Minimum Requirements for Evaluating Side-Channel Attack Resistance of RSA, DSA and Diffie-Hellman Key Exchange Implementations Part of AIS 46



Bundesamt für Sicherheit in der Informationstechnik
Postfach 20 03 63
53133 Bonn
Tel.: +49 22899 9582-111
E-Mail: [email protected]
https://www.bsi.bund.de
© Bundesamt für Sicherheit in der Informationstechnik 2013


History of changes:

Version 1.0, 14.01.13, final version. Authors:

- Dirk Feldhusen, SRC Security Research & Consulting GmbH, [email protected]
- Guntram Wicke, T-Systems GEI GmbH, [email protected]
- Arnold Abromeit, TÜV Informationstechnik GmbH, [email protected]
- Lex Schoonen, brightsight bv, [email protected]
- BSI, Zertifizierungsstelle, [email protected]

Bundesamt für Sicherheit in der Informationstechnik 3 / 91


Table of Contents

1 Introduction.................................................................................................................................6

2 Side-Channel Analysis................................................................................................................7

2.1 Comparative SCA (CSCA)................................................................................................................7

2.2 Local Timing.....................................................................................................................................7

2.3 Differential SCA................................................................................................................................8

2.4 Template SCA...................................................................................................................................8

2.5 Cryptanalytic Attack..........................................................................................................................9

2.6 Logical SCA......................................................................................................................................9

2.7 (Differential) FA..............................................................................................................................10

3 Modular Exponentiation (RSA, DSA, DH)..............................................................................12

3.1 Algorithms for Modular Exponentiation..........................................................................................12

3.2 Modular Multiplication Methods.....................................................................................................15

3.3 Target of the Attack.........................................................................................................................16

3.4 Preconditions of the Attack.............................................................................................................16

3.5 Attacks without Blinding.................................................................................................................19

3.6 Attacks without Base Blinding or Modulus Blinding......................................................................25

3.7 Attacks without Exponent Blinding.................................................................................................27

3.8 Attacks with Blinding......................................................................................................................34

4 RSA...........................................................................................................................................44

4.1 Security Recommendations.............................................................................................................44

4.2 General Side-channel Attacks on RSA............................................................................................45

4.3 RSA Straight...................................................................................................................................48

4.4 RSA-CRT........................................................................................................................................52

4.5 RSA Key Generation.......................................................................................................................61

4.6 RSA Signature Verification.............................................................................................................63

5 DSA...........................................................................................................................................66

5.1 Security Recommendations.............................................................................................................67

5.2 Template Generation.......................................................................................................................67

5.3 Side-Channel Attacks on DSA........................................................................................................67

6 Diffie-Hellman Key Exchange..................................................................................................74

7 Glossary....................................................................................................................................76

8 Literature...................................................................................................................................78

8.1 Considered Literature......................................................................................................................78

8.2 Literature Not Considered...............................................................................................................84

8.3 Background Literature.....................................................................................................................86

8.4 Further Literature............................................................................................................................88



List of Tables

Table 1: Side-channel attacks on modular exponentiation without blinding.....................................24

Table 2: Side-channel attacks on modular exponentiation without base or modulus blinding..........26

Table 3: Side-channel attacks on modular exponentiation without exponent blinding......................33

Table 4: Side-channel attacks on modular exponentiation protected by blinding..............................43

Table 5: General side-channel attacks on RSA..................................................................................47

Table 6: Side-channel attacks on RSA-straight..................................................................................51

Table 7: Side-channel attacks on RSA-CRT......................................................................................60

Table 8: Side-channel attacks on RSA key generation.......................................................................62

Table 9: Side-channel attacks on RSA signature verification............................................................65

Table 10: Side-channel attacks on DSA.............................................................................................73

Table 11: Side-channel attacks on Diffie-Hellman key exchange.....................................................75

Table 12: Glossary..............................................................................................................................77

Table 13: Considered Literature.........................................................................................................84

Table 14: Literature not considered....................................................................................................86

Table 15: Background literature.........................................................................................................88

Table 16: Further literature.................................................................................................................91



1 Introduction

This document gives an overview of the relevant literature on side-channel attacks against implementations of integer factorization cryptography and discrete logarithm cryptography. In particular, implementations of RSA signature generation and verification as well as RSA decryption and encryption, Diffie-Hellman key exchange (i.e. generation of a common secret) and DSA signature generation and verification are covered. Side-channel attacks are either passive attacks on an implementation, which disclose secret data by analysing physical observables during the computation, or active attacks, which perturb the computation to obtain information about the secret data. The attacks considered are classified according to which cryptographic system is attacked and which countermeasure can be employed to thwart the attack. Side-channel attacks on modular exponentiation, which is a central part of every cryptographic system treated in this document, are considered in a separate chapter. For easy reference every attack is labelled with an identifier.

A general overview of side-channel attacks can be found in [ECC-guide] and is therefore not repeated in this document. Only the classification of side-channel attacks is included, as it is used to classify the attacks discussed.

This document shall be considered as a guideline rather than a checklist containing all possible requirements of a vulnerability assessment of a Target Of Evaluation (TOE). A TOE will have its own implementation of the employed cryptographic system, and the evaluator is responsible for adapting and extending the side-channel attacks treated in this guideline. In particular, side-channel attacks can be combined with purely cryptanalytic attacks, some of which are treated as Security Recommendations in this document.

Drafts of this paper have been discussed with the BSI and evaluation facilities. The authors thank all contributors for their valuable comments.



2 Side-Channel Analysis

A comprehensive treatment of side-channel analysis can be found in chapter 2 of [ECC-guide] and is not reproduced here. Only an overview of the different categories of side-channel attacks is given in the following list. Power consumption is used below as the 'classical' passive side channel; in most cases the attack scenario applies equally to other side channels such as electromagnetic emanation. The attacks discussed in the chapters below are categorized as follows:

2.1 Comparative SCA (CSCA)

Comparative SCA aims at the detection of similar patterns by comparing traces. Techniques as averaging and subtraction for detection of collisions are used. Another approach is 'horizontal' correlation analysis, which covers correlation analysis within a single trace.

- Distinguishing s from m (squarings from multiplications): If squaring operations and multiplications have different patterns, they are likely to be distinguishable by side-channel analysis. In this case the secret exponent can be read directly off the trace. Classical countermeasures are so-called regular algorithms like the square-and-multiply-always algorithm or the Montgomery ladder, where the pattern of squarings and multiplications is independent of the secret exponent, or the atomicity principle, which tries to make squarings and multiplications indistinguishable and thus leads to regular power curves.

- Collision between s or m patterns (squaring or multiplication patterns)

- This technique compares two segments of power consumption data (within a single execution or in two different executions) and uses the result to determine whether the values operated on were the same or different. For example, when we perform two multiplications a×b and c×d, we expect the power consumption curves to be similar when a = c and b = d, and different in all other cases.

- The multiply-always algorithm executes squarings and multiplications strictly alternately, which protects it against attacks aiming at distinguishing s from m. However, if two operations share an operand, there is still a relation between them which could be detected by 'horizontal' correlation analysis.

2.2 Local Timing

Local timing attacks analyze the timing of intermediate operations.

- Distinguishing s from m (squarings from multiplications): Standard modular multiplication algorithms could make conditional subtractions of the modulus to keep the result within a fixed upper bound. The need for a final subtraction to obtain a result less than the modulus could be different for squarings and multiplications (e.g. Montgomery modular multiplication). This can be used to differentiate between squarings and multiplications.

- [AKS06] Branch Prediction Analysis (BPA) and Simple Branch Prediction Analysis (SBPA) use the branch predictor as a side channel. If there are conditional branches in a software implementation, the branch prediction unit predicts the most likely execution path and speculatively executes it before the branch condition has been evaluated, to improve performance. If the prediction is wrong, the correct path has to be processed after the condition is evaluated. So there are optional computations, and the outcome of the branch prediction leaks through timing.
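As an added illustration of the local timing leak described above (example code written for this page, not part of the BSI guideline and not taken from any of the cited papers): a full-width Montgomery modular multiplication with the conditional final subtraction, and a small experiment that counts how often that extra reduction occurs for squarings compared with multiplications by a fixed operand. The modulus 2^64 − 59 and the fixed Montgomery-domain operand R/10 are this example's own choices; the expected frequencies N/(3R) for squarings and b/(2R) for multiplications are the classical estimates for uniformly distributed inputs.

```python
"""Montgomery modular multiplication with the conditional final subtraction
('extra reduction') and a frequency experiment for squarings vs. multiplications.
Example code written for this page, not code from the guideline."""
import random


def montgomery_setup(N):
    """Montgomery constants for an odd modulus N: R = 2^k with k = bit length of N,
    and N' = -N^-1 mod R."""
    if N % 2 == 0:
        raise ValueError("Montgomery multiplication needs an odd modulus")
    k = N.bit_length()
    R = 1 << k
    n_prime = (-pow(N, -1, R)) % R
    return R, n_prime


def mont_mul(a, b, N, R, n_prime):
    """Return (a*b*R^-1 mod N, extra) for 0 <= a, b < N. 'extra' is True when the
    intermediate result was >= N and the final subtraction of N had to be done:
    the data-dependent step whose timing Section 2.2 is about."""
    t = a * b
    m = (t * n_prime) & (R - 1)              # m = t * N' mod R
    u = (t + m * N) >> (R.bit_length() - 1)  # (t + m*N) / R, exact since t + m*N = 0 mod R
    extra = u >= N
    if extra:
        u -= N
    return u, extra


def extra_reduction_rates(N, b_mont, samples=4000, seed=1):
    """Fraction of squarings a*a and of multiplications a*b_mont that need the extra
    reduction, for uniformly random a in [0, N). For such inputs the classical
    estimates are N/(3R) for a squaring and b_mont/(2R) for a multiplication by the
    fixed Montgomery-form operand b_mont, so the two operation types are
    statistically distinguishable from the subtraction's timing alone."""
    R, n_prime = montgomery_setup(N)
    rng = random.Random(seed)
    sq = mul = 0
    for _ in range(samples):
        a = rng.randrange(N)
        sq += mont_mul(a, a, N, R, n_prime)[1]
        mul += mont_mul(a, b_mont, N, R, n_prime)[1]
    return sq / samples, mul / samples


if __name__ == "__main__":
    # Constructed parameters: a 64-bit odd modulus close to R, fixed operand R/10.
    N = 2**64 - 59
    R, _ = montgomery_setup(N)
    sq_rate, mul_rate = extra_reduction_rates(N, R // 10)
    print("extra reduction rate: squarings %.3f (expected ~%.3f), "
          "multiplications %.3f (expected ~%.3f)"
          % (sq_rate, N / (3 * R), mul_rate, (R // 10) / (2 * R)))
```

With N close to R roughly one squaring in three needs the extra reduction, whereas a multiplication by a small fixed operand almost never does; an implementation that makes the final subtraction unconditional (always subtract, then select) removes this distinguisher.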

2.3 Differential SCA

- These analyses exploit the relationship between the data being manipulated and the power consumption or radiation. Since this leakage is very small, hundreds to thousands of curves and statistical treatment are generally required to learn a single bit of the exponent. Usual countermeasures consist of randomizing the modulus, the message and/or the exponent. DPA attacks predict intermediate values which occur during the execution of a cryptographic algorithm. From these predicted values and a power model of the device under attack, a hypothetical power consumption is calculated and matched to the measured traces. The best match indicates the best prediction for the intermediate values, and therefore for the key bits on which the prediction depends.

- The address-bit DPA is a typical example of DPA which analyzes a correlation between addresses of registers and power consumption.

- The address-bit DPA is based on the dependency of addresses of registers on the private key.

- The analysis is based on the fact that if we load the same data from different addresses of registers, the power consumption will change in accordance with a difference of Hamming weights of addresses.

- The power consumption changes when different data are loaded from different addresses of registers. If the influence of data in a difference of power traces is reduced, a secret key can be revealed by watching a difference of addresses. Indeed, the influence of data is reduced by averaging the power traces and the averaged power trace only depends on a difference of Hamming weights of register addresses. This is the basic idea of an address-bit DPA. The attack will be successful if there is a close dependence between a secret key and the addresses of accessed registers.

- Instead of using the difference of means of the segments, also their correlation coefficient could reveal the information.

- In general, every operation involving secret data such as the private exponent can leak information. This also applies to loading the secret key, including its integrity check, and to masking or demasking operations on the exponent; these have to be examined as well.
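The following simulation, added for this page and not taken from the guideline or from the literature it cites, shows the DPA procedure just described against a left-to-right square-and-multiply implementation. A simulated device leaks the Hamming weight of its accumulator after each exponent bit plus Gaussian noise; the attacker predicts that intermediate value under both hypotheses for the next bit and keeps the hypothesis with the higher correlation. The toy modulus 251·241, the Hamming-weight leakage model, the noise level and the number of traces are constructed assumptions. The same routine also implements base blinding (M' = M·r^e mod N, result unblinded by r^-1), so that the blinded device still returns correct results while the attacker's predictions no longer describe the values actually processed.

```python
"""Simulated correlation DPA on the private exponent of a left-to-right
square-and-multiply implementation. Example code written for this page, not code
from the guideline. Toy key, leakage model and noise level are constructed."""
import math
import random

# Constructed toy RSA key: far too small for real use, chosen so the simulation runs instantly.
P, Q = 251, 241
N = P * Q
E = 7
D = pow(E, -1, (P - 1) * (Q - 1))      # 17143, a 15-bit private exponent
NBITS = D.bit_length()


def hw(x):
    """Hamming weight, the usual leakage model for a register value."""
    return bin(x).count("1")


def leaky_exponentiate(M, d, N, rng, sigma=1.0, blind=False):
    """Left-to-right square-and-multiply that 'leaks' HW(accumulator) + N(0, sigma^2)
    once per processed exponent bit. Returns (M^d mod N, list of leakage samples).
    blind=True applies base blinding M' = M * r^E mod N and unblinds by r^-1."""
    r = 1
    if blind:
        r = rng.randrange(2, N)
        while math.gcd(r, N) != 1:
            r = rng.randrange(2, N)
        M = M * pow(r, E, N) % N
    R = M
    leaks = []
    for bit in bin(d)[3:]:                 # exponent bits below the leading 1
        R = R * R % N
        if bit == "1":
            R = R * M % N
        leaks.append(hw(R) + rng.gauss(0.0, sigma))
    return (R * pow(r, -1, N) % N if blind else R), leaks


def pearson(xs, ys):
    """Pearson correlation coefficient; 0 if either input is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)


def collect_traces(count=300, seed=7, blind=False):
    """Attacker's measurement phase: random known inputs and the corresponding leakage."""
    rng = random.Random(seed)
    msgs, traces = [], []
    for _ in range(count):
        M = rng.randrange(2, N)
        _, leaks = leaky_exponentiate(M, D, N, rng, blind=blind)
        msgs.append(M)
        traces.append(leaks)
    return msgs, traces


def recover_exponent(msgs, traces, nbits=NBITS):
    """Bit-by-bit correlation DPA: knowing the bits recovered so far, predict the
    accumulator after this step for bit=0 (R^2) and bit=1 (R^2*M) and keep the
    hypothesis whose Hamming weights correlate better with the measurements."""
    R = list(msgs)                         # attacker's model of the accumulator per trace
    bits = [1]
    for step in range(nbits - 1):
        sq = [x * x % N for x in R]
        hyp0 = [hw(x) for x in sq]
        hyp1 = [hw(x * m % N) for x, m in zip(sq, msgs)]
        measured = [t[step] for t in traces]
        if pearson(hyp1, measured) > pearson(hyp0, measured):
            bits.append(1)
            R = [x * m % N for x, m in zip(sq, msgs)]
        else:
            bits.append(0)
            R = sq
    return int("".join(map(str, bits)), 2)


def blinded_result_is_correct(M, seed=3):
    """The countermeasure must not change the output: blinded run == M^D mod N."""
    S, _ = leaky_exponentiate(M, D, N, random.Random(seed), blind=True)
    return S == pow(M, D, N)


if __name__ == "__main__":
    msgs, traces = collect_traces()
    print("recovered d =", recover_exponent(msgs, traces), "true d =", D)
    msgs, traces = collect_traces(blind=True)
    print("with base blinding the attack returns", recover_exponent(msgs, traces))
```

Against the unprotected device the 300 traces recover all 15 bits; against the blinded device the attacker's predictions refer to M while the accumulator holds powers of M·r^e, so the correlations collapse and the returned value is unrelated to d.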

2.4 Template SCA

Template attacks are a special case of SPA attacks. The attacker has to collect only one measurement trace of the device under attack, but he has to have a device which behaves similarly concerning the side-channel leakage. This device is used to build templates for the attacked operations in the implementation. For building the templates, several traces have to be measured for each attacked operation and data value. In the template matching phase each template is matched to the single measured trace. The attacker can derive the secret key from the template which fits best.



- There are several variations of template attacks, such as template-based DPA, which speeds up a classical DPA by using template-based analysis.

2.5 Cryptanalytic Attack

Partial information about secret data provided in a first step by side-channel leakage can possibly be exploited by a following cryptanalytic attack revealing the full information.

2.6 Logical SCA

- Pure Global Timing: Pure global timing attacks are attacks, where only the execution time of the whole attacked algorithm is exploited as a side-channel.

- The timing measurement might be obtained by passively eavesdropping on an interactive protocol, since an attacker could record the messages received by the target and measure the amount of time taken to respond.

- Blinding mechanisms such as base and exponent blinding have been effective algorithmic countermeasures against side-channel attacks. Both seem to prevent pure global timing attacks, since no pure timing attack is presently known defeating either base or exponent blinding (see [SI11]).

- Remote timing attacks can be practical. In [BB03] [BT11] results are demonstrated that timing attacks against network servers are practical and therefore security systems should defend against them.

- (Logical) FA: The device under attack is assumed to be a black box interacting with the outside world according to a predefined protocol. The black box contains secret keys that are inaccessible to the outside world. For example, a CA may be viewed as a black box that issues certificates on demand. The CA's private key is stored inside the box. The adversary's goal is to interact with the black box and extract the secret keys stored in it using only the values output by the box. The assumption is that, on rare occasions, errors within the box machinery (either hardware or software) cause it to output incorrect values ([BDL01]). Environments where such an FA may apply (see [BDL01]) include:

- Certificate Authority: A certificate authority (CA) issues certificates to various entities. During certificate generation, the CA uses its private key to sign the data contained in the certificate. The CA's private key is highly guarded since anyone possessing the private key could issue fake certificates. Suppose that during certificate generation a rare computer error on the CA's machine (hardware or software) results in a certificate containing an erroneous CA signature. Such invalid certificates can completely expose the CA's private key. At the extreme, a single erroneous certificate is sufficient to recover the CA's private key. Note that typically the user is alerted whenever an invalid certificate is received, at which point the user could try to exploit this certificate to attack the CA's key.



- Trusted third parties (e.g. banks), where thousands of signatures are produced each day. If, for some reason or other, a single signature is faulty, then the security of the whole system may be compromised, see [JLQ99].

- Web Server: A web server uses a secret key to authenticate itself to a web browser and to establish a secure session with the browser. Suppose that during key exchange, a rare computer error on the web server causes it to miscalculate. The resulting value sent to the browser can completely expose the server's private key.

- Obfuscated Keys: Several software products contain an embedded secret key. The secret key is "hidden" in the software so that it is supposedly hard to extract from the executable. For example, several software audio players running on desktop computers contain a secret key used to defend against music piracy. The embedded key is used to decrypt encrypted music sent to the user. To extract the embedded key, an attacker could randomly add a single instruction to the decryption code, thus causing the decryption process to malfunction. The invalid decryptions produced might expose the secret key embedded in the player. This attack extracts the secret key without reverse engineering the software.

2.7 (Differential) FA

In the fault-based cryptanalysis model, it is assumed, that if an adversary has physical access to a tamper-proof device, he may purposely induce a certain type of fault into the device. Based on a set of incorrect outputs from a device, due to the presence of faults, an adversary may extract the secret key embedded in the tamper-proof device. One can differentiate between different kinds of faults:

- Latent Faults: Latent errors are hardware or software bugs that are difficult to catch. As an example, consider Intel's floating point division bug. A crypto library using a faulty floating point unit for multi-precision arithmetic may, on rare occasions, generate incorrect values. Similarly, latent software bugs in the multi-precision package could also lead to incorrect results.

- Transient Faults: Transient faults are random hardware glitches that cause the processor to miscalculate. These may be caused by power glitches, high temperature, static electricity, etc. A transient error that takes place during signature generation will result in an invalid signature.

- Induced Faults: If an adversary has physical access to a device, he may try to induce hardware faults purposely. For instance, one may attempt to attack a tamper-resistant device by deliberately causing it to malfunction. See the discussion by Anderson and Kuhn [1] for examples of tampering with tamper-resistant devices. Fortunately, most smart cards have built-in sensors to detect various forms of tampering. Hence, it is likely that the cost of inducing useful faults is higher than the potential gains.
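As an added example (written for this page, not taken from [BDL01] or from the guideline text) of how a single transient fault during signature generation can expose the key, the following code signs with RSA-CRT, simulates a bit flip in one CRT half, and recovers a prime factor from that single faulty signature via gcd(S'^e − M, N). The two Mersenne primes, the public exponent 65537 and the message representative are constructed values. It also shows the output check a signer should perform: re-verifying the signature with the public exponent before releasing it.

```python
"""RSA-CRT signing with a simulated transient fault in one CRT half, factoring of N
from a single faulty signature, and the output check that prevents it.
Example code written for this page, not from [BDL01] or the guideline."""
import math

# Constructed toy key: two Mersenne primes, so the reader can check the recovered factor.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)                      # Garner recombination constant q^-1 mod p


def sign_crt(M, fault_bit=None, verify=False):
    """RSA-CRT signature of the message representative M, 0 <= M < N.
    fault_bit=i flips bit i of the q-half s_q (a simulated transient fault).
    verify=True re-checks the result with the public key before releasing it and
    returns None for a faulty signature instead of handing it to the attacker."""
    s_p = pow(M, DP, P)
    s_q = pow(M, DQ, Q)
    if fault_bit is not None:
        s_q ^= 1 << fault_bit
    h = (s_p - s_q) * QINV % P
    s = s_q + h * Q
    if verify and pow(s, E, N) != M:
        return None
    return s


def factor_from_faulty_signature(M, s_faulty):
    """One faulty signature suffices: s'^e = M mod p still holds for the uncorrupted
    half but not mod q, so gcd(s'^e - M, N) is p. Returns (p, q) or None."""
    g = math.gcd((pow(s_faulty, E, N) - M) % N, N)
    return (g, N // g) if 1 < g < N else None


def factor_from_signature_pair(s_good, s_faulty):
    """Variant when a correct signature of the same M is also known: s - s' is
    0 mod p and nonzero mod q, so gcd(s - s', N) is p."""
    g = math.gcd((s_good - s_faulty) % N, N)
    return (g, N // g) if 1 < g < N else None


if __name__ == "__main__":
    M = 0x48656C6C6F2C20434120       # constructed message representative (< N)
    s_good = sign_crt(M)
    s_bad = sign_crt(M, fault_bit=3)
    print("faulty signature verifies:", pow(s_bad, E, N) == M)
    print("factors recovered from it:", factor_from_faulty_signature(M, s_bad) == (P, Q))
    print("with the output check the faulty signature is withheld:",
          sign_crt(M, fault_bit=3, verify=True) is None)
```

The verification step costs one public-exponent exponentiation per signature; for a CA or a TLS server signing with RSA-CRT this is the cheap way to make sure a single miscalculation leaves the box as a refusal rather than as a key-revealing output.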

The feasibility of a hardware fault-based cryptanalysis can be measured from the following viewpoints:



- Controllability of Fault Location: If a fault is to be induced into a register, fairly precise control of the fault location is required, since a register is often implemented as a very narrow area of silicon.

- Timing Precision of Introducing Faults: A fault can be introduced into hardware with very precise timing control (e.g. when one or a few bits are accessed), with loose timing control (e.g. during only a percentage of the period of an operation), or with minimal timing control (e.g. during the whole period of an operation).

- Fault Type Assumed: There are three different types of faults:

- Stuck at 1 or 0 fault, which prevents a bit from changing its value.

- Bit flipping fault (with or without preferred direction), which changes the value of a bit.

- Random faults (especially those without precise specification of location and time) are generally considered as practical models and are easier to induce.

- Number of Faulty Bits: Generally speaking, it is more difficult to precisely induce a single-bit fault (or a limited number of faulty bits) than to induce a general fault with an arbitrary number of faulty bits.



3 Modular Exponentiation (RSA, DSA, DH)

The calculation of S = M^d mod N, given a base M, a modulus N and an exponent d, is called modular exponentiation. Modular exponentiation with a private exponent is the main component of the cryptographic algorithms considered: RSA decryption and signature generation use modular exponentiation with a private exponent d and a composite modulus, DSA signature generation uses modular exponentiation with an ephemeral exponent and a prime modulus, and Diffie-Hellman key exchange uses modular exponentiation with a private exponent and a prime modulus.

To harmonize the notation, the standard notation for RSA signature generation is used throughout, i.e. the modular exponentiation is denoted as S = M^d mod N, with M the base, S the result of the exponentiation, d the exponent and N the modulus. If the exponent d is secret, it is also called the private exponent. Otherwise the exponent is denoted by e and called the public exponent.

The attack scenarios listed in the following sections target the private exponent, but depending on the context the input as well as the output may also be relevant for an attack, e.g. the output of an RSA decryption or of a DH key exchange. These attack scenarios are covered in the following chapters on the individual algorithms.

3.1 Algorithms for Modular Exponentiation

An algorithm for modular exponentiation takes M, d and N as input and calculates S = M^d mod N. These algorithms start with M and perform a sequence of modular squarings and modular multiplications according to the bit pattern of d. In the following, the most important algorithms for modular exponentiation are introduced.

3.1.1 Binary Exponentiation Algorithm

The binary method performs modular multiplications and modular squarings sequentially according to the bit pattern of the exponent. There are two variations of the algorithm. The left-to-right binary method starts at the exponent’s most significant bit (msb) and works downward. The right-to-left binary method, on the other hand, starts at the exponent’s least significant bit (lsb) and works upward.

First the left-to-right binary method is considered. Let d be the exponent with real bit length n, i.e. d has n bits and the msb of d is one: d = (1 d_{n-2} d_{n-3} ... d_0)_2. The algorithm uses one variable R, which is initialized as R = M. Then, starting from the second most significant bit down to the lsb, every bit of d is considered. For every bit of d the variable R is squared. If the considered bit is 1, R is afterwards multiplied by M; otherwise only the squaring is performed. The following pseudo code shows the left-to-right binary method:

def exp1(M, d, N):
    # left-to-right binary method; d > 0 with most significant bit d_{n-1} = 1
    n = d.bit_length()
    R = M
    for i in range(n - 2, -1, -1):
        R = R * R % N            # squaring for every bit
        if (d >> i) & 1:
            R = R * M % N        # multiplication only if the i-th bit is 1
    return R

In the right-to-left binary method two variables R and S are used: R is initialized as 1 and S as M. Now every bit of d is considered from the lsb up to the msb. If the considered bit is 1, R is multiplied by S and afterwards S is squared; otherwise only S is squared. This method requires extra memory for the variable S. The following pseudo code shows the right-to-left binary method:

def exp2(M, d, N):
    # right-to-left binary method; R accumulates the result, S holds M^(2^i)
    n = d.bit_length()
    R = 1
    S = M
    for i in range(n):
        if (d >> i) & 1:
            R = R * S % N        # multiply in the current power of M for a 1 bit
        S = S * S % N            # squaring for every bit
    return R

3.1.2 Regularized Binary Exponentiation Algorithm

The optional multiplication in the i-th iteration step of the binary exponentiation leaks information about the i-th bit of the exponent. An attacker who is able to distinguish squarings from multiplications by simple SCA (SSCA) can easily recover the whole key. A common countermeasure against this threat is to perform the multiplication always ('square-and-multiply-always') but to discard its result if the i-th bit is 0 (dummy multiplication). Thereby the regularized pattern of squarings and multiplications carries no information about the individual bits of the exponent.

3.1.3 m-ary Window Method

The m-ary window method with m = 2^k is an extension of the binary left-to-right exponentiation algorithm which processes one m-ary digit, i.e. k bits, of the exponent in each iteration. In a preparatory step the powers M^2, ..., M^{m-1} of the base are computed and stored. In each iteration step k squarings and one multiplication by the precomputed power selected by the k considered bits are performed.

This exponentiation method can be also regularized by inserting a dummy-multiplication for the case of a zero m-ary digit.



3.1.4 Sliding Window Method

The sliding window method is a variation of the m-ary window method which reduces the number of multiplications by skipping zeros in the binary representation of the exponent. There are two methods, the 'Constant Length Non-zero Window' (CLNW) and 'Variable Length Non-zero Window' (VLNW), see [FKM06].

3.1.5 Randomized Addition Chains

An addition chain for the exponent d is a finite sequence of natural numbers a_0, a_1, ..., a_n with a_0 = 1 and a_n = d such that for every index k with 1 ≤ k ≤ n there are indices i and j with 0 ≤ i ≤ j < k and a_k = a_i + a_j. Algorithms for modular exponentiation are based on addition chains: they start with M = M^{a_0} and then calculate all M^{a_k} mod N as M^{a_k} = M^{a_i} · M^{a_j} mod N. In the end M^{a_n} = M^d mod N is obtained.

As a countermeasure against SCA the addition chain of the exponent which the exponentiation method is based on can be randomized. A randomization technique for modular exponentiation is MIST, see [W02].

There are more techniques for randomized addition chains in the case of Elliptic Curve Cryptography (ECC), where the multiplication of a point on the elliptic curve by a scalar is based on an addition chain of the scalar. Many of these techniques are not based on addition chains but on addition-subtraction chains. For the definition of addition-subtraction chains, see [CJ01]. ECC algorithms based on addition-subtraction chains require point subtractions, which can be implemented efficiently. On the other hand, in the case of modular exponentiation an algorithm based on addition-subtraction chains would require modular divisions, which are expensive. So not all randomization techniques for ECC can be easily transferred to modular exponentiation. For instance, in [HM02] a randomized binary signed-digit recoding of the exponent is proposed as an SCA countermeasure in the context of ECC; it requires point subtraction. In [YCM04] chapter 4 further improvements of this technique are introduced. [FMP04] and [PL04] discuss possible attacks which can reveal information about the exponent. Another randomization technique for ECC based on addition-subtraction chains is Oswald-Aigner ([OA01]).

A sound analysis of the randomization is necessary. In particular the evaluator shall examine, whether there are still dependencies on the secret exponent. This could be revealed by advanced stochastic methods like hidden Markov models, see [KW03] and [GNS05].

For further literature see [C04], [KHM05], [W02a], [W03a], [W03b] and [W04].

Since these techniques are rather complex concerning their security evaluation, but rarely used in real-world implementations, they are not considered in detail here.

3.1.6 Montgomery Powering Ladder

The Montgomery powering ladder is another algorithm for modular exponentiation. Let d be the exponent with real bit-length n, i.e. d has got n bits and the msb is one. Two variables R, S are used. The variable R is initialized as 1 and the variable S is initialized as M. Then from the second most significant bit down to the lsb every bit of d is considered. If the considered bit is 1, the variable R will be multiplied with the variable S and S will be squared. Otherwise the variable S will be multiplied with the variable R and R will be squared. At the end of the algorithm $R = M^d \bmod N$ holds. The following table is pseudo code of the Montgomery powering ladder:

exp3(M, d, N)
{
    R = M
    S = M^2 mod N
    for (i = n-2 down to 0)
    {
        if (i-th bit of d is 1)
        {
            R = R*S mod N
            S = S^2 mod N
        }
        if (i-th bit of d is 0)
        {
            S = S*R mod N
            R = R^2 mod N
        }
    }
    return R
}

For further reading see [JY02] and [M87].
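The ladder as an added example (not code from the document): exp3 next to the left-to-right binary method of chapter 3.1.1, each recording its sequence of modular operations, so the regular operation pattern of the ladder can be compared with the key-dependent pattern of square-and-multiply. The toy modulus, base and exponents are constructed.

```python
# Added example (not from the BSI document): Montgomery powering ladder (exp3)
# beside the left-to-right binary method, with the s/m operation sequence
# recorded. 's' = modular squaring, 'm' = modular multiplication.

def square_and_multiply(m, d, n):
    """Left-to-right binary method: returns (m^d mod n, operation pattern).

    The pattern mirrors the bits of d, which is exactly what an attacker who
    can distinguish s from m exploits (ME_3 and ME_E_1 in this document).
    """
    ops = []
    r = 1
    for bit in bin(d)[2:]:          # msb first
        r = r * r % n
        ops.append("s")
        if bit == "1":
            r = r * m % n
            ops.append("m")
    return r, "".join(ops)


def montgomery_ladder(m, d, n):
    """exp3 from the document: R = M, S = M^2, then bits n-2 .. 0 of d.

    Every iteration performs one multiplication and one squaring, whichever
    bit is processed, so the s/m pattern carries no key information. The
    operand and destination registers still differ per bit, which is why
    address-bit DPA (ME_BM_7, ME_BM_8 in chapter 3.7) is assessed separately.
    """
    if d < 1:
        raise ValueError("exponent must have real bit length >= 1")
    ops = []
    r, s = m % n, (m * m) % n
    for bit in bin(d)[3:]:          # skip the leading 1 (bit n-1)
        if bit == "1":
            r = r * s % n
            s = s * s % n
        else:
            s = s * r % n
            r = r * r % n
        ops.append("ms")
    return r, "".join(ops)


def pattern_is_key_dependent(exp_fn, m, n, d1, d2):
    """True if two exponents of the same bit length give different patterns."""
    _, p1 = exp_fn(m, d1, n)
    _, p2 = exp_fn(m, d2, n)
    return p1 != p2


if __name__ == "__main__":
    # constructed toy parameters
    N, M, D1, D2 = 497, 4, 0b1101, 0b1000
    print(square_and_multiply(M, D1, N))   # (445, 'smsmssm')
    print(montgomery_ladder(M, D1, N))     # (445, 'msmsms')
    print(pattern_is_key_dependent(square_and_multiply, M, N, D1, D2))  # True
    print(pattern_is_key_dependent(montgomery_ladder, M, N, D1, D2))    # False
```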

3.1.7 Exponent Recoding

Some exponentiation methods, as in chapter 3.1.5, require replacing the binary representation of the given exponent by another form of representation. An alternative form of representation commonly used in the context of ECC is the non-adjacent form (NAF). Here an integer N is represented as $N = \sum_{i=0}^{n-1} n_i 2^i$, where $n_i \in \{-1, 0, 1\}$ and two non-zero values $n_i$ cannot be adjacent. The NAF representation is unique. In general, transforming an exponent from one representation to another is called “exponent recoding.”
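NAF recoding as an added example (not from the document): the recoding loop together with a check of the two defining properties, digits in {-1, 0, 1} and no two adjacent non-zero digits. The exponent used is constructed.

```python
# Added example (not from the BSI document): exponent recoding into
# non-adjacent form (NAF), least significant digit first.

def to_naf(value):
    """Return the NAF digits n_0 .. n_{n-1} of value >= 0.

    At each step an odd remainder is made divisible by 4 by choosing the
    digit +1 (value = 1 mod 4) or -1 (value = 3 mod 4); after the shift the
    next digit is therefore always 0, which keeps non-zero digits apart.
    """
    if value < 0:
        raise ValueError("recoding here is defined for non-negative integers")
    digits = []
    while value > 0:
        if value & 1:
            digit = 2 - (value & 3)     # +1 for 1 mod 4, -1 for 3 mod 4
            value -= digit
        else:
            digit = 0
        digits.append(digit)
        value >>= 1
    return digits


def from_digits(digits):
    """Evaluate sum n_i * 2^i for any signed-digit representation."""
    return sum(n_i << i for i, n_i in enumerate(digits))


def is_naf(digits):
    """Check n_i in {-1, 0, 1} and that no two non-zero digits are adjacent."""
    if any(n_i not in (-1, 0, 1) for n_i in digits):
        return False
    return all(not (digits[i] and digits[i + 1]) for i in range(len(digits) - 1))


def nonzero_count(digits):
    """Number of non-zero digits, i.e. the number of multiplications needed."""
    return sum(1 for n_i in digits if n_i)


if __name__ == "__main__":
    e = 0b1011011111                 # constructed exponent
    naf = to_naf(e)
    print(naf[::-1])                 # most significant digit first
    print(from_digits(naf) == e, is_naf(naf))
    print(bin(e).count("1"), nonzero_count(naf))
```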

3.2 Modular Multiplication Methods

The algorithms for modular exponentiation consist of several modular multiplications and squarings. So the elementary operation of modular exponentiation is modular multiplication, i.e. the calculation of a*b mod N given a, b and N. A modular multiplication can be calculated by long integer multiplication followed by modular reduction, which requires an integer division and therefore is expensive.

There are more efficient methods, such as

- the Montgomery method, which uses other representatives for the residue classes of $\mathbb{Z}_N = \mathbb{Z}/(N\mathbb{Z})$ to simplify the reduction using a Montgomery constant R, see [M85],

- the Barrett method and the Quisquater method, which interleave the multiplication and the reduction, see [H04],

- ZDN multiplication using a 3-operand adder, see [FS04].

Most published attacks targeting the modular multiplication assume that the Montgomery method (see e.g. [S00]) is used. Other implementation methods are secure against attack paths using special properties of the Montgomery method, but there are other potential vulnerabilities, see [KNS11].

Typically the modular multiplication is implemented in the hardware using a k-bit multiplier to speed up the calculation. Typical values for k are k=8, 16 or 32.

3.3 Target of the Attack

Since modular exponentiation is used in many different cryptographic algorithms, the attack may have different targets. Possible assets are the exponent d, if it is private, the base M, which is a plaintext in the case of RSA encryption, and the result of the modular exponentiation, e.g. in the case of a Diffie-Hellman key exchange. The asset the attacker tries to find out is called the target of the attack.

The word target is also used for different parts of the implementation whose properties the attacker might exploit for his attack. He can either use properties of the implementation of the exponentiation, which is a series of modular multiplications and squarings, or he can use properties of the implementation of the single modular multiplications. In the first case the modular exponentiation is the target of the attack and in the second case the modular multiplication. So there are the following five possible targets of the attack.

- Private exponent d

- Base M or randomized base M' (see chapter 3.4.1.1.)

- Result $M^d$

- Modular exponentiation with d: The attack uses properties of the implementation of the exponentiation.

- Modular multiplication: The attack only uses properties of the implementation of the modular multiplication.

3.4 Preconditions of the Attack

Side-channel attacks depend strongly on the targeted implementation. In particular, not every side-channel attack against modular exponentiation is applicable to all implementations. There are two important kinds of preconditions for an attack: the countermeasures which are employed to protect the implementation, and the abilities of the attacker, e.g. the ability to choose the base freely.

3.4.1 Countermeasures

An important countermeasure against SCA is blinding. Blinding means replacing an intermediate value v by a randomized value v*m or v+m, where m is a random value. In the case of modular exponentiation the exponent, the base and the modulus may be blinded (see chapter 3.4.1.1.). Other countermeasures are side-channel atomic algorithms (see chapter 3.4.1.2.) and randomized addressing.


3.4.1.1 Blinding

3.4.1.1.1 Exponent blinding

Exponent blinding replaces the exponent d by a randomized exponent d'. There are several methods of exponent blinding:

- Classical exponent blinding replaces d by $d' = d + r \cdot \varphi(N)$ for a random number r, such that $M^d \equiv M^{d'} \pmod N$ holds.

- Exponent splitting divides the exponent into two or more parts like $d = (d - r) + r$ and calculates the result by two modular exponentiations and one modular multiplication: $M^d \equiv M^{d-r} \cdot M^r \pmod N$.

Note that exponent blinding with a mask of bit length $\log_2(r)$ could possibly be surmounted with $2^{\log_2(r)/2}$ traces due to the birthday paradox.

3.4.1.1.2 Modulus blinding

In modulus blinding the modulus N is randomized by N'=r*N with a random number r.

3.4.1.1.3 Base blinding

Base blinding replaces the base M by a randomized base M' and the modulus N by an extended modulus N'. The computation should not take place in $(\mathbb{Z}_N)^*$, since the blinding would be removed for all the intermediate states during the execution of the algorithm.

For instance, an additive base blinding can be performed by $M' = M + r_1 \cdot N$ and $N' = r_2 \cdot N$ with random numbers $r_1$ and $r_2$, combining base blinding and modulus blinding. The bit length of the modulus is therefore increased by multiplying it by a random value so that the computation takes place in $(\mathbb{Z}_{r_2 N})^*$. The actual entropy of this blinding method is about −0.75, where is the bit length of $r_1$ and $r_2$, see the remark in ch. 4.4. in [CFG10]. Another blinding method extends the modulus by a constant factor.
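The blinding variants of this chapter as an added example (not from the document): classical exponent blinding, exponent splitting, modulus blinding and the additive base blinding above, each checked against the unblinded $M^d \bmod N$ on a constructed toy RSA key, plus a combined version with fresh random masks per call.

```python
# Added example (not from the BSI document): exponent, modulus and base
# blinding for modular exponentiation, verified on a constructed toy key.

import secrets

# Constructed toy RSA key: p = 61, q = 53, N = 3233, phi(N) = 3120, e = 17, d = 2753.
P, Q = 61, 53
N = P * Q
PHI = (P - 1) * (Q - 1)
E, D = 17, 2753


def exp_blind_classical(m, d, n, phi, r):
    """d' = d + r*phi(N): a different exponent on every call, same result,
    because M^phi(N) = 1 mod N."""
    return pow(m, d + r * phi, n)


def exp_split(m, d, n, r):
    """d = (d - r) + r: two exponentiations and one modular multiplication."""
    return pow(m, d - r, n) * pow(m, r, n) % n


def modulus_blind(m, d, n, r):
    """N' = r*N: all intermediate values live in Z_{rN}, one reduction at the end."""
    return pow(m, d, r * n) % n


def base_blind_additive(m, d, n, r1, r2):
    """M' = M + r1*N together with N' = r2*N (base and modulus blinding).

    The intermediate values must NOT be reduced mod N: (M + r1*N) mod N == M,
    which is why the document requires the computation to take place in
    Z_{r2*N} rather than in Z_N.
    """
    m_blinded = m + r1 * n
    n_blinded = r2 * n
    return pow(m_blinded, d, n_blinded) % n


def blinded_decrypt(c, d, n, phi, mask_bits=32):
    """All three blindings combined, with fresh random masks on every call.

    mask_bits is the entropy of each mask; the document treats masks below
    16 bits as possibly 'no blinding' (chapter 3.4.1.1.4).
    """
    r_exp = secrets.randbits(mask_bits)
    r1 = secrets.randbits(mask_bits)
    r2 = secrets.randbits(mask_bits) | 1       # r2 >= 1 so that N' is a valid modulus
    c_blinded = c + r1 * n
    n_blinded = r2 * n
    return pow(c_blinded, d + r_exp * phi, n_blinded) % n


if __name__ == "__main__":
    c = pow(65, E, N)                 # ciphertext of the constructed message 65
    print(pow(c, D, N))               # 65, the unblinded reference value
    print(exp_blind_classical(c, D, N, PHI, 7), exp_split(c, D, N, 123),
          modulus_blind(c, D, N, 9), base_blind_additive(c, D, N, 5, 9),
          blinded_decrypt(c, D, N, PHI))
```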

3.4.1.1.4 “No blinding”

Possible preconditions of an attack are the presence or absence of exponent blinding, base blinding or modulus blinding. Attack scenarios with the precondition, that there is no blinding can possibly be adapted to scenarios, where the blinding is partially or completely ineffective, e.g. because of a masking value with low entropy (<16 bits) or a blinding which does not hide all bits of d efficiently. A partially or completely ineffective blinding could be assessed as 'no blinding' if the partial information is sufficient for the attack.

In this context “no blinding” means either no blinding at all or an ineffective blinding as just described.

3.4.1.2 Side-channel Atomic Algorithms

So called side-channel equivalent instructions are designed to be indistinguishable through side-channel analysis. For example, a modular squaring and a modular multiplication could be made side-channel equivalent, when for the calculation of $x^2 \bmod N$ an instruction for modular multiplication with input (x, x, N) is used. But even if the same code is executed, two instructions could possibly still be distinguished by side-channels.

An algorithm is called side-channel atomic, if it consists of side-channel equivalent blocks. This is a countermeasure against side-channel analysis.

3.4.1.3 Identifiers

Of course the three types of blinding can be combined. There are attacks which have the precondition that certain kinds of blinding are not applied. Other attacks try to bypass a certain kind of blinding. We will categorize the attacks depending on which kinds of blinding the attack has as a precondition. We will distinguish eight different preconditions and therefore use the following identifiers:

ME: Modular exponentiation with no blinding

ME_B: Modular exponentiation with no exponent and modulus blinding (with basis blinding)

ME_E: Modular exponentiation with no basis and modulus blinding (with exponent blinding)

ME_M: Modular exponentiation with no exponent and basis blinding (with modulus blinding)

ME_BE: Modular exponentiation with no modulus blinding (with basis and exponent blinding)

ME_BM: Modular exponentiation with no exponent blinding (with basis and modulus blinding)

ME_ME: Modular exponentiation with no basis blinding (with exponent and modulus blinding)

ME_BME: Modular exponentiation with basis, modulus and exponent blinding

At the time of writing of this document no attacks against implementations with preconditions ME_BE and ME_ME were known to the authors.

An attack with the precondition, that a certain type of blinding is not implemented, can still be feasible, if a blinding with low entropy is used. The evaluator has to examine the blinding carefully in any case.

3.4.2 Abilities of the Attacker

Some attacks have the precondition that the attacker has certain knowledge about the TOE and can choose the inputs of the TOE. Such preconditions are the following:

3.4.2.1 Modular exponentiation algorithm is known

This is a precondition for many attacks. In some cases the attacker might be able to gain this information by side-channel analysis, especially by a differential SCA on intermediate values, see attack ME_1/ZEMD in chapter 3.5. However, there are only a few common approaches to implement modular exponentiation algorithms, so it is likely an adversary can determine this information.


3.4.2.2 Known/fixed/chosen base M

In some attack scenarios the attacker has to know M. In other attack scenarios he has to force the TOE to exponentiate the same base several times or even to choose M freely. Even if randomized paddings, such as OAEP, are employed to avoid chosen ciphertext attacks, side-channel attacks with preconditions about the base M can still be possible. This is the case if the padding is checked after the decryption process has run. Under this condition the modular exponentiation is always executed. Thus the attacker can monitor the side-channel during the execution and mount the side-channel attack.

3.4.2.3 Known/fixed/chosen exponent d

In many implementations the exponent d will be secret and a possible target of the attack. But in some attacks the attacker has to know the exponent or has even to be able to choose it. Sometimes a fixed exponent is necessary, which might have to be known to the attacker. But even if the exponent is secret, it is possible, that the attacker has to be able to make the TOE exponentiate chosen or known exponents as well. Such a situation could occur in a smartcard system that supports the ISO7816 standard “external authenticate” command. Whereas the “internal authenticate” command causes the smartcard to use its secret key, the “external authenticate” command can be used to make the smartcard use the public key associated with a particular smartcard reader. It is assumed that the exponent bits of this public key would be known to the attacker. Also some situations might allow the smartcard to accept new exponents that can be supplied by an untrusted entity. Also, the smartcard does not have unlimited memory, so it is impossible for it to keep a history of previous values it has exponentiated. Thus, the card cannot know, if it is being repeatedly asked to exponentiate a constant value.

3.4.2.4 Samples

For template attacks the attacker has to build templates of the attacked operations in the profiling phase. Thus it is a precondition, that the attacker has a device with similar side-channel behavior to the TOE, which is not protected against side-channel analysis. This is especially a threat to a TOE, where primitives which do not manipulate secret data are implemented without countermeasures. If insecure and secure primitives share the same hardware, an attacker could exploit the insecure primitives to build templates for secure primitives.

3.5 Attacks without Blinding

First we consider attacks where the algorithm used for modular exponentiation is not protected against side-channel analysis by any kind of blinding, i.e. neither the base nor the exponent nor the modulus is blinded. The evaluator shall examine if one of these attacks on the TOE is feasible. With each attack an identifier is associated of the form ME_x/ABC, where ME means that this is an attack on modular exponentiation without blinding (see chapter 3.4.1.3.), x is a consecutive number and ABC is the usual name of the attack in the literature. If there is no usual name, the identifier will just be of the form ME_x.

Given an implementation without blinding the Zero-Exponent, Multiple-Data (ZEMD) attack (ME_1/ZEMD) is possible, in which the attacker records several power traces and calculates the correlation between the power trace and an intermediate value which depends on a part of the secret exponent d. For this attack the cryptographic device has to exponentiate several bases $M_i$ known to the attacker. Also the attacker must know the modulus N.

Also there are several forms of comparative SCA applicable in this situation: In the Multiple-Exponent, Single-Data (MESD) attack (ME_2/MESD) M is exponentiated using the secret exponent d. Then the attacker guesses successively the bits of d. For each bit he exponentiates M twice according to the two possibilities and compares the observed side-channel with the observation from the exponentiation with d to determine which guess is correct. The base must be fixed for all calculations. So the attacker must be able to exponentiate a fixed M by the secret exponent d and by chosen exponents, but he does not have to know M.

In ME_5 the attacker must be able to choose the base freely. He chooses M=N-1, such that all powers of M are 1 or N-1. He tries to find out the value of R, which is 1 or N-1, after each iteration cycle of the attacked algorithm and can thereby find out the secret key. In the attack ME_6 the attacker exponentiates two different bases $M_1$ and $M_2$, which are in a certain relationship, by the secret exponent d. The attacker finds out where operations during the exponentiation of $M_1$ are located that have the same input as an operation during the exponentiation of $M_2$, which gives him information about d. Typical versions of this attack for the left-to-right binary algorithm are the doubling attack, which chooses x and $x^2$ as bases, and the Yen attack, which chooses x and N−x as bases.

ME_3 is a local timing attack: the attacker first exponentiates M with the secret exponent d and observes the timing pattern, e.g. whether the optional division of the Montgomery multiplication is performed. Then he successively guesses the bits of d, compares the corresponding timing patterns with the observed ones and excludes wrong assumptions. It is possible that the attacker makes a wrong guess, which he notices later. In this case backtracking is necessary.

ME_4 is a logical side-channel analysis. The adversary exponentiates different bases $M_i$ using d and collects the corresponding timing. He guesses the exponents $d_i$ of the intermediate values $M_i^{d_i}$ at the i-th calculation step and exponentiates the $M_i$ using the possible candidates. Subtracting the measured timing for the correct candidate decreases the timing variance, whereas it increases in the other cases.

The following table gives an overview about the above mentioned attacks and explicitly states the preconditions of each attack. In this table each row contains a description of one of the attacks discussed above. The first column contains the identifier of the attack. The second column contains the preconditions of the attack (see chapter 3.4.). For all attacks in this table it is a precondition, that neither exponent blinding nor base blinding nor modulus blinding is used to protect the exponentiation from SCA. Further preconditions for the single attacks are to be found in each row. The third column contains the category (see chapter 2) and the target (see chapter 3.3) of the attack, separated by a virgule. The fourth column contains a short description of the attack. If there are further remarks, they also can be found in the fourth column, separated by a virgule from the short description. The fifth column gives references for the attack.


Precondition for all rows of this table: no exponent, no base and no modulus blinding. Each row gives the identifier, the further preconditions, category / target, short description / remark and references of one attack.

Identifier: ME_1 / ZEMD
Precondition: Modular exponentiation of
  • several known $M_i$
  • with private d and
  • known N
Category / Target: Differential SCA / Private exponent d; Exponentiation with d
Short description / Remark: DPA on intermediate values determines the secret exponent step by step (ch. 5.4 (ZEMD) [MDS99]). CPA on intermediate values determines the secret exponent (ch. 4.1 or 4.2, [AFV07]). / If the exponentiation algorithm is not known, the intermediate values, which are powers of $M_i$ with a fixed exponent, can be guessed step by step (first considering all low exponents, then taking products of determined intermediate values). If the Montgomery multiplication is used, the constant, typically a power of 2 greater than the modulus, has to be guessed in the same way, if not known.
Reference: [MDS99], [AFV07]

Identifier: ME_2 / MESD
Precondition: Modular exponentiation of
  • a fixed but possibly unknown M
  • with private d and with chosen exponents and
  • unknown N
Category / Target: Comparative SCA; Collision between s or m patterns / Private exponent d; Exponentiation with d
Short description / Remark: Exponentiate M using d and collect the corresponding average power signal $S_M$. The adversary guesses the intermediate values $M^{d_i}$ at the i-th calculation step and asks the card to exponentiate M using $d_i$. If the guess is wrong, then the average power signal will differ from $S_M$ at this location.
Reference: [MDS99] ch. 5.3

Identifier: ME_3
Precondition: Modular exponentiation of
  • known $M_i$
  • with private d and
  • known N
  Timing of modular multiplications can be observed. Timing of modular multiplications depends on arguments. Known modular multiplication algorithm (i.e. timing pattern).
Category / Target: Local Timing; Distinguishing s from m / Private exponent d; Exponentiation with d
Short description / Remark: Attacker successively guesses the intermediate values resp. the factors of the modular multiplications, compares the corresponding timing patterns with the observed ones and excludes wrong assumptions. / Very small sample size is sufficient to recover the secret key when the local timing can be detected with high success rate. 1000 samples is clearly enough by results of ch. 4 in [WT01]. The modular multiplication algorithm considered in [WT01] is the Montgomery modular multiplication with optional final subtraction.
Reference: [WT01] ch. 3.3

Identifier: ME_4
Precondition: Modular exponentiation of
  • chosen $M_i$
  • with private d and with chosen exponents and
  • known N
  Timing of modular multiplications depends on arguments.
Category / Target: Logical SCA; Timing / Private exponent d; Exponentiation with d
Short description / Remark: Exponentiate different $M_i$ using d and collect the corresponding timing. The adversary guesses the exponents $d_i$ of the intermediate values $M_i^{d_i}$ at the i-th calculation step and exponentiates the $M_i$ using the possible candidates. Subtracting the measured timing for the correct candidate decreases the timing variance, whereas it increases in the other cases. / The number of measurements could be reduced if the attacker chose inputs known to have extreme timing characteristics at the exponent locations of interest. Measurement errors which are large relative to the total modular exponentiation time standard deviation could be compensated by a higher number of measurements. In [DKL98] 350,000 samples were needed for a bit length of 512.
Reference: [K96] ch. 5, [DKL98]

Identifier: ME_5
Precondition: Modular exponentiation (single trace) of
  • chosen M = N−1
  • with private d and
  • known N (or a multiple of the modulus, as $N = p \cdot q$ in case of the modular exponentiations for RSA CRT)
  Optimal for left-to-right binary (square-multiply-always) exponentiation method.
Category / Target: Comparative SCA; Collision between s or m patterns / Private exponent d; Exponentiation with d
Short description / Remark: Base M = N−1, where N is the modulus, has the special property that all its modular powers are either 1 or −1. By observing a single collected power trace, the attacker can try to identify the value at the end of each iteration (it can only be either 1 or N−1). / Since the square-multiply-always algorithm performs regularly such that each iteration has one modular squaring followed by a modular multiplication, it would be much easier to identify the beginning and the end of all iterations, and this benefits this attack. For other exponentiation methods only partial information leaks by this attack, e.g. the least significant bit for right-to-left binary exponentiation. This attack scenario can be generalised by considering two related inputs $M_1, M_2 = x, N−x$ as in ME_6.
Reference: [YLMH05]

Identifier: ME_6
Precondition: Modular exponentiation (at least two traces) of
  • several chosen $M_i$
  • with private d and
  • unknown N
  Known exponentiation method.
Category / Target: Comparative SCA; Detecting collisions between traces with pairs $M_1$ and $M_2$ of related input, e.g. collision between s or m patterns / Private exponent d; Exponentiation with d
Short description / Remark: $M_1, M_2 = x, x^2$ for the left-to-right binary method: If key bit $d_i$ is 0, a collision between a squaring operation at the (i+1)-th cycle in the power trace of x and a squaring operation at the i-th cycle in that of $x^2$ can be generated (“doubling attack”, [FV03]); or more generally $M_1, M_2 = x^a, x^b$ with chosen a and b reveals information about the exponent by detecting collisions ([HMA08]). By a careful choice of a and b this method can be adapted to several exponentiation methods such as right-to-left binary exponentiation, m-ary window as well as sliding window method. However, for each iteration cycle of the exponentiation different pairs a and b as well as $M_1$ and $M_2$ would be necessary in the general case. Dummy multiplications inserted as an SPA countermeasure for the left-to-right binary method could be detected by the backward estimation technique described in [HMA08]. / The attack scenario described in [FV03] is originally designed against ECC scalar multiplication.
Reference: [FV03], [YLMH05], [HMA08]

Table 1: Side-channel attacks on modular exponentiation without blinding


3.6 Attacks without Base Blinding or Modulus Blinding

One can distinguish between vertical and horizontal SCA. Vertical SCA covers classical CSCA and DSCA techniques, where at least two power traces are required. For horizontal SCA only one power trace is needed and correlations within a single trace are analyzed.

An example for a horizontal CPA is the attack ME_E_1/horizontal CPA. It can be mounted if the implementation is not protected by base blinding or modulus blinding. Here the attacker is assumed to know M. He tries to find the operations in an implementation of the square-and-multiply algorithm where a multiplication with M is executed and guesses the bits of d successively. It is assumed that the multiplication is implemented in the schoolbook method using several k-bit multipliers. Let $a_s$ be the intermediate value of the left-to-right binary algorithm after the s-th iteration cycle (see chapter 3.1.1.). If modular squarings and multiplications are not distinguished, then $s' = s + d_{n-1} + d_{n-2} + \dots + d_{n-s}$ multiplications have been performed so far. The attacker has already found out the first s bits, so he knows s'. If $d_{n-s-1} = 1$ the (s'+2)-th multiplication is $a_s^2 \cdot M$ and otherwise it is $a_s^2 \cdot a_s^2$. So a multiplication with M is performed if and only if $d_{n-s-1} = 1$. The attacker collects one power trace C, identifies the portion $C^{s'+2}$ corresponding to the (s'+2)-th multiplication and therein the segments $C^{s'+2}_{i,j}$ of the k-bit multiplications. To decide whether M is one of the factors of the multiplication, the attacker can for example compute the correlation between the series $H(M_i)$ of Hamming weights of the k-bit words of M and the series $C^{s'+2}_{i,j}$. Variations of this attack also work for other exponentiation algorithms and when dummy operations are inserted.

An overview over the attack is given in the following table, which is arranged like table 1 in chapter 3.5.


Precondition for all rows of this table: no base and no modulus blinding. The columns are arranged as in table 1.

Identifier: ME_E_1 / horizontal CPA (see footnote 1)
Precondition: Modular exponentiation (single trace) of
  • known M
  • with private d and
  • known N
  Modular multiplication realized with a k-bit multiplier. Known modular multiplication algorithm. Known exponentiation method (without dummy multiplications).
Category / Target: Comparative SCA; Distinguishing s from m; Patterns of k-bit multiplier distinguishable / Private exponent d; Modular multiplication
Short description / Remark: Assuming a simple square-and-multiply is used as exponentiation method (see footnote 1). Each exponent bit is recovered by determining whether the processing of this bit involves a multiplication by the base M or not. This can be done by computing the correlation factor on several segments extracted from a single execution curve with e.g. the Hamming weight $H(M_j)$ or the Hamming weight of intermediate results with $M_j$ of each k-bit multiplication. The segments each correspond to a single call of the k-bit multiplier. / CPA variation of [W01], see ME_BME_2 / Big Mac Attack for a similar attack scenario. Usual exponent blinding is not sufficient as countermeasure. The efficiency of the attack increases with the exponent length and decreases with the multiplier size. This attack can be adapted to other exponentiation methods, since only the different possible intermediate values at each step of the exponentiation have to be known. See ME_BME_5 for adaptation to base / modulus blinding with low entropy.
Reference: [CFG10]

Table 2: Side-channel attacks on modular exponentiation without base or modulus blinding

Footnote 1: In [CFG10] it is assumed that square and multiply are indistinguishable operations.


3.7 Attacks without Exponent Blinding

In this section implementations are treated, which may be protected by modulus blinding and by base blinding, but do not employ exponent blinding. We will give an overview about the attacks and use identifiers of the form ME_BM_x/abc.

In the single-exponent, multiple-data (SEMD) attack (ME_BM_1/SEMD) the attacker makes the TOE exponentiate several random bases $M_1, M_2, \dots, M_L$ by the secret exponent d and by a known exponent e. He collects side-channel observations $S_1, S_2, \dots, S_L, P_1, P_2, \dots, P_L$, where $S_i(j)$ is the side-channel observation of the computation of $M_i^d$ at the point in time j and $P_i(j)$ is the side-channel observation of the computation of $M_i^e$ at the point in time j.

The attacker calculates $D(j) = \sum_{i=1}^{L} S_i(j) - \sum_{i=1}^{L} P_i(j)$.

If the k-th bit of e and d is the same, then at the point in time where this bit is processed, D(j) will be close to zero. But if the k-th bit of e is different from the k-th bit of d, then D(j) will be different from zero. So the attacker concludes where d and e differ and determines d from the knowledge of e. This approach can also be used for an address-bit DPA (ME_BM_7/ADPA with SEMD). Here a peak in D(j) can be observed if different addresses are used in the exponentiation with d and the exponentiation with e. This can depend on the exponent; for example it is plausible that other addresses are used for the results of dummy operations.

Another form of address-bit DPA is the zero-exponent, multiple-data attack (ME_BM_8 /ADPA with ZEMD). Several random bases have to be exponentiated by d. Then the average power trace is calculated. This average power trace is decomposed into segments S[i], where S[i] corresponds to the processing of the i-th bit di of d. The two bits di and dj of d are compared by computing D[i,j]=S[i]-S[j]. If di and dj are the same, D[i,j] will be close to zero. Otherwise there will be a peak in D[i,j].

In some algorithms for modular multiplication an optional modular reduction step is required. For instance, the Montgomery multiplication provides a result A which fulfills the modular equivalence $A \equiv xy \pmod N$ but ranges in twice the modulus range, i.e. only $0 \le A \le 2N$ is fulfilled. This means if $A \ge N$, N has to be subtracted from A to get the correct result $xy \bmod N$. The attacker might be able to find out from the execution time of the modular exponentiation whether such a subtraction is performed. The attack ME_BM_2 uses the fact that the probability for an optional subtraction in a modular squaring is N/3R, while in the case of a modular multiplication the probability is N/4R, where R is the Montgomery constant. Thus several power traces can be recorded and modular squarings and multiplications can be distinguished from the frequency of optional subtractions.
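The statistic stated above reproduced as an added example (not from the document): a Montgomery multiplication with the optional final subtraction on a constructed 64-bit modulus (N/3R and N/4R read as N/(3R) and N/(4R)), run on random operands so that an evaluator can confirm that the subtraction frequency differs between squarings and multiplications.

```python
# Added example (not from the BSI document): Montgomery multiplication with the
# conditional final subtraction, and the frequency of that subtraction for
# squarings versus multiplications of independent random operands.

import random

N = (1 << 64) - 59        # constructed odd modulus (a 64-bit prime)
R_BITS = 64
R = 1 << R_BITS           # Montgomery constant R > N, a power of 2
N_PRIME = (-pow(N, -1, R)) % R   # N * N_PRIME = -1 mod R


def mont_mul(a, b, n=N, n_prime=N_PRIME, r_bits=R_BITS):
    """Return (a*b*R^-1 mod n, subtracted).

    The intermediate u lies in [0, 2n); the conditional subtraction that
    brings it below n is the step whose presence the attack tries to observe.
    """
    r_mask = (1 << r_bits) - 1
    t = a * b
    m = (t * n_prime) & r_mask          # m = t * (-n^-1) mod R
    u = (t + m * n) >> r_bits           # t + m*n is divisible by R
    if u >= n:
        return u - n, True
    return u, False


def to_mont(x, n=N, r=R):
    return x * r % n


def from_mont(x, n=N, r=R):
    return x * pow(r, -1, n) % n


def subtraction_frequencies(trials, seed=1):
    """Fraction of squarings and of multiplications that needed the extra
    subtraction, for uniformly random operands in [0, N)."""
    rng = random.Random(seed)
    sq = mul = 0
    for _ in range(trials):
        a = rng.randrange(N)
        b = rng.randrange(N)
        sq += mont_mul(a, a)[1]
        mul += mont_mul(a, b)[1]
    return sq / trials, mul / trials


if __name__ == "__main__":
    expected_sq, expected_mul = N / (3 * R), N / (4 * R)
    f_sq, f_mul = subtraction_frequencies(20000)
    print(f"squaring:       {f_sq:.3f} (expected about {expected_sq:.3f})")
    print(f"multiplication: {f_mul:.3f} (expected about {expected_mul:.3f})")
```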

The horizontal cross-correlation attack (ME_BM_3/(horizontal) cross-correlation) replaces each squaring and each multiplication by a single sample, e.g. by adding all measurement values. Then several power traces are recorded and the correlation between two adjacent columns is calculated. A dummy multiplication shares one operand with the squaring performed after it, so high correlations reveal dummy multiplications.

There are several fault attacks on implementations without exponent blinding to be considered. In ME_BM_4 the attacker tries to flip one bit of the secret exponent and obtains a faulty result $\tilde{S} = M^{\tilde{d}}$ instead of the correct result $S = M^d$. He can find the correct value of the flipped bit $d_j$ from the formulas:


$$\frac{\tilde{S}}{S} \equiv M^{\tilde{d}-d} \equiv \begin{cases} M^{2^j} \bmod N & \text{if } d_j = 0 \\[2pt] 1/M^{2^j} \bmod N & \text{if } d_j = 1 \end{cases}$$

and

$$\frac{\tilde{S}^e}{M} \equiv \begin{cases} M^{e\cdot 2^j} \bmod N & \text{if } d_j = 0 \\[2pt] 1/M^{e\cdot 2^j} \bmod N & \text{if } d_j = 1 \end{cases}$$
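As an added example (not from AIS 46 or from [JQB97]), the Python code below checks both formulas on a constructed toy RSA key: a fault model that flips one exponent bit, the two bit-recovery formulas, and the defensive pattern of verifying S^e ≡ M (mod N) before releasing a signature, so that a faulted computation never leaves the device. The primes, public exponent and message are constructed for the demonstration.

```python
# Constructed toy RSA key (small primes so the numbers stay readable); not a real key.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)                     # e*d = 1 (mod phi(N))


def sign(M):
    """Correct RSA signature S = M^d mod N."""
    return pow(M, D, N)


def faulty_sign(M, j):
    """Fault model of ME_BM_4: bit j of the private exponent is flipped before
    the exponentiation, giving S~ = M^(d xor 2^j) mod N."""
    return pow(M, D ^ (1 << j), N)


def bit_from_pair(S, S_faulty, M, j):
    """Formula 6 of [JQB97]: S~/S = M^(d~ - d) equals M^(2^j) if d_j = 0
    and 1/M^(2^j) if d_j = 1 (everything mod N)."""
    quotient = S_faulty * pow(S, -1, N) % N
    t = pow(M, 1 << j, N)
    if quotient == t:
        return 0
    if quotient == pow(t, -1, N):
        return 1
    raise ValueError("quotient matches neither case: not a single flip of bit j")


def bit_from_faulty_signature(S_faulty, M, j):
    """Formula 7 of [JQB97]: S~^e / M equals M^(e*2^j) if d_j = 0 and
    1/M^(e*2^j) if d_j = 1, so one faulty signature plus the message suffices."""
    quotient = pow(S_faulty, E, N) * pow(M, -1, N) % N
    t = pow(M, E << j, N)               # M^(e * 2^j) mod N
    if quotient == t:
        return 0
    if quotient == pow(t, -1, N):
        return 1
    raise ValueError("quotient matches neither case: not a single flip of bit j")


def recover_exponent(M):
    """Apply formula 7 once per exponent bit (one faulty signature each) on the toy key."""
    d = 0
    for j in range(D.bit_length()):
        d |= bit_from_faulty_signature(faulty_sign(M, j), M, j) << j
    return d


def sign_checked(M, flipped_bit=None):
    """Defensive pattern: verify S^e = M (mod N) before releasing the signature.
    A faulted computation then yields None instead of an exploitable S~."""
    S = sign(M) if flipped_bit is None else faulty_sign(M, flipped_bit)
    return S if pow(S, E, N) == M % N else None


if __name__ == "__main__":
    M = 123456789                       # constructed message, coprime to N
    print("bit 5 of d:", (D >> 5) & 1, "recovered:",
          bit_from_faulty_signature(faulty_sign(M, 5), M, 5))
    print("all bits recovered:", recover_exponent(M) == D)
    print("checked signing under a fault returns:", sign_checked(M, 7))
```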

The computational safe-error attack (ME_BM_5/C SEA) is used to detect dummy multiplications. The attacker tries to introduce faults into a modular multiplication so that its result is wrong. If the multiplication is a dummy multiplication, the wrong result is discarded and the result of the modular exponentiation is correct, while inducing faults in a necessary operation yields an incorrect result of the modular exponentiation.

The memory safe-error attack (ME_BM_6/M SEA) is used to distinguish modular multiplications and squarings. Suppose the values a and b in two registers A and B are multiplied and a·b mod N is stored in A. For the multiplication a k-bit multiplier is used. Let a = (a_{n−1}, a_{n−2}, …, a_0)_{2^k} be the representation of a in base 2^k. To calculate a·b mod N the cryptographic device might calculate a_{n−1}·b, a_{n−2}·b, …, a_0·b in this order. Now the attacker introduces a fault into a_{n−1} after a_{n−1}·b has already been calculated. Then a_{n−1} is not needed any more for the calculation of a·b mod N, and a is replaced by the correct result of a·b mod N. Thus the fault is only temporary and does not change the result of the modular exponentiation. Now suppose a·a mod N is calculated and the TOE calculates a_{n−1}·a, a_{n−2}·a, …, a_0·a in this order. Introducing a fault after the calculation of a_{n−1}·a changes a and thus affects the calculations of a_{n−2}·a, a_{n−3}·a, …, a_0·a as well. So a·a mod N is computed incorrectly and the error changes the result of the modular exponentiation. This enables the attacker to distinguish between squarings and multiplications.


Columns: Identifier; Precondition (no exponent blinding); Category / Target; Short description / Remark; Reference.

ME_BM_1 / SEMD
Precondition: Modular exponentiation of
  • random Mi
  • with private d and with another known exponent and
  • unknown N
  Binary exponentiation algorithm (without dummy multiplications)
Category / Target: Comparative SCA: distinguishing s from m / Private exponent d; exponentiation with d
Short description: Use d and the known exponent to exponentiate random values, calculate their average signals and subtract. The result can be used to determine the exact location of the squares and multiplies in the private exponent and to identify identical sub-steps.
Remark: Base blinding may not be sufficient as a countermeasure.
Reference: [MDS99] ch. 5.2

ME_BM_2
Precondition: Modular exponentiation of
  • different unknown Mi
  • with private d and
  • unknown N
  Montgomery multiplication with conditional modular reduction
  Timing or other variations enable all or almost all occurrences of the conditional subtraction to be observed
  Known exponentiation method
Category / Target: Local timing; distinguishing s from m / Private exponent d; exponentiation with d
Short description: If the presence or absence of an extra modular subtraction can be detected for each individual multiplication, the frequency of subtraction for each multiplication or squaring can be computed and used to differentiate between squaring and multiplication. The probability that an extra reduction takes place can be approximated by N/3R for squarings and N/4R for ordinary multiplications, where R is the Montgomery constant. Furthermore, the technique is generalized to m-ary exponentiation methods.
Reference: [WT01], [S02]

ME_BM_3 / (horizontal) cross-correlation
Precondition: Modular exponentiation of
  • unknown Mi
  • with private d
  • unknown N
  Multiply-always binary exponentiation algorithm
  Modular operations (s and m) are distinguishable
Category / Target: Comparative SCA: collision between s or m patterns / Private exponent d; exponentiation with d
Short description: Acquire several thousand traces of an RSA 2048-bit signing with a private key. Then use a compression mechanism where each pair of square-multiply operations is represented by a single sample. The resulting trace set yields 2048 samples per trace. Compute the correlation between adjacent columns in the compressed trace set, and plot the correlation between samples and their direct neighbours. By 'horizontal' correlation analysis the dummy multiplications are identified, revealing the secret exponent.
Remark: The basic hypothesis is that modular operations with a factor in common have a significantly higher correlation. Address-bit leakage as considered in ME_BM_7 / ADPA with SEMD could also generate a higher correlation. This could also be exploited for other exponentiation techniques as well as for ECC scalar multiplication.
Reference: [MWW11]

ME_BM_4
Precondition: Modular exponentiation of
  • known M, but not during operation
  • with private d
  • known N
  Binary exponentiation
  Single bits of the private exponent can be modified by fault injection
  Pairs of correct and faulty results are available, or alternatively one faulty RSA signature and the signed message
Category / Target: Differential FA / Private exponent d; exponentiation with d
Short description: By taking the quotient of the correct and the faulty result, the value of the respective bit of the secret exponent can be retrieved by formula 6 in [JQB97], ch. 3.1:
$$\frac{\tilde{S}}{S} \equiv M^{\tilde{d}-d} \equiv \begin{cases} M^{2^j} \bmod N & \text{if } d_j = 0 \\[2pt] 1/M^{2^j} \bmod N & \text{if } d_j = 1 \end{cases}$$
Remark: For RSA only one faulty signature is required to recover a flipped bit, by formula 7 in [JQB97], ch. 3.1:
$$\frac{\tilde{S}^e}{M} \equiv \begin{cases} M^{e\cdot 2^j} \bmod N & \text{if } d_j = 0 \\[2pt] 1/M^{e\cdot 2^j} \bmod N & \text{if } d_j = 1 \end{cases}$$
Reference: [JQB97]

ME_BM_5 / C SEA (footnote 2)
Precondition: Modular exponentiation of
  • unknown Mi
  • with private d
  • unknown N
  Modular exponentiation uses dummy multiplications, i.e. multiply-always binary exponentiation
  Faulty results of the exponentiation are detectable
Category / Target: Differential FA; distinguishing s from m / Private exponent d; exponentiation with d
Short description: Dummy multiplications are detected by introducing faults. Since the results of the dummy multiplications are discarded, faults on these multiplications do not influence the correctness of the overall result. By this the bits of the secret exponent are revealed.
Remark: Fault checking by checking the correctness of the result is no effective countermeasure.
Reference: [YKL01]

ME_BM_6 / M SEA (footnote 3)
Precondition: Modular exponentiation of
  • unknown Mi
  • with private d
  • unknown N
  Modular operations are done by iteration of the interleaved modular multiplication procedure, which uses a common register for squarings and multiplications.
  Modifying arbitrary bits of the common register during a squaring will damage the correctness, but not during a multiplication.
  Faulty results of the exponentiation are detectable
Category / Target: Differential FA; distinguishing s from m / Private exponent d; exponentiation with d
Short description: Private key bits leak through the information whether or not the hardware device produces a faulty output. A modular multiplication of two registers A and B is performed and the result is stored in A. Depending on the implementation of the multiplication, for instance an injected fault on the most significant words of A at the end of the computation does not modify the result, and the fault is corrected by overwriting A. In contrast, a squaring of A whose result is stored in A is modified to an incorrect result by the same type of fault injection.
Remark: Fault checking by checking the correctness of the result is no effective countermeasure.
Reference: [YJ00]

ME_BM_7 / ADPA with SEMD
Precondition: No randomized addressing
  Modular exponentiation of
  • random unknown Mi
  • with private d and with chosen exponent and
  • unknown N
  Exponentiation algorithm is known
Category / Target: Differential SCA; comparative SCA; distinguishing s from m / Private exponent d; exponentiation with d
Short description: Use d and the known exponent to exponentiate random values, calculate their average signals and subtract. The private key could be revealed by observing a difference in the signal caused by different addresses of registers, if these addresses depend on the private key.
Remark: The influence of the data is erased by averaging the power traces, and the averaged power trace only depends on a difference of register addresses.
Reference: [IIT02], [IIT03]

ME_BM_8 / ADPA with ZEMD
Precondition: No randomized addressing
  Modular exponentiation of
  • random unknown Mi
  • with private d
  • unknown N
  Exponentiation algorithm is known
Category / Target: Differential SCA; comparative SCA; distinguishing s from m / Private exponent d; exponentiation with d
Short description: Power traces on various random unknown bases M with unknown private key d are measured and the average trace S is obtained. Then the average trace is decomposed into segments Sd[i] for each bit di, and differences of the Sd[i] are computed. A difference of the Sd[i] determines the values of di, if the addresses of registers depend on the private key.
Remark: The influence of the data is reduced by averaging the power traces, and the averaged power trace only depends on a difference of Hamming weights of register addresses. Instead of using the difference of means of the segments, their correlation coefficient could also reveal the information, as in ME_BM_3 / (horizontal) cross-correlation analysis.
Reference: [IIT02], [IIT03]

Footnote 2: Computational safe-error attack or just C safe-error attack
Footnote 3: Memory safe-error attack or just M safe-error attack

Table 3: Side-channel attacks on modular exponentiation without exponent blinding


3.8 Attacks with Blinding

In this section attacks against implementations protected by base blinding, exponent blinding and modulus blinding are treated. We will use the identifier ME_BME_x for these attacks. In this scenario a vertical DPA is not possible, because at every execution of the algorithm different intermediate values are used. Thus attacks against these implementations work with a single power trace (ME_BME_1 – ME_BME_6) or attack the blinding itself (ME_BME_7 and ME_BME_8).

In the attack ME_BME_1 the attacker tries to distinguish modular squarings and multiplications from a single trace by a cross-correlation attack. He needs a power trace S_m[j] of a multiplication. Given a power trace S_e[j] of the whole exponentiation, the attacker computes the cross-correlation trace

$$S_c[j] = \sum_{t=0}^{W} S_m[t]\cdot S_e[j+t].$$

For every modular operation (modular multiplication or modular squaring) with power signal S_e[j], S_e[j+1], …, S_e[j+W] the attacker decides for a multiplication if max(S_c[j], S_c[j+1], …, S_c[j+W]) is above a certain threshold, and for a squaring otherwise.

The so-called Big Mac Attack (ME_BME_2 / Big Mac Attack) tries to find out whether two modular multiplications share one operand. The multiplications consist of several calls of the k-bit multiplier. For a multiplication of a and b all k-bit words of a have to be multiplied with all k-bit words of b. The attacker can average over all k-bit multiplications in which a certain k-bit word of one argument is used. The average traces can be compared to the average traces of another multiplication, e.g. by Euclidean distance.

The average Hamming weight of the result of a modular multiplication with different operands is different from the average result of a modular squaring. The attack M_BME_3 uses this fact to create templates to distinguish between operations of both kinds.

Some optimized methods of modular exponentiation require transforming the private exponent from its binary representation into another representation, e.g. NAF. This step is called exponent recoding. It also has side-channel leakage, which is exploited in ME_BME_4. In exponent recoding a case disambiguation is used, and each exponent has a unique sequence of conditional branches. The attacker finds out the operations performed for exponent recoding. He uses this information to find out the sequence of conditional branches and the private exponent.

The attack ME_BME_5 has already been described in section 3.6, labelled with the identifier ME_E_1 / horizontal CPA 1. It is mentioned in this section again because blinding with low entropy might not be sufficient as a countermeasure. If the known base M is replaced by a mask M·r, a horizontal CPA on the computation of (M·r)^2 can reveal r. After that the attack can be mounted as described in section 3.6. A 32-bit randomization is considered sufficient as a countermeasure today.

ME_BME_6 is an attack on implementations of modular exponentiation protected by multiplicative base blinding. The base M is replaced by r·M for a random number r. The integer multiplication r·M is realized with several k-bit multiplications r_j·M_j, and a template attack is mounted on it. By template analysis the attacker can find out the Hamming weights of the input values r_j and of the partial results r_j·M_j. In a sieving phase this eliminates impossible candidates for r_j.

ME_BME_7 is an attack on additive exponent blinding. Before the modular exponentiation, the private exponent d is replaced by the blinded exponent d' = d + r_j·φ(N) for a random number r_j. The addition is implemented with several k-bit adders, which might produce carries. The number of set carry flags might leak in the power consumption. In this case the attacker can calculate the average number of set carry flags over several traces. Since r_j·φ(N) is random, the average will only depend on d. Therefore the attacker can gain information about d, especially about the most significant bit of each k-bit word of d.
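Added simulation (not from AIS 46 or from [FRVD08]) of the carry leak: an 8-bit word-by-word addition of a constructed exponent d and a uniformly distributed mask of the same length (the assumption stated in Table 4), where only the carry-out of each word is 'observed'. The carry-out probability of word w is (d_w + carry_in)/256, so an observed rate above 1/2 reveals the most significant bit of d_w.

```python
import random

WORD = 8                      # adder width in bits
RADIX = 1 << WORD

# Constructed 64-bit toy exponent (8 words); not a real key.
D_TOY = 0xE3128F409C5A3E71


def blinded_add(d, mask, n_words):
    """Compute d + mask with an n_words-word ripple adder of WORD-bit words.

    Returns (sum, carries); carries[w] is the carry-out of word w (index 0 is the
    least significant word). The carry list models the leaking carry flag.
    """
    carries = []
    carry = 0
    total = 0
    for w in range(n_words):
        dw = (d >> (WORD * w)) & (RADIX - 1)
        mw = (mask >> (WORD * w)) & (RADIX - 1)
        s = dw + mw + carry
        carry = s >> WORD
        carries.append(carry)
        total |= (s & (RADIX - 1)) << (WORD * w)
    total |= carry << (WORD * n_words)
    return total, carries


def carry_rates(d, n_words, samples=4000, seed=3):
    """Average carry-out per word over many blindings with uniformly random masks.
    The data dependence on the mask averages out; what remains depends on d only."""
    rng = random.Random(seed)
    counts = [0] * n_words
    for _ in range(samples):
        mask = rng.getrandbits(WORD * n_words)
        _, carries = blinded_add(d, mask, n_words)
        for w, c in enumerate(carries):
            counts[w] += c
    return [c / samples for c in counts]


def msb_guess(rates):
    """Word w's carry-out probability is (d_w + carry_in)/256: a rate above 1/2
    means the most significant bit of d_w is set."""
    return [1 if r > 0.5 else 0 for r in rates]


def true_msbs(d, n_words):
    """Reference: the actual most significant bit of each WORD-bit word of d."""
    return [(d >> (WORD * w + WORD - 1)) & 1 for w in range(n_words)]


if __name__ == "__main__":
    rates = carry_rates(D_TOY, 8)
    print("carry rate per word:", [round(r, 3) for r in rates])
    print("guessed MSBs:", msb_guess(rates))
    print("true MSBs:   ", true_msbs(D_TOY, 8))
```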

The Schindler-Itoh attack (ME_BME_8) targets an implementation protected by dummy multiplications and additive exponent blinding. The attacker might be able to distinguish between necessary multiplications and dummy multiplications with a certain error rate: he guesses the bits of d, and some bits might be guessed wrong. The attacker does not know the positions of the wrong guesses, and the number of wrong guesses is too high to correct the guessing errors by brute force. In this case the attacker might apply the Schindler-Itoh attack. In a first step the attacker guesses the blinded exponents v_j = d + r_j·φ(N) with a certain error rate. The erroneous exponents are denoted by ṽ_j. In the second step he finds several u-tuples of indices i_1, i_2, …, i_u, j_1, j_2, …, j_u such that there is a collision of sums of masks, i.e. r_{i_1} + r_{i_2} + … + r_{i_u} = r_{j_1} + r_{j_2} + … + r_{j_u}. A typical value for u is 2, 3 or 4. The attacker can detect the collision by a low Hamming weight of the NAF representation of ṽ_{i_1} + ṽ_{i_2} + … + ṽ_{i_u} − ṽ_{j_1} − ṽ_{j_2} − … − ṽ_{j_u}. The collisions yield a system of linear equations in the masks. The attacker can solve this system and gets r_j + c for each mask r_j and a fixed constant c. In the third step the attacker computes v_i − v_j = (r_i − r_j)·φ(N) + δ for a small δ and solves for φ(N).


Columns: Identifier; Precondition; Category / Target; Short description / Remark; Reference.

ME_BME_1
Precondition: Modular exponentiation (single trace) of
  • unknown Mi
  • with private d and
  • unknown N
  Binary exponentiation (without dummy multiplications)
Category / Target: Local timing; simple SCA; distinguishing s from m / Private exponent d; exponentiation with d
Short description: Cross-correlation of the power trace with the pattern of a single multiplication is used to distinguish squaring and multiplication by a different correlation coefficient or by timing (difference between local maxima of the correlation trace).
Remark: The (horizontal) cross-correlation signal could yield the timing of all intermediate operations.
Reference: [MDS99] ch. 5.1 (cross correlation)

ME_BME_2 / Big Mac Attack
Precondition: Modular exponentiation (single trace) of
  • unknown M
  • with private d and
  • unknown N
  Modular multiplication realized with a k-bit multiplier
  Exponentiation algorithm is known
Category / Target: Comparative SCA; distinguishing s from m; patterns of the k-bit multiplier distinguishable / Private exponent d; modular multiplication
Short description: It is tested whether two full modular multiplications realized with a k-bit multiplier (in one modular exponentiation) have one factor in common. This can be achieved by averaging (all segments of each full modular multiplication where a considered k-bit factor is used) and comparing (e.g. by Euclidean distance) the power traces of the cycles of the k-bit multiplier during the long integer multiplications.
Remark: Exponent blinding and base blinding are not sufficient as countermeasures, since the analysis could be performed on a single trace. It could be adapted to other exponentiation methods where modular multiplications with one factor in common are used: binary (left-to-right), m-ary and sliding-window methods of exponentiation. The efficiency of the attack increases with the exponent length and decreases with the multiplier size. The attack is only verified by simulation in the paper [W01]; see [SW05] and [CFG10] for experimental results.
Reference: [W01]

ME_BME_3
Precondition: Modular exponentiation of
  • unknown but random and uniformly distributed Mi
  • with private d and with known exponent and
  • unknown N
  The same function (k-bit partial multiplier) is used for multiplication and squaring
  Side-channel atomic square-and-multiply algorithm
Category / Target: Template SCA; distinguishing s from m; patterns of the k-bit multiplier distinguishable / Private exponent d; exponentiation with d
Short description: A template analysis is used to distinguish squarings from ordinary multiplications rather than directly recovering an intermediate value. The templates are generated by characterizing the difference in expected Hamming weight of the result of the k-bit partial multiplier during a multiplication and during a squaring operation, given random, uniformly distributed bases.
Remark: The attacker does not need a device where all the bases and private keys can be changed to arbitrary values. The attacker can use an identical device with a known key, or a verification function that uses the same operations, under the assumption that the templates are transferable. [HTM11] treats the case k=32.
Reference: [HTM11]

ME_BME_4
Precondition: No exponent blinding during exponent recoding
  Exponentiation of
  • unknown Mi
  • with private d and
  Exponentiation method requires preliminary exponent recoding with conditional branches during the computation
  Exponent recoding method is known
  Conditional branches of the exponent recoding can be distinguished by simple SCA
Category / Target: Differential SCA / Private exponent d; exponent recoding of d
Short description: The exponent recoding of a given private exponent has a unique sequence of conditional branches, while the converse is not true. [SS04] shows how to get the private exponent from the determined sequence of conditional branches under certain conditions.
Remark: The exponent representations considered in [SS04] are width-w NAF and signed/unsigned fractional window representations, targeting mainly ECC implementations.
Reference: [SS04]

ME_BME_5
Precondition: Modular exponentiation (single trace) of
  • known M
  • with private d and
  • known N
  • base and modulus blinding with low entropy (e.g. < 32 bit)
  Modular multiplication realized with a k-bit multiplier
  Known exponentiation method
Category / Target: Differential SCA / Randomized base M'; exponentiation with d
Short description: A value of the size of the modulus is represented by k-bit words. Let l be the number of k-bit words. The t-th modular multiplication of the exponentiation is assumed to be a multiplication of factors a and b. The trace is divided into l^2 segments C^t_{i,j} which correspond to the partial k-bit multiplication of the k-bit words a_i and b_j. The horizontal CPA computes the correlation between C^t_{i,j} and the Hamming weight of a_i·b_j (or only of a_i resp. b_j), which involves l^2 (or l) values for the correlation testing the hypothesis about a and b. Thereby the exponent is determined bit by bit.
Remark: Exponent blinding is not sufficient as a countermeasure, since the analysis is performed on a single trace. Base and modulus blinding with low entropy is not sufficient, since the value of the random mask could be determined by the horizontal CPA by extending the tested hypotheses with those about the random masks, see ch. 4.4 of [CFG10] (see the remark about the actual entropy of the randomization). A random mask with 32 bits of entropy is considered in [CFG10] as secure against this analysis method. [CFG10] treats the case k=16 and l=32 (i.e. the modulus N has bit length 512).
Reference: [CFG10]

ME_BME_6
Precondition: Modular exponentiation (single trace) of
  • known M
  • multiplicative base blinding
  Modular multiplication realized with a k-bit multiplier with k ≤ 16
Category / Target: Template SCA; patterns of the k-bit multiplier distinguishable / Masking value r for multiplicative base blinding
Short description: The considered modular exponentiation uses a Montgomery ladder together with multiplicative base blinding (see [FV06]), calculating r·M as a first step. This multiplication is targeted by a template analysis on the partial k-bit multiplications r_i·M_j, providing the Hamming weights of the input operands r_i and of the results of the partial products. This information is used to recover the exact values of the processed words in a so-called sieving phase. The sieving phase filters out impossible candidates for the unknown operand. Hamming weights are allowed to have a certain tolerance.
Remark: The largest word size [HM07] successfully attacked in their experiments was 16. An attack on a partial multiplier with k=32 is considered infeasible in [MH10]. The attack also allows recovering the used random blinding value after observing the blinding operation, and hence unmasking the whole computation.
Reference: [HM07], [MH10]

ME_BME_7
Precondition: Additive exponent blinding of the form d' = d + r·φ(N)
  The addition is detectable in the side-channel trace and the value of the carry flag of the adder leaks
Category / Target: Template SCA on the carry flag of the adder / Private exponent d; exponent blinding
Short description: The blinded exponent is computed by an addition of the fixed secret exponent and a masking value, which is uniformly distributed. The addition is performed for instance by an 8-bit adder, where the value of the carry flag leaks. The frequency of setting the carry flag correlates with the value of the most significant bit of each of the 8-bit words of the exponent.
Reference: [FRVD08]

ME_BME_8 / Schindler-Itoh (enhanced)
Precondition: Modular exponentiation of
  • random unknown Mi
  • with private d with (classical) exponent blinding
  • unknown N
  Exponentiation algorithm is S & aM (footnote 4)
  Additive exponent blinding of the form d' = d + r·φ(N)
  Exponent randomization with less than 64 random bits, i.e. bit length of r < 64
  Blinded exponent bits can be guessed by SPA with an error rate ε_b ≤ 13%
Category / Target: Simple SCA / Private exponent d; exponentiation with d, or the value φ(N) used for exponent blinding
Short description: Let the blinded exponents be denoted by v_j := d + r_j·y.
  Step 1: Guess the blinded exponent bits of v_j on the basis of the corresponding power traces; the guess is denoted by ṽ_j. Some of the guessed bits may be wrong and the attacker does not know the positions of the wrong guesses.
  Step 2: Estimate r_j (modulo a constant) for each v_j by solving a system of linear equations (see ch. 3.3 and 3.4 of [SI11]). The system of linear equations is generated by searches for collisions of sums of (typically 2, 3 or 4) random masks. These are detected by a low Hamming weight of the NAF of the difference of the partial sums of the corresponding guesses.
  Step 3: Compute v_j − v_i = (r_j − r_i)·y + "small delta" for several (i, j) and solve for y.
  Step 4: In the case of RSA and y = φ(N), knowledge of y is enough to break the cryptosystem. Otherwise, get d with knowledge of y.
Remark: Only a small number of power traces is needed to find the private key, and the attack cannot effectively be prevented by limiting the number of operations with the target key. Instead, large blinding factors are necessary. Base blinding might not prevent the attack, since the addresses of the factors of the multiplication could leak. Application to other exponentiation methods such as the regularized 2-bit window method cannot be excluded, since partial information from SPA (e.g. distinguishing the 2-bit value '00' from the other three) would also suffice to detect collisions.
Reference: [SI11]

ME_BME_9 / Schindler-Itoh (basic)
Precondition: Modular exponentiation of
  • random unknown Mi
  • with private d with (classical) exponent blinding
  • unknown N
  Exponentiation algorithm is S & aM (footnote 5)
  Exponent blinding
  Exponent randomization with less than 64 random bits, i.e. bit length of r < 64
  Blinded exponent bits can be guessed by SPA with an error rate ε_b ≤ 28%
Category / Target: Simple SCA / Private exponent d; exponentiation with d, or the value φ(N) used for exponent blinding
Short description: Let the blinded exponents be denoted by v_j := d + r_j·y. The attack is also applicable to other exponent blinding methods.
  Step 1: Guess the blinded exponent bits of v_j on the basis of the corresponding power traces; the guess is denoted by ṽ_j. Some of the guessed bits may be wrong and the attacker does not know the positions of the wrong guesses.
  Step 2: Find collisions between the v_j, i.e. different indices i and j with equal blinding value r_i = r_j, resp. equal blinded exponents v_i = v_j. These are detected by a low Hamming distance of the NAF of the corresponding guesses. At least one collision between 3 indices is required for proceeding with the attack.
  Step 3: For the identified collision, correct the errors of the guesses by majority decision for each bit of v_j.
  Step 4: In the case of RSA and y = φ(N) (additive exponent blinding), knowledge of y is enough to break the cryptosystem. Otherwise, get d with knowledge of y.
Remark: The size of the blinding factors affects the number of traces required for finding a collision with sufficient probability. Therefore, large blinding factors are an effective countermeasure. Base blinding might not prevent the attack, since the addresses of the factors of the multiplication could leak. Application to other exponentiation methods such as the regularized 2-bit window method cannot be excluded, since partial information from SPA (e.g. distinguishing the 2-bit value '00' from the other three) would also suffice to detect collisions.
Reference: [SI11]

Footnote 4: The attack method might also be applied to other exponentiation methods.
Footnote 5: The attack method might also be applied to other exponentiation methods.

Table 4: Side-channel attacks on modular exponentiation protected by blinding


4 RSA

RSA is a public key cryptosystem based on integer factorization. A key is generated by the following steps:

1. Select two primes p and q
2. Compute N = p·q and φ(N) = (p−1)·(q−1)
3. Choose e such that 1 < e < φ(N) and gcd(e, φ(N)) = 1
4. Compute d with 1 < d < φ(N) and e·d ≡ 1 (mod φ(N))
5. Publish (N, e) as public key
6. Keep (p, q, φ(N), d) as private key

N is called the modulus, e the public exponent and d the private exponent. A message M is encrypted by C = M^e mod N using the public key and decrypted by M = C^d mod N = M^{ed} mod N using the private exponent.

RSA can also be used as a signature system: a message M can be signed by S = M^d mod N. This signature is accepted if M = S^e mod N.

The most important part of RSA decryption is the modular exponentiation, which has been treated in chapter 3. Especially the attacks discussed in sections 3.5 to 3.8 have to be considered in the RSA case. In this chapter side-channel attacks that specifically target RSA are discussed. Section 4.1 contains security recommendations about purely cryptanalytic attacks, which the evaluator has to take into account.

Remark: The definition follows the original paper [RSA78]. Instead of φ(N), the number λ(N) = lcm(p−1, q−1) could be used for deriving a private exponent d' in step 4, as specified by PKCS#1 v2.1. The number d' can be smaller than d, but also has the desired property of decrypting all ciphertexts.

4.1 Security Recommendations

A cryptographic system based on RSA must also be resistant against purely cryptanalytic attacks like message recovery attacks, which extract the e-th root without using the private exponent. The descriptions of the attacks below can also be found in Boneh's survey paper [B99]:

- Hastad's Broadcast Attack (see [H85]): One message M is encrypted with the same public exponent e but different moduli, C_i = M^e mod N_i, and sent to a number of parties. An attacker can recover M from the C_i and N_i as soon as the number of parties is greater than e. The attack is feasible only when a small e is used.

- Franklin-Reiter Related Message Attack (see [CFPR96]): Let (N, e=3) be a public key. Suppose M_1, M_2 ∈ ℤ_N^* are two distinct messages satisfying M_1 = f(M_2) mod N for some publicly known linear polynomial f ∈ ℤ_N[x]. Given C_1 = M_1^e and C_2 = M_2^e, an attacker can easily recover M_1 and M_2.

- Coppersmith's Short Pad Attack (see [C97]): An RSA encryption of two messages M_1 = M||pad_1, M_2 = M||pad_2 with public exponent e is vulnerable if the length of pad_1 and pad_2 is at most n/e^2. For e=3, the two messages agree over eight-ninths of their length.

These attacks are not implementation attacks and the evaluator is not necessarily able to determine from the evaluation of a single TOE, whether one of these attacks is feasible.

4.2 General Side-channel Attacks on RSA

In many cases it is possible to gain some information by side-channel attacks, i.e. some bits of the private key. There are some cryptanalytic attacks on RSA which reveal the whole private key if some bits are known. It is possible to factorize N in polynomial time under one of the following three conditions:

- A fraction of the most significant bits or least significant bits of the private exponent is available. For small e only about log_2(N)/4 least significant bits of the private exponent d must be known (see [E01], [EJMW05], [BM03], [BDF98]).

- Some amount of randomly located bits from the least (respectively most) significant halves of both primes is known (see [MSG10]).

- Some amount of randomly located bits from the private RSA CRT exponents d_p = d mod (p−1) resp. d_q = d mod (q−1) is known (see [P05] ch. 6, approximately 310 bits are known out of each 512-bit exponent).

We give an overview of side-channel attacks on RSA other than attacks on the modular exponentiation step; these are mainly attacks on the padding. For the considered attacks the identifier R_x is used.

Typically the RSA operation uses padding schemes to encode the message before the modular exponentiation, to counter cryptological weaknesses due to the homomorphic properties of the modular exponentiation. According to PKCS#1 v1.5 the first two bytes of the encoded message are 0x00 and 0x02. The TOE checks whether the decrypted ciphertext starts with these two bytes and outputs an error message otherwise. The padding oracle attack (R_2) uses this fact to find out the plaintext M = C^d mod N. The attacker must be able to choose ciphertexts which the TOE decrypts, and to recognize the error messages. He asks the TOE to decrypt the message C·f^e for several integers f. If the TOE does not output an error message, the attacker knows that the first two bytes of M·f are indeed 0x00 and 0x02 and thus 2B ≤ M·f mod N < 3B, where B = 2^(8(k−2)) and k is the byte length of N. This way the attacker can find out M via nested intervals. This attack can also be extended to SSL/TLS protocols, see [KPR03].

A similar attack is possible on the RSA padding according to RSAES-OAEP. Here the first byte of the encoded message is 0x00 and the attacker asks the TOE to decrypt the message C·f^e for several integers f and gets the information whether 2B ≤ M·f mod N holds.

The RSA-based signature and encryption algorithm specified by EMV Co can be attacked with a similar approach. Here the fact that a correctly padded message begins with the byte 0x7F is used to gain access to a partial decryption oracle, which can be used to forge a signature on a freely chosen message, see [DLPSS11].
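The PKCS#1 v1.5 format check as an oracle, written out as an added example (not code from AIS 46): a toy decryptor whose distinguishable error reveals whether 2B ≤ M' < 3B, the property 2B ≤ M·f mod N < 3B that a chosen ciphertext C·f^e lets an evaluator confirm, and the hardened response shape (fixed-length output with a random fallback, as used for the TLS RSA key exchange) in which the caller's observable behaviour no longer depends on the format. The key (primes 1009, 1013, so k = 3 bytes and B = 256) is constructed; the function names are chosen here.

```python
# Added example (not from AIS 46): why a PKCS#1 v1.5 format check turns an RSA
# decryptor into a padding oracle (attack R_2), and the evaluator's check that a
# TOE's response does not depend on the format of the decrypted value.
# Constructed toy key: k = 3 bytes, so B = 2^(8(k-2)) = 256 and a conformant
# encoded message is 0x00 0x02 <one data byte>, i.e. 2B <= M < 3B.
import secrets

P, Q, E = 1009, 1013, 65537          # constructed toy primes, not a real key
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # modular inverse (Python >= 3.8)
K = (N.bit_length() + 7) // 8        # byte length k of N
B = 2 ** (8 * (K - 2))


def conformant(m: int) -> bool:
    """The format test the TOE applies: encoded message starts with 0x00 0x02."""
    em = m.to_bytes(K, "big")
    return em[0] == 0x00 and em[1] == 0x02      # equivalent to 2B <= m < 3B


def leaky_decrypt(c: int) -> int:
    """Vulnerable: a distinguishable error reveals the outcome of conformant()."""
    m = pow(c, D, N)
    if not conformant(m):
        raise ValueError("decryption error")    # this error message is the oracle
    return m % B                                # strip 00 02, return the payload


def oracle(c: int) -> bool:
    """What an observer learns from the leaky TOE per submitted ciphertext."""
    try:
        leaky_decrypt(c)
        return True
    except ValueError:
        return False


def oracle_on_blinded(c: int, f: int) -> bool:
    """Evaluator's check: submitting C*f^e mod N makes the TOE decrypt M*f mod N,
    so the answer is exactly whether 2B <= M*f mod N < 3B (the text's inequality).
    If this matches the inequality for several f, the padding oracle exists."""
    return oracle(c * pow(f, E, N) % N)


def uniform_decrypt(c: int) -> bytes:
    """Hardened shape: always produce a payload of fixed length, substituting
    random bytes on a format failure, so that the caller's observable behaviour
    does not depend on conformant(m). Only the control flow is shown; a real TOE
    must also avoid timing differences between the two branches."""
    m = pow(c, D, N)
    fallback = secrets.token_bytes(K - 2)
    payload = (m % B).to_bytes(K - 2, "big")
    return payload if conformant(m) else fallback


def encrypt(m: int) -> int:
    return pow(m, E, N)
```

The difference an evaluator looks for is in the caller's view: `leaky_decrypt` gives two distinguishable outcomes per ciphertext, `uniform_decrypt` one.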


Identifier Precondition Category / Target Short description / Remark Reference

R_1 / partial key exposure attack

Precondition: RSA • with private d • p, q are primes of nearly the same bit size • known public exponent e. A fraction of the bits of d or of the primes is known.

Category / Target: Cryptanalytic attack / private exponent d; factorization of N

Short description: Factorization of N in polynomial time under the condition that

• a fraction of the most significant bits or least significant bits of the private exponent is available. For small e only about log_2(N)/4 least significant bits of the private exponent d must be known (see [E01], [EJMW05], [BM03], [BDF98]);

• some amount of randomly located bits from the least (respectively most) significant halves of both primes is known (see [MSG10]);

• some amount of randomly located bits from the private RSA CRT exponents d_p = d mod (p−1) resp. d_q = d mod (q−1) is known (see [P05] ch. 6, approximately 310 bits are known out of each 512-bit exponent).

Reference: [E01], [EJMW05], [BM03], [BDF98], [MSG10], [P05], [J07]

R_2 / Padding Oracle Attack

Precondition: RSA decryption • with private d • known ciphertext C, for which the decrypted message M = C^d mod N is searched • the decrypted message need not be known for any chosen ciphertext, except for the information whether the encoding of M corresponds to the padding format (padding oracle) • known public exponent e

Category / Target: Logical SCA (timing) / message M; padding of RSA decryption

Short description: Attack on RSA padding according to PKCS#1 v1.5 (see [B98])

• The error message is used as an oracle giving information about the decrypted message M', namely whether 2·B ≤ M' < 3·B is fulfilled for a constant B.

• By multiplying the ciphertext C by f^e with a chosen number f, the correct format of (C·f^e)^d = M·f mod N according to PKCS#1 v1.5 can be determined by several answers of the oracle.

• The attack relies on the facts that the first two bytes (0x00, 0x02) of the PKCS#1 format are constant, and that these two bytes are known with certainty when the ciphertext C is accepted.

Attack on RSA padding according to RSAES-OAEP (see [M01])

• The error message is used as an oracle giving information about the decrypted message M', namely whether M' < B is fulfilled for a constant B.

• By multiplying the ciphertext C by f^e with a chosen number f, the correct format of (C·f^e)^d = M·f mod N according to RSAES-OAEP can be determined by several answers of the oracle.

Remark: See [BFK+12] for an improvement of this attack method. See also [HN04] for cryptologic properties of modular exponentiation for both the RSA problem (extracting e-th roots) and the discrete logarithm problem. An oracle providing information about another bit of the message (not only the msb as in this case) could also be used for an RSA decryption with chosen ciphertext modifications (e.g. see [S09]). These attacks work even when the protocol includes strong authentication at a later step. An oracle could also be provided by a physical side-channel instead of a logical side-channel.

Reference: [B98], [M01], [S09], [HN04], [A09], [KPR03], [BFK+12]

Table 5: General side-channel attacks on RSA


4.3 RSA Straight

Now we will consider side-channel attacks on implementations of RSA-straight, i.e. RSA without using the Chinese Remainder Theorem. For these attacks the identifier RS_x is used.

The attack RS_1 is a differential fault attack on the binary exponentiation. For a chosen m with 1 ≤ m ≤ n, n = log_2(N), l random messages M_1, M_2, …, M_l are signed, where l = (n/m)·log_2(2n). A typical value for m is for instance m = log_2(2n), such that l = n. During the computation a fault is induced at a single random point on each input and flips one bit. The attacker gets faulty signatures S'_i. This enables one to recover the secret exponent d. Let k_i be the value of the counter in the exponentiation algorithm when the fault occurred. The indices are sorted according to the point of time when the fault was induced, so that 0 ≤ k_1 ≤ k_2 ≤ … ≤ k_l. Note that the values k_i are unknown to the attacker. With probability at least 0.5 the inequality k_(i+1) − k_i < m holds for all i = 1, …, l. If the attacker has found d_(n−1), d_(n−2), …, d_(k_i), he tries to expose the bits of d in positions k_i − 1, k_i − 2, …, k_(i−1). Since even the length k_i − k_(i−1) is unknown, all possible lengths have to be tried. So for all possible values r = k_i − k_(i−1) < m all possible hypotheses u_(k_i − 1), u_(k_i − 2), …, u_(k_(i−1)) for the vector d_(k_i − 1), d_(k_i − 2), …, d_(k_(i−1)) are tried. Given a hypothesis he computes

w = Σ_(j = k_i)^(n−1) d_j·2^j + Σ_(j = k_(i−1))^(k_i − 1) u_j·2^j.

The attacker checks whether a hypothesis is true by checking if a b ∈ {0, 1, …, N} exists such that (S'_j ± 2^b·M_j^w)^e mod N = M_j holds (assuming a right-to-left binary method). This condition always holds for a correct hypothesis and is very unlikely to hold for a wrong hypothesis. The computation requires O((2^m·n^3·log_2^2(n))/m^2) modular exponentiations. The choice of m has to balance the number of required faulty signatures against the computation effort.

The attack RS_2 is a fault attack where a fault is introduced into the modulus N. The attacker generates faulty couples (M_i, S'_i) corresponding to unknown moduli N'_i ≠ N, related by S'_i = M_i^d mod N'_i. The inputs M_i and the outputs S'_i are known to the attacker, while the moduli N'_i are unknown and modeled as uniformly distributed over the integers less than 2^n. From (M_i, S'_i), the private key d is retrieved offline by progressively determining d mod r_k, where r_k is a small prime power. When the product R = ∏_k r_k exceeds the modulus N (and so the unknown φ(N)), d can be recovered by means of the Chinese Remainder Theorem.

The attack RS_3 is an attack on window techniques. These are vulnerable to SPA, which can reveal partial information about d. For e = 3 and e = 2^16+1 this information can be used to recover all bits of d. Several power traces are collected, each revealing some bits of a blinded exponent v_i = d + r_i·φ(N). We have d·e = 1 + k·φ(N). Since N is an approximation of φ(N), d can be approximated by d ≈ ⌊(1 + k·N)/e⌋ and v_i can be approximated by v_i ≈ ⌊(1 + k·N)/e⌋ + r_i·N.

In a first step k and r_i are determined. In fact for e = 3 it is known that k = 2. Then φ(N) and d are guessed byte by byte and the guesses are verified by checking their consistency with the bytes guessed before and with the partial information about the blinded exponents the attacker has acquired by side-channel analysis.


Identifier Precondition Category / Target Short description / Remark Reference

RS_1

Precondition: No exponent blinding; no message blinding. RSA of • random known M_i • with private d, p, q. The binary exponentiation algorithm is known. At least n faulty RSA signatures with a single register bit flip at one random iteration during the exponentiation.

Category / Target: Differential FA / private key d; exponentiation with d

Short description: Sign random but known messages M_1, …, M_l and collect the responses until sufficiently many erroneous signatures S'_i are generated. The pairs (M_i, S'_i) are then used to deduce d by checking if one of the S'_i satisfies (S'_j ± 2^b·M_j^w)^e mod N = M_j for special b and w.

Remark: No need to obtain the correct signature of any of the messages. No need to obtain multiple signatures of the same message. If both the erroneous and the correct signature of each message M_i could be obtained, then the attack algorithm can be simplified to (S'_j ± 2^b·M_j^w) mod N = S_j, thus saving the need for an RSA encryption on every invocation of the test. See ME_BM_4.

Reference: [BDL96]; [BDL01] chapter 2.3

RS_2

Precondition: No integrity protection of public keys; no message blinding. RSA of • uniformly distributed known M_i • with private d, p, q • (unknown) modified modulus N'. The device's fault model defining how the modulus N can be modified into N' during FA might be known. FA modifies the modulus before an RSA exponentiation.

Category / Target: Differential FA; logical SCA / private key d; exponentiation (modified modulus) with d

Short description: Generate some fault couples (M_i, S'_i) corresponding to unknown moduli N'_i ≠ N, related by S'_i = M_i^d mod N'_i. Input M_i and output S'_i are known to the attacker while N'_i is unknown and modeled as uniformly distributed over the integers less than 2^n. From (M_i, S'_i), the private key d is retrieved offline by progressively determining d mod r_k, r_k dividing small prime powers p^a (see [BCC06], proposition 1). When the product R = ∏_k r_k exceeds the modulus N (and so the unknown φ(N)), d can be recovered by means of the Chinese Remainder Theorem.

Remark: For a 1024-bit modulus about 60,000 faults are necessary. By choosing a fault model 'random-data random-location faults'⁶ (e.g. during transfer of the modulus from EEPROM to RAM), about 1,100 faults for a 1024-bit modulus are necessary.

Reference: [BCC06]

RS_3

Precondition: Exponent blinding of the form d' = d + r·φ(N) with r about 32 bit or lower. RSA of • random M_i • known modulus N • known low public exponent e (e.g. e = 3 or 2^16+1) • with private d, p, q. Sliding window exponentiation (CLNW: Constant Length Non-zero Window; VLNW: Variable Length Non-zero Window), implementation not protected against SPA. Squares and multiplications can be distinguished.

Category / Target: Simple SCA / private key d; sliding window exponentiation

Short description: The sliding window technique is vulnerable to SPA, which gives partial information about the exponent d'. Record some power curves which correspond to the exponentiation of a message with the unknown blinded private key v_i = d + r_i·φ(N) associated to an unknown short value r_i. Approximation of φ(N) by N and the equation d·e = 1 + k·N with 0 < k < e give approximations of d and v_i:

d ≈ ⌊(1 + k·N)/e⌋, v_i ≈ ⌊(1 + k·N)/e⌋ + r_i·N

In case of a low public exponent (e = 3 or e = 2^16+1) it is possible to exploit the result of the SPA about v_i to determine the mask values r_i together with k (for e = 3 it is known that k = 2) and thereafter the full private exponent.

Remark: The attack is more efficient on larger modulus sizes. The assumption of [FKM06] is that several non-consecutive bits of the blinded exponent can be perfectly revealed from a single power trace with no error bits. In ch. 2 of [SI11] the assumption of perfectly revealed bits of the blinded exponent is relaxed to an identical error rate ε_b for all bit positions and traces, see ME_BME_8 / Schindler-Itoh.

Reference: [FKM06], [SI11]

⁶ random data of limited length (e.g. byte length) appears at a random location within the modulus

Table 6: Side-channel attacks on RSA-straight


4.4 RSA-CRT

The private RSA operation S = M^d can be calculated efficiently with two modular exponentiations, one over each of the two primes. The results are combined using the Chinese Remainder Theorem (CRT) to get the final result. First S_p = M^d mod p = (M mod p)^(d mod (p−1)) mod p and S_q = M^d mod q = (M mod q)^(d mod (q−1)) mod q are computed. We have S = a·S_p + b·S_q mod N for some constants a and b. Using Garner's algorithm, S = S_q + ((S_p − S_q)·(q^(−1) mod p) mod p)·q can be computed.

In the following we will use the identifier RC_x for side-channel attacks on RSA-CRT.

The attack RC_1 exploits timing differences of the Montgomery multiplication. In some cases an optional subtraction is performed as the last step of the Montgomery multiplication, and in this case more computing time is consumed. The probability of the final subtraction for the modular multiplication with a fixed factor x = M is (x mod p)/(2R), where R is the Montgomery constant.

Thus the time T(M) consumed by the exponentiation of M grows linearly with increasing M and has a discontinuity where M is a multiple of p. Thus by T(u_1) − T(u_2) it can be determined whether an interval set {u_1+1, u_1+2, …, u_2} contains p. So the attacker can find a decreasing sequence of nested intervals each containing p. Once he has found an interval small enough, he computes gcd(u, N) for all u in this interval and factorizes N.
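The optional final subtraction discussed above, written out as an added example (not code from AIS 46 or from any of the cited papers): a Python Montgomery multiplication with the data-dependent final subtraction, a counter for how often it fires when one factor x is held fixed, the page's approximation (x mod p)/(2R) for comparison, and a branch-free selection of the kind an implementation uses to remove the data-dependent step. The prime p = 2^31 − 1, R = 2^32 and the seeded random second operands are constructed toy parameters; Python integers are not constant-time, so the selection shows the shape of the countermeasure, not a timing guarantee.

```python
# Added example (not from AIS 46): Montgomery multiplication with the optional
# final subtraction whose frequency the text approximates by (x mod p)/(2R), and
# the branch-free selection that removes the data-dependent step. Constructed
# parameters: p = 2^31 - 1 (a prime) and R = 2^32.
import random

P = 2**31 - 1                      # prime modulus of one CRT half (toy size)
R_BITS = 32
R = 1 << R_BITS                    # Montgomery constant R > P, gcd(R, P) = 1
P_NEG_INV = (-pow(P, -1, R)) % R   # -P^-1 mod R, used by REDC (Python >= 3.8)


def to_mont(a: int) -> int:
    """Montgomery form a*R mod P (the value that actually sits in the multiplier)."""
    return (a * R) % P


def redc_counting(t: int):
    """REDC with the textbook conditional final subtraction.
    Returns (t * R^-1 mod P, 1 if the extra subtraction happened else 0)."""
    m = ((t & (R - 1)) * P_NEG_INV) & (R - 1)
    u = (t + m * P) >> R_BITS      # exact division by R; 0 <= u < 2P
    if u >= P:                     # the leaky, operand-dependent step
        return u - P, 1
    return u, 0


def redc_select(t: int) -> int:
    """Same reduction, but the subtraction is always computed and the result is
    chosen with a mask, so the operation sequence does not depend on u >= P."""
    m = ((t & (R - 1)) * P_NEG_INV) & (R - 1)
    u = (t + m * P) >> R_BITS
    mask = -(u >= P)               # -1 (all ones) if u >= P, else 0
    return u - (P & mask)


def mont_mul(a: int, b: int) -> int:
    """Product of two Montgomery-form values, result in Montgomery form."""
    return redc_select(a * b)


def from_mont(a: int) -> int:
    return redc_select(a)


def mul_mod(a: int, b: int) -> int:
    """a*b mod P computed entirely through Montgomery arithmetic."""
    return from_mont(mont_mul(to_mont(a), to_mont(b)))


def extra_reduction_rate(x: int, samples: int = 4000, seed: int = 1) -> float:
    """Fraction of multiplications by the fixed factor x (a register value in
    Montgomery form) that needed the final subtraction, over seeded random
    second operands (constructed data, reproducible)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        y = rng.randrange(P)
        hits += redc_counting(x * y)[1]
    return hits / samples


def predicted_rate(x: int) -> float:
    """The page's approximation (x mod p) / (2R) for the same fixed factor."""
    return (x % P) / (2 * R)


if __name__ == "__main__":
    for x in (1, P // 2, P - 1):
        print(x, extra_reduction_rate(x), predicted_rate(x))
```

For x = 1 the subtraction can never fire (u stays below P for every operand), while for x close to P it fires in about a quarter of the multiplications, which is the operand dependence that T(M) exposes.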

The attack RC_2 also exploits the timing discontinuity at p and q, which is caused by the frequency of modular reductions as in RC_1 or by the choice of different multiplication routines. Here the attacker finds out the upper half of the bits of q by nested intervals and factorizes N using Coppersmith's algorithm. The nested intervals can be built as follows. If the attacker has already found the most significant bits q_(n−1), q_(n−2), …, q_(i+1), he defines the integers g = (q_(n−1), q_(n−2), …, q_(i+1), 0, 0, …, 0)_2 and g_hi = (q_(n−1), q_(n−2), …, q_(i+1), 1, 0, …, 0)_2. If q_i = 1, g < g_hi < q holds, and if q_i = 0, g < q < g_hi holds. Thus q_i can be detected by T(g_hi·R^(−1) mod N) − T(g·R^(−1) mod N).

The attacks above do not work for implementations protected by exponent blinding. Attack RC_9 is a generalization, which can be applied in this case.

In Garner's algorithm an optional addition is performed if S_p − S_q is negative. Novak's attack (RC_3 / Novak) exploits the fact that the attacker can find out by SPA whether this addition is performed. This attack scenario applies only to RSA decryption. As we harmonize the notation for input and output of the modular exponentiation, the ciphertext is denoted M as input of the decryption, and the plaintext is denoted S as output of the decryption. For a given plaintext S define diff(S) to be 1 if an optional addition occurs during the modular exponentiation of S, and 0 otherwise. Now if diff(S−1) = 0 and diff(S) = 1, then S is a multiple of p. Here p > q is assumed. This way the attacker can find a multiple of p and factorize N. The attack RC_4 extends this approach to a known message attack, which enables an attack also on the RSA signature generation. Here the attacker does not have to be able to choose the message, but only has to know the message M. If the RSA modulus N = p·q is such that q < p/2^k, the RSA factors p and q can be recovered by performing 60·2^k signatures on average and applying lattice techniques.

The Recombination Attack (RC_5 / Recombination) is a correlation power analysis on the recombination step. Here a CPA on the integer multiplication x·p with x ≈ S/p is performed, where S is the result of the modular exponentiation. Hypotheses on approximate guesses of the prime p are tested, which leads to a full exposure of p.


The modular reduction using equidistant data attack (RC_6 / MRED) is an attack on one of the two primes. It gives different series of equidistant messages M, M − 1·256^k, M − 2·256^k, …, M − l·256^k as input. Such series are taken for k = 0, 1, … until k reaches the size of the prime to be attacked. The basic assumption of the attack is that the distance of the messages equals the distance of the intermediate data after the reduction step, at least for a subgroup of the measurements. Now every series of measurements corresponding to one series of messages is used to reveal one byte of the remainder after the modular reduction by DPA. Determining the remainder byte by byte lets the difference to M approach a multiple of the prime modulus.

The Bellcore attack (RC_7 / Bellcore) is a fault attack. First the attacker asks the TOE to exponentiate the message M without inducing faults and obtains S. Then the attacker asks the TOE to exponentiate M again and induces a fault during the computation of S_p, while the computation of S_q is correct. The attacker obtains a faulty result S'. Then we have gcd(S − S', N) = q.

The Lenstra attack (RC_8 / Lenstra) is an improvement of the Bellcore attack. Here only the faulty result is required. The attacker finds q by gcd(S'^e − M, N) = q. Hence the TOE does not have to exponentiate the same message twice. This idea also works if the attacker does not induce faults actively but exploits bugs. This is called Shamir's bug attack (see [BCS08]). Suppose the TOE uses a k-bit multiplier which multiplies the two k-bit words a and b incorrectly due to a bug. The attacker then chooses c with p < c < q. This can be achieved by taking c ≈ √N. He now chooses the message M by changing the two least significant words of c to a and b respectively. With high probability M fulfills p < M < q. Now the attacker asks the TOE to exponentiate M. At the beginning of the computation M is reduced modulo p and modulo q. Because p < M, the values of the least significant words are probably changed during the reduction modulo p, and the computation of S_p is correct. Because M < q, the reduction modulo q does not change M. So a and b are multiplied during the computation of S_q and the attacker obtains a wrong result. While fault attacks are usually relevant for smart cards only, attacks like Shamir's bug attack are also a threat for RSA implementations on a PC.
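The RSA-CRT operation of this section with Garner's recombination, together with the single-fault consequence just described and the countermeasure that prevents it, as an added example (not code from AIS 46 or from the cited papers): the recombination reports whether the conditional addition for a negative S_p − S_q occurred (the event RC_3 and RC_4 observe), a fault in S_p can be simulated, the two gcd relations from the text are evaluated on the faulty output, and `sign_checked` shows the standard defence of verifying S^e mod N = M with the public exponent before any result leaves the device. The key (primes 1009, 1013), the message and all function names are constructed here.

```python
# Added example (not from AIS 46): the RSA-CRT private operation of section 4.4
# with Garner's recombination, the conditional addition that RC_3/RC_4 observe,
# and the verification countermeasure against RC_7/RC_8: a faulty S' is never
# released because S'^e mod N != M. Constructed toy key (primes 1009, 1013);
# real keys use >= 1024-bit primes and padded messages.
from math import gcd

P, Q, E = 1009, 1013, 65537          # constructed toy primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # modular inverse (Python >= 3.8)
DP, DQ = D % (P - 1), D % (Q - 1)    # CRT exponents d mod (p-1), d mod (q-1)
QINV = pow(Q, -1, P)                 # q^-1 mod p, precomputed as in a real key


def garner(sp: int, sq: int):
    """S = Sq + ((Sp - Sq) * (q^-1 mod p) mod p) * q.
    Also returns whether Sp - Sq was negative, i.e. whether the extra addition
    that brings the difference into [0, p) occurred (the RC_3/RC_4 leak)."""
    diff = sp - sq
    needed_addition = diff < 0
    h = (diff * QINV) % P            # Python's % already yields the least positive residue
    return sq + h * Q, needed_addition


def crt_exp(m: int, fault_in_sp: int = 0):
    """S = M^d mod N via the two half-size exponentiations.
    fault_in_sp is XORed into Sp to simulate an RC_7/RC_8 fault (0 = no fault)."""
    sp = pow(m % P, DP, P) ^ fault_in_sp
    sq = pow(m % Q, DQ, Q)
    return garner(sp, sq)


def sign_checked(m: int, fault_in_sp: int = 0):
    """Countermeasure: verify with the public exponent before releasing S.
    Returns S, or None if the result is inconsistent (a fault is suspected)."""
    s, _ = crt_exp(m, fault_in_sp)
    return s if pow(s, E, N) == m % N else None


def prime_from_fault_pair(s: int, s_faulty: int) -> int:
    """RC_7 relation: gcd(S - S', N) is the prime of the half that stayed correct."""
    return gcd(s - s_faulty, N)


def prime_from_single_fault(m: int, s_faulty: int) -> int:
    """RC_8 relation: gcd(S'^e - M, N), no correct signature needed."""
    return gcd(pow(s_faulty, E, N) - m, N)


if __name__ == "__main__":
    msg = 123456                                   # constructed message, below N
    s, added = crt_exp(msg)
    print("S correct:", s == pow(msg, D, N), "conditional addition:", added)
    print("checked signing under fault:", sign_checked(msg, fault_in_sp=1))
```

A single bit flipped in S_p is enough for both gcd relations to return q, which is why the public-exponent check (or an equivalent consistency check) has to run before the result is output, and why `sign_checked` returns nothing at all in that case.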

The attack RC_10 is an SCA against implementations protected by multiplicative modulus blinding. As a first step the TOE performs the modular reduction M mod (r_1·p) for a random integer r_1. The attacker finds out the quotient ⌊M/(r_1·p)⌋ by SPA. If he knows an approximation M' ≈ M, he can factor N using lattice reduction. For the attack r_1 must not be too big and M and N must have similar bit lengths. [K04] tested RSA moduli of different bit lengths up to 2048. For the bit lengths of n, ⌈M − M'⌉, r_1/2 in the ratio 16 : 2 : 1, the attack was applied successfully.


Identifier Precondition Category / Target Short description / Remark Reference

RC_1

Precondition: No exponent blinding; no message blinding. Modular exponentiation of • adaptive chosen M_i • with private d and • known N. Montgomery multiplication with optional modular reduction is used. The exponentiation method involves modular multiplications with M.

Category / Target: Logical SCA; timing / private exponent d; exponentiation with d

Short description: The optional reduction step leaks via the global timing T(M) of the RSA-CRT computation, which consists mainly of two modular exponentiations with moduli p and q. This information can be gathered and allows one to reconstruct one of the prime moduli. The decisions are based on the respective time differences T(M_2) − T(M_1) for different bases M_1 and M_2. The probability of the conditional final modular subtraction for the modular multiplication with a fixed factor x = M can be approximated by (x mod p)/(2R), where R is the Montgomery constant and p the prime modulus (see [SST04]). So an integer multiple of p can be detected as a 'discontinuity' of the timing T(M). First an interval set has to be found which contains an integer multiple of p or q. Then a sequence of decreasing interval subsets has to be determined, each of which contains an integer multiple of p or q. As soon as the actual subset is small enough, gcd(u, N) is calculated for all u contained in this subset. If all decisions were correct then a factorisation of N is found.

Remark: In [S00] the considered exponentiation method is square-and-multiply from left to right, which involves about log_2(N)/2 modular multiplications with M. The attack could be extended to other exponentiation methods such as m-ary window methods, but with a higher number of measured timings.

Reference: [S00], [SST04]


RC_2

Precondition: No exponent blinding; no message blinding. Modular exponentiation of • chosen M_i • with private d • known N. The timing of the modular multiplication depends on the factors (Montgomery multiplication with optional final subtraction). The exponentiation algorithm (optionally sliding window) is known.

Category / Target: Logical SCA; timing / private exponent d; exponentiation with d

Short description: Time variance in the modular exponentiation could be caused by

• Schindler's observation on the number of extra reductions in a Montgomery reduction: as M approaches either factor p or q from below, the number of extra reductions during the exponentiation algorithm greatly decreases (see [S00]);

• timing differences due to the choice of multiplication routine, e.g. OpenSSL implements two multiplication routines, Karatsuba and "normal"; OpenSSL uses the faster Karatsuba multiplication when multiplying two numbers with an equal number of words.

Both effects result in a discontinuity at p or q (or multiples of them). The attack exposes the factorization of the RSA modulus N = p·q with q < p by using the timing of the modular exponentiations of chosen values for a binary search of q.⁷ See ch. 3.1 in [BB03] for how to get more significant time differences for sliding window exponentiation.

Remark: [ASK05] improves the attack of [BB03] by a factor of 10.

Reference: [BB03], [ASK05]

⁷ Once the upper half of the binary representation of q is known, the modulus N could be factored by the Coppersmith method (see R_1).

RC_3 / Novak

Precondition: No prime blinding in the recombination step; no message blinding in the recombination step. RSA decryption. Modular exponentiation of • adaptive chosen M_i • with private d, p, q. RSA CRT recombination: Garner's method with optional addition. The conditional addition in the CRT recombination is detectable with simple SCA.

Category / Target: Simple SCA / CRT

Short description: In RSA using Garner's algorithm for CRT the difference S_p − S_q may be negative for an input M and an additional conversion to the least positive residue is required. This conditional addition can produce an optional pattern in a recombination power trace and is used for the attack. Adaptive chosen ciphertext attack: by choosing the plaintext S, encrypting it with the public key⁸ and using it as an input M for decryption with RSA CRT in order to identify the conditional addition, the factorization of the modulus can be obtained from n/2 traces, with n = bit length of the modulus N.

Remark: The attack RC_4 extends this approach to a known message attack in the context of RSA signature generation.

Reference: [N02]

⁸ In this way the output of the RSA CRT decryption can be controlled.

RC_4

Precondition: No message blinding in the recombination step; no prime blinding. Modular exponentiation of • known M_i • with private d • private p and q are required to have different bit lengths, e.g. about 10 bits for a 1024-bit modulus. RSA CRT recombination: Garner's method with optional addition. The conditional addition in the CRT recombination is detectable with simple SCA.

Category / Target: Simple SCA / factorisation of N; CRT recombination

Short description: In RSA using Garner's algorithm for CRT the difference S_p − S_q may be negative for a message and an additional conversion to the least positive residue is required. This conditional addition can produce an optional pattern in a power trace and is used for the known message attack. If the RSA modulus N = p·q is such that q < p/2^k, the RSA factors p and q can be recovered by performing 60·2^k signatures on average and applying lattice techniques.

Reference: [FMP03]

RC_5 / Recombination

Precondition: No prime blinding in the recombination step; no message blinding in the recombination step. Modular exponentiation of • unknown M_i • with private d, p, q • known S. RSA CRT recombination: Garner's method.

Category / Target: Differential SCA / CRT recombination

Short description: Correlation on the integer multiplication x·p with x ≈ S/p, where S is the result of the private key operation. Hypotheses on approximate guesses of the prime p are tested, which leads to a full exposure of p.

Remark: Take account of [AFV07] chap. 5: reverse engineering of modular multiplication.

Reference: [AFV07]

RC_6 / MRED⁹

Precondition: No message blinding in the modular reduction; no prime blinding in the modular reduction. Modular exponentiation of • chosen known M_i • with private d, p, q

Category / Target: Differential SCA / CRT modular reduction

Short description: Chosen ciphertext (or rather chosen input to the secret key operation) to obtain information about the primes by leakage of the remainder of the modular reduction. MRED describes a DPA attack on the modular reduction step with one of the primes. Instead of using random messages the attacker chooses equidistant messages (e.g. M, M − 1·256^k, M − 2·256^k, …, M − l·256^k). The basic assumption of the attack is that the distance of the messages equals the distance of the intermediate data after the reduction step.

Remark: Chap. 3.3 introduces CPA.

Reference: [BLW02]

⁹ Modular Reduction using Equidistant Data

RC_7 / 'Bellcore Attack'

Precondition: Modular exponentiation of • unknown but constant M • with private d, p, q. One correct RSA CRT (→ S) and one faulty RSA CRT with a fault on one of the S_p or S_q computations (→ S') or on q^(−1) mod p. The faulty signature is detectable.

Category / Target: Logical SCA; differential FA / prime modulus of the exponentiation

Short description: Without loss of generality, a hardware fault occurs during the computation of S'_p (i.e. S_p ≠ S'_p mod p) but no fault occurs during the computation of S'_q (i.e. S'_q = S_q mod q). Applying the recombination to S'_p and S'_q gives a faulty signature S' for M. Then gcd(S − S', N) = q.

Remark: Simple countermeasures are not sufficient against practical attacks (see [ABF02]). A faulty S'_p could also be induced by a fault during loading of the prime modulus p. A fault on q^(−1) mod p also provides a faulty S' after the recombination step.

Reference: [BDL96]; [BDL01] chapter 2.2; [ABF02]

RC_8 / 'Lenstra Attack'

Modular exponentiation of

• known M

• with private d, p, q

One faulty RSA CRT with fault on one of Sp or Sq computation (--> S') or on q−1 mod p

Logical SCA;

Differential FA

/

Prime modulus of exponentiation

Slight modification of [BDL96],

Without loss of generality, hardware fault occurs during computation of S'p (i.e. Sp ≠ S'

p mod p) but no fault occurs during computation of S'

q (i.e. S'q=Sq mod q). Applying

recombination on S'p and S'q gives faulty signature S' for M.

Then gcd( (S')e – M, N) = q

[JLQ99]


Faulty signature is detectable /

As long as the entire signed message M is known, a single interaction with the black-box resulting in an invalid signature is sufficient for factoring the modulus.

Simple countermeasures are not sufficient against practical attacks (see [ABF02]).

Padding the message with unpredictable numbers is an efficient countermeasure.
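The following Python program is an added worked example and not part of the original document or of [BDL96]/[JLQ99]: it simulates the RC_7 and RC_8 scenarios on a constructed toy RSA-CRT key (two Mersenne primes, e = 65537), injects a single-bit fault into Sp before the recombination, recovers q with gcd(S − S', N) (Bellcore) and with gcd(S'^e − M, N) (Lenstra), and shows the verify-before-release check an implementation must at least perform. Key, message and fault are constructed for the demo; the fault is a plain bit flip, not a model of any real device.

```python
from math import gcd

# Constructed demo key: two Mersenne primes, chosen so that e = 65537 is coprime
# to (p-1)(q-1). Not a real-world key size; only the arithmetic matters here.
P = (1 << 89) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_crt_sign(m, d, p, q, fault_in_sp=False):
    """RSA-CRT signature with Garner recombination. With fault_in_sp=True one bit
    of Sp is flipped before recombination, simulating the fault of RC_7 / RC_8
    (constructed fault, not a device fault model)."""
    dp, dq = d % (p - 1), d % (q - 1)
    qinv = pow(q, -1, p)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault_in_sp:
        sp ^= 1 << 5                 # Sp' != Sp mod p, Sq untouched
    h = qinv * (sp - sq) % p
    return sq + q * h                # S = Sq + q * ((Sp - Sq) * q^-1 mod p)


def bellcore_factor(s_correct, s_faulty, n):
    """RC_7: a correct and a faulty signature of the same message agree mod q
    (same Sq) but differ mod p, so gcd(S - S', N) = q."""
    return gcd((s_correct - s_faulty) % n, n)


def lenstra_factor(s_faulty, m, e, n):
    """RC_8: one faulty signature suffices when M is known, because S'^e == M
    mod q but not mod p. Reducing mod n first keeps the numbers small."""
    return gcd((pow(s_faulty, e, n) - m) % n, n)


def sign_with_check(m, d, e, p, q, fault_in_sp=False):
    """Countermeasure: re-verify with the public exponent before releasing the
    signature; a faulty result is withheld (None) instead of being output."""
    s = rsa_crt_sign(m, d, p, q, fault_in_sp)
    return s if pow(s, e, p * q) == m else None


if __name__ == "__main__":
    M = int.from_bytes(b"signed data", "big")        # constructed message, < N
    S = rsa_crt_sign(M, D, P, Q)
    S_faulty = rsa_crt_sign(M, D, P, Q, fault_in_sp=True)
    print("Bellcore recovers q:", bellcore_factor(S, S_faulty, N) == Q)
    print("Lenstra recovers q: ", lenstra_factor(S_faulty, M, E, N) == Q)
    print("checked signing withholds the faulty value:",
          sign_with_check(M, D, E, P, Q, fault_in_sp=True) is None)
```

sign_with_check is the reference behaviour an evaluator should test against; as the table notes with reference to [ABF02], simple countermeasures of this kind are not on their own sufficient against practical attacks.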

RC_9 Modular exponentiation of

• chosen Mi

Montgomery Multiplication with conditional modular reduction

Number of final subtractions leaks

Logical SCA;

Timing

/

Prime modulus of exponentiation

The frequency of the conditional final modular subtraction for the modular multiplication with a fixed factor x can be approximated by (x mod p) / (2R), where R is the Montgomery constant and p the prime modulus (see also ME_BM_2).

With known input message Mi to both modular exponentiations this formula leaks information about the prime p by the formula

(Mi*R mod p) / p ≈ (ni − nmin) / (nmax − nmin), for i = 0, …, k−1,

where ni is the total number of counted subtractions during the whole exponentiation of Mi mod p, and nmax = max_i ni and nmin = min_i ni are the maximal and minimal number of subtractions during the k observations.

By appropriately choosing Mi the prime p could be

[TMSK05]

[H09]


/

RC_9 is a generalization of RC_1 and RC_2 for implementations with exponent blinding.

A local timing attack with distinguishing squares from multiplications by SPA gives a higher precision counting the conditional subtractions.

A refined model of the optional modular reduction step of Montgomery multiplication allows the 'hidden number problem' to be applied to obtain the modulus, extending the methods of [TMSK05].
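Added example, not from the original document or from [TMSK05]/[H09]: a Montgomery multiplication with the conditional final subtraction, a counter for how often the subtraction fires when the second factor x is fixed, the approximation (x mod p)/(2R) quoted above, and a branch-free variant whose subtraction count is constant. The 64-bit modulus, R = 2^64, the seed and the sample size are constructed for the demo; Python integers are not constant-time, so mont_mul_ct only illustrates the selection pattern, not a timing guarantee.

```python
import random

# Constructed demo parameters: a 64-bit odd (prime) modulus and the Montgomery
# constant R = 2^64 of a single 64-bit word; not taken from any product.
P = (1 << 64) - 59
R = 1 << 64
P_INV_NEG = (-pow(P, -1, R)) % R          # -p^(-1) mod R


def mont_reduce(t, p, r, p_inv_neg):
    """Montgomery reduction of t (< p*R): returns u = t * R^-1 mod p with 0 <= u < 2p."""
    m = (t * p_inv_neg) % r
    return (t + m * p) // r                # exact division: t + m*p == 0 mod R


def mont_mul(a, b, p=P, r=R, p_inv_neg=P_INV_NEG):
    """Montgomery product a*b*R^-1 mod p with the conditional final subtraction
    of ME_BM_2 / RC_9. Returns (result, subtracted) so a caller can count the branch."""
    u = mont_reduce(a * b, p, r, p_inv_neg)
    if u >= p:
        return u - p, True
    return u, False


def mont_mul_ct(a, b, p=P, r=R, p_inv_neg=P_INV_NEG):
    """Same product without the data-dependent branch: always form u - p and
    select with a mask, so the number of subtractions does not depend on the data."""
    u = mont_reduce(a * b, p, r, p_inv_neg)
    diff = u - p
    mask = -(diff < 0)                     # -1 if u < p (keep u), 0 otherwise (keep diff)
    return (u & mask) | (diff & ~mask)


def observed_rate(x, samples=40000, seed=1, p=P):
    """Fraction of products a*x, a uniform in [0, p), that took the final subtraction."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        hits += mont_mul(rng.randrange(p), x)[1]
    return hits / samples


def predicted_rate(x, p=P, r=R):
    """The approximation quoted above for a fixed factor x: (x mod p) / (2R)."""
    return (x % p) / (2 * r)


if __name__ == "__main__":
    for x in (P // 4, P // 2, 3 * P // 4):
        print(f"x = {x}: observed {observed_rate(x):.4f}, predicted {predicted_rate(x):.4f}")
```

In an exponentiation the multiplications by the (Montgomery-form) base all share the same fixed factor, which is why the total count ni in the formula above grows linearly with Mi*R mod p; the constant-count variant removes that dependency at the source.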

RC_10 No message randomization; blinded moduli r1*p and r2*q with r1, r2 random numbers

Modular exponentiation of

• approximation M' of M is known (M' ≈ M)

• with private d

Either value S'p=M' mod (p*r1) or S'q=M' mod (q*r2) is detectable with simple SCA.

Simple SCA

/

factorisation of N;

CRT modular reduction of M

The integer division has strong leakage revealing the quotient.

A simple SCA on the modular reduction of M' mod (r1*p) reveals the quotient ⌊M' / (r1*p)⌋. By applying lattice reduction techniques the modulus N = p*q can be factorized.

/

[K04] tested RSA moduli of different bit lengths up to 2048. For bit lengths of N, ⌈M − M'⌉ and r1 (resp. r2) in the ratio 16 : 2 : 1, the attack was applied successfully.

[K04]

Table 7: Side-channel attacks on RSA-CRT


4.5 RSA Key Generation

The key generation requires two randomly chosen primes p and q. These are mostly generated by choosing a random number and applying a probabilistic primality test. Given these primes and e, which is part of the public key and assumed to be known, all RSA parameters can be calculated.

As noted in [H12], it is vitally important to the security of the keys that they are generated using random inputs with sufficient entropy. Otherwise, an adversary may be able to guess those inputs and thus recover the keys without having to laboriously factor the modulus N.

Security evaluation must also take into account purely cryptanalytic attacks, i.e. factoring attacks, using special properties of p and q, like a small difference between p and q (see [We02]).

In the following we will use the identifier RKG_x for these attacks.

A possible algorithm to generate the primes p and q starts with an odd random number v and performs trial divisions by small odd primes from a set T. If none of the elements of T divides v, a probabilistic primality test is applied. If v is not prime, v is incremented by two and the algorithm starts again. The attack RKG_1 exploits the fact that this algorithm prefers primes after a long prime gap. It is assumed that the attacker can find out the number of trial divisions via side channels. From this information he can conclude p mod s and q mod s, where s is the product of small primes from the set T. Using the LLL algorithm he can calculate the two primes after certain transformations.


Identifier Precondition Category / Target Short description / Remark Reference

RKG_1 Prime generation algorithm: Starting with a random odd prime candidate v, trial divisions by small odd primes from a particular set T are performed, and to the ‘surviving’ prime candidates the Miller-Rabin primality test (or any other probabilistic primality test) is applied. If a prime candidate fails, the next candidate is built from the former by iteratively incrementing with 2.

Exact number of trial divisions for each prime candidate v, v+2, v+4, ... is detectable

Simple SCA;

Local timing;

/

generated primes;

Prime Generation algorithm

The identified numbers of trial divisions for each prime candidate yield information on p and q, namely p mod s and q mod s for some modulus s, which is a product of small primes of the set T. After some transformations and using the LLL algorithm, the primes can be calculated.

The attack will be successful if s is sufficiently large

/

For realistic parameters the success probability of the attack is in the order of 10–15 %.

Furthermore, a typical implementation of an extended Euclidean algorithm for modular inversion can leak additional information through the number of computation steps in the form of integer divisions. In some cases this information can be combined to factor the modulus and break the RSA parameters completely (see ch. 3.2 in [FGS09]).

Although the RSA key could not be retrieved in all cases, such a side-channel attack can be used as a preparatory step for an attack on the RSA implementation.

[FGS09]
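Added example, not part of the document or of [FGS09]: a simulation of the prime generation algorithm described for RKG_1 with a constructed set T of trial-division primes, a trace of the number of trial divisions per candidate (the quantity the attack assumes to be observable by SCA or local timing), the inference of p mod t for every prime t of T that rejected a candidate, their CRT combination to p mod s, and a variant of the search whose trace is constant. The lattice (LLL) step that turns p mod s into p is out of scope and not implemented; 32-bit candidates and a trial-division primality test are used only to keep the run short.

```python
import math
import random

# The set T of small odd trial-division primes (constructed for the demo).
T = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def is_prime_small(n):
    """Stand-in for the probabilistic primality test; exact for the 32-bit candidates used here."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))


def leaky_prime_search(v0, trial_primes=T, is_prime=is_prime_small):
    """Prime generation as described for RKG_1: trial divisions in the order of T with
    an early exit at the first divisor, a primality test on the survivors, then v += 2.
    Returns (prime, trace); trace[j] is the number of trial divisions spent on candidate
    v0 + 2j, i.e. the quantity the attack assumes the side channel reveals."""
    v, trace = v0, []
    while True:
        n, rejected = 0, False
        for t in trial_primes:
            n += 1
            if v % t == 0:
                rejected = True
                break                          # early exit: this is the leak
        trace.append(n)
        if not rejected and is_prime(v):
            return v, trace
        v += 2


def regular_prime_search(v0, trial_primes=T, is_prime=is_prime_small):
    """Countermeasure sketch: every candidate is divided by every prime of T, so the
    per-candidate count is the constant len(T) and names no divisor."""
    v, trace = v0, []
    while True:
        rejected = sum(v % t == 0 for t in trial_primes) > 0   # no early exit
        trace.append(len(trial_primes))
        if not rejected and is_prime(v):
            return v, trace
        v += 2


def infer_residues(trace, trial_primes=T):
    """What the trace gives away. Candidate j (value v0 + 2j) that stopped after
    n < len(T) divisions is divisible by t = T[n-1]; the accepted prime is
    p = v0 + 2J with J = len(trace) - 1, hence p == 2(J - j) (mod t). A count of
    len(T) is ambiguous (rejected by the last prime, or survived) and is skipped."""
    J = len(trace) - 1
    residues = {}
    for j, n in enumerate(trace[:-1]):
        if n < len(trial_primes):
            t = trial_primes[n - 1]
            residues.setdefault(t, (2 * (J - j)) % t)
    return residues


def crt_combine(residues):
    """Combine the learned p mod t into p mod s, s = product of those t (Garner-style)."""
    s, a = 1, 0
    for t, r in residues.items():
        a += s * ((r - a) * pow(s, -1, t) % t)
        s *= t
    return a % s, s


if __name__ == "__main__":
    v0 = random.Random(5).getrandbits(32) | (1 << 31) | 1   # constructed odd start value
    p, trace = leaky_prime_search(v0)
    residues = infer_residues(trace)
    a, s = crt_combine(residues)
    print(f"prime {p}, candidates tried {len(trace)}, learned p mod {s} = {a}")
```

The trace only identifies the *first* divisor of each rejected candidate; the candidates that survived T and failed the primality test contribute nothing here, which is why the page reports the attack succeeding only for a fraction of keys and why the modulus s depends on how long the prime gap before p was.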

RKG_2 Bit length of d small Cryptanalytic Attack

/

generation of d

For factoring attack see [B99], chapter 3.

/

A fault attack could possibly force a small d during key generation.

[B99]

Table 8: Side-channel attacks on RSA key generation


4.6 RSA Signature Verification

The target of the attacks discussed in this section is the RSA signature verification result, i.e. forcing the verification to accept a forged signature without knowledge of the private key.

In the following we will use the identifier RV_x for these attacks.

The Bleichenbacher attack (RV_1 / Bleichenbacher attack 2006) is an attack on a constant padding using the public exponent e=3. The padded block can be modified in a way that makes the extraction of a cube root possible. The result will be accepted by the signature verification if the padding is not verified completely.

The enhanced Xbox attack (RV_2 / enhanced Xbox attack) is a fault attack. In the so-called offline phase a modulus N' is found such that d' with d'*e mod φ(N') = 1 can be computed easily. For any chosen message M the signature S' = M^d' mod N' is computed. In the so-called online phase the signature verification algorithm with input (M, S') is executed and faults are induced to switch the modulus N to N'.


Identifier Precondition Category / Target Short description / Remark Reference

RV_1 / Bleichenbacher attack 2006

RSA verification of

• chosen M

• known N

• e=3 (small e)

constant RSA Padding

incomplete verification of message padding

Direct Attack

/

Signature verification

By modification of the padded message it is possible to generate a forged signature by extracting a 3rd root instead of applying the private key; the forgery is accepted by the signature verification.

/

Private key remains unknown.

In [B06a] this was applied to padding according to RSA PKCS#1 v1.5.

Whenever a small value of e is used and an e-th root of a modification of a padded message can be found, the attack is possible.

[B06a]
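Added example (not from the original document or from [B06a]): a PKCS#1 v1.5 verifier that parses the padding from the left and stops after the hash, next to a verifier that rebuilds the full encoded block and compares all of it, together with the e = 3 cube-root construction of RV_1 run against the lax one. The 3072-bit N is a constructed odd number standing in for a modulus rather than an RSA key; the construction does not depend on its factorisation, which is exactly the point of the attack.

```python
import hashlib

# DigestInfo prefix for SHA-256 in EMSA-PKCS1-v1_5 (RFC 3447, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
E = 3
K_BYTES = 384
# Constructed 3072-bit odd number standing in for a modulus. It is not an RSA key
# and its factorisation is unknown; the forgery below never needs it.
N = int.from_bytes(hashlib.sha512(b"ais46-demo-modulus").digest() * 6, "big") | (1 << 3071) | 1


def digest_info(msg):
    return SHA256_DIGESTINFO + hashlib.sha256(msg).digest()


def pkcs1_v15_encode(msg, k=K_BYTES):
    """Correct encoding: 00 01 FF..FF 00 DigestInfo, the padding filling the whole block."""
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_strict(n, e, msg, sig):
    """Hardened verifier: rebuild the expected block and compare all k bytes."""
    k = (n.bit_length() + 7) // 8
    return pow(sig, e, n).to_bytes(k, "big") == pkcs1_v15_encode(msg, k)


def verify_lax(n, e, msg, sig):
    """Vulnerable verif of the kind RV_1 targets: it walks the padding from the
    left, checks DigestInfo and hash where the padding ends, and never looks at
    what follows, so the padding length is not enforced."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i >= k or em[i] != 0x00:
        return False
    t = digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t          # trailing bytes ignored: the flaw


def cube_root_ceil(x):
    """Smallest integer s with s^3 >= x (binary search on arbitrary-precision ints)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def forge_e3(n, msg):
    """The RV_1 construction for e = 3: a block with a short padding, DigestInfo
    and hash, and a long zero tail; the ceiling cube root of that block cubes back
    to a number with the same leading bytes, because the rounding error (about
    3*s^2) is far smaller than the zeroed tail. No private key is involved."""
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    return cube_root_ceil(target)


if __name__ == "__main__":
    msg = b"constructed message"
    s = forge_e3(N, msg)
    print("lax verifier accepts:   ", verify_lax(N, E, msg, s))
    print("strict verifier accepts:", verify_strict(N, E, msg, s))
```

The evaluator's check is the one verify_strict makes: the verifier must compare the complete encoded block (or at least enforce that the DigestInfo ends exactly at the last byte), not parse it.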

RV_2 / enhanced Xbox attack

No integrity protection of public keys

RSA verification of

• known Mi

• unknown modified N'

Device's fault model defining how modulus N can be modified into N' during fault attack is known.

Fault attack modifies the modulus before RSA verification

Fault attack;

Logical SCA

/

Signature verification

Two steps:

1. Off-line: According to the device's fault model the attacker tries to find a faulty modulus N' such that the inverse d' of e mod φ(N') can be computed efficiently (e.g. the factorization of N' is known). Then the signature S' = M^d' mod N' for every selected message M is constructed.

2. On-line: The signature verification algorithm with (S', M) as input is executed on the device while trying to inject a fault during this procedure, in order to make the computation proceed modulo the targeted N' instead of modulo N.

/

[M05]


The probability of success, and so the average required number of faults, depends on the accuracy of the fault model and on the attacker's capability to produce a sufficiently precise fault to obtain the faulty modulus N' with non-negligible probability.

Some unauthorized access can be granted but the RSA key itself is not broken.

Table 9: Side-channel attacks on RSA signature verification


5 DSA

The Digital Signature Algorithm (DSA) is defined in the standard [FIPS 186-3]. We will use the notations from [Q02] in the following.

The signature algorithm DSA makes use of the following parameters:

p: a prime number;

q: a prime number, divisor of p-1;

g: an element of order q mod p;

x: a randomly chosen integer with 0<x<q, associated to a given signer;

k: a randomly chosen integer with 0<k<q, only valid for one signature. k is often called ephemeral key or simply nonce.

The standard specifies the following choices for the pair L and N (the bit lengths of p and q, respectively):

L = 1024, N = 160 (footnote 10);

L = 2048, N = 224;

L = 2048, N = 256;

L = 3072, N = 256.

The integers p, q and g are the system parameters and can be public and used by many signers. The private signing parameter of a given signer is x and the corresponding public verification parameter of the same signer is the value y = g^x mod p.

The signature of the message M is the pair of numbers r and s computed according to the following formulas, where H is a suitably chosen hash function:

r = (g^k mod p) mod q, s = k^(-1) * (H(M) + x*r) mod q.

It shall be checked whether r = 0 or s = 0. If either r = 0 or s = 0, a new value of k shall be generated and the signature shall be recalculated.

The verifier first checks to see that 0<r<q and 0<s<q; if either condition is violated the signature shall be rejected. He then computes

((g^(H(M)*s^(-1) mod q) * y^(r*s^(-1) mod q)) mod p) mod q

and compares to r. If the equality occurs the verifier accepts the message and the signature; otherwise the verifier rejects the message and the signature.

The DSA has the advantage that signatures are fairly short. The RSA signature is about three times as long for a comparable security level.

Footnote 10: Most common choice of parameters.


5.1 Security Recommendations

1. It is very important for the random number k to be kept secret by the signer. As a matter of fact, if k were known, it would suffice for the attacker to compute (s*k − H(M)) * r^(-1) mod q to immediately obtain the signer's secret key x from the corresponding signature.

2. A different k must be selected for each message signed; otherwise, the private key can be determined with high probability as follows: Suppose two different messages M1 and M2 with H(M1) ≠ H(M2) are signed to s1 and s2 with the same nonce k; then k can be computed directly by k = (s1 − s2)^(-1) * (H(M1) − H(M2)) mod q, and so the signer's secret key x.

5.2 Template Generation

The evaluator shall check the signature verification routines for template attack paths for the private key operations. In particular, it should be noted that a successful side-channel measurement does not necessarily require the verified signatures to be correct, so (r,s) could possibly be chosen by the attacker from the full range 0<r<q and 0<s<q.

5.3 Side-Channel Attacks on DSA

We give an overview of the side-channel attacks on DSA. We will use the identifier DSA_x.

By side-channel analysis or by a bias of the RNG the attacker can find out a few bits of the nonce k. Attack DSA_1 applies lattice basis reduction techniques to obtain the private key in this situation.

The attack DSA_2 is a timing attack on x. x*r mod q is calculated. The time for the modular reduction depends on the most significant bits of x and r. Since r is known, the most significant bits of x can be identified. Instead of a timing attack a template attack is also possible; this attack has the identifier DSA_6.

There are several fault attacks on DSA. In DSA_3 the attacker has to flip one bit of x during the signature generation. Then the TOE puts out a faulty signature (r, s'). Let

T = ((g^(H(M)/s' mod q) * y^(r/s' mod q)) mod p) mod q

be the signature verification value with the faulty signature. For each bit position i, a correction factor

Ri = g^(e_i * r / s' mod q) with e_i = 2^i

is calculated. Either T*Ri or T/Ri now passes the verification comparison with r. By this the bit position i and the correct bit value are determined.
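Added example covering the DSA formulas of Chapter 5, the two recommendations of Section 5.1 and the bit-flip fault attack DSA_3; it is not code from the document or from [NUS97]. Domain parameters are generated at toy size (32-bit q) from a constructed seed, the hash is SHA-256 reduced mod q, and the fault is a simulated XOR of one bit of x. One detail the code makes explicit: the correction factor Ri has to be applied to the verification value before the final reduction mod q, so T is kept mod p.

```python
import hashlib
import random

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic far beyond the sizes used here."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params(rng, qbits=32):
    """Toy DSA parameters (p, q, g): q prime, p = q*t + 1 prime, g of order q mod p.
    Far below the (L, N) pairs of FIPS 186-3; constructed for speed only."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    t = 2
    while not is_probable_prime(q * t + 1):
        t += 2                                   # p must be odd, so t stays even
    p = q * t + 1
    h = 2
    while pow(h, t, p) == 1:
        h += 1
    return p, q, pow(h, t, p)


def hash_mod_q(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def sign(params, x, h, k):
    """r = (g^k mod p) mod q, s = k^-1 (H(M) + x r) mod q, as in Chapter 5."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (h + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("r or s is zero: regenerate k")
    return r, s


def verify(params, y, h, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return (pow(g, h * w % q, p) * pow(y, r * w % q, p) % p) % q == r


def recover_from_shared_nonce(q, h1, sig1, h2, sig2):
    """Section 5.1, item 2: k = (s1 - s2)^-1 (H(M1) - H(M2)) mod q; then item 1:
    x = (s k - H(M)) r^-1 mod q."""
    r, s1 = sig1
    _, s2 = sig2
    k = pow((s1 - s2) % q, -1, q) * (h1 - h2) % q
    x = (s1 * k - h1) * pow(r, -1, q) % q
    return k, x


def recover_bit_from_fault(params, y, h, faulty_sig):
    """DSA_3: with x' = x XOR 2^i, T = g^(H/s') y^(r/s') mod p equals g^k times
    R_i^-1 (bit i of x was 0) or R_i (bit i was 1), where R_i = g^(2^i r / s').
    Returns (i, bit) for the i whose corrected value reduces to r mod q."""
    p, q, g = params
    r, s_ = faulty_sig
    w = pow(s_, -1, q)
    T = pow(g, h * w % q, p) * pow(y, r * w % q, p) % p   # kept mod p on purpose
    for i in range(q.bit_length()):
        R = pow(g, (1 << i) * r * w % q, p)
        if T * R % p % q == r:
            return i, 0
        if T * pow(R, -1, p) % p % q == r:
            return i, 1
    return None


def demo(seed=2013):
    """Runs the three scenarios on one constructed key and reports what worked."""
    rng = random.Random(seed)
    params = make_params(rng)
    p, q, g = params
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    k = rng.randrange(1, q)
    h1, h2 = hash_mod_q(b"first message", q), hash_mod_q(b"second message", q)
    sig1, sig2 = sign(params, x, h1, k), sign(params, x, h2, k)   # same k twice
    k_rec, x_rec = recover_from_shared_nonce(q, h1, sig1, h2, sig2)
    i = 7
    faulty = sign(params, x ^ (1 << i), h1, rng.randrange(1, q))   # bit i of x flipped
    return {
        "verify_ok": verify(params, y, h1, sig1),
        "nonce_reuse_recovers_key": (k_rec, x_rec) == (k, x),
        "fault_recovers_bit": recover_bit_from_fault(params, y, h1, faulty) == (i, (x >> i) & 1),
    }
```

Each faulty signature yields one bit of x, which is why [NUS97] needs as many faulty signatures as x has bits; the countermeasures the table lists for DSA_3 (blinding of x, modulus blinding) remove the fixed relation between T and g^k that the correction step relies on.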

The attack DSA_4 introduces faults into the public parameters such that a forged signature will be accepted. This means (p,q,g) are replaced by faulty parameters (p',q',g'). There are three different possibilities.

- The attacker finds two messages M and M' such that H(M) − H(M') is a 160-bit prime. Now he sets q' = |H(M) − H(M')| and can choose p' and g' such that a valid signature for M will also be valid for M'.


- The attacker sets g' = 1; then for any message M the signature r = (y^k mod p) mod q and s = r/k mod q will be accepted.

- The attacker sets g' = y^a mod p for a known a during verification. Now for any chosen M' the signature r = (y^k mod p) mod q and s = (a*H(M') + r)/k mod q will be accepted.

Attack DSA_5 is a fault attack. Here faults are introduced such that p and g are replaced by p' and g', where

- p' is 159 bits long, p' < q and p' has the form p' = t*2^s + 1 with s big and t a small prime number;

- 1 < g' < p' − 1 and g' is a generator of the multiplicative group Z*_{p'}.

The TOE calculates r' = ((g')^k mod p') mod q and s' = ((k^(-1) mod q) * (H(M) + x*r')) mod q. Since p' < q, r' = (g')^k mod p' holds, and the attacker has transferred the discrete logarithm problem to a group where it can be easily solved, so he can compute k. After that he can compute x.


Identifier Precondition Category / Target Short description / Remark Reference

DSA_1 Signatures with few known bits of the nonce (ephemeral key) are available

Cryptanalytic Attack;

/

Private DSA key x

Private key can be obtained from modular equations by applying lattice basis reduction techniques (hidden number problem).

/

A few bits of the nonce can be obtained either via side channels or from a bias of the RNG (see [NS02]).

Conclusions from [Q02]:

• If the nonce k is chosen with fewer bits than q, then this attack obviously applies.

• If k is computed from a uniformly distributed 160-bit random value modulo q, where q has bit length 160, values of k in the range [0, 2^160 − q − 1] occur twice as often as values in the range [2^160 − q, q − 1], so k is biased. Very little information is available regarding the attack itself, but, according to the FIPS change notice, the attack has a workload of 2^64 and requires 2^22 known signatures.

• Note that this does in no way mean that the first bit of this 160-bit value has to be forced to 1 (on the contrary, this would be an open door to the above attack).

• If the random nonce k is always odd, its least significant bit leaks.

Without counter measures, a timing attack at the logical interface could be feasible (see [BT11] in the ECDSA case).

Fault attacks like glitch attacks could be used to actively modify a number of least significant bytes of k to zero (see [NNT05]).

If an ephemeral key k is produced by a linear congruential generator with known parameters, or variants of it, the private DSA key can be easily recovered by solving modular equations given in different moduli (see [BGM97]).

[NS02]

[BGM97]

[NNT05]

[BT11]

[Q02]

DSA_2 No blinding of private key x; no modulus blinding

DSA signature generation of

• random but known H(M)

• with private DSA key x

• unknown ephemeral key k

Timing of calculation of x*r mod q depends on arguments

Timing measurements with chosen arguments available

Logical SCA;

Timing

/

Private DSA key x;

Modular reduction

In the considered scenario, (H(M) + x*r) mod q is calculated by long-integer operations followed by a modular reduction involving an integer division. The overall signature generation time is correlated with the time for the modular reduction of x*r mod q, which depends on the most significant bits of x*r. Since r is known, the upper bits of x could be identified by looking for the strongest probabilities over the samples, see also ME_4.

/

Measurement errors that are large relative to the standard deviation of the total modular exponentiation time will increase the number of measurements needed.

[K96]

DSA_3 No blinding of private key x; no modulus blinding

DSA signature generation of

Differential FA;

/

Private DSA key x:

The x∗r mod q computation is targeted by the differential fault attack, the value of x is modified before the computation. [NUS97] considers a single bit fault model, where 160 faulty signatures are needed, i.e. one for each of the bits of the private key.

[NUS97]

[GK04]

[GKT10]


• random but known H(M)

• with private DSA key x

• unknown ephemeral key k

Several faulty DSA signatures with a single bit flip or single byte fault of the private key x before the modular multiplication x*r mod q.

Modular multiplication key.

The faulty signature (r, s') is calculated correctly but with a faulty x'. Let

T = ((g^(H(M)/s' mod q) * y^(r/s' mod q)) mod p) mod q

be the signature verification value with the faulty signature.

For each bit position i ∈ [0, 1, ..., 159] a correction factor Ri = g^(e_i * r / s' mod q) with e_i = 2^i is calculated. Either T*Ri or T/Ri now passes the verification comparison with r. By this the bit position i and the correct bit value are determined.

/

[GK04] considers a single byte fault model where 2304 faulty signatures are needed, in [GKT10] this is reduced to 1488 signatures.

DSA_4 No integrity protection of public parameters

DSA verification of

• a known M and a specially chosen M'

• modify public parameters to certain values

Fault attack;

Logical SCA

/

Signature verification

Forge public parameters of DSA such that either a forged signature to a chosen message M' gets accepted or a valid signature (r,s) to a known message M gets accepted as a signature to M'.

The following attacks could be performed:

• For given M and chosen M' check whether q' = |H(M) − H(M')| is prime (with sufficient length). The probability is about 1/111. Given a prime q', construct valid p' and g'. Then (r,s) is also a valid signature for M' under the public parameters q', p', g'.

• Set g=1, so signature verification accepts any signature forged

[V96]


• If g is changed to g' = y^a mod p for a known a during verification, then an attacker can forge a signature that is accepted for any chosen M' by r = (y^k mod p) mod q and s = (a*H(M') + r)/k mod q.

DSA_5 No integrity protection of public parameters

DSA generation of

• unknown M

• modify public parameters to certain values

Fault attack;

Logical SCA

/

Signature generation:private DSA key

Attacker replaces p by p' such that

• p' is 159-bit long and p' < q;

• p' has the form p' = t*2^s + 1, with s big and t a small prime number;

and g by g' such that

• 1 < g' < p' – 1

• g' is a generator of the multiplicative group Z*_{p'}.

The signature produced with these replaced parameters is

• r' = ((g')^k mod p') mod q, for some secret value k;

• s' = ((k^(-1) mod q) * (H(M) + x*r')) mod q.

Since p' < q, the first relationship is equivalent to r' = (g')^k mod p', and the discrete log problem that has to be solved to get k has been transferred into a group in which it is easy to solve, due to the special form of p'. With k, the private key x could be determined.

[KR01]

DSA_6 No blinding of private key x; Template SCA

/

Template attack on x*r mod q as in ME_BME_6 instead of timing attack as in DSA_2.


DSA signature generation of

• random but known H(M)

• with private DSA key x

• unknown ephemeral key k

Modular multiplication realized with l-bit multiplier with l≤16.

Templates of modular multiplication available

/

modular multiplication: private DSA key x


Table 10: Side-channel attacks on DSA


6 Diffie-Hellman Key Exchange

Alice and Bob want to create a common secret. For this purpose they agree publicly on a prime p and a base g ∈ Z_p. Alice chooses a private key dA with 0 < dA < p−1 and Bob chooses a private key dB with 0 < dB < p−1. Now Alice sends g^dA ∈ Z_p to Bob and Bob sends g^dB ∈ Z_p to Alice.

After that Alice and Bob share the common secret g^(dA*dB) ∈ Z_p.

We will use the identifier DH_x for side-channel attacks on Diffie-Hellman key exchange.

The Diffie-Hellman key exchange protocol can be attacked via a DPA on intermediate values as in DH_1. Also the common secret can be attacked via a template attack in DH_2.


Identifier Precondition Category / Target Short description / Remark Reference

DH_1 DH shared secret generation of

• known varying Mi

• static private key

No randomization of message or exponent

Differential SCA;

/

Private exponent d

See ME_1.

DH_2 Samples for creating templates

Leakage of the result of the DH shared secret generation

Template SCA

/

shared secret

The result of the DH shared secret generation leaks by side-channel. Templates can be created by using samples such that a template attack on the shared secret becomes feasible.

Table 11: Side-channel attacks on Diffie-Hellman key exchange


7 Glossary

ADPA Address-bit Differential Power Analysis

BPA Branch Prediction Analysis

CA Certificate Authority

CLNW Constant Length Non-Zero Window

CPA Comparative Power Analysis

CRT Chinese Remainder Theorem

CSCA Comparative Side-Channel Analysis

C SEA Computational Safe-Error Attack

DFA Differential Fault Analysis

DH Diffie-Hellman Key Exchange

DPA Differential Power Analysis

DSA Digital Signature Algorithm

DSCA Differential Side-Channel Analysis

ECC Elliptic Curve Cryptography

EMV EuroPay, MasterCard and Visa Integrated Circuit Card Specification

FA Fault Analysis

ISO International Organization for Standardization

LNCS Lecture Notes in Computer Science

LLL Lenstra-Lenstra-Lovasz-Algorithm

LSB Least Significant Bit

ME Modular Exponentiation

MESD Multiple-Exponent, Single-Data

MRED Modular Reduction using Equidistant Data

M SEA Memory Safe-Error Attack

MSB Most Significant Bit


NAF Non-Adjacent Form (representation of the exponent)

Open SSL Open Secure Sockets Layer Protocol

PKCS Public-Key Cryptography Standard

PRNG Pseudo Random Number Generator

RSA Rivest-Shamir-Adleman-Algorithm

RSA-CRT Rivest-Shamir-Adleman-Algorithm using the Chinese Remainder Theorem

RSA-straight Rivest-Shamir-Adleman-Algorithm not using the Chinese Remainder Theorem

RSAES-OAEP Rivest-Shamir-Adleman-Encryption-Primitive Optimal Asymmetric Encryption Padding

SBPA Simple Branch Prediction Analysis

SCA Side-Channel Analysis

SEA Safe-Error Attack

SEMD Single-Exponent, Multiple-Data

SPA Simple Power Analysis

SSCA Simple Side-Channel Analysis

SSL Secure Sockets Layer Protocol

TLS Transport Layer Security Protocol

TOE Target of Evaluation (product to be investigated, subject to side-channel analysis)

VLNW Variable Length Non-Zero Window

ℤ_N Ring ℤ/Nℤ of integers modulo N

ℤ*_N Group of units in the ring ℤ/Nℤ of integers modulo N (i.e. integers modulo N which are not zero and coprime to N)

ℤ_N[x] Ring of polynomials in one variable with coefficients in the ring ℤ/Nℤ of integers modulo N

ZDN 'Zwei-Drittel-N' multiplication

ZEMD Zero-Exponent, Multiple-Data

Table 12: Glossary


8 Literature

8.1 Considered Literature

Reference Title Identifier

[ABF02] Aumüller, Christian; Bier, Peter; Fischer, Wieland; Hofreiter, Peter; Seifert, Jean-Pierre: Fault attacks on RSA with CRT: Concrete Results and Practical Countermeasures. In: Kaliski, B.; Koç, Ç.; Paar, C. (Eds.): Proceedings of CHES 2002. LNCS, vol. 2523, pp. 260-275. Berlin, Heidelberg: Springer-Verlag 2003

RC_7

[AFV07] Amiel, Frederic; Feix, Benoit; Villegas, Karine: Power Analysis for Secret Recovering and Reverse Engineering of Public Key Algorithms. In: Adams, C.; Miri, A.; Wiener, M. (Eds.): Proceedings of SAC 2007. LNCS, vol. 2876, pp. 110-125. Berlin, Heidelberg: Springer-Verlag 2007, Chap. 4.3 second attack scenario 'Correlation during the CRT recombination'

ME_1, RC_5, RC_6

[ASK05] Acıiçmez, Onur; Schindler, Werner; Koç, Çetin: Improving Brumley and Boneh Timing Attack on Unprotected SSL Implementations. In: Proceedings of ACM CCS 2005

RC_2

[B06a] Bleichenbacher, Daniel: An Attack on RSA Digital Signature. Rump Session of Crypto 2006.

NIST statement on http://csrc.nist.gov/groups/ST/toolkit/documents/dss/RSAstatement_10-12-06.pdf

RV_1

[B98] Bleichenbacher, Daniel: Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. In: Krawczyk, H. (Ed.): Proceedings of Crypto 1998. LNCS, vol. 1462, pp. 1-12. Berlin, Heidelberg: Springer-Verlag, 1998

R_2

[BB03] Brumley, David; Boneh, Dan: Remote timing attacks are practical. In: Proceedings of the 12th Usenix Security Symposium, 2003

RC_2

[BCC06] Brier, Eric; Chevallier-Mames, Benoit; Ciet, Mathieu; Clavier, Christophe: Why One Should Also Secure RSA Public Key Elements. In: Goubin, L.; Matsui, M. (Eds.): Proceedings of CHES 2006. LNCS, vol. 4249, pp. 324-338. Berlin, Heidelberg: Springer-Verlag 2006

RS_2

[BDF98] Boneh, Dan; Durfee, Glenn; Frankel, Yair: An Attack on RSA Given a Small Fraction of the Private Key Bits. In: Ohta, K.; Pei, D. (Eds.): Proceedings of Asiacrypt 1998. LNCS, vol. 1514, pp. 25-34. Berlin, Heidelberg: Springer-Verlag 1998

R_1


[BDL96], [BDL96_extended], [BDL97], [BDL01] Boneh, Dan; DeMillo, Richard A.; Lipton, Richard J.: On the Importance of Checking Computations. Bellcore Press Release, September 1996. Published in: Fumy, W. (Ed.): Proceedings of Eurocrypt 1997. LNCS, vol. 1233, pp. 37-51. Berlin, Heidelberg: Springer-Verlag 1997. Extended version in J. of Cryptology 14(2), 2001

RS_2, R_7

[BFK+12] Bardou, Romain; Focardi, Riccardo; Kawamoto, Yusuke; Simionato, Lorenzo; Steel, Graham; Tsay, Joe-Kai: Efficient Padding Oracle Attacks on Cryptographic Hardware. In: Safavi-Naini, R.; Canetti, R. (Eds.): Proceedings of CRYPTO 2012. LNCS, vol. 7417, pp. 608-625. 2012

R_2

[BGM97] Bellare, Mihir; Goldwasser, Shafi; Micciancio, Daniele: "Pseudo-random" number generation within cryptographic algorithms: The DSS case. In: Krawczyk, H. (Ed.): Proceedings of Crypto 1998. LNCS, vol. 1462, pp. 1-12. Berlin, Heidelberg: Springer-Verlag, 1998

DSA_1

[BLW02] den Boer, Bert; Lemke, Kerstin; Wicke, Guntram: A DPA Attack against the Modular Reduction within a CRT Implementation of RSA. In: Kaliski, B.; Koç, Ç.; Paar, C. (Eds.): Proceedings of CHES 2002. LNCS, vol. 2523, pp. 228-243. Berlin, Heidelberg: Springer-Verlag 2003, Chap. 4 and 5

RC_6

[BM03] Blömer, Johannes; May, Alexander: New Partial Key Exposure Attacks on RSA. In: Boneh, D. (Ed.): Proceedings of Crypto 2003. LNCS, vol. 2729. pp. 27-43. Berlin, Heidelberg: Springer-Verlag 2003

R_1

[BT11] Brumley, Billy Bob; Tuveri, Nicola: Remote Timing Attacks are Still Practical, http://eprint.iacr.org/2011/232

DSA_1

[C97] Coppersmith, Don: Small solutions to polynomial equations, and low exponent RSA vulnerabilities, Journal of Cryptology, 10:233-260, 1997

Chap. 4.1

[CFG10] Clavier, Christophe; Feix, Benoit; Gagnerot, Georges; Roussellet, Mylène; Verneuil, Vincent: Horizontal Correlation Analysis on Exponentiation. In: Proceedings of ICICS 2010. Full version at http://eprint.iacr.org/2010/394

ME_E_1, ME_BME_5

[CFPR96] Coppersmith, Don; Franklin, Matthew; Patarin, Jacques; Reiter, Michael: Low-Exponent RSA with Related Messages. In: Maurer, U. (Ed.): Proceedings of Eurocrypt 1996. LNCS, vol. 1070, pp. 1-9. Berlin, Heidelberg: Springer, 1996

Chap. 4.1.

[DLPSS11] Degabriele, Jean Paul; Lehmann, Anja; Paterson, Kenneth G.; Smart, Nigel; Strefler, Mario: On the Joint Security of Encryption and

Chap. 4.2.


[E01] | Everstine, Eric W.: Partial Key Exposure Attack On Low-Exponent RSA. 2001, http://www.cs.umd.edu/Honors/reports/Everstine/390ResearchPaper.pdf | R_1

[ECC-Guide] | Minimum Requirements for Evaluating Side-channel Attack Resistance of Elliptic Curve Implementations, Bundesamt für Sicherheit in der Informationstechnik, 2011 |

[EJMW05] | Ernst, Matthias; Jochemsz, Ellen; May, Alexander; de Weger, Benne: Partial Key Exposure Attacks on RSA Up to Full Size Exponents. In: Cramer, R. (Ed.): Proceedings of Eurocrypt 2005. LNCS, vol. 3494, pp. 371-386. Berlin, Heidelberg: Springer 2005 | R_1

[FGS09] | Finke, Thomas; Gebhardt, Max; Schindler, Werner: A New Side-Channel Attack on RSA Prime Generation. In: Clavier, C.; Gaj, K. (Eds.): Proceedings of CHES 2009. LNCS, vol. 5747, pp. 141-155. Berlin, Heidelberg: Springer 2009 | RKG_1

[FKM06] | Fouque, Pierre-Alain; Kunz-Jacques, Sébastien; Martinet, Gwenaëlle; Muller, Frédéric; Valette, Frédéric: Power Attack on Small RSA Public Exponent. In: Goubin, L.; Matsui, M. (Eds.): Proceedings of CHES 2006. LNCS, vol. 4249, pp. 324-338. Berlin, Heidelberg: Springer-Verlag 2006 | RS_3

[FMP03] | Fouque, Pierre-Alain; Martinet, Gwenaëlle; Poupard, Guillaume: Attacking Unbalanced RSA-CRT Using SPA. In: Walter, C.; Koç, Ç.; Paar, C. (Eds.): Proceedings of CHES 2003. LNCS, vol. 2779, pp. 254-268. Berlin, Heidelberg: Springer-Verlag 2003 | RC_4

[FRVD08] | Fouque, Pierre-Alain; Réal, Denis; Valette, Frédéric; Drissi, Mhamed: The carry leakage on the randomised exponent countermeasure. In: Oswald, E.; Rohatgi, P. (Eds.): Proceedings of CHES 2008. LNCS, vol. 5154, pp. 198-213. Berlin, Heidelberg: Springer-Verlag 2008 | ME_BME_7

[FV03] | Fouque, Pierre-Alain; Valette, Frédéric: The Doubling Attack – Why Upwards Is Better than Downwards. In: Walter, C.; Koç, Ç.; Paar, C. (Eds.): Proceedings of CHES 2003. LNCS, vol. 2779, pp. 254-268. Berlin, Heidelberg: Springer-Verlag 2003 | ME_6

[GK04] | Giraud, Christophe; Knudsen, Erik Woodward: Fault Attacks on Signature Schemes. In: Wang, H.; Pieprzyk, J.; Varadharajan, V. (Eds.): Proceedings of ACISP 2004. LNCS, vol. 2108, pp. 478-491. Berlin, Heidelberg: Springer-Verlag 2004 | DSA_3

[GKT10] | Giraud, Christophe; Knudsen, Erik Woodward; Tunstall, Michael: Improved Fault Analysis of Signature Schemes. In: Gollmann, D.; Lanet, J.-L.; Cartigny, J. (Eds.): Proceedings of CARDIS 2010. LNCS, vol. 6035, pp. 164-181. Berlin, Heidelberg: Springer-Verlag 2010 | DSA_3

[H09] | Hlaváč, Martin: Known-Plaintext-Only Attack on RSA-CRT with Montgomery Multiplication. In: Clavier, C.; Gaj, K. (Eds.): Proceedings of CHES 2009. LNCS, vol. 5747, pp. 141-155. Berlin, Heidelberg: Springer-Verlag 2009 | RC_4

[H85] | Håstad, Johan: On using RSA with Low Exponent in a Public Key Network. In: Williams, H. (Ed.): Proceedings of Crypto 1985. LNCS, vol. 218, pp. 403-408. Berlin, Heidelberg: Springer-Verlag 1985 | Chap. 4.1

[HM07] | Herbst, Christoph; Medwed, Marcel: Using Templates to Attack Masked Montgomery Ladder Implementations of Modular Exponentiation. In: Chung, K.-I.; Sohn, K.; Yung, M. (Eds.): Proceedings of WISA 2008. LNCS, vol. 5379, pp. 1-13. Berlin, Heidelberg: Springer-Verlag 2009 | ME_BME_6

[HMA08] | Homma, Naofumi; Miyamoto, Atsushi; Aoki, Takafumi; Satoh, Akashi; Shamir, Adi: Collision-Based Power Analysis of Modular Exponentiation Using Chosen-Message Pairs. In: Oswald, E.; Rohatgi, P. (Eds.): Proceedings of CHES 2008. LNCS, vol. 5154, pp. 198-213. Berlin, Heidelberg: Springer-Verlag 2008 | ME_6

[HN04] | Håstad, Johan; Näslund, Mats: The Security of all RSA and Discrete Log Bits. J. ACM 2004, based on Håstad, Johan; Näslund, Mats: The security of individual RSA bits. Proc. of 39th FOCS 1998 | R_2

[HTM11] | Hanley, Neil; Tunstall, Michael; Marnane, William P.: Using Templates to Distinguish Multiplications from Squaring Operations, http://eprint.iacr.org/2011/236, 2011 | ME_BME_3

[IIT02] | Itoh, Kouichi; Izu, Tetsuya; Takenaka, Masahiko: Address-Bit Differential Power Analysis of Cryptographic Schemes OK-ECDH and OK-ECDSA. In: Kaliski, B.; Koç, Ç.; Paar, C. (Eds.): Proceedings of CHES 2002. LNCS, vol. 2523, pp. 260-275. Berlin, Heidelberg: Springer-Verlag 2003 | ME_BM_7, ME_BM_8

[IIT03] | Itoh, Kouichi; Izu, Tetsuya; Takenaka, Masahiko: A Practical Countermeasure against Address-Bit Differential Power Analysis. In: Walter, C.; Koç, Ç.; Paar, C. (Eds.): Proceedings of CHES 2003. LNCS, vol. 2779, pp. 254-268. Berlin, Heidelberg: Springer-Verlag 2003 | ME_BM_7, ME_BM_8

[J07] | Jochemsz, Ellen: Cryptanalysis of RSA variants using small roots of polynomials. PhD thesis, TU Eindhoven 2007 | R_1

[JLQ99] | Joye, Marc; Lenstra, Arjen; Quisquater, Jean-Jacques: Chinese | RC_8

[JQB97] | Joye, Marc; Quisquater, Jean-Jacques; Bao, Feng; Deng, Robert H.: RSA-type Signatures in the Presence of Transient Faults. IMA Int. Conf. 1997 | ME_BME_4

[K04] | Kahl, Helmut: SPA-based attack against the modular reduction within a partially secured RSA-CRT implementation. http://eprint.iacr.org/2004/197, 1997 | RC_10

[K96] | Kocher, Paul: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (Ed.): Proceedings of Crypto 1996. LNCS, vol. 1109, pp. 104-113. Berlin, Heidelberg: Springer-Verlag 1996 | ME_4, DSA_2

[KR01] | Klíma, Vlastimil; Rosa, Tomáš: Attack on private signature keys of the OpenPGP format, PGP programs and other applications compatible with OpenPGP. http://eprint.iacr.org/2002/076.pdf, 2002 | DSA_5

[KPR03] | Klíma, Vlastimil; Pokorný, Ondřej; Rosa, Tomáš: Attacking RSA-based sessions in SSL/TLS. http://eprint.iacr.org/2003/052.pdf, 2003 | R_2

[M01] | Manger, James: A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0. In: Kilian, J. (Ed.): Proceedings of Crypto 2001. LNCS, vol. 2139, pp. 230-238. Berlin, Heidelberg: Springer-Verlag 2001 | R_2

[M05] | Muir, James A.: Seifert's RSA Fault Attack: Simplified Analysis and Generalizations. http://eprint.iacr.org/2005/458 | RV_2

[MDS99] | Messerges, Thomas S.; Dabbish, Ezzy A.; Sloan, Robert H.: Power Analysis Attacks of Modular Exponentiation in Smartcards. In: Koç, Ç.; Paar, C. (Eds.): Proceedings of CHES 1999. LNCS, vol. 1712, pp. 144-157. Berlin, Heidelberg: Springer-Verlag 1999 | ME_1, ME_2, ME_BM_1, ME_BME_1

[MH10] | Herbst, Christoph; Medwed, Marcel: Randomizing the Montgomery Multiplication to Repel Template Attacks on Multiplicative Masking. COSADE 2010 | ME_BME_6

[MSG10] | Maitra, Subhamoy; Sarkar, Santanu; Gupta, Sourav Sen: Factoring RSA Modulus using Prime Reconstruction from Random Known Bits. In: Bernstein, D.; Lange, T. (Eds.): Proceedings of Africacrypt 2010. LNCS, vol. 6055, pp. 82-99. Berlin, Heidelberg: Springer-Verlag 2010 | R_1

[MWW11] | Witteman, Marc; van Woudenberg, Jasper G.J.; Menarini, Federico: Defeating RSA multiply-always and message blinding countermeasures. In: Kiayias, A. (Ed.): Proceedings of CT-RSA 2011. LNCS, vol. 6558, pp. 77-88. Berlin, Heidelberg: Springer-Verlag 2011 | ME_BM_3

[N02] | Novak, Robert: SPA-based adaptive chosen-ciphertext attack on RSA implementation. In: Naccache, D.; Paillier, P. (Eds.): Proceedings of PKC 2002. LNCS, vol. 2274, pp. 252-262. Berlin, Heidelberg: Springer-Verlag 2002 | RC_3

[NNT05] | Naccache, David; Nguyên, Phong Q.; Tunstall, Michael; Whelan, Claire: Experimenting with Faults, Lattices and the DSA. In: Vaudenay, S. (Ed.): Proceedings of PKC 2005. LNCS, vol. 3386, pp. 16-28. Berlin, Heidelberg: Springer-Verlag 2002 | DSA_1

[NS02] | Nguyen, Phong Q.; Shparlinski, Igor E.: The Insecurity of the Digital Signature Algorithm with Partially Known Nonces. In: Journal of Cryptology, Volume 15, Number 3, 2002 | DSA_1

[NUS97] | Bao, F.; Deng, R.; Han, Y.; Jeng, A.; Narasimhalu, A. D.; Ngair, T.-H.: Breaking Public Key Cryptosystems on Tamper Resistance Devices in the Presence of Transient Faults. 5th Security Protocols Workshop, 1997 | DSA_3

[RH04] | Regev, Oded; Haviv, Ishay: Attack on RSA with Low Public Exponent. Lattices in Computer Science, Tel Aviv University, Fall 2004 |

[S00] | Schindler, Werner: A Timing Attack against RSA with the Chinese Remainder Theorem. In: Koç, Ç.; Paar, C. (Eds.): Proceedings of CHES 2000. LNCS, vol. 1965, pp. 109-124. Berlin, Heidelberg: Springer-Verlag 2000 | Chap. 3.2, RC_1

[S02] | Schindler, Werner: A Combined Timing and Power Attack. In: Naccache, D.; Paillier, P. (Eds.): Proceedings of PKC 2002. LNCS, vol. 2274, pp. 263-279. Berlin, Heidelberg: Springer-Verlag 2002 | ME_BM_2

[S09] | Smart, Nigel: Breaking RSA-based PIN Encryption with thirty ciphertext validity queries, http://eprint.iacr.org/2009/315, 2009 | R_2

[SI11] | Schindler, Werner; Itoh, Kouichi: Exponent Blinding Does Not Always Lift (Partial) SPA Resistance to Higher-Level Security. In: Lopez, J.; Tsudik, G. (Eds.): Proceedings of ACNS 2011. LNCS, vol. 6715, pp. 73-90. Berlin, Heidelberg: Springer-Verlag 2011 | ME_BME_8, RS_3

[SS04] | Sakai, Yasuyuki; Sakurai, Kouichi: A New Attack with Side Channel Leakage During Exponent Recoding Computations. In: Joye, M.; Quisquater, J.-J. (Eds.): Proceedings of CHES 2004. LNCS, vol. 3156, pp. 298-311. Berlin, Heidelberg: Springer-Verlag 2004 | ME_BME_4

[SST04] | Sato, Hisayoshi; Schepers, Daniel; Takagi, Tsuyoshi: Exact Analysis of Montgomery Multiplication. In: Canteaut, A.; Viswanathan, K. (Eds.): | RC_1

[TMSK05] | Tomoeda, Yuuki; Miyake, Hideyuki; Shimbo, Atsushi; Kawamura, Shinichi: An SPA-Based Extension of Schindler's Timing Attack against RSA Using CRT. IEICE Trans. Fundamentals, Vol. E88-A, No. 1, January 2005 | RC_9

[V96] | Vaudenay, Serge: Hidden collisions on DSS. In: Koblitz, N. (Ed.): Proceedings of Crypto 1996. LNCS, vol. 1109, pp. 104-113. Berlin, Heidelberg: Springer-Verlag 1996 | DSA_4

[W01] | Walter, Colin D.: Sliding Windows Succumbs to Big Mac Attack. In: Koç, Ç.; Naccache, D.; Paar, C. (Eds.): Proceedings of CHES 2001. LNCS, vol. 2162, pp. 286-299. Berlin, Heidelberg: Springer-Verlag 2001 | ME_BME_2

[WT01] | Walter, Colin D.; Thompson, Susan: Distinguishing Exponent Digits by Observing Modular Subtractions. In: Naccache, D. (Ed.): Proceedings of CT-RSA 2001. LNCS, vol. 2020, pp. 192-207. Berlin, Heidelberg: Springer-Verlag 2001 | ME_3, ME_BM_2

[YJ00] | Yen, Sung-Ming; Joye, Marc: Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis. IEEE Transactions on Computers 49(9), 2000 | ME_BM_6

[YKLM01] | Yen, Sung-Ming; Kim, Seungjoo; Lim, Seongan; Moon, Sangjae: A Countermeasure against One Physical Cryptanalysis May Benefit Another Attack. In: Kim, K. (Ed.): Proceedings of ICISC 2001. LNCS, vol. 2288, pp. 414-427. Berlin, Heidelberg: Springer-Verlag 2002 |

[YLMH05] | Yen, Sung-Ming; Lien, Wei-Chih; Moon, SangJae; Ha, JaeCheol: Power Analysis by Exploiting Chosen Message and Internal Collisions - Vulnerability of Checking Mechanism for RSA-Decryption. In: Dawson, E.; Vaudenay, S. (Eds.): Proceedings of Mycrypt 2005. LNCS, vol. 3715, pp. 183-195. Berlin, Heidelberg: Springer-Verlag 2005 | ME_5, ME_6

Table 13: Considered Literature

8.2 Literature Not Considered

Reference | Title | Reason for not addressing in table

[NS03] | The Insecurity of the Elliptic Curve Digital Signature Algorithm with Partially Known Nonces. Designs, Codes and Cryptography, Volume 30, 2003, P. Nguyen, I. Shparlinski | Variant for ECDSA of [NS02], which is considered in DSA_1

[W03] | Longer keys may facilitate Side Channel attacks, SAC 2003, C. D. Walter | Effect of longer keys is discussed; the original attack scenarios are already addressed in the tables

[PL04] | A DPA Attack on the Improved Ha-Moon Algorithm, D. Park, P. Lee, http://eprint.iacr.org/2004/349 | See remark about randomised addition chains on p. 14

[HM02] | Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks, CHES 2002, J. Ha, S. Moon | See remark about randomised addition chains on p. 14

[YCM04] | Improvement on Ha-Moon Randomized Exponentiation Algorithm, ICISC 2004, S. Yen, C. Chen, S. Moon, J. Ha | See remark about randomised addition chains on p. 14

[FMP04] | Defeating Countermeasures Based on Randomized BSD Representations, CHES 2004, P. Fouque, F. Muller, G. Poupard, F. Valette | See remark about randomised addition chains on p. 14

[C04] | Self-Randomized Exponentiation Algorithms, CT-RSA 2004, B. Chevallier-Mames | See remark about randomised addition chains on p. 14

[KHM05] | An Improved and Efficient Countermeasure against Power Analysis Attacks, C. Kim, J. Ha, S. Moon, S. Yen, W. Lien, S. Kim, http://eprint.iacr.org/2005/022 | See remark about randomised addition chains on p. 14

[W02] | MIST: An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis, CT-RSA 2002, C. D. Walter | See remark about randomised addition chains on p. 14

[W02a] | Some Security Aspects of the Mist Randomized Exponentiation Algorithm, CHES 2002, C. D. Walter | See remark about randomised addition chains on p. 14

[W03a] | Seeing through MIST Given a Small Fraction of an RSA Private Key, CT-RSA 2003, C. D. Walter | See remark about randomised addition chains on p. 14

[W03b] | Security Constraints on the Oswald-Aigner Exponentiation Algorithm, C. D. Walter, http://eprint.iacr.org/2003/013 | See remark about randomised addition chains on p. 14

[W04] | Issues of Security with the Oswald-Aigner Exponentiation Algorithm, CT-RSA 2004, C. D. Walter | See remark about randomised addition chains on p. 14

[OA01] | Randomized addition-subtraction chains as a countermeasure against power attacks, CHES 2001, E. Oswald, M. Aigner | See remark about randomised addition chains on p. 14

[CJ01] | Universal Exponentiation Algorithm: A First Step towards Provable SPA-Resistance, CHES 2001, C. Clavier, M. Joye | See remark about randomised addition chains on p. 14

[KW03] | Hidden Markov Model Cryptanalysis, CHES 2003, C. Karlof, D. Wagner | See remark about randomised addition chains on p. 14

Table 14: Literature not considered

8.3 Background Literature

Identifier | Reference | Title | Remark

1 | [B01] | Multidigit Multiplication for Mathematicians, D. Bernstein, 2001, http://cr.yp.to/papers/m3.pdf | Overview of multiplication techniques

2 | [BM04] | A Generalized Wiener Attack on RSA, PKC 2004, J. Blömer, A. May | Factorisation technique (cryptanalysis of RSA in a special scenario)

3 | [H04] | Long Modular Multiplication for Cryptographic Applications, CHES 2004, L. Hars. Full version of the paper at the author's website: http://www.hars.us/Papers/ModMult.pdf | Overview of hardware implementation methods of modular multiplication

4 | [JY02] | The Montgomery Powering Ladder, CHES 2002, M. Joye, S. Yen | Description of a specific countermeasure against side channel and fault attacks

5 | [M87] | Speeding the Pollard and elliptic curve methods of factorization. Mathematics of Computation, 48(177):243-264, January 1987, P. Montgomery | Original paper defining the Montgomery Powering Ladder

6 | [K95] | RSA Hardware Implementation, C. Koc, RSA Laboratories, TR-801 | Survey about hardware multiplication techniques

7 | [KM04] | A Survey of Public-Key Cryptosystems, SIAM Review, 46 (2004), 599-634, N. Koblitz, A. Menezes | An overview of the most important public-key cryptosystems

8 | [RSA78] | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM 21, 1978, R. Rivest, A. Shamir, L. Adleman | Publication of the RSA algorithm

9 | [B99] | Twenty Years of Attacks on the RSA Cryptosystem, Notices of the AMS, Feb. 1999, Vol. 46, Issue 2, D. Boneh | Overview of cryptanalytic attacks on RSA

10 | [SW05] | Data Dependent Power Use in Multipliers, Proc. 17th IEEE Symposium on Computer Arithmetic, IEEE Press, 2005, D. Samyde, C. Walter | Leakage behaviour of hardware multipliers

11 | [Q02] | DSA, Security Evaluation of the Signature Scheme and Primitive, Cryptrec Evaluation report 2002, J.-J. Quisquater | Overview of cryptanalytic attacks on DSA

12 | [J09] | Protecting RSA Against Fault Attacks: The Embedding Method, FDTC 2009, M. Joye | Overview of fault-based attacks on DSA

13 | [FV06] | Blinded Fault Resistant Exponentiation, FDTC 2006, G. Fumaroli, D. Vigilant; also see http://eprint.iacr.org/2006/143 | Definition of a specific countermeasure for modular exponentiation with the Montgomery ladder against SCA and fault injection. See ME_BME_6 for an attack against this countermeasure.

14 | [M85] | Modular Multiplication Without Trial Division, Mathematics of Computation, Vol. 44, 170, pp. 519-521, 1985, P. Montgomery | Publication of Montgomery multiplication

15 | [BCN+04] | The sorcerer's apprentice guide to fault attacks. H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, C. Whelan, Cryptology, http://eprint.iacr.org/2004/1007 | Survey of techniques for inducing computational faults in a device

16 | [S11] | Seitenkanalangriffe gegen IT-Systeme, TU Darmstadt 2011, W. Schindler, M. Kasper | Chapter about the application of statistical decision theory to side channel attacks

17 | [FIPS 186-3] | FIPS PUB 186-3, Digital Signature Standard (DSS), NIST, June 2009 | Definition of DSA

Table 15: Background literature

8.4 Further Literature

Reference | Title

[AKS06] | On the Power of Simple Branch Prediction Analysis, O. Aciicmez, C. Koc, J. Seifert, http://eprint.iacr.org/2006/351

[ASK06] | Predicting Secret Keys via Branch Prediction, O. Aciicmez, J. Seifert, C. Koc, http://eprint.iacr.org/2006/288

[B06] | Attacking Right-to-Left Modular Exponentiation with Timely Random Faults, FDTC 2006, M. Boreale

[BBO04] | Flexible Hardware Design for RSA and Elliptic Curve Cryptosystems, CT-RSA 2004, L. Batina, G. Bruin-Muurling, S. Örs

[BCDG09] | Fault attacks on RSA public keys: Left-to-right implementations are also vulnerable, CT-RSA 2009, A. Berzati, C. Canovas, J.-G. Dumas, L. Goubin

[BCG08] | (In)security Against Fault Injection Attacks for CRT-RSA Implementations, FDTC 2008, A. Berzati, C. Canovas, L. Goubin

[BCG08a] | Perturbating RSA public keys: An improved attack, CHES 2008, A. Berzati, C. Canovas, L. Goubin

[BNNT11] | Modulus Fault Attacks Against RSA-CRT Signatures, CHES 2011, E. Brier, D. Naccache, P. Nguyen, M. Tibouchi, full version: http://eprint.iacr.org/2011/388

[CCJ03] | Low-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity, B. Chevallier-Mames, M. Ciet, M. Joye, http://eprint.iacr.org/2003/237

[CJKNP09] | Fault Attacks on RSA Signatures with Partially Unknown Messages, CHES 2009, J. Coron, A. Joux, I. Kizhvatov, D. Naccache, P. Paillier

[CJR99] | Towards Sound Approaches to Counteract Power-Analysis Attacks, CRYPTO '99, S. Chari, C. Jutla, J. Rao, P. Rohatgi

[CNPQ04] | Parallel FPGA Implementation of RSA with Residue Number Systems - Can side-channel threats be avoided? M. Ciet, M. Neve, E. Peeters, J.-J. Quisquater, http://eprint.iacr.org/2004/187

[CWT10] | An improved timing attack with error detection on RSA-CRT, C. Chen, T. Wang, J. Tian, http://eprint.iacr.org/2010/054

[DGR09] | On Second-Order Fault Analysis Resistance for CRT-RSA Implementations, E. Dottax, C. Giraud, M. Rivain, Y. Sierra, http://eprint.iacr.org/2009/024

[DHA10] | Fault-Based Attack on Montgomery's Ladder Algorithm, J. Cryptol. (2011) 24: 346-374, A. Dominguez-Oviedo, M. Hasan, B. Ansari

[DKL98] | A Practical Implementation of the Timing Attack, CARDIS 1998, J. Dhem, F. Koeune, P. Leroux, P. Mestre, J.-J. Quisquater, J. Willems

[FS04] | High-Speed Modular Multiplication, CT-RSA 2004, W. Fischer, J. Seifert

[GNS05] | Further Hidden Markov Model Cryptanalysis, CHES 2005, P. Green, R. Noad, N. Smart

[HS99] | Lattice Attacks on Digital Signature Schemes, Designs, Codes and Cryptography 2001, N.A. Howgrave-Graham, N.P. Smart

[JV02] | A Protected Division Algorithm, CARDIS 02, M. Joye, K. Villegas

[K03] | Side-Channel Attacks on Textbook RSA and ElGamal Encryption, PKC 2003, U. Kühn

[K95a] | Analysis of sliding window techniques for exponentiation. Computers and Mathematics with Applications, 30(10):17-24, 1995, C. Koc

[KQ07] | Fault Attacks for CRT Based RSA: New Attacks, New Results, and New Countermeasures, WISTP 2007, C. Kim, J.-J. Quisquater

[KQ07a] | How can we overcome both side channel analysis and fault attacks on RSA-CRT?, FDTC 2007, C. Kim, J.-J. Quisquater

[KR02] | Further Results and Considerations on Side Channel Attacks on RSA, CHES 2002, V. Klíma, T. Rosa

[KR02a] | Further Results and Considerations on Side Channel Attacks on RSA, V. Klíma, T. Rosa, http://eprint.iacr.org/2002/071

[KSQL07] | Safe-Error Attack on SPA-FA Resistant Exponentiations Using a HW Modular

[MDS99a] | Investigations of Power Analysis Attacks on Smartcards, preprint, USENIX Workshop on Smartcard Technology, 1999, T.S. Messerges, E.A. Dabbish, R.H. Sloan

[MV06] | High-Order Attacks Against the Exponent Splitting Protection, PKC 2006, F. Muller, F. Valette

[N08] | DSA Signature Scheme Immune to the Fault Cryptanalysis, CARDIS 2008, M. Nikodem

[P05] | Cache missing for fun and profit, presented at BSDCan '05, C. Percival

[SW03] | More Detail for a Combined Timing and Power Attack against Implementations of RSA, Cryptography and Coding 2003, W. Schindler, C. D. Walter

[V03] | The Security of DSA and ECDSA, Bypassing the Standard Elliptic Curve Certification Scheme, PKC 2003, S. Vaudenay

[V08] | RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks, CHES 2008, D. Vigilant

[We02] | Cryptanalysis of RSA with Small Prime Difference, B. de Weger, Applicable Algebra in Engineering, Communication and Computing (AAECC) 13, 17-28 (2002)

[A09] | Solving Hidden Number Problem with One Bit Oracle and Advice, Crypto 2009, A. Akavia

[SKQ01] | Improving Divide and Conquer Attacks Against Cryptosystems by Better Error Detection / Correction Strategies, Cryptography and Coding - IMA 2001, W. Schindler, F. Koeune, J.-J. Quisquater

[S05] | On the Optimization of Side-Channel Attacks by Advanced Stochastic Methods. In: S. Vaudenay (Ed.): Public Key Cryptography - PKC 2005, W. Schindler

[S02a] | Optimized Timing Attacks against Public Key Cryptosystems, Statist. Decisions 20 (2002), W. Schindler

[SW09] | Optimal Recovery of Secret Keys from Weak Side Channel Traces, Cryptography and Coding - IMA 2009, W. Schindler, C. Walter

[AS08] | A Vulnerability in RSA Implementations due to Instruction Cache Analysis and Its Demonstration on OpenSSL, CT-RSA 2008, O. Aciicmez, W. Schindler

[KNS11] | Weaknesses in Current RSA Signature Schemes, ICISC 2011, Krämer, Juliane; Nedospasov, Dmitry; Seifert, Jean-Pierre

[BCS08] | Bug Attacks, Crypto 2008, Biham, Eli; Carmeli, Yaniv; Shamir, Adi

[H12] | New research: There's no need to panic over factorable keys--just mind your Ps and Qs. Heninger, Nadia, https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs

[LHA+12] | Ron was wrong, Whit is right. Lenstra, Arjen K.; Hughes, James P.; Augier, Maxime; Bos, Joppe W.; Kleinjung, Thorsten; Wachter, Christophe, http://eprint.iacr.org/2012/064

Table 16: Further literature
