Power attacks in the presence of exponent blinding

Exponent blinding has been known as an effective countermeasure against side-channel attacks on RSA. However, if single power traces reveal some exponent bits with certainty, an attack by Fouque et al. (Power attack on small RSA public exponent. Springer, Berlin, pp 339–353, 2006) applies that recovers the exponent. Since this attack becomes infeasible if some of these assumed exponent bits are incorrect, it has not been considered a realistic threat in the context of side-channel attacks. In this paper we present three generic attack variants (basic attack, enhanced attack, alternate attack) which work in the presence of considerable error rates at each bit position, disproving the hypothesis that mere exponent blinding is always sufficient to protect SPA-resistant implementations against any type of power attack. Simulation experiments confirm that for small blinding factors the basic attack tolerates error rates of more than 25 %. The enhanced attack tolerates only smaller error rates, but it requires far fewer power traces and much less computation. Unlike the basic attack and the enhanced attack, the alternate attack (against ECC and RSA without CRT) cannot effectively be prevented by simply enlarging the blinding factor. This paper extends (Schindler and Itoh, Exponent blinding does not always lift (partial) SPA resistance to higher-level security. Springer, Berlin, pp 73–90, 2011) by many new results.
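The following Python block is an added illustration and is not code from the paper or from the attacks it describes. It shows the countermeasure under discussion, RSA exponent blinding with d_r = d + r·φ(N) and a small blinding factor r, verifies that blinded decryption stays correct, and then shows the baseline situation the abstract takes as its starting point: when a single trace leaks one blinded exponent completely and without errors, and the public exponent e is small, the private key falls out of a short search over t = k + e·r, because e·d_r − 1 = (k + e·r)·φ(N) with k < e. The toy parameters (512-bit modulus, e = 3, 16-bit r, seeded randomness) are assumptions chosen so the example runs in well under a second. The error-tolerant basic, enhanced and alternate attacks that are the paper's contribution are not reproduced here; this search breaks down as soon as any leaked bit is wrong, which is exactly the gap those attacks close.

```python
"""Added illustration (not the paper's code): RSA exponent blinding and
error-free key recovery from one fully leaked blinded exponent."""
import math
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with trial division for small factors."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Random odd prime with the top bit set (toy key generation)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits: int, e: int, rng: random.Random):
    """Return (n, e, d, p, q, phi); retries until gcd(e, phi) == 1."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi), p, q, phi


def blind_exponent(d: int, phi: int, r_bits: int, rng: random.Random):
    """Exponent blinding: d_r = d + r*phi for a fresh r_bits-bit r.
    pow(c, d_r, n) == pow(c, d, n) because c^phi == 1 (mod n)."""
    r = rng.getrandbits(r_bits)
    return d + r * phi, r


def recover_from_leaked_exponent(n: int, e: int, d_r: int, r_bits: int):
    """Error-free leak baseline: e*d_r - 1 = (k + e*r)*phi with k < e and
    r < 2**r_bits, so try every candidate t = k + e*r, derive phi and
    check whether it factors n. Returns (p, q, d) or None."""
    target = e * d_r - 1
    for t in range(1, e * (1 << r_bits) + e):
        if target % t:
            continue
        phi = target // t
        s = n - phi + 1  # candidate p + q
        disc = s * s - 4 * n
        if disc < 0:
            continue
        root = math.isqrt(disc)
        if root * root != disc:
            continue
        p = (s + root) // 2
        q = s - p
        if p > 1 and q > 1 and p * q == n:
            return p, q, pow(e, -1, phi)
    return None


def demo(seed: int = 7, bits: int = 512, e: int = 3, r_bits: int = 16) -> dict:
    """Toy key, one blinded exponentiation, then recovery from the
    (assumed) exact leak of that single blinded exponent."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    n, e, d, p, q, phi = keygen(bits, e, rng)
    d_r, _ = blind_exponent(d, phi, r_bits, rng)
    m = 0xDEADBEEF  # constructed sample message
    c = pow(m, e, n)
    rec = recover_from_leaked_exponent(n, e, d_r, r_bits)
    return {
        "blinded_decrypt_ok": pow(c, d_r, n) == m,
        "d": d,
        "recovered_d": None if rec is None else rec[2],
        "factors_ok": rec is not None and {rec[0], rec[1]} == {p, q},
    }


if __name__ == "__main__":
    print(demo())
```

Enlarging the blinding factor grows this search linearly in 2^r_bits and a larger public exponent grows it linearly in e, which is the intuition behind the usual advice to pick a large r; the abstract's point about the alternate attack is that for ECC and RSA without CRT this lever does not help.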

[1] Paul C. Kocher et al. Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO, 1996.

[2] K. Brown et al. Graduate Texts in Mathematics, 1982.

[3] Alexander Krüger et al. The Schindler-Itoh-attack in Case of Partial Information Leakage. COSADE, 2012.

[4] Henri Cohen et al. A course in computational algebraic number theory. Graduate Texts in Mathematics, 1993.

[5] I. N. Bronstein et al. Taschenbuch der Mathematik, 1966.

[6] J. H. van Lint et al. Introduction to Coding Theory, 1982.

[7] Kouichi Itoh et al. Collision-Based Power Attack for RSA with Small Public Exponent. IEICE Trans. Inf. Syst., 2009.

[8] Galin L. Jones. On the Markov chain central limit theorem. math/0409112, 2004.

[9] Kouichi Itoh et al. Address-Bit Differential Power Analysis of Cryptographic Schemes OK-ECDH and OK-ECDSA. CHES, 2002.

[10] David Thomas et al. The Art in Computer Programming, 2001.

[11] Werner Schindler et al. Exponent Blinding Does Not Always Lift (Partial) SPA Resistance to Higher-Level Security. ACNS, 2011.

[12] Jean-Sébastien Coron et al. Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems. CHES, 1999.

[13] Werner Schindler et al. A Combined Timing and Power Attack. Public Key Cryptography, 2002.

[14] Alexander Meurer et al. Correcting Errors in RSA Private Keys. CRYPTO, 2010.

[15] P. Kocher et al. Differential Power Analysis. Advances in Cryptology, CRYPTO'99, 1999.

[16] Paul C. Kocher et al. Differential Power Analysis. CRYPTO, 1999.

[17] Benoit Feix et al. Simple Power Analysis on Exponentiation Revisited. CARDIS, 2010.

[19] P. Diaconis. Group representations in probability and statistics, 1988.

[20] Onur Aciiçmez et al. A Vulnerability in RSA Implementations Due to Instruction Cache Analysis and Its Demonstration on OpenSSL. CT-RSA, 2008.

[21] JaeCheol Ha et al. Power Analysis by Exploiting Chosen Message and Internal Collisions - Vulnerability of Checking Mechanism for RSA-Decryption. Mycrypt, 2005.

[22] Alfred Menezes et al. Guide to Elliptic Curve Cryptography. Springer Professional Computing, 2004.

[23] Frédéric Valette et al. Simple Power Analysis and Differential Power Analysis attacks are among the, 2022.