Curious curves

Defcon had a challenge which asked us to supply an anomalous curve which managed to evade being cracked by Smart's attack.
Link to challenge

We have decided to further investigate why exactly some curves evade it with the goal of classifying those.
We have found that when anomalous curves have j=0, an overwhelming number of the point pairs (P,Q) evade Smart's attack. This case does not seem limited to j=0.
However, for certain point pairs, Smart's attack still works for these curves.

We have also found curves for which j != 0, and many points on these curves also evade smart's attack.

If you have any insight into the problem or just want to discuss it, join us at CryptoHack's discord(channel #curious-curves).

Latex formalization work by Ariana:

The above diagram doesn't commute (path from E_0 to F_p).

There is in fact 3 different ways the Smart attack can fail:

• From a Python standpoint the function executes correctly but the returned value is wrong (not the solution to the DLP)
• One of the two lifts is empty and the function cannot proceed (Q_Qp or P_Qp is undefined)
• There is a "negative valuation" error thrown at the last step

Resources:
Original PDF write-up (Ariana)
Updated PDF write-up with context(Jack)

Smart's original article on the attack
StackExchange question asking why the Smart attack fails for a specific instance
StackExchange question about canonical lifts
smart_fails.txt (enumerates (p,a,b) of non-zero j-invariant such that almost all points fool the attack)
spreadsheet (enumerates (p,a,b) for ALL j-invariants such that almost all points fool the attack)