Current ECC and Attack


Current ECC example

  • 256-bit recommended ECC: secp256r1
  • y^2 = x^3 + ax + b (mod p), order: r
  • p=115792089210356248762697446949407573530086143415290314195533631308867097853951
  • r=115792089210356248762697446949407573529996955224135760342422259061068512044369
  • a=115792089210356248762697446949407573530086143415290314195533631308867097853948
  • b=41058363725152142129326129780047268409114441015993725554835256314039467401291
  • Point on the curve: Q=(Qx,Qy)
  • Qx=16541727030050892680385349564201081932869449059327187742219090186981013979132
  • Qy=25818268083887228378207107542437174286775255751119128378977759983362344375837

Invalid Curve Attack (ICA) example

  • 256-bit recommended ECC: secp256r1.
  • Invalid curve: the attack replaces Q=(Qx,Qy) with the following point.
  • Qx=57896044605178124381348723474703786765043071707645157097766815654433548926972
  • Qy=57684798960610185562186990909005320688004873483451899562987949717691690412694
  • Unchanged parameters: p, a
  • Changed parameters: b, r
  • b=10106
  • r=115792089210356248762697446949407573529658708695050940591319239710041960297572
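A receiver-side check that rejects a replaced point, as an added example (not code from the original page). The function names are hypothetical; the standard base point G is used as the known-good input, and the two points printed on this page are only fed through the check, with no result assumed for them.

```python
# Added example: public-point validation for secp256r1 (P-256).
# Domain parameters are the standard ones the page lists in decimal.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# Standard base point G, used here as a known-good input.
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# The two points as printed on the page (original Q and the replaced Q).
PAGE_Q = (16541727030050892680385349564201081932869449059327187742219090186981013979132,
          25818268083887228378207107542437174286775255751119128378977759983362344375837)
PAGE_ATTACK_Q = (57896044605178124381348723474703786765043071707645157097766815654433548926972,
                 57684798960610185562186990909005320688004873483451899562987949717691690412694)


def implied_b(x, y):
    """Return the b for which (x, y) satisfies y^2 = x^3 + a*x + b (mod p).

    The point-addition formulas never use b, so a point with implied_b != B
    is silently processed on a different curve if it is not rejected.
    """
    return (y * y - x * x * x - A * x) % P


def validate_public_point(x, y):
    """Accept only affine points that lie on secp256r1."""
    if not (isinstance(x, int) and isinstance(y, int)):
        return False
    if not (0 <= x < P and 0 <= y < P):  # coordinates must be field elements
        return False
    # secp256r1 has cofactor 1, so on-curve implies the prime-order group.
    return implied_b(x, y) == B


if __name__ == "__main__":
    for name, (x, y) in [("G", (GX, GY)), ("page Q", PAGE_Q),
                         ("page attack Q", PAGE_ATTACK_Q)]:
        print(name, "accepted:", validate_public_point(x, y),
              "implied b:", implied_b(x, y))
```

Running the check on every received point before any scalar multiplication keeps the computation on the curve with prime order r.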

Fast decoding with Invalid Curve Attack

  • The original order r of secp256r1 is a prime number.
  • The attack changes the order r and factors it.
  • r=115792089210356248762697446949407573529658708695050940591319239710041960297572
  • r=4131922108816065318184839304391204672993390200611861937431296502157*42370421023549
  • The problem changes from one of prime order to decoding the ECC separately for each factor.
  • 256-bit decryption -> 2, 11, 22, 43, 45, 45, 46, 46-bit decryptions
  • 256 bits can be decrypted in 1 to 2 minutes with the ρ method.

Learning λ method deciphers instantly

  • The learning λ method can be sped up in proportion to the learning time.
  • It is about a thousand times faster than the ρ method if it has learned for one day.
  • With a 4 GHz personal computer, decoding in 0.01 second is the limit.