Reduce-by-Feedback: Timing Resistant and DPA-Aware Modular Multiplication
Plus: How to Break RSA by DPA

Michael Vielhaber
Hochschule Bremerhaven, FB2, An der Karlstadt 8, D–27568 Bremerhaven, Germany
Universidad Austral de Chile, Instituto de Matemáticas, Casilla 567, Valdivia, Chile
vielhaber@gmail.com

Abstract. We (re-)introduce the Reduce-by-Feedback scheme given by Vielhaber (1987), Benaloh and Dai (1995), and Jeong and Burleson (1997). We show how to break RSA, when implemented with the standard version of Reduce-by-Feedback or Montgomery multiplication, by Differential Power Analysis. We then modify Reduce-by-Feedback to avoid this attack. The modification is not possible for Montgomery multiplication. We show that both the original and the modified Reduce-by-Feedback algorithm resist timing attacks. Furthermore, some VLSI-specific implementation details (delayed carry adder, re-use of MUX tree and logic) are provided.

Keywords: Reduce-by-Feedback, modular multiplication, Montgomery multiplication, timing analysis, differential power analysis.

1 Introduction

RSA, Diffie-Hellman (over $\mathbb{F}_p$), and elliptic curve schemes (over $\mathbb{F}_p$) use modular multiplication as their computational kernel. This is usually implemented as Montgomery multiplication [12] (1985), which is fast and has timing independent of the operand values. Montgomery treats the bits of the first factor to be multiplied from the LSB towards the left, and works with the residue classes $[x \cdot (2^L)^{-1}] \bmod N$, where $[x]$ are the standard residue classes and $L$ is the length (in bits) of the operands, e.g. $L = \log_2(N)$. There exists, however, an algorithm that avoids the mapping from $[x]$ to $[x \cdot (2^L)^{-1}] \bmod N$ by working the bits of the first factor from the MSB downwards to the right: Reduce-by-Feedback [15,16,20] (1987) (Sections 3 and 4).

The Reduce-by-Feedback algorithm preserves the immunity against timing attacks (Section 5), the constant shift amount of 1, 2, 3, or 4 bits per clock cycle, depending on the implementation effort, and all other advantages of Montgomery multiplication.

E. Prouff and P. Schaumont (Eds.): CHES 2012, LNCS 7428, pp. 463–475, 2012. © International Association for Cryptologic Research 2012
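To make the two scan directions and the Montgomery mapping concrete, the following is an added Python example written for this page; it is not the paper's own Reduce-by-Feedback algorithm (whose details are in later sections) and not code from the author. It contrasts bit-serial Montgomery multiplication, which scans the first factor from the LSB and returns a result in the class $[a b \cdot (2^L)^{-1}] \bmod N$, with a plain MSB-first interleaved shift-and-reduce multiplier that returns $a b \bmod N$ directly. The modulus, operands and the width $L = \lceil \log_2 N \rceil$ are constructed sample values. The MSB-first variant also counts its conditional subtractions, which is the kind of value-dependent behaviour that a timing-resistant scheme has to remove and that a reviewer of a modular-multiplier implementation should look for.

```python
# Added illustration of LSB-first Montgomery multiplication versus a plain
# MSB-first interleaved modular multiplier. Not the paper's Reduce-by-Feedback
# scheme; the naive MSB-first loop below is a textbook shift-and-reduce
# multiplier used only to show the scan direction and the data dependence.

def width_L(n):
    """Operand length in bits, L = ceil(log2(N)) for the modulus N."""
    return n.bit_length()


def montgomery_mul(a, b, n):
    """LSB-first bit-serial Montgomery product.

    Returns a * b * (2^L)^-1 mod n for odd n and 0 <= a, b < n.
    Each iteration consumes one bit of a (from the LSB), adds n when the
    accumulator is odd so the low bit can be dropped, and shifts right by one.
    The loop always runs exactly L times; only the final subtraction is
    conditional (and in hardware it is usually replaced by a constant-time fix-up).
    """
    assert n % 2 == 1, "Montgomery reduction needs an odd modulus"
    L = width_L(n)
    t = 0
    for i in range(L):
        t += ((a >> i) & 1) * b       # t += a_i * b
        if t & 1:
            t += n                    # make t even; does not change t mod n
        t >>= 1                       # divide by 2 (exact, since t is even)
    # Invariant: t < 2n, so a single conditional subtraction suffices.
    if t >= n:
        t -= n
    return t


def montgomery_to_plain(t, n):
    """Map a Montgomery-form value t = x * (2^L)^-1 back to x mod n.

    Multiplying by R^2 = (2^L)^2 mod n with montgomery_mul cancels one
    factor of (2^L)^-1 and leaves x.
    """
    L = width_L(n)
    r_squared = pow(2, 2 * L, n)
    return montgomery_mul(t, r_squared, n)


def _msb_first(a, b, n):
    """MSB-first interleaved multiply, returning (a*b mod n, #subtractions)."""
    L = width_L(n)
    t = 0
    subtractions = 0
    for i in reversed(range(L)):
        t = 2 * t + ((a >> i) & 1) * b   # shift left by one bit, add a_i * b
        # Invariant before this step: t < n, so 2t + b < 3n and at most two
        # subtractions bring t back below n. How many are needed depends on
        # the operand values: that is the data-dependent part.
        while t >= n:
            t -= n
            subtractions += 1
    return t, subtractions


def msb_first_mul(a, b, n):
    """a * b mod n computed MSB-first, no Montgomery mapping required."""
    return _msb_first(a, b, n)[0]


def msb_first_reductions(a, b, n):
    """Number of conditional subtractions the naive MSB-first loop performed."""
    return _msb_first(a, b, n)[1]


if __name__ == "__main__":
    # Constructed sample values: a small odd modulus and two operands below it.
    N, A, B = 101, 57, 83
    print("L =", width_L(N))
    print("MSB-first  a*b mod N       =", msb_first_mul(A, B, N))
    print("Montgomery a*b*2^-L mod N  =", montgomery_mul(A, B, N))
    print("mapped back to a*b mod N   =", montgomery_to_plain(montgomery_mul(A, B, N), N))
    print("subtractions for (57,83):", msb_first_reductions(A, B, N),
          " for (1,83):", msb_first_reductions(1, B, N))
```

Running the block shows that the Montgomery result differs from the plain product by the factor $(2^L)^{-1}$ and needs the extra mapping step to recover $a b \bmod N$, whereas the MSB-first loop yields the product directly; it also shows that the naive MSB-first reduction performs a different number of subtractions for different operands, which is why the MSB-first approach needs a reduction step with constant control flow before it can be called timing resistant.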