Exact analysis of montgomery multiplication

Hisayoshi Sato, Daniel Schepers, Tsuyoshi Takagi

Research output: Contribution to journalArticle

9 Citations (Scopus)

Abstract

The Montgomery multiplication is often used for efficient implementations of public-key cryptosystems. This algorithm occasionally needs an extra subtraction in the final step, and the correlation of these subtractions can be considered as an invariant of the algorithm. Some side channel attacks on cryptosystems using Montgomery Multiplication has been proposed applying the correlation estimated heuristically. In this paper, we theoretically analyze the properties of the final subtraction in Montgomery multiplication. We investigate the distribution of the outputs of multiplications in the fixed length interval included between 0 and the underlying modulus. Integrating these distributions, we present some proofs with a reasonable assumption for the appearance ratio of the final subtraction, which have been heuristically estimated by previous papers. Moreover, we present a new invariant of the final subtraction: x · y with y = 3z mod m, where m is the underlying modulus. Finally we show a possible attack on elliptic curve cryptosystems using this invariant. Keywords: timing attack, elliptic curve cryptosystem, Montgomery multiplication, randomization.

Original languageEnglish
Pages (from-to)290-304
Number of pages15
JournalLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume3348
Publication statusPublished - Dec 1 2004

Fingerprint

Montgomery multiplication
Subtraction
Cryptography
Elliptic Curve Cryptosystem
Invariant
Modulus
Timing Attack
Side Channel Attacks
Public-key Cryptosystem
Cryptosystem
Randomisation
Efficient Implementation
Multiplication
Attack
Interval
Output

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Exact analysis of montgomery multiplication. / Sato, Hisayoshi; Schepers, Daniel; Takagi, Tsuyoshi.

In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 3348, 01.12.2004, p. 290-304.

Research output: Contribution to journalArticle

@article{0a3ee303e82f45e297604b2622b7a9ac,
title = "Exact analysis of montgomery multiplication",
abstract = "The Montgomery multiplication is often used for efficient implementations of public-key cryptosystems. This algorithm occasionally needs an extra subtraction in the final step, and the correlation of these subtractions can be considered as an invariant of the algorithm. Some side channel attacks on cryptosystems using Montgomery Multiplication has been proposed applying the correlation estimated heuristically. In this paper, we theoretically analyze the properties of the final subtraction in Montgomery multiplication. We investigate the distribution of the outputs of multiplications in the fixed length interval included between 0 and the underlying modulus. Integrating these distributions, we present some proofs with a reasonable assumption for the appearance ratio of the final subtraction, which have been heuristically estimated by previous papers. Moreover, we present a new invariant of the final subtraction: x · y with y = 3z mod m, where m is the underlying modulus. Finally we show a possible attack on elliptic curve cryptosystems using this invariant. Keywords: timing attack, elliptic curve cryptosystem, Montgomery multiplication, randomization.",
author = "Hisayoshi Sato and Daniel Schepers and Tsuyoshi Takagi",
year = "2004",
month = "12",
day = "1",
language = "English",
volume = "3348",
pages = "290--304",
journal = "Lecture Notes in Computer Science",
issn = "0302-9743",
publisher = "Springer Verlag",

}

TY - JOUR

T1 - Exact analysis of montgomery multiplication

AU - Sato, Hisayoshi

AU - Schepers, Daniel

AU - Takagi, Tsuyoshi

PY - 2004/12/1

Y1 - 2004/12/1

N2 - The Montgomery multiplication is often used for efficient implementations of public-key cryptosystems. This algorithm occasionally needs an extra subtraction in the final step, and the correlation of these subtractions can be considered as an invariant of the algorithm. Some side channel attacks on cryptosystems using Montgomery Multiplication has been proposed applying the correlation estimated heuristically. In this paper, we theoretically analyze the properties of the final subtraction in Montgomery multiplication. We investigate the distribution of the outputs of multiplications in the fixed length interval included between 0 and the underlying modulus. Integrating these distributions, we present some proofs with a reasonable assumption for the appearance ratio of the final subtraction, which have been heuristically estimated by previous papers. Moreover, we present a new invariant of the final subtraction: x · y with y = 3z mod m, where m is the underlying modulus. Finally we show a possible attack on elliptic curve cryptosystems using this invariant. Keywords: timing attack, elliptic curve cryptosystem, Montgomery multiplication, randomization.

AB - The Montgomery multiplication is often used for efficient implementations of public-key cryptosystems. This algorithm occasionally needs an extra subtraction in the final step, and the correlation of these subtractions can be considered as an invariant of the algorithm. Some side channel attacks on cryptosystems using Montgomery Multiplication has been proposed applying the correlation estimated heuristically. In this paper, we theoretically analyze the properties of the final subtraction in Montgomery multiplication. We investigate the distribution of the outputs of multiplications in the fixed length interval included between 0 and the underlying modulus. Integrating these distributions, we present some proofs with a reasonable assumption for the appearance ratio of the final subtraction, which have been heuristically estimated by previous papers. Moreover, we present a new invariant of the final subtraction: x · y with y = 3z mod m, where m is the underlying modulus. Finally we show a possible attack on elliptic curve cryptosystems using this invariant. Keywords: timing attack, elliptic curve cryptosystem, Montgomery multiplication, randomization.

UR - http://www.scopus.com/inward/record.url?scp=35048814088&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=35048814088&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:35048814088

VL - 3348

SP - 290

EP - 304

JO - Lecture Notes in Computer Science

JF - Lecture Notes in Computer Science

SN - 0302-9743

ER -