Evaluating Side-Channel Resistance Using Low Order Rational Points Against Curve25519 and an Associated Quadratic Twist

Keiji Yoshimoto, Yoshinori Uetake, Yuta Kodera, Takuya Kusaka, Yasuyuki Nogami

IoT devices contribute to improving the mechanisms of a system as edge devices for data sharing and industrial automation. However, such devices are often targeted by attackers because of their simple architecture and their lack of resources for protecting data confidentiality with cryptosystems. In addition, although Curve25519 has been used in various security protocols and is known to work efficiently even on IoT devices, the curve inherits the low-order points hidden inside Edwards curves. In this paper, the authors demonstrate side-channel attacks against Curve25519 by focusing on the points of order 4 and 8. We choose the order-4 point that does not exist on Curve25519 but does exist on the quadratic twist of Curve25519. More precisely, the rational point used in this paper is given by (x,y)=(-1,0) in affine coordinates. In addition, the order-8 point appears to be a high-order rational point. The results reveal that such rational points may pose a threat of key extraction, and further countermeasures are needed.


Keywords: Curve25519; Side-channel attack; Invalid curve attack; Twisted Montgomery curve; Montgomery ladder
