and we have

.net Framework code 128a integration on .netgenerate, create code 128b none with .net projects

(abR)R' = 6 . 64 = 384 = 68 (mod 79).

read code-128c for .netUsing Barcode recognizer for VS .NET Control to read, scan read, scan image in VS .NET applications.

We can directly verify that this is the correct answer since

VS .NET Crystal barcode creation on .netgenerate, create bar code none for .net projects

ab (mod N )

VS .NET bar code reader on .netUsing Barcode recognizer for .NET Control to read, scan read, scan image in .NET applications.

6 1 . 5 = 305 = 68 (mod 79).

Control code 128 barcode data on c#to insert code128b and code 128 code set c data, size, image with .net c# barcode sdk

Montgomery multiplication is certainly more work than it is worth in the simple example considered above. However, suppose that instead of ~0x1puting ab (mod N ) , we want to compute ad (mod N). Then to use the

Control barcode code 128 image on .netusing asp.net aspx toattach code 128a on asp.net web,windows application

7.4 R S A IMPLEMENTATIONATTACKS

Control code128b image with visual basicusing .net toaccess code 128 code set a in asp.net web,windows application

Montgomery algorithm, we must pay the price of converting a into Montgomery form, but having done so, all of the multiplications required in the computation of ad (mod N ) can be computed using (7.18) and (7.19) (and extra reductions, as required), without any expensive division operations. The final result must be converted from Montgomery form back into nonMontgomery form, which requires one additional mod N operation. The bottom line is that only two expensive mod N operations are required, since the multiplications are all computed in Montgomery form which only requires efficient mod R operations. With respect to the timing attacks discussed below, the extra reduction step provides a crucial timing difference that an attacker can exploit in some circumstances. Other tricks are also used to speed up modular exponentiation. Of these, the sliding window and Karatsuba multiplication are the most significant. A sliding window is a straightforward time-memory trade-off applied to the repeated squaring algorithm. That is, instead of processing each bit individually, we process the bits in blocks (say, blocks of five consecutive bits) and use pre-computed tables containing the required factors. Karatsuba multiplication [76] is the most efficient method to multiply two numbers with the same number of digits-assuming that addition is much cheaper than multiplication. The work factor for Karatsuba multiplication is multiplications, where n is the number of bits on the order of nlog2 = n1.585 in each of the numbers to be multiplied, whereas normal long multiplication has a work factor on the order of n2. The Karatsuba algorithm is based on a simple observation. The naive approach to computing the product (a0 a1 . 10)(b, bl . 10) is

3 Of 9 Barcode printing with .netuse visual studio .net ansi/aim code 39 creator toaccess 3 of 9 with .net

+ + (a0+ a1 . lo)@, + bl . 10) = aobo + (a& + U l b 0 ) l O + albl .102,

Barcode 3 Of 9 integrating for .netuse visual studio .net crystal 3 of 9 maker toinclude 3 of 9 on .net

which requires four multiplications to determine the coefficients of the powers of ten. However, the same can be accomplished with just three multiplications. since

Visual .net 1d barcode creator on .netgenerate, create 1d barcode none in .net projects

+ a1 . 10)(bo + bl . 10)

Generate matrix barcode in .netusing .net vs 2010 torender matrix barcode for asp.net web,windows application

= aobo

.net Vs 2010 Crystal code 2/5 maker on .netgenerate, create industrial 2 of 5 none on .net projects

+ [(a0+ a l ) ( b o + b l )

Visual Studio .NET ean 128 encoder on vbuse visual studio .net ean / ucc - 14 creation todisplay gs1-128 on visual basic

~ o b o ~ l b l ] l O albl . lo2 (7.20) -

Control qr code iso/iec18004 size with .netto compose qr bidimensional barcode and qr code 2d barcode data, size, image with .net barcode sdk

and this is the essential idea behind Karatsuba multiplication. The Karatsuba technique can be used for numbers of any magnitude. For example, suppose that we want to find the product

PDF417 barcode library in vb.netgenerate, create pdf-417 2d barcode none in visual basic projects

( c ~ c1 . l o

Control upc code data on excelupc-a data with excel spreadsheets

+ c2 . lo2 + c : .~103)(do+ dl . l o + d2 . lo2 + d 3 . lo3).

decode 3 of 9 with .netUsing Barcode scanner for .net vs 2010 Control to read, scan read, scan image in .net vs 2010 applications.

We can rewrite the first term a s

Control qr code jis x 0510 image for javause java qr code integration toproduce qr code 2d barcode with java

where Co = co second term as

ANSI/AIM Code 128 printer in .netusing barcode generator for ms reporting service control to generate, create uss code 128 image in ms reporting service applications.

PUBLIC K E Y ATTACKS

Control barcode pdf417 data in .netto print pdf 417 and pdf-417 2d barcode data, size, image with .net barcode sdk

+ c1 . 10 and C1 = c2 + c3 . 10. Similarly, we can rewrite the

product is given by

+ dl 10) + (d2 + d3.10)102 = Do + D1 . l 0 2 , where Do = do + d l . 10 and D1 = d2 + d3 . 10. In this case, the Karatsuba

+c 1

+ = C o ~+ [(coC ~ ) ( + a ) cono c 1 ~ l ] 1 0+ c l ~l o 4 . o + D ~ 2 . ,

102)(Do D1 102)

Here, the three products involving the Ci and 0 3 are computed as in (7.20). Consequently, given any product, we can recursively apply the Karatsuba multiplication technique. At each step in the recursion, three multiplications are required, and the numbers are half as big as at the previous step. A straightforward analysis yields the claimed work factor of n1.585. Note that the Karatsuba algorithm holds if the base 10 (or l o 2 ) is replaced by any other base. Also, the algorithm is most efficient if the two numbers to be multiplied are of about the same magnitude. At this point, we have more than enough background to discuss the three timing attacks mentioned above. First, we consider Kocher s attack, which only applies to systems that use repeated squaring, but not CRT or Montgomery multiplication. Kocher s attack has been successfully applied to smartcards. Then we discuss Sdiindler s method, which can be used when CRT and Montgomery multiplication are employed. Finally, we present the justifiably famous Brumley-Boneh attack, which succeeds against RSA as implemented in a version of OpenSSL in a realistic scenario (over a network). The OpenSSL implementation of RSA is highly optimized, using CRT, Montgomery multiplication, sliding windows and Karatsuba s algorithm. As of this writing, the Brurnley-Boneh attack stands as the greatest success in the relatively young field of timing attacks. We note in passing that timing attacks have recently been directed at symmetric ciphers [la] but, to date, these have proven far less of a realistic threat than timing attacks on public kcy cryptosystenis.