Fault-Based Attack on Montgomery’s Ladder Algorithm

• Published in: Journal of cryptology Vol. 24; no. 2; pp. 346 - 374
• Main Authors: Dominguez-Oviedo, Agustin, Hasan, M. Anwar, Ansari, Bijan
• Format: Journal Article
• Language: English
• Published: New York Springer-Verlag 01.04.2011; Springer Nature B.V
• Subjects: Algorithms; Coding and Information Theory; Combinatorics; Communications Engineering; Computational Mathematics and Numerical Analysis; Computer Science; Cryptography; Curves; Embedded systems; Multiplication; Networks; Parameters; Probability Theory and Stochastic Processes; Elliptic curve cryptography; Fault-based attacks; Montgomery ladder; Scalar multiplication
• ISSN: 0933-2790; 1432-1378; 1432-1378
• DOI: 10.1007/s00145-010-9087-5

In this paper we present invalid-curve attacks that apply to the Montgomery ladder elliptic curve scalar multiplication (ECSM) algorithm. An elliptic curve over the binary field is defined using two parameters, a and b . We show that with a different “value” for curve parameter a , there exists a cryptographically weaker group in nine of the ten NIST-recommended elliptic curves over . Thereafter, we present two attacks that are based on the observation that parameter a is not utilized for the Montgomery ladder algorithms proposed by López and Dahab (CHES 1999: Cryptographic Hardware and Embedded Systems, LNCS, vol. 1717, pp. 316–327, Springer, Berlin, 1999 ). We also present the probability of success of such attacks for general and NIST-recommended elliptic curves. In addition we give some countermeasures to resist these attacks.