### Abstract

The Montgomery multiplication is often used for efficient implementations of public-key cryptosystems. This algorithm occasionally needs an extra subtraction in the final step, and the correlation of these subtractions can be considered as an invariant of the algorithm. Some side channel attacks on cryptosystems using Montgomery Multiplication has been proposed applying the correlation estimated heuristically. In this paper, we theoretically analyze the properties of the final subtraction in Montgomery multiplication. We investigate the distribution of the outputs of multiplications in the fixed length interval included between 0 and the underlying modulus. Integrating these distributions, we present some proofs with a reasonable assumption for the appearance ratio of the final subtraction, which have been heuristically estimated by previous papers. Moreover, we present a new invariant of the final subtraction: x · y with y = 3z mod m, where m is the underlying modulus. Finally we show a possible attack on elliptic curve cryptosystems using this invariant. Keywords: timing attack, elliptic curve cryptosystem, Montgomery multiplication, randomization.

Original language | English |
---|---|

Pages (from-to) | 290-304 |

Number of pages | 15 |

Journal | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |

Volume | 3348 |

Publication status | Published - Dec 1 2004 |

### Fingerprint

### All Science Journal Classification (ASJC) codes

- Theoretical Computer Science
- Computer Science(all)

### Cite this

*Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)*,

*3348*, 290-304.

**Exact analysis of montgomery multiplication.** / Sato, Hisayoshi; Schepers, Daniel; Takagi, Tsuyoshi.

Research output: Contribution to journal › Article

*Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)*, vol. 3348, pp. 290-304.

}

TY - JOUR

T1 - Exact analysis of montgomery multiplication

AU - Sato, Hisayoshi

AU - Schepers, Daniel

AU - Takagi, Tsuyoshi

PY - 2004/12/1

Y1 - 2004/12/1

N2 - The Montgomery multiplication is often used for efficient implementations of public-key cryptosystems. This algorithm occasionally needs an extra subtraction in the final step, and the correlation of these subtractions can be considered as an invariant of the algorithm. Some side channel attacks on cryptosystems using Montgomery Multiplication has been proposed applying the correlation estimated heuristically. In this paper, we theoretically analyze the properties of the final subtraction in Montgomery multiplication. We investigate the distribution of the outputs of multiplications in the fixed length interval included between 0 and the underlying modulus. Integrating these distributions, we present some proofs with a reasonable assumption for the appearance ratio of the final subtraction, which have been heuristically estimated by previous papers. Moreover, we present a new invariant of the final subtraction: x · y with y = 3z mod m, where m is the underlying modulus. Finally we show a possible attack on elliptic curve cryptosystems using this invariant. Keywords: timing attack, elliptic curve cryptosystem, Montgomery multiplication, randomization.

AB - The Montgomery multiplication is often used for efficient implementations of public-key cryptosystems. This algorithm occasionally needs an extra subtraction in the final step, and the correlation of these subtractions can be considered as an invariant of the algorithm. Some side channel attacks on cryptosystems using Montgomery Multiplication has been proposed applying the correlation estimated heuristically. In this paper, we theoretically analyze the properties of the final subtraction in Montgomery multiplication. We investigate the distribution of the outputs of multiplications in the fixed length interval included between 0 and the underlying modulus. Integrating these distributions, we present some proofs with a reasonable assumption for the appearance ratio of the final subtraction, which have been heuristically estimated by previous papers. Moreover, we present a new invariant of the final subtraction: x · y with y = 3z mod m, where m is the underlying modulus. Finally we show a possible attack on elliptic curve cryptosystems using this invariant. Keywords: timing attack, elliptic curve cryptosystem, Montgomery multiplication, randomization.

UR - http://www.scopus.com/inward/record.url?scp=35048814088&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=35048814088&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:35048814088

VL - 3348

SP - 290

EP - 304

JO - Lecture Notes in Computer Science

JF - Lecture Notes in Computer Science

SN - 0302-9743

ER -