A Hole in the Ladder: Interleaved Variables in Iterative Conditional Branching (Extended Version)
Yoann Marquer (IRISA), Tania Richmond (DGA.MI, IRISA), Pascal Véron (IMATH)

TL;DR
This paper analyzes interleaved variables in iterative conditional branching algorithms such as the Montgomery ladder, formalizes their properties, and introduces new fault-injection attacks and more secure algorithms for cryptographic operations.
Contribution
It formalizes semi-interleaved and fully-interleaved ladder properties and develops novel fault-injection attacks, improving security analysis and design of cryptographic algorithms.
Findings
New fault-injection attacks against Montgomery ladder
Formalization of semi- and fully-interleaved ladder properties
Proposed more secure algorithms for modular exponentiation and scalar multiplication
Abstract
The iterative conditional branchings appear in various sensitive algorithms, like the modular exponentiation in the RSA cryptosystem or the scalar multiplication in elliptic-curve cryptography. In this paper, we abstract away the desirable security properties achieved by the Montgomery ladder, and formalize systems of equations necessary to obtain what we call the semi-interleaved and fully-interleaved ladder properties. This fruitful approach allows us to design novel fault-injection attacks, able to obtain some/all bits of the secret against different ladders, including the common Montgomery ladder. We also demonstrate the generality of our approach by applying the ladder equations to the modular exponentiation and the scalar multiplication, both in the semi- and fully-interleaved cases, thus proposing novel and more secure algorithms.
Taxonomy
Topics: Cryptography and Residue Arithmetic · Cryptography and Data Security · Cryptographic Implementations and Security
