in E$ (of order n) generate a cyclic group $\langle G \rangle$. Given a point $P \in \langle G \rangle$, find a positive integer x such that $P = xG$. To solve the ECDLP, it is necessary to check all values of $x \in [2, n-2]$. If G is chosen carefully with very large n, the solution of the ECDLP is considered infeasible. Solving the ECDLP is considered to be more difficult than solving the DLP on the finite field. Currently, there is no effective algorithm to solve this problem in polynomial time. The current best algorithm for solving the ECDLP is Pollard's rho algorithm.
Pollard's rho method [17]: Suppose G is a finite group of order N. Divide G into s disjoint subsets 12 If found $P_{j_0} = P_{i_0}$ then we have: This gives d ways to choose the value of k. Normally d will be small, so we can try all possible values until we find $Q = kP$. In cryptographic applications, N must usually be prime, so $d = 1$ or $d = N$. If $d = N$, we get a trivial relation (the coefficients of both P and Q are multiples of N), and we have to start over. If $d = 1$, k will be found.

The effectiveness of Pollard's rho method:
Pollard's method is applicable to any finite group of order N with negligible memory requirements. The average computation time of the Pollard rho algorithm is √ /2. There are several ways to improve the computation time of this algorithm, making its average computation time much lower. J. Bernstein et al. [6] implemented Pollard's rho algorithm using inverse mapping, with an average time of √ /4.

Journal of Science and Technology on Information security
Special Issue CS (15) 2022 19

The ECDLP can be considered unbreakable if the order N of the base point is large enough that the ECDLP is secure against Pollard's rho method.
Currently, the most powerful supercomputer in the world, Fugaku in Japan, delivers 442,010 petaflops (1 petaflop is equivalent to $10^{15}$ calculations/second), which is equivalent to performing approximately $2^{84}$ calculations in one year. SafeCurves [14] requires N such that √ /4 > $2^{100}$: breaking the ECDLP then needs a minimum of $2^{100}$ computations, so the ECDLP is secure in the near future.

Mapping between twisted Edwards curves and Weierstrass curves
From the above two transformations, we have the formula to map an elliptic curve in Edwards form , to short Weierstrass form W , as follows: In which | | ≤ 2√ and t is called the trace of the Frobenius mapping at p.
We have + 1 − 2√ ≤ | ( )| ≤ + 1 + 2√ . The algorithm currently considered the most efficient for calculating | ( )| is the SEA (Schoof-Elkies-Atkin) algorithm [17.2.2, 12]. This algorithm has a time complexity of (log 6 ), which can be reduced to (log 4 ).

recommend to use such as elliptic curves in ANSI X9.62 [2], NIST [13], Brainpool [8], GOST [11], SECv2 [5], NUMS (Microsoft Nothing Up My Sleeve) [3],… When using these curves, there is no guarantee that they resist the fault attack on twisted curves. Therefore, before using these curves, it is necessary to verify whether they meet the secure twisted curve criteria. Based on Proposition 1 and the security criteria against the twisted-curve fault attack above, we propose an algorithm to choose a secure twisted elliptic curve as follows: .

The program to select the secure twisted elliptic curve is built in Visual Studio C++ 2015 using the MIRACL large-number arithmetic library [15]. The algorithm we use for calculating the order of the curve is the SEA algorithm included in the MIRACL library. In addition, we use the open source application yafu v1.33 [16] to perform integer factorization.
Based on the proposed algorithm we evaluate the curves of NIST [13], GOST [11], Brainpool [8], SECv2 [5], NUMS [3], and the curves published in [2]. The results for some curves are detailed in the appendix. Based on the evaluation results, we make the following observations:

1. The Weierstrass curves given in Brainpool all have prime orders, but the orders of their twisted curves are all composite; only the Brainpool P512t1 curve has a twist order with a prime divisor greater than $2^{200}$, while for the remaining curves it is smaller than $2^{200}$.

2. NIST published 12 curves (including 7 Weierstrass curves, 2 Montgomery curves, 3 Edwards curves). There are 5 NIST Weierstrass curves with prime order, but only the NIST P-384 curve has a twist order that is prime; the rest of the curves all have a composite twist order. The curves NIST P-256 and NIST P-521 have a twist order whose greatest prime divisor is greater than $2^{200}$; for the curves NIST P-192 and NIST P-224 it is less than $2^{200}$. The Weierstrass W-255, Montgomery NIST Curve25519 and NIST Edwards25519 curves have order of the form 8q and twist order of the form 4q'; the Weierstrass W-448, Montgomery NIST Curve448, NIST E448 and NIST Edwards448 curves have order 4q and twist order 4q', where q and q' are all primes greater than $2^{200}$.

3. GOST, id-tc26-gost-3410-12-512-paramSetA, id-tc26-gost-3410-12-512-paramSetB) whose order is prime but the order of the twisted curve is composite. Among the Weierstrass curves of GOST, only the id-tc26-gost-3410-12-512-paramSetB curve has a greatest prime divisor < $2^{200}$; the remaining curves all have a greatest prime divisor > $2^{200}$. The GOST Edwards curves (id-tc26-gost-3410-2012-256-paramSetA, id-tc26-gost-3410-12-512-paramSetC) have a twist order of the form 4q, where q is a prime > $2^{200}$.

4. In the NUMS standard [13], there are 3 Weierstrass curves (numsp256d1, numsp384d1, numsp512d1) and 3 twisted Edwards curves (numsp256t1, numsp384t1, numsp512t1). The orders of the Weierstrass curves and of their twisted curves are both prime. The orders of the Edwards curves and of their twisted curves are of the form 4q, where q is a large prime greater than $2^{200}$.
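The check applied in this evaluation, as an added example in Python (not the paper's algorithm or its C++/MIRACL program): it takes the public parameters p and n of NIST P-256 and Curve25519, derives the twist order from the standard identity #E + #E' = 2p + 2, and compares the large prime factor of each order with the $2^{200}$ figure used above. The trial-division cut-off of $2^{16}$ and all function names are assumptions of this example; the paper itself factors with yafu.

```python
import random

def is_probable_prime(m, rounds=32):
    """Miller-Rabin test; a fixed seed keeps the result reproducible."""
    if m < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if m % q == 0:
            return m == q
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, m - 1), d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False
    return True

def strip_small_factors(m, bound=1 << 16):
    """Trial division below `bound` (assumed cut-off); returns (factors, residual)."""
    factors = []
    for q in range(2, bound):
        while m % q == 0:
            factors.append(q)
            m //= q
    return factors, m

def twist_report(p, n, min_bits=200):
    """Analyse #E = n and #E' = 2p + 2 - n against the 2^min_bits threshold."""
    report = {}
    for name, order in (("curve", n), ("twist", 2 * p + 2 - n)):
        small, rest = strip_small_factors(order)
        prime = is_probable_prime(rest)
        # ok=False also covers a composite residual (needs full factoring).
        report[name] = {"small": small, "rest": rest, "rest_prime": prime,
                        "ok": prime and rest > (1 << min_bits)}
    return report

# Public domain parameters (p, n) of two curves from the evaluation.
P256 = (2**256 - 2**224 + 2**192 + 2**96 - 1,
        0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551)
C25519 = (2**255 - 19, 8 * (2**252 + 27742317777372353535851937790883648493))
```

Calling `twist_report(*P256)["twist"]` returns the small factors of the twist order together with the large prime that remains, which is the quantity the evaluation compares with $2^{200}$.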

General Evaluation:
Most of the Weierstrass curves given in the standards (with the exception of the NIST P-384 curve and the NUMS curves) have a composite twist order, making these curves vulnerable to the fault attack on ECC based on the twisted curve.

In this section, we analyze the probability that twisted Edwards curves satisfy the secure twisted curve criteria.
We first analyze how many random curves have small cofactors ( We consider curves with large enough primes p (at least 224 bits); such curves with small cofactors as above will satisfy the requirement √ /4 > $2^{100}$. In other words, the requirement that the curve must have a small cofactor replaces the requirement that the curve be secure against Pollard's rho method.
be the number of elements in the segment $[2, x]$. The prime number theorem states that $x / \log x$ is a good approximation to (