Leakage from Montgomery Multiplication

Modular multiplication P = A×B mod M is a fundamental operation in most public key cryptography. Its efficiency is usually critical in determining the overall efficiency of a system because it is the main component in modular exponentiation and in elliptic curve point multiplication. There are several algorithms which can be chosen for performing modular multiplication, of which those by Barrett [1], Montgomery [6] and Quisquater [2] are the most widely known. Most optimisations which can be applied to one modular multiplication algorithm can also be applied to the others, so that all have the same overall complexity [9]. However, Montgomery’s method is rather more straightforward to implement; generally less work is involved in achieving the optimisations. This chapter delves into certain aspects of Montgomery’s algorithm: it seeks to retain the advantages of simple and efficient code while at the same time addressing the issue of side channel leakage from the final conditional subtraction. We study the main loop and the final conditional subtraction separately in order to determine a fully precise specification for the output and hence determine how much data are leaked through the conditional subtraction side channel. This enables us to fix the leakage very satisfactorily.