Defeating RSA multiply-always and message blinding countermeasures

Authors:
Marc F. Witteman;Jasper G. J. van Woudenberg;Federico Menarini
Affiliations:
Riscure BV, Delft, The Netherlands;Riscure BV, Delft, The Netherlands;Riscure BV, Delft, The Netherlands
Venue:
CT-RSA'11 Proceedings of the 11th international conference on Topics in cryptology: CT-RSA 2011
Year:
2011

Citing 8
Cited 4

A method for obtaining digital signatures and public-key cryptosystems

Communications of the ACM
Differential Power Analysis

CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems

CHES '99 Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems
A DPA Attack against the Modular Reduction within a CRT Implementation of RSA

CHES '02 Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems
SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation

PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
Data Dependent Power Use in Multipliers

ARITH '05 Proceedings of the 17th IEEE Symposium on Computer Arithmetic
Power analysis for secret recovering and reverse engineering of public key algorithms

SAC'07 Proceedings of the 14th international conference on Selected areas in cryptography

Improved collision-correlation power analysis on first order protected AES

CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
Localized electromagnetic analysis of cryptographic implementations

CT-RSA'12 Proceedings of the 12th conference on Topics in Cryptology
Defeating with fault injection a combined attack resistant exponentiation

COSADE'13 Proceedings of the 4th international conference on Constructive Side-Channel Analysis and Secure Design
First-order collision attack on protected NTRU cryptosystem

Microprocessors & Microsystems

Quantified Score

Hi-index	0.00

Visualization

Abstract

We introduce a new correlation power attack on RSA's modular exponentiation implementations, defeating both message blinding and multiply-always countermeasures. We analyze the correlation between power measurements of two consecutive modular operations, and use this to efficiently recover individual key bits. Based upon simulation and practical application on a state-of-the-art smart card we show the validity of the attack. Further we demonstrate that cross correlation analysis is efficient on hardware RSA implementations, even in the presence of message blinding and strong hiding countermeasures.