Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Sliding Windows Succumbs to Big Mac Attack
CHES '01 Proceedings of the Third International Workshop on Cryptographic Hardware and Embedded Systems
CHES '02 Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems
Lest we remember: cold boot attacks on encryption keys
SS'08 Proceedings of the 17th conference on Security symposium
Reconstructing RSA Private Keys from Random Key Bits
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Exponent blinding does not always lift (partial) spa resistance to higher-level security
ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
Power attack on small RSA public exponent
CHES'06 Proceedings of the 8th international conference on Cryptographic Hardware and Embedded Systems
| Hi-index | 0.00 |
A standard SPA protection for RSA implementations is exponent blinding (see [7]). Fouque et al., [4] and more recently Schindler and Itoh, [8] have described side-channel attacks against such implementations. The attack in [4] requires that the attacker knows some bits of the blinded exponent with certainty. The attack methods of [8] can be defeated by choosing a sufficiently large blinding factor (about 64 bit). In this paper we start from a more realistic model for the information an attacker can obtain by simple power analysis (SPA) than the one that forms the base of the attack in [4]. We show how the methods of [4] can be extended to work in this setting. This new attack works, under certain restrictions, even for long blinding factors (i.e. 64 bit or more).