CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems. CHES '99, Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems.
Efficient Generation of Prime Numbers. CHES '00, Proceedings of the Second International Workshop on Cryptographic Hardware and Embedded Systems.
Riemann's hypothesis and tests for primality. Journal of Computer and System Sciences.
Fast generation of prime numbers on portable devices: an update. CHES '06, Proceedings of the 8th International Conference on Cryptographic Hardware and Embedded Systems.
Power attack on small RSA public exponent. CHES '06, Proceedings of the 8th International Conference on Cryptographic Hardware and Embedded Systems.
Resistance of randomized projective coordinates against power analysis. CHES '05, Proceedings of the 7th International Conference on Cryptographic Hardware and Embedded Systems.
A New Side-Channel Attack on RSA Prime Generation. CHES '09, Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems.
To infinity and beyond: combined attack on ECC using points of low order. CHES '11, Proceedings of the 13th International Conference on Cryptographic Hardware and Embedded Systems.
RSA key generation: new attacks. COSADE '12, Proceedings of the Third International Conference on Constructive Side-Channel Analysis and Secure Design.
Generating provable primes efficiently on embedded devices. PKC '12, Proceedings of the 15th International Conference on Practice and Theory in Public Key Cryptography.
A side-channel analysis of a cryptographic algorithm generally concentrates on the encryption or decryption phases, rarely on the key generation phase. In this paper, we show that, when not properly implemented, the fast prime generation algorithm proposed by Joye and Paillier at CHES 2006 is susceptible to side-channel analysis; its main application is the generation of RSA key pairs on embedded platforms such as smart cards. Our attack assumes that some parity bit can be recovered through simple power analysis (SPA) when it appears in a branch condition. The attack can be combined with Coppersmith's theorem to improve its efficiency; we show that for 1024-bit RSA moduli, one can recover the factorization of roughly 1/1000 of the RSA moduli.