The Montgomery Powering Ladder

Abstract: Abstract. This paper gives a comprehensive analysis of Montgomery powering ladder. Initially developed for fast scalar multiplication on elliptic curves, we extend the scope of Montgomery ladder to any exponentiation in an abelian group. Computationally, the Montgomery ladder has the triple advantage of presenting a Lucas chain structure, of being parallelized, and of sharing a common operand. Furthermore, contrary to the classical binary algorithms, it behaves very regularly, which makes it naturally protecte… Show more

“…2) introduced by Coron [5] were designed to prevent simple side-channel attacks by performing dummy operations. However, such algorithms bring specific weaknesses with respect to so-called safe-error attacks [8].…”

“…Later, Joye et al [8] extended it to exponentiation in any abelian group and pointed out its intrinsic resistance to simple side-channel attacks and safe-error attacks leveraging a slight modification. Let L j = t−1 i=j k i 2 i−j and H j = L j + 1.…”

“…Let L j = t−1 i=j k i 2 i−j and H j = L j + 1. As pointed out in [8], the principle of Montgomery ladder is based Fig. 2.…”

“…3) is intrinsically resistant to simple side-channel attacks. It is also insensitive to safeerror attacks [8]. If a fault is injected at any time during the computation, the result is necessarily faulty.…”

Blinded Fault Resistant Exponentiation

“…2) introduced by Coron [5] were designed to prevent simple side-channel attacks by performing dummy operations. However, such algorithms bring specific weaknesses with respect to so-called safe-error attacks [8].…”

“…Later, Joye et al [8] extended it to exponentiation in any abelian group and pointed out its intrinsic resistance to simple side-channel attacks and safe-error attacks leveraging a slight modification. Let L j = t−1 i=j k i 2 i−j and H j = L j + 1.…”

“…Let L j = t−1 i=j k i 2 i−j and H j = L j + 1. As pointed out in [8], the principle of Montgomery ladder is based Fig. 2.…”

“…3) is intrinsically resistant to simple side-channel attacks. It is also insensitive to safeerror attacks [8]. If a fault is injected at any time during the computation, the result is necessarily faulty.…”

Blinded Fault Resistant Exponentiation

“…The solution is algorithm-independent and can be applied for any scalar multiplication algorithm. Some previous work reported parallel use of modular arithmetic units for accelerating scalar multiplication [7,8,9,10,11,12]. In those papers, point/divisor doubling and addition are reformulated so that they can take advantage of the parallel processing.…”

Superscalar Coprocessor for High-Speed Curve-Based Cryptography

Finite Field Arithmetic