Cryptology ePrint Archive: Report 2018/798

Recovering Secrets From Prefix-Dependent Leakage

Houda Ferradi and Rémi Géraud and Sylvain Guilley and David Naccache and Mehdi Tibouchi

Abstract: We discuss how to recover a secret bitstring given partial information obtained during a computation over that string, assuming the computation is a deterministic algorithm processing the secret bits sequentially. That abstract situation models certain types of side-channel attacks against discrete logarithm and RSA-based cryptosystems, where the adversary obtains information not on the secret exponent directly, but instead on the group or ring element that varies at each step of the exponentiation algorithm.

Our main result shows that for a leakage of a single bit per iteration, under suitable statistical independence assumptions, one can recover the whole secret bitstring in polynomial time. We also discuss how to cope with imperfect leakage, extend the model to $k$-bit leaks, and show how our algorithm yields attacks on popular cryptosystems such as (EC)DSA.

Category / Keywords: implementation / Galton--Watson process, discrete logarithm problem, cryptanalysis

Original Publication (with major differences): MATHCRYPT 2018

Date: received 31 Aug 2018, last revised 14 Oct 2018

Contact author: mehdi tibouchi at normalesup org

Available format(s): PDF | BibTeX Citation

Version: 20181015:025749 (All versions of this report)

Short URL: ia.cr/2018/798


[ Cryptology ePrint archive ]