====== Decompose and conquer: ZVP attacks on GLV curves ======
~~NOTOC~~

<grid>
<col xs="12" sm="8" lg="8">
<TEXT size="large">
\_{{fa>user}}\_\_//Authors:// [[:publications:authors:vojtech-suchanek|Vojtech Suchanek]], [[:publications:authors:vladimir-sedlacek|Vladimir Sedlacek]], [[:publications:authors:marek-sys|Marek Sys]]
{{fa>user-circle-o}}\_//Primary contact:// Vojtech Suchanek %%<%%<vojtechsu@mail.muni.cz>%%>%%
{{fa>bullhorn}}\_//Conference:// [[http://acns2025.fordaysec.de/| International Conference on Applied Cryptography and Network Security 2025]]
</TEXT>
</col>
<col xs="12" sm="4" lg="4">
<TEXT align="right">
<button type="warning" icon="fa fa-fw fa-file-pdf-o">[[http://acns2025.fordaysec.de/accepted-papers/|PDF (not yet)]]</button> \_
<button icon="fa fa-fw fa-file-image-o">[[http://acns2025.fordaysec.de/accepted-papers/|Slides (not yet)]]</button> \_
<button collapse="bibtex" icon="fa fa-fw fa-file-code-o">BiBTeX</button>
</TEXT>
</col>
</grid>

<collapse id="bibtex" collapsed="false">
@misc{cryptoeprint:2025/076,
author = {Vojtěch Suchánek and Vladimír Sedláček and Marek Sýs},
title = {Decompose and conquer: {ZVP} attacks on {GLV} curves},
howpublished = {Cryptology {ePrint} Archive, Paper 2025/076},
year = {2025},
url = {https://eprint.iacr.org/2025/076}
}
</collapse>

<panel type="default" title="Abstract">
While many side-channel attacks on elliptic curve cryptography can be avoided by coordinate randomization, this is not the case for the zero-value point (ZVP) attack. This attack can recover a prefix of a static ECDH key but requires solving an instance of the dependent coordinates problem (DCP), which is open in general. We design a new method for solving the DCP on GLV curves, including the Bitcoin secp256k1 curve, outperforming previous approaches.
This leads to a new type of ZVP attack on multiscalar multiplication, recovering twice as many bits when compared to the classical ZVP attack. We demonstrate a 63% recovery of the private key for the interleaving algorithm for multiscalar multiplication. Finally, we analyze the largest database of curves and addition formulas with over 14,000 combinations and provide the first classification of their resistance against the ZVP attack. </panel>