Montgomery inversion

Special Issue on Montgomery Arithmetic

Abstract

Multiplicative inversion in finite fields is an essential operation in many cryptographic applications such as elliptic curve and pairing-based cryptography. While the classical extended Euclidean algorithm involves expensive division operations, the binary extended Euclidean algorithm and Kaliski's algorithm use only simple shift, addition and subtraction operations. The Montgomery inverse is the form of the inverse needed when Montgomery multiplication is used for fast modular arithmetic. Because inversion is applied to sensitive data, a constant-time inversion algorithm is a useful countermeasure against a class of side-channel attacks. In this paper, we show different ways of computing the Montgomery inverse of a given integer and compare their complexity in terms of the number of addition/subtraction and shift operations. We also propose a simple parallel algorithm for computing the Montgomery inverse, which can be useful on multi-core processors where data sharing among cores is relatively inexpensive. Finally, we propose two efficient constant-time Montgomery inversion algorithms, which are useful as countermeasures against side-channel attacks.
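To make the abstract's terms concrete, the following is an added example (not code from the paper or its authors) of Kaliski's shift-and-add Montgomery inversion: Phase I is his "almost Montgomery inverse", which returns r = a^-1 * 2^k mod p together with the data-dependent count k, and the correction phase is generalised here so that the exponent can be shifted from k to any target m, which covers both Kaliski's output a^-1 * 2^n mod p and the case where the input is already in Montgomery form. The function names, the `m` parameter and the sample values are this example's own choices.

```python
"""Kaliski-style Montgomery inversion using only shifts, adds and subtracts.

Phase I is Kaliski's almost Montgomery inverse (IEEE Trans. Comput., 1995):
for gcd(a, p) = 1 it returns (r, k) with r == a^-1 * 2^k (mod p) and
n <= k <= 2n, where n = bit length of p.  The correction phase is a
generalisation of Kaliski's Phase II: it moves the exponent from k to a
caller-chosen m, so one routine yields
  * a^-1 * 2^n mod p                (Kaliski's Montgomery inverse, m = n);
  * a^-1 * R mod p from A = a*R mod p, R = 2^n, by running on A with m = 2n
    (A^-1 * 2^(2n) == a^-1 * 2^n mod p), i.e. inversion inside the
    Montgomery domain.
Names and the `m` parameter are assumptions of this example.
"""
from typing import Optional, Tuple


def almost_montgomery_inverse(a: int, p: int) -> Tuple[int, int]:
    """Phase I: return (r, k) with r == a^-1 * 2^k (mod p)."""
    if p % 2 == 0 or not 0 < a < p:
        raise ValueError("need odd p and 0 < a < p")
    u, v, r, s, k = p, a, 0, 1, 0
    # Invariants: p == u*s + v*r  and  a*r == -u * 2^k (mod p).
    # u and v are never both even, so gcd(u, v) is preserved.
    while v > 0:
        if u & 1 == 0:
            u >>= 1
            s <<= 1
        elif v & 1 == 0:
            v >>= 1
            r <<= 1
        elif u > v:
            u = (u - v) >> 1
            r += s
            s <<= 1
        else:
            v = (v - u) >> 1
            s += r
            r <<= 1
        k += 1
    if u != 1:
        raise ValueError("a is not invertible modulo p")
    if r >= p:
        r -= p
    # Now a*r == -2^k (mod p), so p - r == a^-1 * 2^k (mod p).
    return p - r, k


def shift_exponent(r: int, k: int, m: int, p: int) -> int:
    """Turn r == x * 2^k (mod p) into x * 2^m (mod p) with shifts/adds only."""
    while k > m:  # Kaliski's Phase II: halve, adding p first if r is odd
        r = r >> 1 if r & 1 == 0 else (r + p) >> 1
        k -= 1
    while k < m:  # extension: double modulo p when the target exceeds k
        r <<= 1
        if r >= p:
            r -= p
        k += 1
    return r


def montgomery_inverse(a: int, p: int, m: Optional[int] = None) -> int:
    """Return a^-1 * 2^m mod p; m defaults to n = p.bit_length() (Kaliski)."""
    if m is None:
        m = p.bit_length()
    r, k = almost_montgomery_inverse(a, p)
    return shift_exponent(r, k, m, p)


def montgomery_domain_inverse(a_mont: int, p: int) -> int:
    """Given A = a*R mod p with R = 2^n, return a^-1 * R mod p."""
    return montgomery_inverse(a_mont, p, 2 * p.bit_length())


if __name__ == "__main__":
    p = 2**255 - 19                    # sample prime (the curve25519 field)
    n = p.bit_length()
    R = pow(2, n, p)
    a = 0x1234567890ABCDEF              # constructed sample operand
    # Cross-check against Python's big-integer inverse.
    assert montgomery_inverse(a, p) == pow(a, -1, p) * R % p
    A = a * R % p                      # a in Montgomery form
    assert montgomery_domain_inverse(A, p) == pow(a, -1, p) * R % p
    _, k = almost_montgomery_inverse(a, p)
    print("Phase I iterations k =", k, "for n =", n)
```

Note the caveat the abstract alludes to: the iteration count k and the branch taken in each round depend on the value of a, so this textbook form is not constant-time and leaks through timing and branch-based side channels; a hardened implementation must run a fixed number of rounds and replace the data-dependent branches with arithmetic selection.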

Keywords

Multiplicative inverse; Extended Euclidean algorithm; Montgomery inverse; Constant-time implementation; Parallelization


Copyright information

© Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  1. Sabancı University, Istanbul, Turkey
  2. University of California Santa Barbara, Santa Barbara, USA
