Memory-Efficient Random Order Exponentiation Algorithm

Abstract

Randomizing the execution of the sequence of operations in an algorithm is one of the most frequently considered solutions to improve the security of cryptographic implementations against side-channel analysis. Such an algorithm for public-key cryptography was introduced by Tunstall at ACISP, 2009. In his right-to-left $m$ -ary exponentiation algorithm, the radix- $m$ digits of the exponent are treated in somewhat random order. This randomized solution will inhibit attacks that allow operations to be distinguished from one acquisition. In this article, we present a memory-efficient variant of Tunstall's random-order exponentiation algorithm, making it applicable to modular exponentiations in $(\mathbb {Z}/N \mathbb {Z})^{*}$ (for instance, the RSA cryptosystem). The proposed algorithm requires only $(m + 1)$ memory registers instead of $(m + r)$ , where $r > m$ as recommended in Tunstall's algorithm. Namely, the proposed algorithm saves about half the memory registers. Our analysis shows that our algorithm can be used as a supplement in order to defeat statistical side-channel analysis attacks, especially recent collision-correlation power analysis in the horizontal setting. Last but not least, we present a random order binary implementation, which is the first right-to-left binary implementation resisting attacks in the horizontal setting.