Baby Sharks: Small-Subgroup Attacks to Disrupt Large Distributed Systems

Presented at Black Hat USA 2021, Aug. 5, 2021, 11:20 a.m. (40 minutes)

Elliptic-curve cryptography is now a common choice among practitioners implementing cryptographic primitives that require a group of large prime order. However, for some elliptic curves, the prime-order group is a subgroup of a larger composite-order group. Two such examples are Curve25519 and the pairing-friendly curve BLS12-381.

Protocols implemented with these curves are susceptible to small-subgroup attacks, where a point from the composite-order group is used instead of one from the prime-order group. Such attacks were previously demonstrated in the wild for Curve25519, e.g. the CryptoNote double-spend vulnerability.

In this talk, we focus on small-subgroup attacks in implementations based on threshold cryptography: proactive secret sharing, distributed key generation, and threshold signatures. Such protocols involve interaction between distrusting parties, usually with a requirement to communicate elliptic-curve points. Because of the added complexity, we observe that implementers occasionally forget to "sanitize" inputs, i.e. to validate the received points. We look at applications such as consensus, distributed randomness beacons, cryptocurrency wallets, and proof-of-stake validators. We show how injecting small-order subgroup elements can bypass the security of cryptographic primitives used in threshold cryptography, such as verifiable secret sharing, sigma protocols, and digital signatures. We discuss the potential damage of our attacks on the mentioned applications and demonstrate that it is possible, with little effort, to break "liveness" for some critical real-world systems.
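As an added illustration that is not part of the talk, the following Python model of Ed25519 (the Edwards form of Curve25519, whose group has order 8·L) shows why the "sanitize" step matters: a point chosen by a peer can pass an on-curve check yet lie outside the prime-order subgroup, and the two standard mitigations (reject any P with [L]P not equal to the identity, or clear the cofactor by multiplying by 8) catch or neutralize it. The function names and the constructed TAINTED share are this example's own, not the talk's.

```python
p = 2**255 - 19                                      # field prime
d = (-121665 * pow(121666, -1, p)) % p               # curve: -x^2 + y^2 = 1 + d x^2 y^2
L = 2**252 + 27742317777372353535851937790883648493  # prime order of the base-point subgroup
COFACTOR = 8                                         # full curve group has order 8 * L
IDENTITY = (0, 1)
SQRT_M1 = pow(2, (p - 1) // 4, p)                    # a square root of -1 mod p

def sqrt_mod_p(a):
    """Square root for p = 5 (mod 8); caller must know a is a square."""
    x = pow(a, (p + 3) // 8, p)
    return x if (x * x - a) % p == 0 else x * SQRT_M1 % p

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0

def point_add(P, Q):
    """Complete twisted-Edwards addition (a = -1); denominators never vanish on Ed25519."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p
    return (x3, y3)

def scalar_mult(k, P):
    R = IDENTITY
    while k:                      # plain double-and-add; not constant-time, fine for validation
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R

def is_valid_group_element(P):
    """Check to apply to every received point: on the curve, not the identity, killed by L."""
    return on_curve(P) and P != IDENTITY and scalar_mult(L, P) == IDENTITY

def clear_cofactor(P):
    """Alternative mitigation: [8]P lands in the prime-order subgroup for any curve point P."""
    return scalar_mult(COFACTOR, P)

# Standard base point: y = 4/5, x the even square root (RFC 8032 convention).
By = 4 * pow(5, -1, p) % p
Bx = sqrt_mod_p((By * By - 1) * pow(1 + d * By * By, -1, p) % p)
B = (Bx if Bx % 2 == 0 else p - Bx, By)

# Constructed inputs: torsion points of order 2 and 4 (both pass on_curve), and a
# "contaminated" share B + T2 that is on the curve but outside the order-L subgroup.
T2 = (0, p - 1)
T4 = (SQRT_M1, 0)
TAINTED = point_add(B, T2)
```

Note that [L]·TAINTED equals T2 rather than the identity, which is exactly the residue a small-subgroup injection leaves behind in a verifiable-secret-sharing or signature check that skips the membership test.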


Presenters:

  • Omer Shlomovits - Co-founder, Cryptography, ZenGo
    Omer Shlomovits (@OmerShlomovits) is the co-founder and VP of Research of ZenGo (founded 2018), a Tel-Aviv based company building products for consumers in the blockchain space. He also runs ZenGo X, a 500+ member research community. In 2019 Omer co-founded MPC-Alliance, a consortium of 50+ companies collaborating to advance MPC technology. He currently serves as a board member and head of the technical committee. Omer co-founded Zero-Knowledge TLV, a 750+ member applied cryptography community in Israel that is now part of ZK-Global. Omer codes mostly in Rust/Go and is passionate about implementing complex crypto-systems. His research focuses on tackling hard real-world problems using novel cryptography. He consults various companies on safe usage and integration of crypto. Omer is a member of the OpenMined MPC team, applying secure computation to machine learning.
