Efficient and Side-channel Resistant RSA Implementation For 8-bit AVR Microcontrollers

The RSA algorithm is the most widely used publickey cryptosystem today, but difficult to implement on embedded devices due to the computation-intense nature of its underlying arithmetic operations. Different techniques for efficient software implementation of the RSA algorithm have been proposed; these range from high-level approaches, such as exploiting the Chinese Remainder Theorem (CRT), down to smart optimizations of the low-level modular arithmetic (e.g. hybrid multiplication). In the present paper we introduce a new variant of the hybrid method for multiple-precision multiplication that optimizes both memory accesses and register allocation. The inner loop of our improved hybrid method saves about 7.8% in execution time compared to the original one of Gura et al. We combine our hybrid method with the Separated Operand Scanning (SOS) Montgomery multiplication into the HSOS method, a new technique to perform long-integer modular arithmetic. Our practical results, obtained on an ATmega128 microcontroller, show that the HSOS method outperforms other modular multiplication techniques for typical operand lengths used in RSA. A 1024-bit private-key operation can be carried out in less than 76 . 106 clock cycles when taking advantage of the CRT and m-ary exponentiation method, which represents a new speed record for RSA on 8-bit controllers. We also protected our RSA implementation against power analysis attacks via the integration of low-cost countermeasures. These countermeasures increased the execution time of the private-key operation by just 12% compared to an unprotected version.