Abstract
Modular inversions are widely employed in public key crypto-systems, and it is known that they imply a bottleneck due to their expensive computation. Recently, a new algorithm for inversions modulo p^k was proposed, which may speed up the calculation of a modulus-dependent quantity used in the Montgomery multiplication. The original algorithm lacks security countermeasures; thus, a straightforward implementation may expose the input. This is an issue if that input is a secret. In the RSA-CRT signature using Montgomery multiplication, the moduli are secrets (primes p and q). Therefore, the modulus-dependent quantities related to p and q must be securely computed. This paper presents a security analysis of the novel method considering that it might be used to compute secrets. We demonstrate that a Side Channel Analysis discloses the data being manipulated. In consequence, a secure variant for inversions modulo 2^k is proposed, through the application of two known countermeasures. In terms of performance, the secure variant is still comparable with the original one.
Highlights
Public key cryptographic schemes often require performing modular inversions, which are known to be expensive operations
In RSA, for example, the secret key is obtained through the inversion of the public key
In ECDSA (Elliptic Curve Digital Signature Algorithm), to generate a digital signature, the per-message random secret is inverted after the scalar multiplication
Summary
Public key cryptographic schemes often require performing modular inversions, which are known to be expensive operations. Derived from Euclid's method, the Binary Extended Euclidean Algorithm (BEEA) is very efficient as it substitutes multi-precision divisions by right shifts. This is a suitable approach for software and hardware realizations [1]. The new inversion method has a low computational complexity. This is a clear advantage, since cryptographic implementations usually manipulate large numbers. A special case of the algorithm is the computation modulo 2^k. This is especially useful to compute the required modular inverse in a Montgomery multiplication [5]. We focus this work on the analysis of the new inversion method, because a secure version of it may be a suitable candidate to be used in low power devices with cryptographic capabilities.
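The summary above makes two points that are easier to see in code: a BEEA-style inversion replaces divisions by shifts and subtractions whose sequence depends on the operands, and the Montgomery multiplication needs an inverse modulo 2^k. The following is an added example, not the paper's novel algorithm nor code from its authors. It implements the textbook binary extended Euclidean inverse with a recorded branch trace (a stand-in for what a control-flow side channel would expose), beside a Hensel/Newton lifting inverse modulo 2^k whose iteration count depends only on k, from which the Montgomery constant n' = -n^{-1} mod 2^k is derived. The function names, the trace format and the sample values are assumptions made for this example.

```python
"""Added example (not the paper's method): branchy BEEA inverse with a
branch trace, and a fixed-control-flow inverse modulo 2^k for Montgomery."""


def beea_inverse(x, y, trace=None):
    """Inverse of x modulo y via the textbook binary extended gcd.

    Requires gcd(x, y) == 1 and at least one of x, y odd.  Every branch
    taken is appended to `trace` (if given); the point is that this
    sequence is a function of the operands, so it leaks when x or y is
    secret (e.g. d = e^-1 mod phi(n) in RSA)."""
    def log(op):
        if trace is not None:
            trace.append(op)

    u, v = x, y
    A, B, C, D = 1, 0, 0, 1      # invariants: A*x + B*y == u, C*x + D*y == v
    while u != 0:
        while u % 2 == 0:        # strip factors of two from u (right shifts)
            u //= 2
            if A % 2 == 0 and B % 2 == 0:
                A, B = A // 2, B // 2
                log("u:half")
            else:                # keep the invariant with an odd coefficient
                A, B = (A + y) // 2, (B - x) // 2
                log("u:half+adj")
        while v % 2 == 0:        # same for v
            v //= 2
            if C % 2 == 0 and D % 2 == 0:
                C, D = C // 2, D // 2
                log("v:half")
            else:
                C, D = (C + y) // 2, (D - x) // 2
                log("v:half+adj")
        if u >= v:               # data-dependent subtraction direction
            u, A, B = u - v, A - C, B - D
            log("u-=v")
        else:
            v, C, D = v - u, C - A, D - B
            log("v-=u")
    if v != 1:
        raise ValueError("x is not invertible modulo y")
    return C % y


def branch_trace(x, y):
    """Return the branch sequence beea_inverse takes for (x, y) as a tuple."""
    t = []
    beea_inverse(x, y, t)
    return tuple(t)


def inverse_mod_2k(n, k):
    """Inverse of odd n modulo 2^k by Hensel/Newton lifting.

    Starting from x = 1 (correct modulo 2), each step x <- x*(2 - n*x)
    doubles the number of correct low bits.  The loop runs ceil(log2 k)
    times regardless of n, so the control flow carries no information
    about the (possibly secret) modulus."""
    if n % 2 == 0:
        raise ValueError("n must be odd to be invertible modulo 2^k")
    mask = (1 << k) - 1
    x, bits = 1, 1
    while bits < k:
        x = (x * (2 - n * x)) & mask   # Python's & reduces negatives mod 2^k
        bits *= 2
    return x


def montgomery_constant(n, k):
    """n' = -n^-1 mod 2^k, the modulus-dependent constant of Montgomery
    multiplication with R = 2^k (computed with the fixed-flow inverse)."""
    return (-inverse_mod_2k(n, k)) & ((1 << k) - 1)


if __name__ == "__main__":
    # Constructed toy RSA values: e = 17, phi(n) = 3120 gives d = 2753.
    print("d =", beea_inverse(17, 3120))
    print("traces differ:", branch_trace(3, 7) != branch_trace(5, 7))
    n = 0xFFFFFFFFFFFFFFC5                 # constructed odd 64-bit modulus
    print("n' =", hex(montgomery_constant(n, 64)))
```

Running `branch_trace` over a few operands shows that even inputs of equal size produce different shift/subtract sequences, which is the property a side-channel evaluation of a BEEA-style inversion looks for; the lifting variant is one way to obtain a modulo-2^k inverse with operand-independent control flow, though it says nothing about the arithmetic-level leakage the paper's countermeasures address.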