Attacking Exponent Blinding in RSA without CRT

A standard SPA countermeasure for RSA implementations is exponent blinding (see [7]): instead of the private exponent d, each exponentiation uses d + r·φ(N) for a fresh random r. Fouque et al. [4] and, more recently, Schindler and Itoh [8] have described side-channel attacks against such implementations. The attack in [4] requires that the attacker knows some bits of the blinded exponent with certainty. The attack methods of [8] can be defeated by choosing a sufficiently long blinding factor r (about 64 bits). In this paper we start from a more realistic model of the information an attacker can obtain by simple power analysis (SPA) than the one that forms the basis of the attack in [4], and we show how the methods of [4] can be extended to work in this setting. The new attack works, under certain restrictions, even for long blinding factors (64 bits or more).
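As an added worked example (not code from the paper), the following Python models the countermeasure the abstract refers to: exponent blinding without CRT, the left-to-right square-and-multiply whose S/M operation sequence an SPA adversary sees, and a simple bit-error observation model standing in for "partial" SPA information. The toy primes, the 64-bit blinding length and the error model are constructed assumptions for illustration only.

```python
import random
import secrets

# Constructed toy RSA parameters: far too small for real use, chosen so the
# arithmetic is quick to follow. 1000003 and 1000033 are prime.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # private exponent, d*e == 1 (mod phi(N))


def blind_exponent(d, phi, r_bits, randbits=secrets.randbits):
    """Exponent blinding: return (d', r) with d' = d + r*phi(N).

    r is forced to have exactly r_bits bits so every blinded exponent is
    about r_bits longer than phi(N). Since d' == d (mod phi(N)), x**d' and
    x**d agree modulo N, but the bit pattern fed to the exponentiation
    changes on every call.
    """
    r = randbits(r_bits) | (1 << (r_bits - 1))
    return d + r * phi, r


def square_and_multiply_trace(x, exp, n):
    """Left-to-right binary exponentiation without CRT.

    Returns (x**exp mod n, trace) where trace is the sequence of squarings
    ('S') and multiplications ('M') performed: exactly what an idealised SPA
    adversary observes, and what reveals the exponent bit by bit.
    """
    acc = 1
    trace = []
    for bit in bin(exp)[2:]:
        acc = acc * acc % n
        trace.append("S")
        if bit == "1":
            acc = acc * x % n
            trace.append("M")
    return acc, "".join(trace)


def exponent_from_trace(trace):
    """Perfect-SPA model: read the exponent straight off the S/M sequence.

    An 'S' followed by 'M' is a 1 bit, a lone 'S' is a 0 bit. With exponent
    blinding the recovered value is d', not d; reducing it mod phi(N) gives
    d back, which is why the blinded exponent must not leak in full.
    """
    return int(trace.replace("SM", "1").replace("S", "0"), 2)


def observe_with_bit_errors(exp, flip_prob, seed=0):
    """Constructed 'partial SPA' model: each bit of exp is read, but every bit
    is flipped independently with probability flip_prob. Returns the noisy
    guess of the exponent; the attacker does not know which bits are wrong.
    """
    rng = random.Random(seed)
    guess = 0
    for i in range(exp.bit_length()):
        bit = (exp >> i) & 1
        if rng.random() < flip_prob:
            bit ^= 1
        guess |= bit << i
    return guess


def hamming_distance(a, b):
    return bin(a ^ b).count("1")


def demo(r_bits=64, message=123456789):
    """Run one blinded exponentiation and report what an SPA trace exposes."""
    d_blind, r = blind_exponent(D, PHI, r_bits)
    sig, trace = square_and_multiply_trace(message, d_blind, N)
    return {
        "signature_matches_unblinded": sig == pow(message, D, N),
        "blinded_extra_bits": d_blind.bit_length() - PHI.bit_length(),
        "trace_reveals_blinded_exponent": exponent_from_trace(trace) == d_blind,
        "reduction_mod_phi_gives_d": d_blind % PHI == D,
        "noisy_guess_errors": hamming_distance(
            observe_with_bit_errors(d_blind, 0.1), d_blind),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The example makes the abstract's distinction concrete: with a perfect trace the attacker recovers d' and then d = d' mod φ(N) directly, whatever the blinding length; the blinding only helps when each trace yields an uncertain (here, noisy) reading of a different d', so the attacker must combine partial information from several traces.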

[1]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2002 , 2003, Lecture Notes in Computer Science.

[2]  Shai Halevi Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings , 2009, CRYPTO.

[3]  Dan Boneh,et al.  Twenty Years of Attacks on the RSA Cryptosystem , 1999 .

[4]  Werner Schindler,et al.  Exponent Blinding Does Not Always Lift (Partial) SPA Resistance to Higher-Level Security , 2011, ACNS.

[5]  C. D. Walter,et al.  Sliding Windows Succumbs to Big Mac Attack , 2001, CHES.

[6]  Mitsuru Matsui,et al.  Cryptographic Hardware and Embedded Systems - CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006, Proceedings , 2006, CHES.

[7]  Ariel J. Feldman,et al.  Lest we remember: cold-boot attacks on encryption keys , 2008, CACM.

[8]  Hovav Shacham,et al.  Reconstructing RSA Private Keys from Random Key Bits , 2009, CRYPTO. Also available from the IACR Cryptology ePrint Archive as Report 2008/510.

[9]  Pankaj Rohatgi,et al.  Template Attacks , 2002, CHES.

[10]  Christophe Clavier,et al.  Horizontal Correlation Analysis on Exponentiation , 2010, ICICS.

[11]  Neal Koblitz,et al.  Advances in Cryptology — CRYPTO ’96 , 2001, Lecture Notes in Computer Science.

[12]  Frédéric Valette,et al.  Simple Power Analysis and Differential Power Analysis attacks are among the , 2022 .

[13]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[14]  David Naccache,et al.  Cryptographic Hardware and Embedded Systems — CHES 2001 , 2001 .