Timing attack against implementation of a parallel algorithm for modular exponentiation

Abstract

We describe a parallel algorithm for modular exponentiation y ≡ xk mod n. Then we discuss timing attacks against an implementation of the proposed parallel algorithm for modular exponentiation. When we have two processors, which perform modular exponentiation, an exponent k is scattered into two partial exponents k(0) and k(1), where k(0) and k(1) are derived by bitwise AND operation from k such that k(0) = k ∧ (0101⋯01)2 and k(1) = k ∧(1010 ⋯10)2. Two partial modular exponentiations y0 ≡ xk(0) mod n and y1 ≡ xk(1) mod n are performed in parallel using two processors. Then we can obtain y by computing y ≡ y0y1 mod n. In general, the hamming weight of k(0) and k(1) are smaller than that of k. Thus fast computation of modular exponentiation y ≡ xk mod n can be achieved. Moreover we show a timing attack against an implementation of this algorithm. We perform a software simulation of the attack and analyze security of the parallel implementation. © Springer-Verlag Berlin Heidelberg 2003.