# Timing Attack against Implementation of a Parallel Algorithm for Modular Exponentiation

• Yasuyuki Sakai
• Kouichi Sakurai
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2846)

## Abstract

We describe a parallel algorithm for modular exponentiation $$y \equiv x^{k} \bmod n$$. Then we discuss timing attacks against an implementation of the proposed parallel algorithm for modular exponentiation. When we have two processors that perform modular exponentiation, an exponent $$k$$ is scattered into two partial exponents $$k^{(0)}$$ and $$k^{(1)}$$, where $$k^{(0)}$$ and $$k^{(1)}$$ are derived from $$k$$ by bitwise AND operations such that $$k^{(0)}=k \wedge(0101...01)_{2}$$ and $$k^{(1)}=k \wedge(1010...10)_{2}$$. Two partial modular exponentiations $$y_{0} \equiv x^{k^{(0)}} \bmod n$$ and $$y_{1} \equiv x^{k^{(1)}} \bmod n$$ are performed in parallel using two processors. Then we can obtain $$y$$ by computing $$y \equiv y_{0}y_{1} \bmod n$$. In general, the Hamming weights of $$k^{(0)}$$ and $$k^{(1)}$$ are smaller than that of $$k$$. Thus fast computation of modular exponentiation $$y \equiv x^{k} \bmod n$$ can be achieved. Moreover, we show a timing attack against an implementation of this algorithm. We perform a software simulation of the attack and analyze the security of the parallel implementation.
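The exponent split described in the abstract, as an added Python sketch (not the authors' code): it checks that the two partial results recombine to $$x^{k} \bmod n$$ and counts the multiplications each processor performs. The function names, the sample values, the sequential execution of the two halves, and the use of plain integer arithmetic in place of Montgomery multiplication are all assumptions of this example.

```python
# Added illustration; plain integer arithmetic stands in for Montgomery multiplication.

def split_exponent(k):
    """Scatter k into k0 = k AND (0101...01)_2 and k1 = k AND (1010...10)_2."""
    width = max(k.bit_length(), 2)
    width += width % 2                      # pad to an even number of bits
    mask0 = int("01" * (width // 2), 2)     # even bit positions
    mask1 = mask0 << 1                      # odd bit positions
    return k & mask0, k & mask1

def modexp_counted(x, e, n):
    """Left-to-right square-and-multiply; returns (x^e mod n, squarings, multiplications)."""
    y, squarings, mults = 1 % n, 0, 0
    for bit in bin(e)[2:]:
        y = y * y % n
        squarings += 1
        if bit == "1":                      # executed only for set exponent bits
            y = y * x % n
            mults += 1
    return y, squarings, mults

def parallel_modexp(x, k, n):
    """Two partial exponentiations (run one after the other here), then one combine step."""
    k0, k1 = split_exponent(k)
    y0, _, mults0 = modexp_counted(x, k0, n)   # work assigned to processor 0
    y1, _, mults1 = modexp_counted(x, k1, n)   # work assigned to processor 1
    # k0 and k1 share no set bits, so k0 + k1 == k and x^k0 * x^k1 == x^k (mod n).
    return y0 * y1 % n, {"k0": k0, "k1": k1, "mults0": mults0, "mults1": mults1}

if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    x, k, n = 123456789, 0b1011011101, 1000000007
    y, info = parallel_modexp(x, k, n)
    print("matches pow():", y == pow(x, k, n))
    print("Hamming weight of k:", bin(k).count("1"))
    print("multiplications per processor:", info["mults0"], info["mults1"])
```

In this sketch the number of multiplications on each processor equals the Hamming weight of its partial exponent, so the work each processor does depends on the secret exponent bits it was assigned.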

### Keywords

Parallel modular exponentiation, Montgomery multiplication, Side channel attack, Timing attack, RSA cryptosystems
