Journal of Cryptographic Engineering

, Volume 4, Issue 4, pp 275–281 | Cite as

Constant time modular inversion

  • Joppe W. Bos
Short Communication


Simple power analysis is a common technique to attack software implementations, especially in the realm of public-key cryptography. An effective countermeasure to protect an implementation is to ensure constant (worst-case) runtime. In this paper we show how to modify an algorithm by Kaliski to compute the Montgomery inverse such that it can compute both the classical and Montgomery modular inverse in constant time. We demonstrate the effectiveness by comparing it to the approach based on Fermat’s little theorem as used in the current simple power analysis resistant implementations in cryptography. Our implementation on the popular 32-bit ARM platform highlights the practical benefits of this algorithm.


Elliptic Curf Elliptic Curve Cryptography Modular Multiplication Bilinear Pairing Modular Exponentiation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Beagle Board: BeagleBoard-xM System Reference Manual (2013).
  2. 2.
    Bernstein, D.J.: Curve25519: New Diffie–Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) Public key cryptography—PKC 2006. Lecture notes in computer science, vol. 3958, pp. 207–228. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) Advances in Cryptology—CRYPTO 2001. Lecture Notes in Computer Science, vol. 2139, pp. 213–229. Springer, Berlin (2001)Google Scholar
  4. 4.
    Bos, J.W., Costello, C., Hisil, H., Lauter, K.: Fast cryptography in genus 2. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. Lecture notes in computer science, vol. 7881, pp. 194–210. Springer, Berlin (2013). doi: 10.1007/978-3-642-38348-9_12
  5. 5.
    Bos, J.W., Costello, C., Hisil, H., Lauter, K.: High-performance scalar multiplication using 8-dimensional GLV/GLS decomposition. In: Bertoni, G., Coron, J.S. (eds.) Cryptographic hardware and embedded systems—CHES 2013. Lecture Notes in Computer Science, vol. 8086, pp. 331–348. Springer, Heidelberg (2013)Google Scholar
  6. 6.
    Bos, J.W., Costello, C., Longa, P., Naehrig, M.: Selecting elliptic curves for cryptography: an efficiency and security analysis. Cryptology ePrint Archive, Report 2014/130 (2014).
  7. 7.
    Bos, J.W., Kaihara, M.E., Kleinjung, T., Lenstra, A.K., Montgomery, P.L.: Solving a 112-bit prime elliptic curve discrete logarithm problem on game consoles using sloppy reduction. Int. J. Appl. Cryptogr. 2(3), 212–228 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Brent, R.P.: Analysis of the binary Euclidean algorithm. In: Traub, J.F. (ed.) New Directions and Recent Results in Algorithms and Complexity, pp. 321–355. Academic Press, New York (1976)Google Scholar
  9. 9.
    Faz-Hernández, A., Longa, P., Sanchez, A.H.: Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves. In: Benaloh, J. (ed.) Topics in Cryptology—CT-RSA 2014. The Cryptographers’ Track at the RSA Conference 2014. Lecture Notes in Computer Science, vol. 8366, pp. 1–27. Springer, Berlin (2014)Google Scholar
  10. 10.
    Guyot, A.: OCAPI: architecture of a VLSI coprocessor for the GCD and the extended GCD of large numbers. In: IEEE Symposium on Computer Arithmetic, pp. 226–231. IEEE, New York (1991)Google Scholar
  11. 11.
    Joux, A.: A one round protocol for tripartite Diffie-Hellman. J. Cryptol. 17(4), 263–276 (2004)MathSciNetzbMATHGoogle Scholar
  12. 12.
    Kaliski Jr, B.S.: The Montgomery inverse and its applications. IEEE Trans. Comput. 44(8), 1064–1065 (1995)CrossRefzbMATHGoogle Scholar
  13. 13.
    Knuth, D.E.: Seminumerical Algorithms. The Art of Computer Programming, 3rd edn. Addison-Wesley, Reading (1997)Google Scholar
  14. 14.
    Koblitz, N.: Elliptic curve cryptosystems. Math. Computat. 48(177), 203–209 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) Crypto 1996. Lecture Notes in Computer Science, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  16. 16.
    Lenstra, A.K., Verheul, E.R.: Selecting cryptographic key sizes. J. Cryptol. 14(4), 255–293 (2001)MathSciNetzbMATHGoogle Scholar
  17. 17.
    Longa, P., Sica, F.: Four-dimensional Gallant-Lambert-Vanstone scalar multiplication. In: Wang, X., Sako, K. (eds.) ASIACRYPT, Lecture Notes in Computer Science, vol. 7658, pp. 718–739. Springer, Berlin (2012)Google Scholar
  18. 18.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) Crypto 1985. Lecture Notes in Computer Science, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
  19. 19.
    Montgomery, P.L.: Modular multiplication without trial division. Math. Computat. 44(170), 519–521 (1985)CrossRefzbMATHGoogle Scholar
  20. 20.
    Naccache, D., Smart, N.P., Stern, J.: Projective coordinates leak. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT. Lecture Notes in Computer Science, vol. 3027, pp. 257–267. Springer, Berlin (2004)Google Scholar
  21. 21.
    Naehrig, M., Niederhagen, R., Schwabe, P.: New software speed records for cryptographic pairings. In: Abdalla, M., Barreto, P.S. (eds.) Progress in Cryptology—LATINCRYPT 2010. Lecture Notes in Computer Science, vol. 6212, pp. 109–123. Springer, Berlin (2010)CrossRefGoogle Scholar
  22. 22.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) Topics in Cryptology—CT-RSA 2006, The Cryptographers’ Track at the RSA Conference 2006. Lecture Notes in Computer Science, vol. 3860, pp. 1–20. Springer, Berlin (2006)Google Scholar
  23. 23.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978) Google Scholar
  24. 24.
    Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: The 2000 Symposium on Cryptography and Information Security, Okinawa, Japan, pp. 135–148 (2000)Google Scholar
  25. 25.
    Savas, E., Koç, Ç.K.: The Montgomery modular inverse-revisited. IEEE Trans. Comput. 49(7), 763–766 (2000)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Scholz, A.: Aufgabe 253. Jahresbericht der deutschen Mathematiker-Vereingung 47, 41–42 (1937)Google Scholar
  27. 27.
    Stein, J.: Computational problems associated with Racah algebra. J. Comput. Phys. 1(3), 397–405 (1967)CrossRefzbMATHGoogle Scholar
  28. 28.
    Tromer, E., Osvik, D.A., Shamir, A.: Efficient cache attacks on AES, and countermeasures. J. Cryptol. 23(1), 37–71 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  29. 29.
    U.S. Department of Commerce/National Institute of Standards and Technology: Digital Signature Standard (DSS). FIPS-186-3 (2009).
  30. 30.
    Walter, C.D.: Montgomery exponentiation needs no final subtractions. Electron. Lett. 35(21), 1831–1832 (1999)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.NXP SemiconductorsLeuvenBelgium

Personalised recommendations