Attacking Exponent Blinding in RSA without CRT
A standard SPA protection for RSA implementations is exponent blinding (see ). Fouque et al.,  and more recently Schindler and Itoh,  have described side-channel attacks against such implementations. The attack in  requires that the attacker knows some bits of the blinded exponent with certainty. The attack methods of  can be defeated by choosing a sufficiently large blinding factor (about 64 bit).
In this paper we start from a more realistic model for the information an attacker can obtain by simple power analysis (SPA) than the one that forms the base of the attack in . We show how the methods of  can be extended to work in this setting. This new attack works, under certain restrictions, even for long blinding factors (i.e. 64 bit or more).
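The countermeasure the abstract refers to, as an added illustration that is not taken from the paper: exponent blinding in its common form d' = d + r·φ(N) with a fresh random r per operation, run through a square-and-multiply loop whose square/multiply sequence stands in for what SPA reads from a single trace. The toy primes, the function names and the S/M trace model are assumptions made for this example.

```python
import secrets

def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation.
    Returns (result, ops) where ops is the 'S'/'M' sequence an SPA trace would leak."""
    result, ops = 1, []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        ops.append("S")
        if bit == "1":
            result = (result * base) % modulus
            ops.append("M")
    return result, "".join(ops)

def blinded_exponent(d, phi, blind_bits=64):
    """d' = d + r*phi with a fresh random blinding factor r of blind_bits bits."""
    r = secrets.randbits(blind_bits)
    return d + r * phi

def rsa_private_op(c, d, n, phi, blind_bits=None):
    """RSA private operation without CRT; blinded when blind_bits is set."""
    exp = d if blind_bits is None else blinded_exponent(d, phi, blind_bits)
    return square_and_multiply(c, exp, n)

# Constructed toy key from two Mersenne primes (far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)

def demo(message=123456789):
    c = pow(message, E, N)
    plain, plain_ops = rsa_private_op(c, D, N, PHI)
    b1, ops1 = rsa_private_op(c, D, N, PHI, blind_bits=64)
    b2, ops2 = rsa_private_op(c, D, N, PHI, blind_bits=64)
    return {
        "results": (plain, b1, b2),      # all equal the message
        "plain_ops": plain_ops,          # identical on every unblinded run
        "blinded_ops": (ops1, ops2),     # differ from run to run
    }

if __name__ == "__main__":
    out = demo()
    print("results agree:", len(set(out["results"])) == 1)
    print("unblinded trace:", out["plain_ops"][:40], "...")
    for ops in out["blinded_ops"]:
        print("blinded trace:  ", ops[:40], "...")
```

Without blinding every run leaks the same operation sequence, so observations can be combined directly; with blinding each run exposes a different d', which is the setting the attacks discussed in the abstract have to cope with.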
Keywords: SPA, RSA, exponent blinding