Cryptology ePrint Archive: Report 2010/394

Horizontal Correlation Analysis on Exponentiation

Christophe Clavier and Benoit Feix and Georges Gagnerot and Mylene Roussellet and Vincent Verneuil

Abstract: Power Analysis has been widely studied since Kocher et al. presented in 1998 the initial Simple and Diff erential Power Analysis (SPA and DPA). Correlation Power Analysis (CPA) is nowadays one of the most powerful techniques which requires, as classical DPA, many execu- tion curves for recovering secrets. We introduce in this paper a technique in which we apply correlation analysis using only one execution power curve during an exponentiation to recover the whole secret exponent manipulated by the chip. As in the Big Mac attack from Walter, longer keys may facilitate this analysis and success will depend on the arithmetic coprocessor characteristics. We present the theory of the attack with some practical successful results on an embedded device and analyze the efficiency of classical countermeasures with respect to our attack. Our technique, which uses a single exponentiation curve, cannot be pre vented by exponent blinding. Also, contrarily to the Big Mac attack, it applies even in the case of regular implementations such as the square and multiply always or the Montgomery ladder. We also point out that DSA and Diffie-Hellman exponentiations are no longer immune against CPA. Then we discuss the efficiency of known countermeasures, and we fi nally present some new ones.

Category / Keywords: Public Key Cryptography, Side-Channel Analysis, Horizontal and Vertical Power Analysis, Exponentiation, Arithmetic Coprocessors.

Publication Info: ICICS 2010 (extended version)

Date: received 12 Jul 2010, last revised 29 Nov 2010

Contact author: bfeix at insidefr com

Available format(s): PDF | BibTeX Citation

Note: This is the extented version of the ICICS 2010 paper.

Version: 20101129:141334 (All versions of this report)

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]