
I read that in elliptic curve cryptography, the order of a Montgomery curve is a multiple of 8. This means that we can't have cofactor-one curves, which can be problematic in some corner cases because the curve always has a cofactor bigger than 1. When the cofactor is not 1, it means that the subgroup of prime order is only a subset of the curve. This leads to a situation where not all points on the curve can be used for cryptographic operations. Verifying the curve equation alone is not enough to ensure that a point is in the appropriate subgroup.

So, what I can't understand is the following:

  1. What vulnerabilities can arise if the order is not a multiple of 8?
  2. What issue is caused when the resulting points do not fall into the correct subgroup? How can attackers exploit this problem?
  3. Why can't we have cofactor one? Does this mean that the group that the base point (generator point) generates doesn't contain all the points of the curve? Is this a problem?
  4. The three least significant bits (LSB) of the scalar are set to 0; does that mean the scalar is also a multiple of 8? Does this have any connection to the order of the curve being a multiple of 8?

I would be very thankful if someone could explain it simply.

  • Yes, with *8, one guarantees that the selected random is either identity or has an order of the large subgroup. 3+) Whats the reason for using elliptic curves of order |E| = fr – kelalaka Jan 27 '24 at 17:31
  • Can you read the posts and limit your question? – kelalaka Jan 27 '24 at 17:35
  • @fgrieu, what are the problems that may happen when the order of the 25519 curve is a multiple of 8? – Nawras Hussein Jan 27 '24 at 18:04
  • @kelalaka, I saw (Curve25519 Key Validation, Summarize the mathematical problem at the heart of breaking a Curve25519 public key) but it is still unclear to me. Also, 2) Lim Lim Lee attack is in Chinese; I hope that you have a resource in English. – Nawras Hussein Jan 27 '24 at 18:08
  • It is not Chinese, it is Korean. With a little search, here it is: Lim Lee. What is unclear for you? You had a broad question... – kelalaka Jan 27 '24 at 18:15
  • @kelalaka, one more question please: when the cofactor is bigger than one, does this mean that the subgroup generated by the base point (generator point) doesn't contain all the points of the curve, and that this makes the search for the private key (scalar) easier? Or am I missing something? – Nawras Hussein Jan 27 '24 at 18:22
  • Not a clear comment. The Lim-Lee attack leaks part of the key. This is why we remove these points. Well, 1, 2, and 3 are also easier to search. – kelalaka Jan 27 '24 at 18:36
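
An added example, not part of the original question or comments, illustrating points 2 and 4 of the question and the "*8" comment on Curve25519 itself: the point with u = 1 passes the curve-equation check but has order 4, an unclamped scalar's result on it depends on the scalar's low bits, and a clamped scalar (a multiple of 8) always maps it to the identity. The function names are this example's own; the ladder follows RFC 7748.

```python
# Added illustration; not constant-time, do not use with real keys.
P = 2**255 - 19          # field prime of Curve25519
A, A24 = 486662, 121665  # curve coefficient A and (A - 2) / 4

def on_curve(u):
    """Curve-equation check: does v^2 = u^3 + A*u^2 + u have a solution v?"""
    rhs = (u**3 + A * u**2 + u) % P
    return pow(rhs, (P - 1) // 2, P) in (0, 1)  # Euler's criterion

def clamp(k):
    """RFC 7748 clamping: clear the 3 low bits and bit 255, set bit 254."""
    return (k & ~7 & (2**255 - 1)) | 2**254

def ladder(k, u):
    """x-only Montgomery ladder computing k*P; the identity is returned as 0."""
    x1, x2, z2, x3, z3, swap = u % P, 1, 0, u % P, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:  # real implementations use a constant-time swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def x25519(k, u):
    """Clamped multiplication plus the all-zero output check as mitigation."""
    out = ladder(clamp(k), u)
    if out == 0:
        raise ValueError("peer point has small order; result carries no secret")
    return out

if __name__ == "__main__":
    secret = 0x1234567890ABCDEF * 2**180 + 12345   # constructed sample scalar
    print("u=1 satisfies the curve equation:", on_curve(1))
    # Unclamped: the result on the order-4 point depends on the scalar's low bits.
    print("unclamped k=4..7 on u=1:", [ladder(k, 1) for k in (4, 5, 6, 7)])
    # Clamped: a multiple of 8 sends every point of order 1, 2, 4 or 8 to identity.
    print("clamped secret on u=1:", ladder(clamp(secret), 1))
```
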