Fault-Based Attack on Montgomery's Ladder ECSM Algorithm

In this report we present invalid-curve attacks that apply to the Montgomery ladder elliptic curve scalar multiplication (ECSM) algorithm. An elliptic curve over the binary field is defined using two parameters, namely a and b. We show that for nine of the ten NIST-recommended elliptic curves over F_{2^m}, a different "value" of the curve parameter a yields a cryptographically weaker group. Thereafter, we present two attacks based on the observation that parameter a is not used by the Montgomery ladder algorithms proposed by López and Dahab [13]. We also give the probability of success of such attacks for general and for NIST-recommended elliptic curves. In addition, we give some countermeasures to resist this attack.
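The countermeasure the abstract points at is point validation: since the x-only ladder never reads a, a supplied point that lies on a curve with a different a is processed as if it were valid, so the check must happen before (and after) the ladder. The following is an added example, not code from the paper: it implements the membership test y^2 + xy = x^3 + a x^2 + b over a constructed toy field GF(2^5) (modulus x^5 + x^2 + 1, b = 1, a in {0, 1}, all chosen here for illustration) and, by brute-force point counting, shows that changing a to a value of different trace moves the computation onto the quadratic twist, a different group of complementary order.

```python
# Added example (not from the paper): curve-membership check for a binary curve
# y^2 + xy = x^3 + a*x^2 + b over a constructed toy field GF(2^5), modulus x^5 + x^2 + 1.
M = 5
POLY = 0b100101  # x^5 + x^2 + 1, irreducible over GF(2)

def gf_mul(u, v):
    """Multiply two field elements: carry-less product reduced modulo POLY."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> M:          # degree reached m: reduce once
            u ^= POLY
    return r

def on_curve(x, y, a, b):
    """True iff (x, y) satisfies y^2 + xy = x^3 + a*x^2 + b in GF(2^m)."""
    x2 = gf_mul(x, x)
    lhs = gf_mul(y, y) ^ gf_mul(x, y)
    rhs = gf_mul(x2, x) ^ gf_mul(a, x2) ^ b
    return lhs == rhs

def validate_point(x, y, a, b):
    """Countermeasure: accept a point for the ladder only if it is a valid
    field pair lying on the intended curve E_{a,b}. The ladder itself never
    reads a, so this check is where a point from the wrong curve is caught."""
    in_field = 0 <= x < (1 << M) and 0 <= y < (1 << M)
    return in_field and on_curve(x, y, a, b)

def affine_points(a, b):
    """Brute-force enumeration of the affine points of E_{a,b} (toy sizes only)."""
    return [(x, y) for x in range(1 << M) for y in range(1 << M)
            if on_curve(x, y, a, b)]

def group_order(a, b):
    return len(affine_points(a, b)) + 1   # plus the point at infinity

if __name__ == "__main__":
    # a = 1 and a = 0 have different trace for odd m, so E_{0,1} is the
    # quadratic twist of E_{1,1}: their orders sum to 2^(m+1) + 2 = 66.
    print(group_order(1, 1), group_order(0, 1))
    # (0, 1) lies on both curves (x = 0 removes the a-term); (0, 0) lies on neither.
    print(validate_point(0, 1, 1, 1), validate_point(0, 0, 1, 1))
```

Every point of E_{1,1} with x != 0 fails the check for a = 0, so validating against the intended a rejects all the points an invalid-curve input could carry into the ladder.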

[1] D. Shanks. Class number, a theory of factorization, and genera, 1971.

[2] Whitfield Diffie et al. New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.

[3] Martin E. Hellman et al. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance (Corresp.), 1978, IEEE Trans. Inf. Theory.

[4] Taher ElGamal et al. A public key cryptosystem and signature scheme based on discrete logarithms, 1985.

[5] R. Schoof. Elliptic Curves Over Finite Fields and the Computation of Square Roots mod p, 1985.

[6] Hans-Georg Rück. A note on elliptic curves over finite fields, 1987.

[7] Alfred Menezes et al. Reducing elliptic curve logarithms to logarithms in a finite field, 1991, STOC '91.

[8] Takakazu Satoh et al. Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves, 1998.

[9] Igor A. Semaev et al. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, 1998, Math. Comput.

[10] Ricardo Dahab et al. Fast Multiplication on Elliptic Curves over GF(2^m) without Precomputation, 1999, CHES.

[11] Bernd Meyer et al. Differential Fault Attacks on Elliptic Curve Cryptosystems, 2000, CRYPTO.

[12] Scott A. Vanstone et al. Improving the parallelized Pollard lambda search on anomalous binary curves, 2000, Math. Comput.

[13] Nigel P. Smart et al. Constructive and destructive facets of Weil descent on elliptic curves, 2002, Journal of Cryptology.

[14] G. Frey. Applications of Arithmetical Geometry to Cryptographic Constructions, 2001.

[15] Alfred Menezes et al. Analysis of the GHS Weil Descent Attack on the ECDLP over Characteristic Two Finite Fields of Composite Degree, 2001, INDOCRYPT.

[16] Alfred Menezes et al. Validation of Elliptic Curve Public Keys, 2003, Public Key Cryptography.

[17] Takakazu Satoh et al. Fast computation of canonical lifts of elliptic curves and its application to point counting, 2003.

[18] Marc Joye et al. Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults, 2005, Des. Codes Cryptogr.

[19] Alfred Menezes et al. Guide to Elliptic Curve Cryptography, 2004, Springer Professional Computing.

[20] M. Anwar Hasan et al. Algorithm-level Error Detection for ECSM, 2009.

[21] J. M. Pollard. Monte Carlo Methods for Index Computation (mod p), 2010.