The art of computer programming, volume 2 (3rd ed.): seminumerical algorithms
The art of computer programming, volume 2 (3rd ed.): seminumerical algorithms
Distinguishing Exponent Digits by Observing Modular Subtractions
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
Precise Bounds for Montgomery Modular Multiplication and Some Potentially Insecure RSA Moduli
CT-RSA '02 Proceedings of the The Cryptographer's Track at the RSA Conference on Topics in Cryptology
A Practical Implementation of the Timing Attack
CARDIS '98 Proceedings of the The International Conference on Smart Card Research and Applications
A Combined Timing and Power Attack
PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
Power attack on small RSA public exponent
CHES'06 Proceedings of the 8th international conference on Cryptographic Hardware and Embedded Systems
On the optimization of side-channel attacks by advanced stochastic methods
PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
Recovering Secret Keys from Weak Side Channel Traces of Differing Lengths
CHES '08 Proceeding sof the 10th international workshop on Cryptographic Hardware and Embedded Systems
| Hi-index | 0.00 |
Side channel leakage from smart cards has been of concern since their inception and counter-measures are routinely employed. So a number of standard and reasonable assumptions are made here regarding an implementation of RSA in a cryptographic token which may be subjected to non-invasive side-channel cryptanalysis. These include blinding the re-usable secret key, input whitening, and using an exponentiation algorithm whose operation sequence partially obscures the key. The working hypothesis is that there is limited side channel leakage which only distinguishes very imprecisely between squarings and multiplications. For this typical situation, a method is described for recovering the private exponent, and, realistically, it does not require an excessive number of traces. It just requires the modulus to be public and the public exponent not to be too large. The attack is computationally feasible unless parameters are appropriately adjusted. It reveals that longer keys are much more vulnerable than shorter ones unless blinding is proportional to key length. A further key conclusion is that designers must assume that the information theoretic level of leakage from smart cards can be transformed into usable key information by adversaries whatever counter-measures are put in place.