Collision-Based Power Attack for RSA with Small Public Exponent

概要

論文の詳細を見る
This paper proposes a new side channel attack to RSA cryptography. Our target is an implementation with a combination of countermeasures. These are an SPA countermeasure by m-ary method and a DPA countermeasure by randomizing exponent techniques. Here, randomizing exponent techniques shows two DPA countermeasures to randomize the secret exponent d. One is an exponent randomizing technique using di = d + riφ(N) to calculate cdi (mod N), and another is a technique using di,1 = ⌊ d/ri ⌋ and di,2 = (d mod ri)) to calculate (cdi,1)ri × cdi,2 (mod N). Using the combination of countermeasures, it was supposed that the implementation is secure against power attack. However, we firstly show the result to successfully attack the implementation of the combination of these countermeasures. We performed the experiment of this search on a PC, and complete d has been successfully revealed less than 10 hours for both attacks.
2009-05-01