The Montgomery Powering Ladder

  • Marc Joye
  • Sung-Ming Yen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2523)


This paper gives a comprehensive analysis of the Montgomery powering ladder. Initially developed for fast scalar multiplication on elliptic curves, the Montgomery ladder is extended here to any exponentiation in an abelian group. Computationally, the Montgomery ladder has the triple advantage of presenting a Lucas chain structure, of being parallelizable, and of sharing a common operand. Furthermore, contrary to the classical binary algorithms, it behaves very regularly, which makes it naturally protected against a large variety of implementation attacks.


Keywords: Exponentiation algorithms, Montgomery powering ladder, constrained environments, cryptographic implementations, fault attacks, side-channel attacks
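As an added example (not code from the paper), the sketch below runs the classical left-to-right binary method and the Montgomery ladder in the multiplicative group modulo n and records the sequence of squarings and multiplications each one performs. The modulus, base and exponents are constructed sample values, and the function names are this example's own.

```python
# Added illustration (not code from the paper): modular exponentiation with
# the classical binary method and with the Montgomery ladder.
# Each function also returns a trace of the group operations it performed:
# "S" for a squaring, "M" for a general multiplication.

def square_and_multiply(g, k, n):
    """Left-to-right binary method: the multiply happens only on 1 bits."""
    r, trace = 1, []
    for bit in bin(k)[2:]:
        r = r * r % n
        trace.append("S")
        if bit == "1":
            r = r * g % n
            trace.append("M")
    return r, "".join(trace)

def montgomery_ladder(g, k, n):
    """Montgomery ladder: one multiply and one squaring per exponent bit."""
    r0, r1, trace = 1, g % n, []
    for bit in bin(k)[2:]:
        if bit == "0":
            r1 = r0 * r1 % n   # M: shares operand r0 with the squaring
            r0 = r0 * r0 % n   # S
        else:
            r0 = r0 * r1 % n   # M: shares operand r1 with the squaring
            r1 = r1 * r1 % n   # S
        trace.append("MS")
        # Lucas-chain invariant: the two registers always differ by a factor g.
        assert r1 == r0 * g % n
    return r0, "".join(trace)

def demo():
    n, g = 1000003, 5                             # constructed sample values
    k_sparse, k_dense = 0b10000001, 0b11111111    # same length, different weight
    results = {}
    for name, k in (("sparse", k_sparse), ("dense", k_dense)):
        v1, t1 = square_and_multiply(g, k, n)
        v2, t2 = montgomery_ladder(g, k, n)
        assert v1 == v2 == pow(g, k, n)
        results[name] = (t1, t2)
    return results

if __name__ == "__main__":
    for name, (binary, ladder) in demo().items():
        print(f"{name:6} binary={binary}")
        print(f"{name:6} ladder={ladder}")
```

The binary method's trace length follows the Hamming weight of the exponent, while the ladder's trace is identical for both exponents. The regularity shown here is at the level of group operations only: this sketch still branches on each exponent bit, and Python's big-integer arithmetic is not constant-time.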



Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Marc Joye (1)
  • Sung-Ming Yen (2)
  1. Parc d’Activités de Gémenos, Gemplus Card International, Card Security Group, Gémenos Cedex, France
  2. Laboratory of Cryptography and Information Security (LCIS), Dept of Computer Science and Information Engineering, National Central University, Chung-Li, Taiwan 320, ROC
