Attacking Randomized Exponentiations Using Unsupervised Learning

Countermeasures against most side-channel attacks on exponentiations are based on randomization of the processed data. Exponent blinding and message blinding are specific techniques to thwart simple, collision, differential and correlation analyses. Attacks based on a single execution (trace) of the exponentiation, such as horizontal correlation analysis and profiled template attacks, have been shown to be effective against most popular countermeasures. In this paper we show how unsupervised learning can exploit the remaining leakages caused by conditional control tests and memory addressing in an RNS-based implementation of RSA. The device under attack is protected with exponent blinding and leak-resistant arithmetic. The developed attack combines the leakage of several samples over the segments of the exponentiation in order to recover the entire exponent. We demonstrate how to find the points of interest using trace pre-processing and clustering algorithms. This attack can recover the exponent from a single trace.
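The abstract describes three steps: pre-process the trace into one segment per exponentiation iteration, cluster each sample offset across the segments to locate points of interest where the segments split into two populations, and combine several such points to decide every bit. The following is an added example of that evaluation flow, written here as the kind of check an implementer runs on their own traces to see whether a data-dependent branch or memory address still leaks per bit after blinding; it is not the paper's code. The trace is constructed: Gaussian noise with a hypothetical mean shift at three assumed sample offsets (`LEAKY_POINTS`) whenever the processed bit is 1, and the 64-bit exponent `EXPONENT_BITS` is an arbitrary constructed value. The 1-D two-cluster k-means is written in pure Python so the example runs without numpy or scikit-learn.

```python
import random

# Constructed parameters for the synthetic trace (hypothetical leak model, not the paper's data).
SEGMENT_LEN = 64                  # samples per exponent-bit segment
LEAKY_POINTS = (10, 23, 41)       # assumed sample offsets where a conditional test / address leaks
LEAK = 2.5                        # mean shift at those offsets when the processed bit is 1
NOISE = 0.4                       # std dev of the Gaussian noise on every sample
EXPONENT_BITS = [int(b) for b in format(0x6B5D9A3C0F17E2D5, "064b")]  # constructed exponent


def simulate_trace(bits, seed=7):
    """Build one long synthetic trace: one SEGMENT_LEN-sample segment per bit.
    Every sample is Gaussian noise; at LEAKY_POINTS the mean shifts by LEAK
    when the bit is 1, modelling a data-dependent branch or memory address."""
    rng = random.Random(seed)
    trace = []
    for b in bits:
        seg = [rng.gauss(0.0, NOISE) for _ in range(SEGMENT_LEN)]
        if b:
            for p in LEAKY_POINTS:
                seg[p] += LEAK
        trace.extend(seg)
    return trace


def split_segments(trace, seg_len):
    """Pre-processing: cut the trace into equal-length per-iteration segments."""
    return [trace[i:i + seg_len] for i in range(0, len(trace), seg_len)]


def kmeans_1d(values, iters=50):
    """Two-cluster 1-D k-means (pure Python). Returns (labels, (c0, c1))."""
    c0, c1 = min(values), max(values)
    labels = [0] * len(values)
    for _ in range(iters):
        labels = [0 if abs(v - c0) <= abs(v - c1) else 1 for v in values]
        g0 = [v for v, lab in zip(values, labels) if lab == 0]
        g1 = [v for v, lab in zip(values, labels) if lab == 1]
        if not g0 or not g1:
            break
        n0, n1 = sum(g0) / len(g0), sum(g1) / len(g1)
        if (n0, n1) == (c0, c1):
            break
        c0, c1 = n0, n1
    return labels, (c0, c1)


def separation_score(values, labels, centroids):
    """Between-centroid distance over pooled within-cluster spread.
    A sample offset scores high only if the segments split into two tight
    populations there, i.e. it is a point of interest."""
    within = sum((v - centroids[lab]) ** 2 for v, lab in zip(values, labels))
    within = (within / len(values)) ** 0.5
    return abs(centroids[1] - centroids[0]) / (within + 1e-12)


def find_points_of_interest(segments, top_k=3):
    """Cluster each sample offset across all segments; keep the best-separated offsets."""
    scored = []
    for t in range(len(segments[0])):
        column = [seg[t] for seg in segments]
        labels, cents = kmeans_1d(column)
        scored.append((separation_score(column, labels, cents), t))
    scored.sort(reverse=True)
    return [t for _, t in scored[:top_k]]


def recover_bits(segments, pois):
    """Cluster each point of interest independently, then majority-vote across
    the points for every segment. Clustering alone fixes the bits only up to a
    global complement; here the higher-centroid cluster is taken as bit 1,
    which matches the sign of the constructed leak."""
    votes = [0] * len(segments)
    for t in pois:
        column = [seg[t] for seg in segments]
        labels, (c0, c1) = kmeans_1d(column)
        one_label = 1 if c1 > c0 else 0
        for i, lab in enumerate(labels):
            votes[i] += 1 if lab == one_label else -1
    return [1 if v > 0 else 0 for v in votes]


if __name__ == "__main__":
    segs = split_segments(simulate_trace(EXPONENT_BITS), SEGMENT_LEN)
    pois = find_points_of_interest(segs)
    guess = recover_bits(segs, pois)
    print("points of interest:", sorted(pois))
    print("bit errors:", sum(g != b for g, b in zip(guess, EXPONENT_BITS)))
```

Two caveats carry over to real measurements: the clustering labels are arbitrary, so a single trace yields the exponent only up to a global complement, and the per-point decisions are noisy, which is why the paper combines several samples per segment rather than trusting one. For the implementer the useful output is the list of offsets that score well above the noise floor; each one marks an operation whose control flow or addressing still depends on the exponent bit, and that is what has to be made data-independent, since blinding the exponent does not remove a leak that is present in every single execution.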
