Exponent blinding does not always lift (partial) spa resistance to higher-level security

Authors:
Werner Schindler;Kouichi Itoh
Affiliations:
Bundesamt für Sicherheit in der Informationstechnik, Bonn, Germany;Fujitsu Laboratories Ltd., KamiKodanaka, Nakahara-ku, Kawasaki, Japan
Venue:
ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
Year:
2011

Citing 10
Cited 4

Differential Power Analysis

CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
A Combined Timing and Power Attack

PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems

CHES '99 Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems
Address-Bit Differential Power Analysis of Cryptographic Schemes OK-ECDH and OK-ECDSA

CHES '02 Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems
A vulnerability in RSA implementations due to instruction cache analysis and its demonstration on OpenSSL

CT-RSA'08 Proceedings of the 2008 The Cryptopgraphers' Track at the RSA conference on Topics in cryptology
Correcting errors in RSA private keys

CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Power analysis by exploiting chosen message and internal collisions – vulnerability of checking mechanism for RSA-Decryption

Mycrypt'05 Proceedings of the 1st international conference on Progress in Cryptology in Malaysia
Power attack on small RSA public exponent

CHES'06 Proceedings of the 8th international conference on Cryptographic Hardware and Embedded Systems
Simple power analysis on exponentiation revisited

CARDIS'10 Proceedings of the 9th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Application

Attacking exponent blinding in RSA without CRT

COSADE'12 Proceedings of the Third international conference on Constructive Side-Channel Analysis and Secure Design
The schindler-itoh-attack in case of partial information leakage

COSADE'12 Proceedings of the Third international conference on Constructive Side-Channel Analysis and Secure Design
Defeating with fault injection a combined attack resistant exponentiation

COSADE'13 Proceedings of the 4th international conference on Constructive Side-Channel Analysis and Secure Design
High-order timing attacks

Proceedings of the First Workshop on Cryptography and Security in Computing Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Exponent blinding is known as a secure countermeasure against side-channel attacks. If single power traces reveal some exponent bits, an attack by Fouque et al. applies that recovers the exponent. However, this attack becomes infeasible if some of the guessed bits are incorrect. Thus, the attack was not assumed to be a realistic threat. In this paper we present two variants of a novel generic attack, which works for considerable error rates at each bit position, disproving the hypothesis that mere exponent blinding is always sufficient. We confirmed experimentally that our attack permits up to 28% (RSA case) or 23% (ECC case) error bits.