Journal of Cryptographic Engineering, Volume 5, Issue 3, pp 171–185

Vertical and horizontal correlation attacks on RNS-based exponentiations

  • Guilherme Perin
  • Laurent Imbert
  • Philippe Maurine
  • Lionel Torres
Regular Paper

Abstract

Side-channel attacks are a serious threat to physical implementations of public key cryptosystems, and notably to RSA. Side-channel leakage can be exploited on unprotected cryptographic devices by collecting several power or electromagnetic traces and mounting (vertical) differential side-channel attacks. On exponentiations, the so-called horizontal correlation attacks, originally proposed by Walter in “Sliding windows succumbs to big mac attack” (Cryptographic Hardware and Embedded Systems, 2001) and improved by Clavier et al. in “Horizontal correlation analysis on exponentiation” (ICICS, 2010), have been shown to be efficient even in the presence of strong countermeasures such as exponent and message blinding. In particular, a single trace is sufficient to recover the secret if the modular exponentiation is built on long-integer multiplications. In this paper, we consider the application of vertical and horizontal correlation attacks to residue number system (RNS)-based approaches. Montgomery multiplication, which is widely adopted in the finite ring of an exponentiation, is constructed differently in the RNS domain. Experiments are conducted on hardware (parallel) and software (sequential) implementations, and leakage models for known and masked inputs are constructed for the regular, SPA-protected Montgomery ladder algorithm.
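To make the RNS arithmetic the abstract refers to concrete, the following Python example (added here; not the paper's code) implements an RNS Montgomery multiplication over two coprime bases in the style of Bajard et al., and runs the SPA-regular Montgomery ladder on top of it. The modulus, the bases and the bounds M_A > 4N and M_B > 2N are constructed toy parameters, and the base extension uses exact CRT reconstruction rather than the approximate method of real Cox-Rower hardware.

```python
from functools import reduce
# Constructed toy parameters (illustration only, not from the paper): an
# RSA-style modulus N and two coprime RNS bases with M_A > 4N and M_B > 2N,
# the bounds this simplified version relies on to keep every result < 2N.
N = 3233                    # 53 * 61
BASE_A = (7, 11, 13, 17)    # M_A = 17017
BASE_B = (19, 23, 29)       # M_B = 12673
M_A = reduce(lambda a, b: a * b, BASE_A)
M_B = reduce(lambda a, b: a * b, BASE_B)

def to_rns(x, base):
    return tuple(x % m for m in base)

def from_rns(res, base, M):
    # Exact CRT reconstruction; real Cox-Rower designs use an approximate
    # base extension instead, which this demo deliberately does not model.
    x = 0
    for r, m in zip(res, base):
        Mi = M // m
        x += r * Mi * pow(Mi, -1, m)
    return x % M

def rns_montmul(xa, xb, ya, yb):
    """Return x*y*M_A^-1 mod N (a value < 2N) as residues in base A and base B."""
    # Step 1 (base A, channel-wise): q = -x*y*N^-1 mod M_A
    qa = tuple((-x * y * pow(N, -1, m)) % m for x, y, m in zip(xa, ya, BASE_A))
    # Step 2: base extension A -> B, where M_A is invertible
    qb = to_rns(from_rns(qa, BASE_A, M_A), BASE_B)
    # Step 3 (base B, channel-wise): r = (x*y + q*N) / M_A, exact since r < M_B
    rb = tuple((x * y + q * N) * pow(M_A, -1, m) % m
               for x, y, q, m in zip(xb, yb, qb, BASE_B))
    # Step 4: base extension B -> A so r can feed the next multiplication
    return to_rns(from_rns(rb, BASE_B, M_B), BASE_A), rb

def montgomery_ladder(x, e):
    """x^e mod N with the regular (SPA-protected) Montgomery ladder over RNS MM."""
    def rns(v):
        return to_rns(v, BASE_A), to_rns(v, BASE_B)
    r0 = rns(M_A % N)                                # Montgomery form of 1
    r1 = rns_montmul(*rns(x), *rns(M_A * M_A % N))   # Montgomery form of x
    for bit in bin(e)[2:]:                           # same two MMs for every bit
        if bit == "0":
            r1 = rns_montmul(*r0, *r1)
            r0 = rns_montmul(*r0, *r0)
        else:
            r0 = rns_montmul(*r0, *r1)
            r1 = rns_montmul(*r1, *r1)
    _, out_b = rns_montmul(*r0, *rns(1))             # leave Montgomery form
    return from_rns(out_b, BASE_B, M_B) % N
```

Every ladder step performs the same two multiplications regardless of the key bit, which is what makes the algorithm regular against SPA; the paper's point is that the per-channel operations inside each RNS multiplication still leak to correlation analysis.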

Keywords

Side-channel attacks; RSA; RNS; Exponentiation; Correlation electromagnetic analysis

References

  1. Bajard, J.-C., Didier, L.-S., Kornerup, P.: An RNS Montgomery modular multiplication algorithm. IEEE Trans. Comput. 47(7), 766–776 (1998)
  2. Bajard, J.-C., Imbert, L., Liardet, P.-Y., Teglia, Y.: Leak resistant arithmetic. In: Cryptographic Hardware and Embedded Systems, CHES’04, LNCS vol. 3156, pp. 62–75. Springer, Berlin (2004)
  3. Bajard, J.-C., Imbert, L.: A full RNS implementation of RSA. IEEE Trans. Comput. 53(6), 769–774 (2004)
  4. Batina, L., Gierlichs, B., Lemke-Rust, K.: Differential cluster analysis. In: Cryptographic Hardware and Embedded Systems, CHES’09, LNCS vol. 5747, pp. 112–127. Springer, Berlin (2009)
  5. Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal and vertical side-channel attacks against secure RSA implementations. In: Proceedings of CT-RSA, pp. 1–17 (2013)
  6. Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal collision correlation attack on elliptic curves. ResearchGate (2014)
  7. Bauer, A., Jaulmes, E.: Correlation analysis against protected SFM implementations of RSA. In: Proceedings of INDOCRYPT, pp. 98–115 (2013)
  8. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Cryptographic Hardware and Embedded Systems, CHES’04, LNCS vol. 3156, pp. 16–29. Springer, Berlin (2004)
  9. Chari, S., Rao, J.R., Rohatgi, P.: Template attacks. In: Cryptographic Hardware and Embedded Systems, CHES’02, LNCS vol. 2523, pp. 13–28. Springer, Berlin (2002)
  10. Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost solutions for preventing simple side-channel analysis: side-channel atomicity. IACR Cryptology ePrint Archive (2003)
  11. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Proceedings of ICICS, pp. 46–61 (2010)
  12. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: ROSETTA for single trace analysis. In: Proceedings of INDOCRYPT, pp. 140–155 (2012)
  13. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptography. In: Cryptographic Hardware and Embedded Systems, CHES’99, LNCS vol. 1717, pp. 292–302. Springer, Berlin (1999)
  14. Dupaquis, V., Venelli, A.: Redundant modular reduction algorithms. In: Proceedings of CARDIS, LNCS vol. 7079, pp. 102–114 (2011)
  15. Gandino, F., Lamberti, F., Montuschi, P., Bajard, J.-C.: A general approach for improving RNS Montgomery exponentiation using pre-processing. In: Proceedings of the 20th IEEE Symposium on Computer Arithmetic, ARITH20, pp. 195–204. IEEE Computer Society (2011)
  16. Gierlichs, B., Batina, L., Tuyls, P., Preneel, B.: Mutual information analysis: a generic side-channel distinguisher. In: Cryptographic Hardware and Embedded Systems, CHES’08, LNCS vol. 5154, pp. 426–442. Springer, Berlin (2008)
  17. Hanley, N., Kim, H., Tunstall, M.: Exploiting collisions in addition chain-based exponentiation algorithms using a single trace. Cryptology ePrint Archive, Report 2012/485 (2012)
  18. Heyszl, J., Ibing, A., Mangard, S., Santis, F., Sigl, G.: Clustering algorithms for non-profiled single-execution attacks on exponentiations. IACR Cryptology ePrint Archive, Report 2013/438 (2013)
  19. Joye, M., Yen, S.-M.: The Montgomery powering ladder. In: Cryptographic Hardware and Embedded Systems, CHES’02, LNCS vol. 2523, pp. 291–302. Springer, Berlin (2002)
  20. Kawamura, S., Koike, M., Sano, F., Shimbo, A.: Cox-Rower architecture for fast parallel Montgomery multiplication. In: Advances in Cryptology, EUROCRYPT’00, LNCS vol. 1807, pp. 523–538. Springer, Berlin (2000)
  21. Kim, H., Kim, T.H., Yoon, J.C., Hong, S.: Practical second-order correlation power analysis on the message blinding method and its novel countermeasure for RSA. ETRI J. 32(1), 102–111 (2010)
  22. Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987)
  23. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: CRYPTO, pp. 388–397 (1999)
  24. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: CRYPTO, pp. 1104–1113 (1996)
  25. Mangard, S.: Hardware countermeasures against DPA: a statistical analysis of their effectiveness. In: Proceedings of CT-RSA, pp. 222–235 (2004)
  26. Miller, V.: Use of elliptic curves in cryptography. In: Advances in Cryptology, CRYPTO’85, LNCS vol. 218, pp. 417–426 (1986)
  27. Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)
  28. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)
  29. Moradi, A., Mischke, O., Eisenbarth, T.: Correlation-enhanced power analysis collision attack. In: Cryptographic Hardware and Embedded Systems, CHES’10, LNCS vol. 6225, pp. 125–139. Springer, Berlin (2010)
  30. Perin, G., Imbert, L., Torres, L., Maurine, P.: Electromagnetic analysis on RSA algorithm based on RNS. In: Proceedings of the 16th Euromicro Conference on Digital System Design (DSD), pp. 345–352. IEEE (2013)
  31. Posch, K., Posch, R.: Modulo reduction in residue number systems. IEEE Trans. Parallel Distrib. Syst. 6(5), 449–454 (1995)
  32. Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
  33. Walter, C.: Sliding windows succumbs to Big Mac attack. In: Cryptographic Hardware and Embedded Systems, CHES’01, LNCS vol. 2165, pp. 286–299. Springer, Berlin (2001)
  34. Witteman, M.F., Woudenberg, J.G.J., Menarini, F.: Defeating RSA multiply-always and message blinding countermeasures. In: Proceedings of CT-RSA, LNCS vol. 6558, pp. 77–88 (2011)

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Guilherme Perin (1)
  • Laurent Imbert (1)
  • Philippe Maurine (1)
  • Lionel Torres (1)
  1. LIRMM, Montpellier, France