Abstract
We analyse timing variations in an implementation of modular multiplication which has certain standard characteristics. This shows that squarings and multiplications behave differently when averaged over a number of random observations. Since power analysis can reveal such data, secret RSA exponents can be deduced if a standard square and multiply exponentiation algorithm is used. No knowledge of the modulus or input is required to do this. The technique generalises to the m-ary and sliding windows exponentiation methods since different multipliers can be distinguished. Moreover, only a small number of observations (independent of the key size and well under 1k) are required to perform the cryptanalysis successfully. Thus, if the modular multiplication algorithm cannot be made any safer, the exponent must be modified on every use.
contact address: Computation Department, UMIST, Manchester, M60 1QD, UK, www.co.umist.ac.uk
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
A. V. Borovik & C. D. Walter, A Side Channel Attack on Montgomery Multiplication, private technical report, Datacard platform7 seven, 24th July 1999.
J.-F. Dhem, F. Koeune, P.-A. Leroux, P. Mestré, J.-J. Quisquater & J.-L. Willems, A practical implementation of the Timing Attack, Proc. CARDIS 1998, Lecture Notes in Computer Science, 1820, Springer-Verlag, 2000, 175–190.
D. E. Knuth, The Art of Computer Programming, vol. 2, Seminumerical Algorithms, 2nd edition, Addison-Wesley, 1981.
Ç. K. Koç, High Radix and Bit Recoding Techniques for Modular Exponentiation, International J. of Computer Mathematics, 40 (1991) no. 3–4, 139–156.
P. Kocher, Timing attack on implementations of Diffie-Hellman, RSA, DSS, and other systems, Proc. Crypto 96 (N. Koblitz, ed.). Lecture Notes in Computer Science, 1109, Springer-Verlag, 1996, 104–113.
P. L. Montgomery, Modular multiplication without trial division, Mathematics of Computation, 44 (1985), no. 170, 519–521.
R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM, 21 (1978), 120–126.
W. Schindler, A Timing Attack against RSA with Chinese Remainder Theorem, Cryptographic Hardware and Embedded Systems (CHES 2000), Christof Paar & Çetin Koç, editors, LNCS 1965, Springer-Verlag, 2000, to appear.
C. D. Walter, Montgomery Exponentiation Needs No Final Subtractions, Electronics Letters, 35, no. 21, October 1999, 1831–1832.
C. D. Walter, An Overview of Montgomery’s Multiplication Technique: How to make it Smaller and Faster, Cryptographic Hardware and Embedded Systems (CHES’ 99), C. Paar & ç. Koç, editors, LNCS 1717, Springer-Verlag, 1999, 80–93.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2001 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Walter, C.D., Thompson, S. (2001). Distinguishing Exponent Digits by Observing Modular Subtractions. In: Naccache, D. (eds) Topics in Cryptology — CT-RSA 2001. CT-RSA 2001. Lecture Notes in Computer Science, vol 2020. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45353-9_15
Download citation
DOI: https://doi.org/10.1007/3-540-45353-9_15
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41898-6
Online ISBN: 978-3-540-45353-6
eBook Packages: Springer Book Archive