Using Templates to Attack Masked Montgomery Ladder Implementations of Modular Exponentiation

2009 ◽  
pp. 1-13 ◽  
Author(s):  
Christoph Herbst ◽  
Marcel Medwed
Keyword(s):  
Modular Exponentiation ◽  
Montgomery Ladder

scholarly journals Timing attacks and local timing attacks against Barrett’s modular multiplication algorithm

2021 ◽  
Author(s):  
Johannes Mittmann ◽  
Werner Schindler
Keyword(s):  
Side Channel ◽  
Modular Exponentiation ◽  
Modular Multiplication ◽  
Multiplication Algorithm ◽  
Diffie Hellman ◽  
Mathematical Difficulties ◽  
Execution Times ◽  
Stochastic Properties ◽  
Timing Attacks ◽  
Theoretical Results

AbstractMontgomery’s and Barrett’s modular multiplication algorithms are widely used in modular exponentiation algorithms, e.g. to compute RSA or ECC operations. While Montgomery’s multiplication algorithm has been studied extensively in the literature and many side-channel attacks have been detected, to our best knowledge no thorough analysis exists for Barrett’s multiplication algorithm. This article closes this gap. For both Montgomery’s and Barrett’s multiplication algorithm, differences of the execution times are caused by conditional integer subtractions, so-called extra reductions. Barrett’s multiplication algorithm allows even two extra reductions, and this feature increases the mathematical difficulties significantly. We formulate and analyse a two-dimensional Markov process, from which we deduce relevant stochastic properties of Barrett’s multiplication algorithm within modular exponentiation algorithms. This allows to transfer the timing attacks and local timing attacks (where a second side-channel attack exhibits the execution times of the particular modular squarings and multiplications) on Montgomery’s multiplication algorithm to attacks on Barrett’s algorithm. However, there are also differences. Barrett’s multiplication algorithm requires additional attack substeps, and the attack efficiency is much more sensitive to variations of the parameters. We treat timing attacks on RSA with CRT, on RSA without CRT, and on Diffie–Hellman, as well as local timing attacks against these algorithms in the presence of basis blinding. Experiments confirm our theoretical results.

scholarly journals Stochastic methods defeat regular RSA exponentiation algorithms with combined blinding methods

2021 ◽  
Vol 15 (1) ◽  
pp. 408-433
Author(s):  
Margaux Dugardin ◽  
Werner Schindler ◽  
Sylvain Guilley
Keyword(s):  
State Of The Art ◽  
Stochastic Methods ◽  
Rsa Algorithm ◽  
Montgomery Ladder ◽  
Channel Information ◽  
Probability Mass ◽  
The Cost ◽  
Noisy Measurements ◽  
Mass Functions ◽  
Larger Sample

Abstract Extra-reductions occurring in Montgomery multiplications disclose side-channel information which can be exploited even in stringent contexts. In this article, we derive stochastic attacks to defeat Rivest-Shamir-Adleman (RSA) with Montgomery ladder regular exponentiation coupled with base blinding. Namely, we leverage on precharacterized multivariate probability mass functions of extra-reductions between pairs of (multiplication, square) in one iteration of the RSA algorithm and that of the next one(s) to build a maximum likelihood distinguisher. The efficiency of our attack (in terms of required traces) is more than double compared to the state-of-the-art. In addition to this result, we also apply our method to the case of regular exponentiation, base blinding, and modulus blinding. Quite surprisingly, modulus blinding does not make our attack impossible, and so even for large sizes of the modulus randomizing element. At the cost of larger sample sizes our attacks tolerate noisy measurements. Fortunately, effective countermeasures exist.

A Benchmarking of the Effectiveness of Modular Exponentiation Algorithms using the library GMP in C language

2020 ◽  
Author(s):  
Tran Quy Ban ◽  
Tran Thi Thuy Nguyen ◽  
Vu Thanh Long ◽  
Pham Dang Dung ◽  
Bui Thanh Tung
Keyword(s):  
Modular Exponentiation ◽  
C Language

Compression on the Twisted Jacobi Intersection

2021 ◽  
Vol 181 (4) ◽  
pp. 303-312
Author(s):  
Robert Dryło
Keyword(s):  
Elliptic Curves ◽  
Scalar Multiplication ◽  
Not Given ◽  
Montgomery Ladder ◽  
Standard Models

Formulas for doubling, differential addition and point recovery after compression were given for many standard models of elliptic curves, and allow for scalar multiplication after compression using the Montgomery ladder algorithm and point recovery on a curve after this multiplication. In this paper we give such formulas for the twisted Jacobi intersection au2 + v2 = 1, bu2 + w2 = 1. To our knowledge such formulas were not given for this model or for the Jacobi intersection. In projective coordinates these formulas have cost 2M +2S +6D for doubling and 5M + 2S + 6D for differential addition, where M; S; D are multiplication, squaring and multiplication by constants in a field, respectively, choosing suitable curve parameters cost of D may be small.

Sign in / Sign up

Export Citation Format

Share Document