Invalid-curve Attack
Practical Invalid Curve Attacks
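In ECDH, if the point P used in the check pP == qP lies not on the large-order curve E but on a curve E' of order 5 (the client forces this point on the server), the server's private key can be computed in 5 iterations.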
blog post: Invalid curve attacks, explained
https://vnhacker.blogspot.com/2018/09/invalid-curve-attacks-explained.html
slide: Practical Invalid Curve Attacks on TLS-ECDH
https://www.owasp.org/images/4/4c/Practical_Invalid_Curve_Attacks_on_TLS-ECDH_-_Juraj_Somorovsky.pdf
Invalid curve attack: finding low order points
https://crypto.stackexchange.com/questions/71065/invalid-curve-attack-finding-low-order-points
You could have invented that Bluetooth attack
https://blog.trailofbits.com/2018/08/01/bluetooth-invalid-curve-points/
Cryptographic Right Answers: almost certainly don’t want to be using it in the first place
https://latacora.singles/2018/04/03/cryptographic-right-answers.html
Breaking the Bluetooth Pairing – The Fixed Coordinate Invalid Curve Attack
Our attack exploits improper validation of ECDH public keys by introducing the Fixed Coordinate Invalid Curve Attack. It is a MitM attack that modifies the public keys in a way that lets the attacker deduce the shared secret.
#Cryptography