Fault-Based Attack on Montgomery’s Ladder Algorithm

In this paper we present invalid-curve attacks that apply to the Montgomery ladder elliptic curve scalar multiplication (ECSM) algorithm. An elliptic curve over the binary field is defined using two parameters, a and b. We show that with a different “value” for curve parameter a, there exists a cryptographically weaker group in nine of the ten NIST-recommended elliptic curves over $\mathbb{F}_{2^{m}}$. Thereafter, we present two attacks that are based on the observation that parameter a is not utilized for the Montgomery ladder algorithms proposed by López and Dahab (CHES 1999: Cryptographic Hardware and Embedded Systems, LNCS, vol. 1717, pp. 316–327, Springer, Berlin, 1999). We also present the probability of success of such attacks for general and NIST-recommended elliptic curves. In addition we give some countermeasures to resist these attacks.
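As an added example (not the paper's code), a toy affine x-only Montgomery ladder over GF(2^5) shows the observation the attacks rest on: the doubling and addition steps use only b, so the same scalar multiplication runs unchanged whether the input x belongs to the intended curve (a = 0) or to its quadratic twist (a = 1), and the point-validation check `x_on_curve` is the countermeasure that brings a back into play. The field modulus, curve parameters and sample points are constructed toy values, not the NIST curves.

```python
# Added example, not from the paper: toy affine x-only Montgomery ladder over GF(2^5).
M, POLY = 5, 0b100101            # toy field GF(2^5), modulus x^5 + x^2 + 1

def gf_mul(x, y):                # shift-and-add multiplication modulo POLY
    r = 0
    while y:
        r, x, y = r ^ (x if y & 1 else 0), (x << 1) ^ (POLY if x >> (M - 1) else 0), y >> 1
    return r

def gf_inv(x):                   # brute-force 1/x; fine for a 32-element toy field
    return next(r for r in range(1, 1 << M) if gf_mul(r, x) == 1)

def on_curve(x, y, a, b):        # y^2 + xy == x^3 + a x^2 + b
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x ^ a) ^ b

def x_on_curve(x, a, b):         # the validation an x-only ladder must add back: does a
    return any(on_curve(x, y, a, b) for y in range(1 << M))   # point with this x exist?

def ec_add(P, Q, a):             # affine group law; None is the point at infinity
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 != y2 or x1 == 0):
        return None              # P == -Q, or doubling the unique point of order 2
    lam = x1 ^ gf_mul(y1, gf_inv(x1)) if x1 == x2 else gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ a ^ (0 if x1 == x2 else x1 ^ x2)
    return x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1

def ec_mul(k, P, a):             # reference double-and-add; this one does use a
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(ec_add(R, R, a), P if bit == "1" else None, a)
    return R

def sample_point(a, b):          # 4 * (first point found): order 11 on both toy curves
    pts = ((x, y) for x in range(1, 1 << M) for y in range(1 << M) if on_curve(x, y, a, b))
    return next(R for R in (ec_mul(4, Q, a) for Q in pts) if R)

def x_double(x1, b):             # x(2P) = x1^2 + b / x1^2               (a cancels)
    return gf_mul(x1, x1) ^ gf_mul(b, gf_inv(gf_mul(x1, x1)))
def ladder_x(k, x, b):           # x(kP) from x(P) alone; needs x != 0 and k + 1 < ord(P)
    x1, x2 = x, x_double(x, b)   # invariant: (x(jP), x((j+1)P)) for j = prefix of k
    for bit in bin(k)[3:]:
        t = gf_mul(x1, gf_inv(x1 ^ x2))
        x_sum = x ^ t ^ gf_mul(t, t)   # x(jP + (j+1)P) = x(P) + t + t^2   (a cancels)
        x1, x2 = (x_sum, x_double(x2, b)) if bit == "1" else (x_double(x1, b), x_sum)
    return x1

def ladder_matches(a, b, k):     # a-free ladder agrees with the a-using reference on curve a
    return ladder_x(k, (P := sample_point(a, b))[0], b) == ec_mul(k, P, a)[0]
```

With b = 1 the two toy curves y^2 + xy = x^3 + a x^2 + 1 (a = 0 and a = 1) are quadratic twists of orders 44 and 22, so every x-coordinate other than 0 lies on exactly one of them, which is what the validation check distinguishes.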
