Abstract
Side-channel attacks on RSA aim to recover the secret exponent by processing multiple power or electromagnetic traces. Exponent blinding is the main countermeasure that prevents the classical forms of side-channel attack, such as SPA, DPA, CPA and template attacks. Horizontal attacks overcome RSA countermeasures by attacking single traces. However, the processing of a single trace is limited by the amount of information it carries, and leakage assessment using labeled samples is not possible because of the exponent blinding countermeasure. To overcome these drawbacks, we propose a side-channel attack framework based on a semi-parametric approach that combines the concepts of unsupervised learning, horizontal attacks, maximum likelihood estimation and template attacks in order to recover the exponent bits. Our method is divided into two main parts: a learning phase and an attacking phase. The learning phase consists of identifying the class parameters contained in the power traces representing the loop of the exponentiation. We propose a leakage assessment based on unsupervised learning to identify points of interest in a blinded exponentiation. The attacking phase executes a horizontal attack based on clustering algorithms to provide labeled information. Furthermore, it computes confidence probabilities for all exponent bits. These probabilities indicate how much our semi-parametric approach is able to learn about the class parameters from the side-channel information.
To demonstrate the power of our framework we attack the private exponent \(d_{p}\) of the 1024-bit RSA-CRT implementation protected by the SPA, 32-bit message blinding, and 64-bit exponent blinding countermeasures; the implementation runs on a 32-bit STM32F4 microcontroller.
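The following Python script is an added illustration of the two phases summarised in the abstract; it is not code from the paper or its authors, and it runs on a constructed toy trace rather than on measurements. The leakage model (a square-and-multiply loop whose segments are Gaussian noise with a class-dependent shift at a few hidden sample positions), the constants `SEGMENT_LEN`, `TRUE_POIS`, `LEAK`, `NOISE` and every function name are assumptions of this example. The learning phase locates points of interest from the variance across segments of the single trace, without labels; the attacking phase clusters the segments into two classes, fits a Gaussian template to each cluster, and turns the templates into a per-bit confidence probability, which is what an evaluator would inspect to judge how much a blinded implementation still leaks.

```python
import math
import random

# Constructed toy leakage model (an assumption of this example, not the paper's data).
SEGMENT_LEN = 40                 # samples per modular multiplication segment
TRUE_POIS = (5, 14, 23, 33)      # sample positions where the operation type leaks; hidden from the analysis
LEAK = 4.0                       # mean shift of a multiplication segment at a POI
NOISE = 1.0                      # standard deviation of Gaussian noise on every sample


def simulate_trace(exponent_bits, rng):
    """Left-to-right square-and-multiply on a (blinded) exponent: one squaring per
    bit, followed by a multiplication for each 1 bit. Returns the per-operation
    segments and the ground-truth labels (0 = square, 1 = multiply); the analysis
    below never reads the labels, mirroring the no-labels situation under blinding."""
    segments, labels = [], []
    for bit in exponent_bits:
        for op in ([0, 1] if bit else [0]):
            seg = [rng.gauss(0.0, NOISE) for _ in range(SEGMENT_LEN)]
            for p in TRUE_POIS:
                seg[p] += LEAK * op
            segments.append(seg)
            labels.append(op)
    return segments, labels


def find_pois(segments, ratio=2.0):
    """Learning phase: unsupervised leakage assessment. A sample whose variance across
    all segments of the single trace is far above the (noise-only) median is
    class-dependent, so it is selected as a point of interest."""
    n = len(segments)
    variances = []
    for i in range(SEGMENT_LEN):
        col = [s[i] for s in segments]
        mu = sum(col) / n
        variances.append(sum((x - mu) ** 2 for x in col) / n)
    baseline = sorted(variances)[SEGMENT_LEN // 2]
    return tuple(i for i, v in enumerate(variances) if v > ratio * baseline)


def dist2(x, y):
    return sum((a - b) ** 2 for a, b in zip(x, y))


def two_means(features, iters=50):
    """Attacking phase, step 1: Lloyd's k-means with k = 2, seeded with the two most
    extreme segments so the initial centres already sit in different classes."""
    order = sorted(range(len(features)), key=lambda i: sum(features[i]))
    centers = [list(features[order[0]]), list(features[order[-1]])]
    assign = None
    for _ in range(iters):
        new = [0 if dist2(x, centers[0]) <= dist2(x, centers[1]) else 1 for x in features]
        if new == assign:
            break
        assign = new
        for c in (0, 1):
            members = [x for x, a in zip(features, assign) if a == c]
            if members:
                centers[c] = [sum(col) / len(members) for col in zip(*members)]
    return assign


def build_templates(features, assign):
    """Step 2 (semi-parametric): fit a Gaussian template (per-POI mean and variance)
    plus a prior to each cluster, using the cluster labels instead of true labels."""
    templates = []
    for c in (0, 1):
        members = [x for x, a in zip(features, assign) if a == c]
        cols = list(zip(*members))
        mean = [sum(col) / len(members) for col in cols]
        var = [max(sum((v - m) ** 2 for v in col) / len(members), 1e-6) for col, m in zip(cols, mean)]
        templates.append((mean, var, len(members) / len(features)))
    return templates


def posterior(x, templates):
    """P(class | segment) by Bayes' rule over the two templates, computed in the log domain."""
    logp = []
    for mean, var, prior in templates:
        ll = math.log(prior)
        for v, m, s2 in zip(x, mean, var):
            ll += -0.5 * math.log(2 * math.pi * s2) - (v - m) ** 2 / (2 * s2)
        logp.append(ll)
    mx = max(logp)
    w = [math.exp(l - mx) for l in logp]
    return [v / sum(w) for v in w]


def recover_exponent(segments, pois):
    """Step 3: label segments, then walk the operation sequence to read the bits.
    Every bit costs one squaring, so the larger cluster is taken to be 'square'.
    Each bit's confidence is the product of the posteriors of the segments it uses."""
    features = [[s[p] for p in pois] for s in segments]
    assign = two_means(features)
    templates = build_templates(features, assign)
    posts = [posterior(x, templates) for x in features]
    square = 0 if assign.count(0) >= assign.count(1) else 1
    mult = 1 - square
    bits, conf, i = [], [], 0
    while i < len(segments):
        p_sq = posts[i][square]
        if i + 1 < len(segments) and posts[i + 1][mult] > 0.5:
            bits.append(1)
            conf.append(p_sq * posts[i + 1][mult])
            i += 2
        else:
            p_next = posts[i + 1][square] if i + 1 < len(segments) else 1.0
            bits.append(0)
            conf.append(p_sq * p_next)
            i += 1
    return bits, conf


def demo(n_bits=64, seed=7):
    """Run both phases on one constructed trace of a random (blinded) exponent."""
    rng = random.Random(seed)
    exponent = [rng.randrange(2) for _ in range(n_bits)]
    segments, _labels = simulate_trace(exponent, rng)
    pois = find_pois(segments)
    bits, conf = recover_exponent(segments, pois)
    return exponent, bits, conf, pois


if __name__ == "__main__":
    exponent, bits, conf, pois = demo()
    print("POIs found:", pois)
    print("bits recovered correctly:", sum(a == b for a, b in zip(exponent, bits)), "/", len(exponent))
    print("lowest per-bit confidence: %.3f" % min(conf))
```

The per-bit confidence is the quantity an evaluator should watch: when the leakage shift `LEAK` is lowered towards the noise level, the clusters overlap, the posteriors move towards 0.5 and the confidence values fall, which is the signal that the implementation is no longer yielding the exponent from a single trace.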
Notes
- 1. Note that message and modulus blinding affect only the exponentiation input, not the algorithm itself. Therefore, since horizontal attacks exploit the structure of the exponentiation algorithm, these countermeasures are expected to be ineffective against them.
- 2. To the best of our knowledge, horizontal cross-correlation has not yet been successfully applied to RSA.
- 3. Observe that our framework can also be used to attack other exponentiation algorithms, for instance square-and-multiply-always [12]. In this case, however, the framework needs to be applied to the whole exponentiation iteration at once rather than to single modular multiplications.
References
Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)
Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)
Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)
Fouque, P.-A., Valette, F.: The doubling attack – why upwards is better than downwards. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 269–280. Springer, Heidelberg (2003)
Bajard, J.-C., Imbert, L., Liardet, P.-Y., Teglia, Y.: Leak resistant arithmetic. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 62–75. Springer, Heidelberg (2004)
Courrège, J.-C., Feix, B., Roussellet, M.: Simple power analysis on exponentiation revisited. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 65–79. Springer, Heidelberg (2010)
Homma, N., Miyamoto, A., Aoki, T., Satoh, A., Shamir, A.: Comparative power analysis of modular exponentiation algorithms. IEEE Trans. Comput. 59(6), 795–807 (2010)
Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)
Dupaquis, V., Venelli, A.: Redundant modular reduction algorithms. In: Prouff, E. (ed.) CARDIS 2011. LNCS, vol. 7079, pp. 102–114. Springer, Heidelberg (2011)
Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 291–302. Springer, Heidelberg (2003)
Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 13–28. Springer, Heidelberg (2003)
Walter, C.D.: Sliding windows succumbs to big mac attack. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 286–299. Springer, Heidelberg (2001)
Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010)
Clavier, C., Feix, B., Gagnerot, G., Giraud, C., Roussellet, M., Verneuil, V.: ROSETTA for single trace analysis. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 140–155. Springer, Heidelberg (2012)
Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal and vertical side-channel attacks against secure RSA implementations. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 1–17. Springer, Heidelberg (2013)
Bauer, A., Jaulmes, É.: Correlation analysis against protected SFM implementations of RSA. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT 2013. LNCS, vol. 8250, pp. 98–115. Springer, Heidelberg (2013)
Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal collision correlation attack on elliptic curves. ResearchGate (2014)
Heyszl, J., Ibing, A., Mangard, S., Santis, F., Sigl, G.: Clustering algorithms for non-profiled single-execution attacks on exponentiations. IACR Cryptology ePrint Archive, Report 2013/438 (2013)
Perin, G., Imbert, L., Torres, L., Maurine, P.: Attacking randomized exponentiations using unsupervised learning. In: Prouff, E. (ed.) COSADE 2014. LNCS, vol. 8622, pp. 144–160. Springer, Heidelberg (2014)
Bauer, S.: Attacking exponent blinding in RSA without CRT. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 82–88. Springer, Heidelberg (2012)
Batina, L., Gierlichs, B., Lemke-Rust, K.: Differential cluster analysis. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 112–127. Springer, Heidelberg (2009)
Batina, L., Gierlichs, B., Prouff, E., Rivain, M., Standaert, F.X., Charvillon, N.V.: Mutual information analysis: a comprehensive study. J. Cryptology 24(2), 269–291 (2011)
Meynard, O., Réal, D., Flament, F., Guilley, S., Homma, N., Danger, J.L.: Enhancement of simple electro-magnetic attacks by pre-characterization in frequency domain and demodulation techniques. In: Proceedings of Design, Automation and Test in Europe (DATE), pp. 1004–1009. IEEE (2011)
Krämer, J., Nedospasov, D., Seifert, J.-P.: Weaknesses in current RSA signature schemes. In: Kim, H. (ed.) ICISC 2011. LNCS, vol. 7259, pp. 155–168. Springer, Heidelberg (2012)
Mather, L., Oswald, E., Bandenburg, J., Wójcik, M.: Does my device leak information? An a priori statistical power analysis of leakage detection tests. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 486–505. Springer, Heidelberg (2013)
Jaffe, J., Rohatgi, P., Witteman, M.: Efficient side-channel testing for public key algorithms: RSA case study. Report (2011)
Alpaydin, E.: Introduction to Machine Learning, 3rd edn. The MIT Press, London (2014)
Hanley, N., Kim, H.S., Tunstall, M.: Exploiting collisions in addition chain-based exponentiation algorithms using a single trace. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 429–446. Springer, Heidelberg (2015)
Duda, R.O., Hart, P.E., Stork, D.G.: Pattern Classification, 2nd edn. Wiley-Interscience, New York (2001)
Bishop, C.M.: Pattern Recognition and Machine Learning (Information Science and Statistics). Springer, USA (2007)
Goodwill, G., Jun, B., Jaffe, J., Rohatgi, P.: A testing methodology for side channel resistance validation. In: Non-Invasive Attack Testing Workshop (NIAT) (2011)
Bauer, S.: Attacking exponent blinding in RSA without CRT. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 82–88. Springer, Heidelberg (2012)
Heninger, N., Shacham, H.: Reconstructing RSA private keys from random key bits. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 1–17. Springer, Heidelberg (2009)
EMV: EMVCo Security Evaluation Process, Security Guidelines, Version 0.5 (March 2005)
© 2016 Springer International Publishing Switzerland
Cite this paper
Perin, G., Chmielewski, Ł. (2016). A Semi-Parametric Approach for Side-Channel Attacks on Protected RSA Implementations. In: Homma, N., Medwed, M. (eds.) Smart Card Research and Advanced Applications. CARDIS 2015. Lecture Notes in Computer Science, vol. 9514. Springer, Cham. https://doi.org/10.1007/978-3-319-31271-2_3
DOI: https://doi.org/10.1007/978-3-319-31271-2_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31270-5
Online ISBN: 978-3-319-31271-2