Chapter

Cryptographic Hardware and Embedded Systems -- CHES 2015

Volume 9293 of the series Lecture Notes in Computer Science pp 229-247

Date:

Exclusive Exponent Blinding May Not Suffice to Prevent Timing Attacks on RSA

  • Werner SchindlerAffiliated withBundesamt für Sicherheit in der Informationstechnik (BSI) Email author 

* Final gross prices may vary according to local VAT.

Get Access

Abstract

The references [1, 3, 9] treat timing attacks on RSA with CRT and Montgomery’s multiplication algorithm in unprotected implementations. It has been widely believed that exponent blinding would prevent any timing attack on RSA. At cost of significantly more timing measurements this paper extends the before-mentioned attacks to RSA with CRT when Montgomery’s multiplication algorithm and exponent blinding are applied. Simulation experiments are conducted, which confirm the theoretical results. Effective countermeasures exist. In particular, the attack efficiency is higher than in the previous version [12] while large parts of both papers coincide.

Keywords

Timing attack RSA CRT Exponent blinding Montgomery’s multiplication algorithm