Unbridle the Bit-Length of a Crypto-coprocessor with Montgomery Multiplication

Yoshino, Masayuki; Okeya, Katsuyuki; Vuillaume, Camille

doi:10.1007/978-3-540-74462-7_14

Cited by 5 publications

(5 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These techniques are faster than the previous technique proposed by Fischer et al [6] with software approach if C > 1.1c and with hardware approach if C > 3.8c; both of these ratios are satisfied on many platforms [7] due to the difference of computational cost, square order for the multiplications and linear order for the other arithmetic operations. In the case of Montgomery multiplications, the proposal shows better performance than the previous technique proposed by Yoshino et al [20] with the software approach if C > 0.4c, and the proposal with hardware approach is also faster if C > 1.9c: The former ratio is definitely satisfied on most platforms, and the latter is also often satisfied. In the case of bipartite multiplications, our proposal is the only available solution.…”

Section: Comparisonmentioning

confidence: 68%

“…In the case of a pure software approach, our 2 -bit bipartite modular multiplication requires only 12 calls to the multipliers, which is the same calls as the best 2 -bit classical modular multiplications proposed by Chevallier-Mames et al [2] and less calls than 2 -bit Montgomery multiplications proposed by Yoshino et al [20]. The hardware approach for computing the quotient results in half the number of calls compared to the software approach in similar conditions.…”

Section: Remarkable Featuresmentioning

confidence: 75%

“…Later, Fischer et al [6] optimized the scheme for the 2 -bit case and Chevallier-Mames et al [2] showed further improvements. Furthermore, Yoshino et al [20] extended the double-size techniques to Montgomery multiplications.…”

Section: Introductionmentioning

confidence: 98%

See 2 more Smart Citations

Bipartite modular multiplication with twice the bit-length of multipliers

Yoshino

Okeya

Vuillaume

2008

Int. J. Inf. Secur.

Self Cite

View full text Add to dashboard Cite

This paper presents a new technique to compute 2 -bit bipartite multiplications with -bit bipartite multiplication units. Low-end devices such as smartcards are usually equipped with crypto-coprocessors for accelerating the heavy computation of modular multiplications; however, security standards such as NIST and EMV have declared extending the bit length of RSA cryptosystem to resist mathematical attacks, making the multiplier quickly outdated. Therefore, the double-size techniques have been studied this decade to extend the life expectancy of such multipliers. This paper proposes new double-size techniques based on the multipliers implementing either classical or Montgomery modular multiplications, or even both simultaneously (bipartite modular multiplication), in which case one can potentially compute modular multiplications twice faster. Furthermore, in order to get a more realistic estimation than the other works, this paper considers not only the cost of the multiplication, but also the cost of the other arithmetic instructions. In our estimation, the proposal provides comparable results for classical multiplier and Montgomery multiplier, and is the only available method for the bipartite multiplier.

show abstract

Section: Comparisonmentioning

confidence: 68%

Section: Remarkable Featuresmentioning

confidence: 75%

See 1 more Smart Citation

Bipartite modular multiplication with twice the bit-length of multipliers

Yoshino

Okeya

Vuillaume

2008

Int. J. Inf. Secur.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Algorithm 7 shows how to use the mmu instruction and the cmu instruction to build the BU instruction; the correctness is proven in Appendix A.2. Since the cmu instruction based on Algorithm 6 requiring three calls to the Montgomery multiplier is costlier than the mmu instruction requiring only two calls [YOV07a], Algorithm 7 minimizes calls to the cmu instruction, which appears only once in Step 1. mmu instruction. There are two kinds of modular reductions in the other steps: One is to subtract Z from the most significant (left) side, which is based on the cmu instruction, and the other adds Z from the least significant (right) side based on the mmu instruction.…”

Section: How To Build An L-bit Remainder With -Bit Instructionsmentioning

confidence: 99%

“…On the other hand, the Chinese Remainder Theorem is no help for public operations, and double-size techniques without using private keys are necessary. Following Paillier's seminal paper [Pai99], several solutions were proposed for simulating double-size classical modular multiplications with single-size classical modular multipliers [FS03,CJP03], and later, the techniques were adapted in order to simulate double-size Montgomery multiplications with the commonly used single-size Montgomery multiplier [YOV07a]. Finally, the less common but nonetheless promising bipartite multiplier [KT05], which includes a Montgomery and a classical multiplier working in parallel, was taking advantage of for simulating double-size bipartite multiplications [YOV07b].…”

Section: Introductionmentioning

confidence: 99%

A Black Hen Lays White Eggs

Yoshino

Okeya

Vuillaume

2008

Smart Card Research and Advanced Applications

Self Cite

View full text Add to dashboard Cite

This paper proposes novel algorithms for computing doublesize modular multiplications with few modulus-dependent precomputations. Low-end devices such as smartcards are usually equipped with hardware Montgomery multipliers. However, due to progresses of mathematical attacks, security institutions such as NIST have steadily demanded longer bit-lengths for public-key cryptography, making the multipliers quickly obsolete. In an attempt to extend the lifespan of such multipliers, double-size techniques compute modular multiplications with twice the bit-length of the multipliers. Techniques are known for extending the bit-length of classical Euclidean multipliers, of Montgomery multipliers and the combination thereof, namely bipartite multipliers. However, unlike classical and bipartite multiplications, Montgomery multiplications involve modulus-dependent precomputations, which amount to a large part of an RSA encryption or signature verification. The proposed double-size technique simulates double-size multiplications based on single-size Montgomery multipliers, and yet precomputations are essentially free: in an 2048-bit RSA encryption or signature verification with public exponent e = 2 16 + 1, the proposal with a 1024-bit Montgomery multiplier is 1.4 times faster than the best previous technique.

show abstract