Is there twist security for Weierstrass ECC in mbedtls?


I’ve looked over the code to find if there are counter-measures taken for Twist security [1] in mbedtls. I have found mbedtls_ecp_point_read_binary() where some checks according to [2] are done, but I could not find the step 3.5 (Check that P = (xP; yP) satisfies the defining equation of the elliptic curve) of Section 2.3.4 in the code.

I see some checks in ecp_check_pubkey_sw() but I am not sure if those are the checks needed to satisfy [1].

We want to use the brainpool curves, especially brainpoolP256t1 which would otherwise be insecure if the checks in [1] are not satisfied.

Thank you!


Sorry, second link [2] is

Hi @mduellps
Thank you for your question!
The short answer to your question is, yes. There is Twist security in Mbed TLS.
The long answer:

  • ecp_check_pubkey_sw() does exactly step 3.5 in Section 2.3.4.
  • This function is called before every multiplication, so it is stricter than just within mbedtls_ecp_point_read_binary().
  • Having said that, we may consider adding this check in mbedtls_ecp_point_read_binary(), for compatibility and catching errors earlier.
  • Bernstein’s Twist security is a property of the curve and not the implementation; there is not much Mbed TLS can do about it. One of the things Twist security requires of a curve is that it is secure even if the implementation doesn’t do the above check.
  • The attack Bernstein refers to there only works on curves that don’t have twist security if we don’t do the above-mentioned check. Since we do this check, the other curves that we do support are secure against twist attacks as well.
  • Note that Mbed TLS does not support brainpoolP256t1. We support brainpoolP256r1.
    Mbed TLS Team member
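
The check discussed in the answer above, as an added illustration (not Mbed TLS code and not part of the original posts): a short Weierstrass public-point validation that rejects unreduced coordinates and any point that fails the curve equation, including a point on the quadratic twist. The curve y^2 = x^3 + 2x + 3 over F_97, the twist factor 5 and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy short Weierstrass curve y^2 = x^3 + a*x + b over F_p. Constructed
   parameters, far too small for real use; p must stay below 2^32 so the
   64-bit products below cannot overflow. */
typedef struct { uint64_t p, a, b; } toy_curve;

const toy_curve TOY = { 97, 2, 3 };

static uint64_t mulmod(uint64_t u, uint64_t v, uint64_t p) { return (u * v) % p; }

/* Right-hand side of the curve equation: x^3 + a*x + b mod p. */
static uint64_t curve_rhs(const toy_curve *c, uint64_t x)
{
    uint64_t x3 = mulmod(mulmod(x, x, c->p), x, c->p);
    return (x3 + mulmod(c->a, x, c->p) + c->b) % c->p;
}

/* Returns 0 if (x, y) is a valid affine point on the curve, -1 otherwise. */
int toy_check_pubkey_sw(const toy_curve *c, uint64_t x, uint64_t y)
{
    if (x >= c->p || y >= c->p)                 /* coordinates must be in [0, p-1] */
        return -1;
    if (mulmod(y, y, c->p) != curve_rhs(c, x))  /* the curve-equation check */
        return -1;
    return 0;
}

/* Returns 0 if (x, y) lies on the quadratic twist d*y^2 = x^3 + a*x + b,
   where d is a quadratic non-residue mod p. */
int toy_on_twist(const toy_curve *c, uint64_t d, uint64_t x, uint64_t y)
{
    if (x >= c->p || y >= c->p)
        return -1;
    return mulmod(d, mulmod(y, y, c->p), c->p) == curve_rhs(c, x) ? 0 : -1;
}

int main(void)
{
    printf("(3,6)   on curve: %d\n", toy_check_pubkey_sw(&TOY, 3, 6));
    printf("(3,7)   off curve: %d\n", toy_check_pubkey_sw(&TOY, 3, 7));
    printf("(2,10)  twist point, curve check: %d\n", toy_check_pubkey_sw(&TOY, 2, 10));
    printf("(2,10)  twist check (d=5): %d\n", toy_on_twist(&TOY, 5, 2, 10));
    printf("(100,6) unreduced x: %d\n", toy_check_pubkey_sw(&TOY, 100, 6));
    return 0;
}
```

The point (2, 10) satisfies the twist equation but fails the curve equation, so a validation of this form rejects it before any scalar multiplication would use it.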

This is great news! Thank you very much for the reply!