Tags: crypto ecc 

tl;dr

The Smart attack only works if `y/x` for `pP` on the lifted curve does not have a negative valuation at `p`. By using anomalous curves of the form `y^2=x^3+a`, we can force the lifted curve in the attack implementation to have this flaw.

Primes of the form `p=12s^2+6s+1` have anomalous curves of the form `y^2=x^3+a`. Furthermore, there are only `6` possible traces for such curves (since `p%3=1`; otherwise there is only one possible trace, namely `0`), hence by randomly guessing `a`, one is easily found.
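The trace claim can be checked by brute force on small primes. The following is an added example, not code from the original writeup; the function names are hypothetical and the point counting is only practical for toy-sized `p`. It groups every nonzero `a` by the trace of `y^2=x^3+a` and lists the anomalous ones (trace `1`, i.e. `#E = p`), which is also the condition a curve-parameter validator rejects.

```python
# Added illustration (not from the original writeup): brute-force point counts
# for y^2 = x^3 + a over small primes. Function names are hypothetical.
from collections import defaultdict

def family_prime(s):
    """p = 12s^2 + 6s + 1, so that 4p = 1 + 3(4s+1)^2 and trace 1 is possible."""
    return 12 * s * s + 6 * s + 1

def curve_order(p, a):
    """#E(F_p) for y^2 = x^3 + a, counted directly (only practical for small p)."""
    roots = [0] * p                      # roots[v] = number of y with y^2 = v
    for y in range(p):
        roots[y * y % p] += 1
    return 1 + sum(roots[(x * x * x + a) % p] for x in range(p))  # +1: infinity

def trace_classes(p):
    """Group every nonzero a by the Frobenius trace t = p + 1 - #E."""
    classes = defaultdict(list)
    for a in range(1, p):
        classes[p + 1 - curve_order(p, a)].append(a)
    return dict(classes)

def anomalous_a(p):
    """Values of a with #E = p (trace 1): the curves a parameter check must reject."""
    return trace_classes(p).get(1, [])

if __name__ == "__main__":
    for p in (family_prime(1), family_prime(2), 23):   # 19, 61, and 23 = 2 mod 3
        classes = trace_classes(p)
        print(f"p={p} p%3={p % 3} traces={sorted(classes)} anomalous a={anomalous_a(p)}")
```

For `p=19` the six traces are `±1, ±7, ±8` with three values of `a` each, so a uniformly random nonzero `a` is anomalous with probability `1/6`; for `p=23` (where `p%3=2`) every curve has trace `0`.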

Original writeup (https://github.com/Ariana1729/CTF-Writeups/blob/master/2020/DEFCON/notbefoooled/README.md).