Cryptology ePrint Archive: Report 2016/597

Correlated Extra-Reductions Defeat Blinded Regular Exponentiation - Extended Version

Margaux Dugardin; Sylvain Guilley; Jean-Luc Danger; Zakaria Najm; Olivier Rioul

Abstract: Walter & Thomson (CT-RSA '01) and Schindler (PKC '02) have shown that extra-reductions allow to break RSA-CRT even with message blinding. Indeed, the extra-reduction probability depends on the type of operation: square, multiply, or multiply with a constant. Regular exponentiation schemes can be regarded as protections, as the operation sequence does not depend on the secret.

In this article, we show that there exists a strong negative correlation between extra-reductions of two consecutive operations, provided that the first one feeds the second one. This allows to mount successful attacks even against blinded asymmetrical computations with a regular exponentiation algorithm (such as Square-and-Multiply Always or Montgomery Ladder). We put forward various attack strategies depending on the context (e.g., known modulus or not, known extra-reduction detection probability, etc.), and implement them on two devices (single core ARM Cortex-M4 and dual core ARM Cortex M0-M4)

Category / Keywords: side-channel analysis, Montgomery modular multiplication, extra-reduction leakage, message blinding, regular exponentiation

Original Publication (with minor differences): IACR-CHES-2016

Date: received 6 Jun 2016, last revised 9 Jan 2017

Contact author: margaux dugardin59 at gmail com

Available format(s): PDF | BibTeX Citation

Note: Some precisions, especially that the modulus need not be prime (as in RSA without CRT), and that a global timing attack would not be successful, as we should be able to attribute an extra-reduction to one targeted multiplication/square.

Version: 20170110:005848 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]