Issue No. 06 - June 2010 (vol. 59)

pp: 795-807

Naofumi Homma , Tohoku University, Sendai

Atsushi Miyamoto , Tohoku University, Sendai

Takafumi Aoki , Tohoku University, Sendai

Akashi Satoh , National Institute of Advanced Industrial Science and Technology, Tokyo

Adi Shamir , Weizmann Institute of Science, Rehovot

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TC.2009.176

ABSTRACT

This paper proposes new chosen-message power-analysis attacks for public-key cryptosystems based on modular exponentiation, where specific input pairs are used to generate collisions between squaring operations at different locations in the two power traces. Unlike previous attacks of this kind, the new attack can be applied to all standard implementations of the exponentiation process, namely binary (left-to-right and right-to-left), m-ary, and sliding window methods. The proposed attack can also circumvent typical countermeasures, such as the Montgomery powering ladder and the double-add algorithm. The effectiveness of the attack is demonstrated in experiments with hardware and software implementations of RSA on an FPGA and a PowerPC processor, respectively. In addition to the new collision generation methods, a highly accurate waveform matching technique is introduced for detecting the collisions even when the recorded signals are noisy and there is a certain amount of clock jitter.
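The collision principle described in the abstract, as an added example that is not code from the paper: a noise-free Python simulation that records the operand of every squaring instead of a power trace, so direct operand equality stands in for the waveform matching the paper performs on real signals. The chosen pair is (X, X^2 mod N), the doubling-attack pair of Fouque and Valette [9]; the toy modulus, exponent and base are constructed, and the collision rules for the left-to-right binary method (with and without the square-and-multiply-always dummy multiplication) and for the Montgomery ladder are derived here from the algorithm definitions, not taken from the paper, which uses its own input pairs.

```python
"""Simulated squaring-collision attack with the chosen-message pair (X, X^2 mod N).

Added example, not the paper's code.  Each exponentiation routine returns the
value it squares at every step; two squarings "collide" when they square the
same value.  On a real device that equality must be detected by comparing
the two power traces, which is what the paper's waveform matching does.
"""

# Constructed toy parameters: two six-digit primes and a 12-bit secret exponent.
P, Q = 1000003, 1000033
N = P * Q
D = 0b101101011001  # 2905, the exponent the attack recovers


def bits_msb_first(d):
    return [int(b) for b in bin(d)[2:]]


def lr_binary(x, d, n, multiply_always=False):
    """Left-to-right square-and-multiply.  Returns (x^d mod n, squaring operands).

    multiply_always=True models the double-add (square-and-multiply-always)
    countermeasure: the multiplication is computed for every bit and its result
    discarded when the bit is 0.  The sequence of squared values is unchanged,
    so the collision rule below is unaffected by the dummy operation.
    Before step t the accumulator holds x^(p_t), p_t = value of the bits above t.
    """
    r, sq = 1, []
    for b in bits_msb_first(d):
        sq.append(r)              # operand of this step's squaring: x^(p_t)
        r = r * r % n
        if multiply_always:
            tmp = r * x % n       # dummy multiply when b == 0
            r = tmp if b else r
        elif b:
            r = r * x % n
    return r, sq


def montgomery_ladder(x, d, n):
    """Montgomery powering ladder [18].  Returns (x^d mod n, squaring operands).

    Before step t: r0 = x^(p_t), r1 = x^(p_t + 1).  The register that gets
    squared is r0 for bit 0 and r1 for bit 1, i.e. the operand is x^(p_t + d_t).
    """
    r0, r1, sq = 1, x, []
    for b in bits_msb_first(d):
        if b == 0:
            r1 = r0 * r1 % n
            sq.append(r0)
            r0 = r0 * r0 % n
        else:
            r0 = r0 * r1 % n
            sq.append(r1)
            r1 = r1 * r1 % n
    return r0, sq


def collisions(sq_y, sq_x):
    """Collision pattern: squaring t on the trace for Y = X^2 against squaring
    t+1 on the trace for X (different locations in the two traces)."""
    return [sq_y[t] == sq_x[t + 1] for t in range(len(sq_y) - 1)]


def recover_lr(x, n, observed_out, sq_x, sq_y):
    """Binary method: Y's operand x^(2 p_t) equals X's next operand
    x^(2 p_t + d_t) exactly when d_t = 0.  The last bit has no following
    squaring, so it is settled by checking the device's observable output."""
    bits = [0 if same else 1 for same in collisions(sq_y, sq_x)]
    for lsb in (0, 1):
        cand = int("".join(map(str, bits + [lsb])), 2)
        if pow(x, cand, n) == observed_out:
            return cand
    return None


def recover_ladder(sq_x, sq_y):
    """Ladder: Y's operand x^(2 p_t + 2 d_t) equals X's next operand
    x^(2 p_t + d_t + d_(t+1)) exactly when d_t = d_(t+1).  With the top bit
    known to be 1, the whole exponent follows from the equal/unequal chain."""
    bits = [1]
    for same in collisions(sq_y, sq_x):
        bits.append(bits[-1] if same else 1 - bits[-1])
    return int("".join(map(str, bits)), 2)


def attack(x=0x1234):
    """Run the simulated attack against all three routines; returns the
    exponent recovered from each (hypothetical driver for the example)."""
    y = x * x % N                                  # second chosen message
    out = {}
    for name, flag in (("lr_binary", False), ("square_multiply_always", True)):
        out_x, sq_x = lr_binary(x, D, N, multiply_always=flag)
        _, sq_y = lr_binary(y, D, N, multiply_always=flag)
        out[name] = recover_lr(x, N, out_x, sq_x, sq_y)
    _, sq_x = montgomery_ladder(x, D, N)
    _, sq_y = montgomery_ladder(y, D, N)
    out["montgomery_ladder"] = recover_ladder(sq_x, sq_y)
    return out


if __name__ == "__main__":
    print({k: bin(v) for k, v in attack().items()})   # every entry equals bin(D)
```

Two points the simulation makes visible: the dummy multiplication of square-and-multiply-always leaves the squaring sequence untouched, so it offers no protection against a squaring collision, and the ladder leaks the relation between consecutive bits rather than the bits themselves, which is just as fatal once the leading bit is known. Everything a real attack adds on top of this is signal processing: the two squarings sit at different positions in two jittery traces, which is why the paper pairs the collision construction with a high-accuracy waveform matching method.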

INDEX TERMS

Side-channel attacks, power-analysis attacks, RSA, modular exponentiation, waveform matching.

CITATION

Naofumi Homma, Atsushi Miyamoto, Takafumi Aoki, Akashi Satoh, Adi Shamir, "Comparative Power Analysis of Modular Exponentiation Algorithms",

*IEEE Transactions on Computers*, vol. 59, no. 6, pp. 795-807, June 2010, doi:10.1109/TC.2009.176

REFERENCES

- [1] P. Kocher, J. Jaffe, and B. Jun, "Differential Power Analysis," Proc. CRYPTO '99, pp. 388-397, Aug. 1999.
- [2] P. Kocher, "Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems," Proc. CRYPTO '96, pp. 104-113, Aug. 1996.
- [3] T.S. Messerges, E.A. Dabbish, and R.H. Sloan, "Power Analysis Attacks of Modular Exponentiation in Smartcards," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '99), pp. 144-157, Aug. 1999.
- [4] W. Schindler, "A Timing Attack against RSA with the Chinese Remainder Theorem," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '00), pp. 109-124, Aug. 2000.
- [5] C.D. Walter and S. Thompson, "Distinguishing Exponent Digits by Observing Modular Subtractions," Proc. Cryptographer's Track at the RSA Conf. Topics in Cryptology (CT-RSA '01), pp. 192-207, Apr. 2001.
- [6] R. Novak, "SPA-Based Adaptive Chosen-Ciphertext Attack on RSA Implementation," Proc. Int'l Workshop Practice and Theory in Public Key Cryptography (PKC '02), pp. 252-262, Feb. 2002.
- [7] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography. CRC Press, 1997.
- [8] B. den Boer, K. Lemke, and G. Wicke, "A DPA Attack against the Modular Reduction within a CRT Implementation of RSA," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '02), pp. 228-243, Aug. 2002.
- [9] P.-A. Fouque and F. Valette, "The Doubling Attack—Why Upwards Is Better Than Downwards," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '03), pp. 269-280, Sept. 2003.
- [10] S.M. Yen, W.C. Lien, S.J. Moon, and J.C. Ha, "Power Analysis by Exploiting Chosen Message and Internal Collisions—Vulnerability of Checking Mechanism for RSA-Decryption," Proc. Mycrypt '05, pp. 183-195, Sept. 2005.
- [11] P.L. Montgomery, "Modular Multiplication without Trial Division," Math. Computation, vol. 44, no. 170, pp. 519-521, 1985.
- [12] K. Schramm, T. Wollinger, and C. Paar, "A New Class of Collision Attacks and Its Application to DES," Proc. Int'l Workshop Fast Software Encryption (FSE '03), pp. 206-222, Feb. 2003.
- [13] K. Schramm, G. Leander, P. Felke, and C. Paar, "A Collision-Attack on AES Combining Side Channel- and Differential-Attack," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '04), pp. 163-175, Aug. 2004.
- [14] A. Bogdanov, "Improved Side Channel Collision Attacks on AES," Proc. Int'l Workshop Selected Areas in Cryptography (SAC '07), pp. 84-95, Aug. 2007.
- [15] N. Homma, A. Miyamoto, T. Aoki, A. Satoh, and A. Shamir, "Collision-Based Power Analysis of Modular Exponentiation Using Chosen-Message Pairs," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '08), pp. 15-29, Aug. 2008.
- [16] Ç.K. Koç, "High-Speed RSA Implementation," Technical Report TR201, RSA Laboratories, Nov. 1994.
- [17] J.-S. Coron, "Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '99), pp. 292-302, Aug. 1999.
- [18] M. Joye and S.M. Yen, "The Montgomery Powering Ladder," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '02), pp. 291-302, Aug. 2002.
- [19] M. Joye, "Highly Regular Right-to-Left Algorithms for Scalar Multiplication," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '07), pp. 135-147, Sept. 2007.
- [20] S.M. Yen and M. Joye, "Checking Before Output May Not Be Enough against Fault-Based Cryptanalysis," IEEE Trans. Computers, vol. 49, no. 9, pp. 967-970, Sept. 2000.
- [21] C.D. Walter, "Sliding Windows Succumbs to Big Mac Attack," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '01), pp. 286-299, May 2001.
- [22] N. Homma, S. Nagashima, Y. Imai, T. Aoki, and A. Satoh, "High-Resolution Side Channel Attack Using Phase-Based Waveform Matching," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '06), pp. 187-200, Oct. 2006.
- [23] Q. Chen, M. Defrise, and F. Deconinck, "Symmetric Phase-Only Matched Filtering of Fourier-Mellin Transforms for Image Registration and Recognition," IEEE Trans. Pattern Analysis and Machine Intelligence, vol. 16, no. 12, pp. 1156-1168, Dec. 1994.
- [24] K. Takita, T. Aoki, Y. Sasaki, T. Higuchi, and K. Kobayashi, "High-Accuracy Subpixel Image Registration Based on Phase-Only Correlation," IEICE Trans. Fundamentals of Electronics, Comm. and Computer Sciences, vol. E86-A, no. 8, pp. 1925-1934, Aug. 2003.
- [25] Side Channel Attack Standard Evaluation Board (SASEBO), http://www.rcis.aist.go.jp/special/SASEBO/, 2009.
- [26] C.D. Walter, "MIST: An Efficient, Randomized Exponentiation Algorithm for Resisting Power Analysis," Proc. Cryptographer's Track at the RSA Conf. Topics in Cryptology (CT-RSA '02), pp. 53-66, Apr. 2002.
- [27] K. Itoh, J. Yajima, and M. Takenaka, "DPA Countermeasures by Improving the Window Method," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES '02), pp. 303-317, Aug. 2002.