Montgomery Multiplier with Very Regular Behavior

  • Yoo-Jin Baek (Department of Information Security, Woosuk University)
  • Received : 2023.12.06
  • Accepted : 2024.01.12
  • Published : 2024.02.29

Abstract

Resistance to various side-channel attacks, listed by the National Institute of Standards and Technology as one of the most important requirements for its Post-Quantum Cryptography standardization process, is considered very critical when deploying cryptosystems in practice. In fact, cryptosystems that are considered secure from a mathematical point of view can easily be broken by side-channel attacks. The timing attack (TA) and the simple power analysis attack (SPA) are side-channel attack methods that reveal sensitive information by analyzing the timing behavior or the power consumption pattern of cryptographic operations. Thus, appropriate countermeasures against such attacks must be carefully considered at an early stage of a cryptosystem's implementation process. The Montgomery multiplier is a commonly used and classical gadget for implementing big-number-based cryptosystems, including RSA and ECC. Since it has recently been proposed as a building block for implementing post-quantum cryptography such as lattice-based cryptography, the big-number multiplier, including the Montgomery multiplier, still plays a role in modern cryptography. However, in spite of its effectiveness and wide adoption, the multiplier is known to be vulnerable to TA and SPA. This paper proposes a new countermeasure for the Montgomery multiplier against TA and SPA. Briefly, the new measure first represents a multiplication operand without 0 digits, so that the resulting multiplication operation behaves in a very regular manner. The new algorithm also removes the extra final reduction (which is intrinsic to modular multiplication) to make the resulting multiplier more timing-independent. Consequently, the resulting multiplier operates in constant time, which totally removes any TA and SPA vulnerabilities. Since the proposed method can process multiple bits at a time, implementers can also trade off performance against resource usage to obtain the desired implementation characteristics.
