Timing Attack against Implementation of a Parallel Algorithm for Modular Exponentiation

  • Yasuyuki Sakai
  • Kouichi Sakurai
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2846)


We describe a parallel algorithm for modular exponentiation y ≡ x k mod n. Then we discuss timing attacks against an implementation of the proposed parallel algorithm for modular exponentiation. When we have two processors, which perform modular exponentiation, an exponent k is scattered into two partial exponents k (0) and k (1), where k (0) and k (1) are derived by bitwise AND operation from k such that \(k^{(0)}=k \wedge(0101...01)_{2}\) and \(k^{(1)}=k \wedge(1010...10)_{2}\). Two partial modular exponentiations y0 ≡ x k 0 mod n and y1 ≡ x k 1 mod n are performed in parallel using two processors. Then we can obtain y by computing y ≡ y0y1 mod n. In general, the hamming weight of k (0) and k (1) are smaller than that of k. Thus fast computation of modular exponentiation y ≡ x k mod n can be achieved. Moreover we show a timing attack against an implementation of this algorithm. We perform a software simulation of the attack and analyze security of the parallel implementation.


Parallel modular exponentiation Montgomery multiplication Side channel attack Timing attack RSA cryptosystems 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [BDF98]
    Boneh, D., Durfee, G., Frankel, Y.: An attack on RSA given a small fraction of the private key bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  2. [DKLMQW98]
    Dhem, J.F., Koeune, F., Leroux, P.A., Mestré, P., Quisquater, J.J.: A practical implementation of the timing attack. In: Schneier, B., Quisquater, J.-J. (eds.) CARDIS 1998. LNCS, vol. 1820, pp. 175–190. Springer, Heidelberg (1998)Google Scholar
  3. [GG02]
    Garcia, J.M.G., Garcia, R.M.: Parallel algorithm for multiplication on elliptic curves. Cryptology ePrint Archive, Report 2002/179 (2002), http://eprint.iacr.org
  4. [HQ00]
    Hachez, G., Quisquater, J.J.: Montgomery exponentiation with no final subtractions: Improved Results. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 293–301. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  5. [IT02]
    Izu, T., Takagi, T.: Fast parallel elliptic curve multiplications resistant to side channel attacks. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 335–345. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. [IYTT02]
    Itoh, K., Yajima, J., Takenaka, M., Torii, N.: DPA countermeasures by improving the window method. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 303–317. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. [KJJ99]
    Kocher, P.C., Jaffe, J., Job, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)Google Scholar
  8. [Ko96]
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
  9. [Mo85]
    Montgomery, P.L.: Modular multiplication without trial division. Math. Comp. 44(170), 519–521 (1885)CrossRefGoogle Scholar
  10. [OS00]
    Okeya, K., Sakurai, K.: Power analysis breaks elliptic curve cryptosystems even secure against the timing attack. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 178–190. Springer, Heidelberg (2000)Google Scholar
  11. [Sc00]
    Schindler, W.: A timing attack against RSA with the Chinese Remainder Theorem. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 109–124. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  12. [SQK01]
    Schindler, W., Quisquater, J.-J., Koeune, F.: Improving divide and conquer attacks against cryptosystems by better error detection correction strategies. In: Proc. of 8th IMA International Conference on Cryptography and Coding, pp. 245–267 (2001)Google Scholar
  13. [Wa99]
    Walter, C.D.: Montgomery exponentiation needs no final subtractions. Exercises in Computer Systems Analysis 35(21), 1831–1832 (1999)CrossRefGoogle Scholar
  14. [WT01]
    Walter, C.D., Thompson, S.: Distinguishing exponent digits by observing modular subtractions. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 192–207. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Yasuyuki Sakai
    • 1
  • Kouichi Sakurai
    • 2
  1. 1.Mitsubishi Electric CorporationKanagawaJapan
  2. 2.Kyushu UniversityFukuokaJapan

Personalised recommendations