In this paper we present invalid-curve attacks that apply to the Montgomery ladder elliptic curve scalar multiplication (ECSM) algorithm. An elliptic curve over the binary field is defined using two parameters, a and b. We show that with a different "value" for curve parameter a, there exists a cryptographically weaker group in nine of the ten NIST-recommended elliptic curves over Thereafter, we present two attacks that are based on the observation that parameter a is not utilized for the Montgomery ladder algorithms proposed by Lpez and Dahab (CHES 1999: Cryptographic Hardware and Embedded Systems, LNCS, vol. 1717, pp. 316-327, Springer, Berlin, 1999). We also present the probability of success of such attacks for general and NIST-recommended elliptic curves. In addition we give some countermeasures to resist these attacks.

• 出版日期2011-4