Relative Doubling Attack Against Montgomery Ladder

  • Sung-Ming Yen
  • Lee-Chun Ko
  • SangJae Moon
  • JaeCheol Ha
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3935)


Highly regular execution and the cleverly included redundant computation make the square-multiply-always exponentiation algorithm well known as a good countermeasure against the conventional simple power analysis (SPA). However, the doubling attack threatens the square-multiply-always exponentiation by fully exploiting the existence of such redundant computation. The Montgomery ladder is also recognized as a good countermeasure against the conventional SPA due to its highly regular execution. Most importantly, no redundant computation is introduced into the Montgomery ladder. In this paper, immunity of the Montgomery ladder against the doubling attack is investigated. One straightforward result is that the Montgomery ladder can be free from the original doubling attack. However, a non-trivial result obtained in this research is that a relative doubling attack proposed in this paper threatens the Montgomery ladder. The proposed relative doubling attack uses a totally different approach to derive the private key in which the relationship between two adjacent private key bits can be obtained as either d i =d i − − 1 or \(d_i \ne d_{i-1}\). Finally, a remark is given to the problem of whether the upward (right-to-left) regular exponentiation algorithm is necessary against the original doubling attack and the proposed relative doubling attack.


Chosen-message attack Cryptography Doubling attack Exponentiation Scalar multiplication Side-channel attack Simple power analysis (SPA) Smart card 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  2. 2.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystem. Commun. of ACM 21(2), 120–126 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Elgamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Miller, V.: Uses of elliptic curve in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)Google Scholar
  5. 5.
    Koblitz, N.: Elliptic curve cryptosystems. Mathematics of Computation 48(177), 203–209 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  7. 7.
    Fouque, P.-A., Valette, F.: The doubling attack – why upwards is better than downwards. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 269–280. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Joye, M., Yen, S.M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Yen, S.M., Joye, M.: Checking Before Output May Not be Enough against Fault-Based Cryptanalysis. IEEE Trans. on Computers 49(9), 967–970 (2000)CrossRefzbMATHGoogle Scholar
  10. 10.
    Yen, S.M., Kim, S.J., Lim, S.G., Moon, S.J.: A countermeasure against one physical cryptanalysis may benefit another attack. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 414–427. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Gordon, D.M.: A survey of fast exponentiation methods. Journal of Algorithms 27, 129–146 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation 48(177), 243–264 (1987)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Yen, S.M., Laih, C.S.: Fast algorithms for LUC digital signature computation. IEE Proc. Computers and Digital Techniques 142(2), 165–169 (1995)CrossRefGoogle Scholar
  14. 14.
    Schramm, K., Wollinger, T., Paar, C.: A new class of collision attacks and its application to DES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 206–222. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    PKCS #1 v2.1, RSA Cryptography Standard (January 5, 2001),
  16. 16.
    Bellare, M., Rogaway, P.: Optimal asymmetric encryption padding – How to encrypt with RSA. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)Google Scholar
  17. 17.
    Yen, S.M., Lu, C.C., Tseng, S.Y.: Method for protecting public key schemes from timing, power and fault attacks. U.S. Patent Number US2004/0125950 A1 (July 2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sung-Ming Yen
    • 1
  • Lee-Chun Ko
    • 1
  • SangJae Moon
    • 2
  • JaeCheol Ha
    • 3
  1. 1.Laboratory of Cryptography and Information Security (LCIS), Dept of Computer Science and Information EngineeringNational Central UniversityChung-LiTaiwan, R.O.C.
  2. 2.School of Electronic and Electrical EngineeringKyungpook National UniversityTaeguKorea
  3. 3.Dept of Computer and InformationKorea Nazarene UniversityChoong NamKorea

Personalised recommendations