Abstract
Even theoretically secure cryptosystems, digital signatures, etc. may not be secure once implemented on Internet of Things (IoT) devices and PCs because of Side-Channel Attacks (SCA). Since RSA key generation and ECDSA need GCD computations or modular inversions, which are often computed by the Binary Euclidean Algorithm (BEA) or the Binary Extended Euclidean Algorithm (BEEA), the SCA weakness of BEA and BEEA becomes serious. As countermeasures, Constant-Time GCD (CT-GCD) and Constant-Time Modular Inversion (CTMI) algorithms are good choices. Modular inversion based on Fermat's Little Theorem (FLT) can work in constant time, but it is not efficient for general inputs. Two CTMI algorithms, named BOS and BY in this paper, were proposed by Joppe W. Bos and by Bernstein and Yang respectively; both are based on the idea of BEA. However, BOS has complicated computations during one iteration and BY uses more iterations. A small number of iterations and simple computations during one iteration are good characteristics of a constant-time algorithm. Based on this view, this paper proposes new short-iteration CT-GCD and CTMI algorithms over \({\mathbb F}_{p}\) borrowing a simple idea of BEA. Our algorithms are evaluated from the theoretical point of view. Compared with BOS, BY and the improved version of BY, our short-iteration algorithms are experimentally demonstrated to be faster.
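The abstract contrasts the variable-time BEA/BEEA with inversion via FLT. The following Python example is added here to make that contrast concrete; it is not the paper's short-iteration algorithm and not the BOS or BY code. It implements a textbook BEEA inversion that reports how many loop steps it took next to an FLT inversion whose loop length is fixed by the public modulus, and runs both over constructed inputs with the Mersenne prime 2^127-1 (a constructed public modulus, not one from the paper) so the iteration counts can be compared. Python big-integer arithmetic is itself not constant-time, so the example demonstrates control-flow dependence on the secret operand only.

```python
# Added illustration: variable-time BEEA inversion vs fixed-iteration FLT
# inversion over F_p. Example code, not from the paper; P and SAMPLES are
# constructed values chosen for the demonstration.

P = 2**127 - 1                                   # constructed public prime modulus
SAMPLES = [1, 2, 3, 12345, 2**100 + 1, P - 1]    # constructed operands to invert


def beea_inverse(a: int, p: int):
    """Binary Extended Euclidean Algorithm, returning (a^-1 mod p, steps).

    Invariants: x1*a == u (mod p) and x2*a == v (mod p). Every halving and
    every subtraction is a control-flow step chosen by the value of a, so the
    step count (and the branch pattern) leaks information about a; this is
    the weakness the abstract attributes to BEA/BEEA."""
    u, v = a, p
    x1, x2 = 1, 0
    steps = 0
    while u != 1 and v != 1:
        while u % 2 == 0:                        # strip factors of two from u
            u //= 2
            x1 = x1 // 2 if x1 % 2 == 0 else (x1 + p) // 2
            steps += 1
        while v % 2 == 0:                        # strip factors of two from v
            v //= 2
            x2 = x2 // 2 if x2 % 2 == 0 else (x2 + p) // 2
            steps += 1
        if u >= v:                               # data-dependent branch
            u -= v
            x1 -= x2
        else:
            v -= u
            x2 -= x1
        steps += 1
    inv = x1 if u == 1 else x2
    return inv % p, steps


def flt_inverse(a: int, p: int):
    """Fermat inversion a^(p-2) mod p, returning (a^-1 mod p, steps).

    Left-to-right square-and-multiply over the public exponent p-2. The loop
    runs exactly bit_length(p-2) times and performs the multiplication in
    every step, selecting on an exponent bit only, so nothing in the control
    flow depends on the secret a (the cost is the fixed, large step count
    the abstract calls inefficient for general inputs)."""
    e = p - 2
    result = 1
    steps = 0
    for i in range(e.bit_length() - 1, -1, -1):
        result = result * result % p
        candidate = result * a % p               # always computed
        bit = (e >> i) & 1                       # public exponent bit
        result = candidate if bit else result
        steps += 1
    return result, steps


def compare(p: int, samples):
    """Invert each sample both ways, check agreement with pow(a, -1, p),
    and return the two lists of step counts for side-by-side comparison."""
    beea_steps, flt_steps = [], []
    for a in samples:
        inv_b, n_b = beea_inverse(a, p)
        inv_f, n_f = flt_inverse(a, p)
        assert inv_b == inv_f == pow(a, -1, p)
        assert a * inv_b % p == 1
        beea_steps.append(n_b)
        flt_steps.append(n_f)
    return beea_steps, flt_steps


if __name__ == "__main__":
    b, f = compare(P, SAMPLES)
    for a, nb, nf in zip(SAMPLES, b, f):
        print(f"a={a:<40} BEEA steps={nb:<4} FLT steps={nf}")
```

Running the block prints a different BEEA step count for each constructed operand, while the FLT column is the same 127 for every input. The fixed step count is the property a constant-time design needs; the paper's contribution, per the abstract, is to obtain it with far fewer and simpler iterations than FLT or the earlier BEA-based constant-time variants.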
References
Acıiçmez, O., Gueron, S., Seifert, J.-P.: New branch prediction vulnerabilities in OpenSSL and necessary software countermeasures. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 185–203. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77272-9_12
Aldaya, A.C., Sarmiento, A.J.C., Sánchez-Solano, S.: SPA vulnerabilities of the binary extended Euclidean algorithm. J. Cryptogr. Eng. 7(4), 273–285 (2017)
Aldaya, A.C., Márquez, R.C., Sarmiento, A.J.C., Sánchez-Solano, S.: Side-channel analysis of the modular inversion step in the RSA key generation algorithm. Int. J. Circ. Theory Appl. 45(2), 199–213 (2017)
Aldaya, A.C., García, C.P., Tapia, L.M.A., Brumley, B.B.: Cache-timing attacks on RSA key generation. Cryptology ePrint Archive (2018)
Bernstein, D.J., Yang, B.Y.: Fast constant-time GCD computation and modular inversion. IACR Trans. Cryptogr. Hardw. Embed. Syst. 340–398 (2019)
Bos, J.W.: Constant time modular inversion. J. Cryptogr. Eng. 4(4), 275–281 (2014). https://doi.org/10.1007/s13389-014-0084-8
Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36400-5_3
Duc, A., Faust, S., Standaert, F.X.: Making masking security proofs concrete (or how to evaluate the security of any leaking device), extended version. J. Cryptol. 32(4), 1263–1297 (2019)
de la Fe, S., Park, H.B., Sim, B.Y., Han, D.G., Ferrer, C.: Profiling attack against RSA key generation based on a Euclidean algorithm. Information 12(11), 462 (2021)
Kaliski, B.S.: The Montgomery inverse and its applications. IEEE Trans. Comput. 44(8), 1064–1065 (1995)
Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)
Sarna, S., Czerwinski, R.: RSA and ECC universal, constant time modular inversion. In: AIP Conference Proceedings, vol. 2343, p. 050004. AIP Publishing LLC (2021)
Sen, X., et al.: To construct high level secure communication system: CTMI is not enough. China Commun. 15(11), 122–137 (2018)
Wuille, P., Maxwell, G., roconnor-blockstream: safegcd-bounds. GitHub (2021). https://github.com/sipa/safegcd-bounds
Yarom, Y., Falkner, K.: FLUSH+RELOAD: a high resolution, low noise, L3 cache side-channel attack. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 719–732 (2014)
Acknowledgements
This work is partially supported by the JSPS KAKENHI Grant Number JP21H03443, Innovation Platform for Society 5.0 at MEXT, and JST Next Generation Researchers Challenging Research Program JPMJSP2138.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Jin, Y., Miyaji, A. (2023). Short-Iteration Constant-Time GCD and Modular Inversion. In: Buhan, I., Schneider, T. (eds) Smart Card Research and Advanced Applications. CARDIS 2022. Lecture Notes in Computer Science, vol 13820. Springer, Cham. https://doi.org/10.1007/978-3-031-25319-5_5
DOI: https://doi.org/10.1007/978-3-031-25319-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25318-8
Online ISBN: 978-3-031-25319-5
eBook Packages: Computer Science, Computer Science (R0)