
Power attacks in the presence of exponent blinding

  • Regular Paper
Journal of Cryptographic Engineering

Abstract

Exponent blinding has been known as an effective countermeasure against side-channel attacks on RSA. However, if single power traces reveal some exponent bits with certainty, an attack by Fouque et al. (Power attack on small RSA public exponent. Springer, Berlin, pp 339–353, 2006) applies that recovers the exponent. Since this attack becomes infeasible if some of the assumed exponent bits are incorrect, it has not been regarded as a realistic threat in the context of side-channel attacks. In this paper we present three generic attack variants (basic attack, enhanced attack, alternate attack), which work in the presence of considerable error rates at each bit position, disproving the hypothesis that mere exponent blinding is always sufficient to protect SPA-resistant implementations against any type of power attack. Simulation experiments confirm that for small blinding factors the basic attack tolerates error rates of more than \(25~\%\). The enhanced attack tolerates smaller error rates but requires far fewer power traces and computations. Unlike the basic attack and the enhanced attack, the alternate attack (against ECC and RSA without CRT) cannot effectively be prevented by simply enlarging the blinding factor. This paper extends (Schindler and Itoh, Exponent blinding does not always lift (Partial) SPA resistance to higher-level security. Springer, Berlin, pp 73–90, 2011) by many new results.


References

  1. Acıiçmez, O., Schindler, W.: A vulnerability in RSA implementations due to instruction cache analysis and its demonstration on openSSL. In: Malkin, T. (ed.) Topics in Cryptology—CT-RSA 2008, Lecture Notes in Computer Science, pp. 256–273. Springer, Berlin (2008)


  2. Bronstein, I.N., Semendjaev, K.A.: Taschenbuch der Mathematik, 21st edn. Harri Deutsch-Verlag, Leipzig (1982)


  3. Ciet, M.: Aspects of Fast and Secure Arithmetics for Elliptic Curve Cryptography. PhD thesis, Catholic University of Louvain, Belgium (2003)

  4. Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Berlin (2000). (Fourth Printing)

  5. Coron, J.S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems—CHES 1999, Lecture Notes in Computer Science, pp. 292–302. Springer, Berlin (1999)

  6. Courrège, J.C., Feix, B., Roussellet, M.: Simple power analysis on exponentiation revisited. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) Smart Card Research and Advanced Application—CARDIS 2010, Lecture Notes in Computer Science, pp. 65–79. Springer, Berlin (2010)


  7. Diaconis, P.: Group Representations in Probability and Statistics. Lecture Notes—Monograph Series, vol. 11. Institute of Mathematical Statistics, Hayward (1988)

  8. Fouque, P., Kunz-Jacques, S., Martinet, G., Muller, F., Valette, F.: Power attack on small RSA public exponent. In: Goubin, L., Matsui, M. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2006, Lecture Notes in Computer Science, pp. 339–353. Springer, Berlin (2006)


  9. Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer, Berlin (2004)


  10. Henecka, W., May, A., Meurer, A.: Correcting errors in RSA private keys. In: Rabin, T. (ed.) Advances in Cryptology—CRYPTO 2010, Lecture Notes in Computer Science, pp. 351–369. Springer, Berlin (2010)


  11. Itoh, K., Yamamoto, D., Yajima, J., Ogata, W.: Collision-based power attack for RSA with small public exponent. In: IEICE Transactions on Information and Systems, vol. E92-D, no. 5, pp. 897–908 (2009)

  12. Itoh, K., Izu, T., Takenaka, M.: Address-bit differential power analysis of cryptographic schemes OK-ECDH and OK-ECDSA. In: Kaliski, B., Koç, Ç.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2002, Lecture Notes in Computer Science, pp. 129–143. Springer, Berlin (2002)


  13. Jones, G.J.: On the Markov Chain central limit theorem. Probab. Surv. 1, 299–320 (2004)

  14. Knuth, D.E.: The Art of Computer Programming. vol. 1, 3rd edn., Addison-Wesley, Reading (Cal.) (2000)

  15. Kocher, P.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems. In: Koblitz, N. (ed.) Advances in Cryptology—CRYPTO ‘96, Lecture Notes in Computer Science, pp. 104–113. Springer, Berlin (1996)

  16. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Krawczyk, H. (ed.) Advances in Cryptology—CRYPTO 99, Lecture Notes in Computer Science, pp. 388–397. Springer, Berlin (1998)


  17. Krüger, A.: The Schindler-Itoh-attack in case of partial information leakage. In: Schindler, W., Huss, S. (eds.) Constructive Side-Channel Analysis and Secure Design—COSADE 2012, Lecture Notes in Computer Science, pp. 199–214. Springer, Berlin (2012)


  18. Lang, S.: Algebra, 3rd edn. Addison-Wesley, Reading (Cal.) (1993)

  19. van Lint, J.H.: Introduction to Coding Theory. Graduate Texts in Mathematics, 2nd edn. Springer, Berlin (1991)


  20. Schindler, W.: A combined timing and power attack. In: Paillier, P., Naccache, D. (eds.) Public Key Cryptography—PKC 2002, Lecture Notes in Computer Science, pp. 263–279. Springer, Berlin (2002)


  21. Schindler, W., Itoh, K.: Exponent blinding does not always lift (Partial) SPA resistance to higher-level security. In: Lopez, J., Tsudik, G. (eds.) Applied Cryptography and Network Security—ACNS 2011, Lecture Notes in Computer Science, pp. 73–90. Springer, Berlin (2011)


  22. Yen, S., Lien, W., Moon, S., Ha, J.: Power analysis by exploiting chosen message and internal collisions—vulnerability of checking mechanism for RSA-decryption. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005, Lecture Notes in Computer Science, pp. 73–90. Springer, Berlin (2005)


Correspondence to Werner Schindler.

Appendix

We believe that Lemma 1 should be well-known in the literature but we are unable to provide a reference. Lemma 1(iii) follows from Lemma 1(ii). The fact \(E(Y)\approx 0.333n\) is mentioned, e.g. in [3], Theorem II.2.2.

Proof of Lemma 1. Let \(\sum _{j=0}^n \beta _{i;j}2^j\) denote the \(\mathrm{NAF}\)-representation of \(z_i\) for \(i=1,2\). Then \(z_1+z_2 = \sum _{j=0}^n (\beta _{1;j}+\beta _{2;j})2^j\) and by the triangle inequality \(\sum _{j=0}^n \vert \beta _{1;j}+\beta _{2;j}\vert \le \sum _{j=0}^n \vert \beta _{1;j}\vert +\sum _{j=0}^n \vert \beta _{2;j}\vert = \mathrm{ham}(\mathrm{NAF}(z_1)) + \mathrm{ham}(\mathrm{NAF}(z_2))\). Now scan the coefficient vector \((\beta _{1;n}+\beta _{2;n},\beta _{1;n-1}+\beta _{2;n-1},\ldots ,\beta _{1;0}+\beta _{2;0})\) from right to left, and do the following: If \(\beta _{1;j}+\beta _{2;j}\in \{-1,0,1\}\) then do nothing. If \(\beta _{1;j}+\beta _{2;j}\in \{2,3\}\) then replace \((\beta _{1;j}+\beta _{2;j})\) by \((\beta _{1;j}+\beta _{2;j}-2)\) and \((\beta _{1;j+1}+\beta _{2;j+1})\) by \((\beta _{1;j+1}+\beta _{2;j+1}+1)\) (carry bit). If \(\beta _{1;j}+\beta _{2;j}\in \{-2,-3\}\) then perform the corresponding operations with ‘\(+2\)’ and ‘\(-1\)’ in place of ‘\(-2\)’ and ‘\(+1\)’. (Possibly a leading digit has to be added.) Within this process \((\beta _{1;j}+\beta _{2;j})\in \{-3,\ldots ,+3\}\), and each replacement reduces the sum of the absolute values by at least one. Thus, we obtain a signed representation of \(z_1+z_2\) which fulfils (12) in place of \(\mathrm{NAF}(z_1+z_2)\). The NAF property (minimal weight among all signed binary representations) finally implies (12) and the second assertion of (i).

We represent \(\mathrm{NAF}(0),\ldots ,\mathrm{NAF}(2^n-1)\) as sequences of \((n+1)\) digits, prepending leading zeroes if necessary. Clearly, \(\mathrm{NAF}(z)=(0,\ldots ,0)\) iff \(z=0\), and there are exactly \(n\) sequences with Hamming weight \(1\) (encoding \(1,2,\ldots ,2^{n-1}\)). Within this proof \(A\) denotes the subset of all non-zero \(\mathrm{NAF}\) representations with leading digit \(0\), and \(B\) denotes the sequences with leading digit \(1\). Let \(k\in \{2,\ldots ,\lfloor (n+1)/2\rfloor \}\). We first note that there are \({n+1-k \atopwithdelims ()k}\) sequences with digits \(0\) and \(*\) of length \((n+1)\) that begin with \(0\) and have non-adjacent \(*\)-digits (\(*\in \{1,-1\}\)). This claim can be seen as follows: each such sequence can be covered by \(k\) patterns ‘\(0*\)’ and \(n+1-2k\) patterns ‘\(0\)’. This immediately yields the number of sequences in \(A\) with Hamming weight \(k\), namely \(2^{k-1}{n+1-k \atopwithdelims ()k}\), since the most significant non-zero digit is \(1\). Similarly, one shows that in \(B\) there are \(2^{k-2}{n-(k-1) \atopwithdelims ()k-1}\) sequences with Hamming weight \(k\). (The second most significant non-zero digit must be \(-1\) since \(z<2^n\).) The identity \({n+1-k \atopwithdelims ()k}+{n+1-k \atopwithdelims ()k-1}={n+2-k \atopwithdelims ()k}\) finally verifies the third line in (13). For even \(n\), the set \(B\) also contains \(2^{n/2-1}\) sequences with Hamming weight \(\lfloor n/2\rfloor +1\) (having alternating zero and non-zero digits). This completes the proof of (ii).

Let \(x=(\beta _{n+1},\ldots ,\beta _0)_2\). The NAF digit \(z_i\) depends on the binary digits \(\beta '_{i+1},\beta '_i\) and on the carry bit \(c_{i}\), i.e. it can be written as \(f(\beta '_{i+1},\beta '_i,c_{i})\) for a suitably defined function \(f\) (cf. Algorithm 5). The next state \((\beta '_{i+2},\beta '_{i+1},c_{i+1})\) depends on \((\beta '_{i+1},\beta '_i,c_{i})\) and on the next binary digit \(\beta _{i+2}\) of \(x\). Since \(X\) is uniformly distributed on \(Z_{2^n}\), the sequence \((B'_{i+1},B'_i,C_{i-1})_{i\ge 0}\) forms a homogeneous ergodic Markov chain on the state space \(\Omega := \{(\beta '',\beta ',c) \mid 0\le \beta ',\beta '',c\le 1\}\), and \(\mathrm{ham}(\mathrm{NAF}(x)) = \vert f(\beta '_{1},\beta '_0,c_{0})\vert + \vert f(\beta '_{2},\beta '_1,c_{1})\vert +\cdots \). Neglecting boundary effects for the most significant binary digits, Theorem 1 in [13] says that \(\mathrm{ham}(\mathrm{NAF}(X))\) fulfils the Central Limit Theorem as \(n\) tends to infinity. Concerning the second assertion of (iii), recall that the NAF digits \(\le i\) of \(x\) only depend on the binary digits \(\beta _0,\beta _1,\ldots ,\beta _{i+1}\). Unless \(n-(i+1)\) is very small, \(X (\mathrm{mod}\,2^{i})\) should be ‘almost’ uniformly distributed on \(Z_{2^{i-1}}\). Thus, the Central Limit Theorem applies to the \(\mathrm{NAF}\) digits \(z_0,\ldots ,z_{i+1}\) while the remaining bits may be viewed as ‘boundary effects’. \(\square \)


The proof of Lemma 1 applies Algorithm 5 ([3], Algorithm 1), which provides explicit instructions to compute \(\mathrm{NAF}(z)\). We mention that [19], Theorem (10.24) (with \(r=2\)) should allow a more efficient implementation. It is not necessary to compute the binary representation of \(z\) first (cf. [9], Algorithm 3.30, for instance).
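As an added illustration (example code, not part of the paper), the following computes \(\mathrm{NAF}(z)\) digit by digit in the style of [9], Algorithm 3.30, and checks the three parts of Lemma 1 by brute force over \(Z_{2^n}\): the sub-additivity of the NAF weight from (i), the exact weight distribution from the counting argument in (ii), and the closeness of the mean weight to \(n/3\) from (iii). The function names and the small values of \(n\) are the example's own choices.

```python
# Added example: NAF computation and an empirical check of Lemma 1.
from collections import Counter
from math import comb

def naf(z):
    """Non-adjacent form of z >= 0 as digits in {-1, 0, 1}, least significant first."""
    digits = []
    while z > 0:
        if z & 1:
            d = 2 - (z & 3)   # z = 1 (mod 4) -> digit 1, z = 3 (mod 4) -> digit -1
            z -= d            # z is now divisible by 4, so the next digit is 0
        else:
            d = 0
        digits.append(d)
        z >>= 1
    return digits

def ham(digits):
    """Hamming weight: number of non-zero NAF digits."""
    return sum(1 for d in digits if d != 0)

def subadditive(z1, z2):
    """Lemma 1(i): ham(NAF(z1+z2)) <= ham(NAF(z1)) + ham(NAF(z2))."""
    return ham(naf(z1 + z2)) <= ham(naf(z1)) + ham(naf(z2))

def weight_counts(n):
    """Brute-force distribution of ham(NAF(z)) over z in {0, ..., 2^n - 1}."""
    return Counter(ham(naf(z)) for z in range(1 << n))

def lemma_count(n, k):
    """Number of z < 2^n with ham(NAF(z)) = k, as derived in the proof of
    Lemma 1(ii): 2^(k-1)*C(n+1-k, k) sequences with leading digit 0 plus
    2^(k-2)*C(n-(k-1), k-1) with leading digit 1; for even n the weight
    n/2+1 arises only from the 2^(n/2-1) alternating sequences in B."""
    if k == 0:
        return 1
    if k == 1:
        return n
    if n % 2 == 0 and k == n // 2 + 1:
        return 1 << (n // 2 - 1)
    if k > (n + 1) // 2:
        return 0
    return ((1 << (k - 1)) * comb(n + 1 - k, k)
            + (1 << (k - 2)) * comb(n - (k - 1), k - 1))

def mean_weight(n):
    """Average NAF weight of a uniformly distributed n-bit integer (Lemma 1(iii))."""
    counts = weight_counts(n)
    return sum(k * c for k, c in counts.items()) / (1 << n)
```

For \(n=4\) the brute-force counts are \(1, 4, 9, 2\) for weights \(0\) to \(3\), which is exactly what `lemma_count` returns.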


Schindler, W., Wiemers, A. Power attacks in the presence of exponent blinding. J Cryptogr Eng 4, 213–236 (2014). https://doi.org/10.1007/s13389-014-0081-y
