Skip to main content
Log in

Exclusive exponent blinding is not enough to prevent any timing attack on RSA

  • CHES 2015
  • Published:
Journal of Cryptographic Engineering Aims and scope Submit manuscript


In this paper we treat a timing attack on RSA implementations, which apply the Chinese remainder theorem and Montgomery’s multiplication algorithm and are protected by exponent blinding. Our attack is applicable to square & multiply exponentiation and to table-based exponentiation algorithms, extending known timing attacks on unprotected implementations. Simulation experiments are conducted, which confirm the theoretical results. Interestingly, increasing the blinding length does not counteract our attack. Our attack can be adjusted to fulfil mild format restrictions. Effective countermeasures exist. This article extends a conference paper by new results.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Similar content being viewed by others


  1. Atallah, M.(ed.): Algorithms and Theory of Computation Handbook. CRC Press, Boca Raton 1998

  2. Acıiçmez, O., Schindler, W., Koç, Ç.K.: Improving Brumley and Boneh timing attack on unprotected SSL implementations. In: Meadows, C., Syverson, P. (eds.) 12th ACM Conference on Computer and Communications Security—CCS 2005, pp. 139–146. ACM Press, New York (2005)

  3. Acıiçmez, O., Schindler, W.: A vulnerability in RSA implementations due to instruction cache analysis and its demonstration on openSSL. In: Malkin, T. (ed.) Topics in Cryptology—CT-RSA 2008, pp. 256–273. Springer, LNCS 4964, Berlin (2008)

  4. Brumley, D., Boneh, D.: Remote timing attacks are practical. In: Proceedings of the 12th Usenix Security Symposium (2003)

  5. Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10, 233–260 (1997)

    Article  MathSciNet  MATH  Google Scholar 

  6. Dhem, J.-F., Koeune, F., Leroux, P.-A., Mestré, P.-A., Quisquater, J.-J., Willems, J.-L.: A practical implementation of the timing attack. In: Quisquater, J.-J., Schneier, B. (eds.) Smart Card—Research and Applications, pp. 175–191. Springer, LNCS 1820, Berlin (2000)

  7. Feller, W.: An Introduction to Probability Theory and Its Applications, vol. 1, 3rd edn. Wiley, New York (1970) (revised printing)

  8. Kocher, P.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS and other systems. In: Koblitz, N. (ed.) Crypto 1996, pp. 104–113. Springer, LNCS 1109, Heidelberg (1996)

  9. Menezes, A.J., van Oorschot, P.C., Vanstone, S.C.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)

    MATH  Google Scholar 

  10. Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44, 519–521 (1985)

    Article  MathSciNet  MATH  Google Scholar 

  11. Schindler, W.: A Timing attack against RSA with the Chinese remainder theorem. In: Koç, Ç.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2000, pp. 110–125. Springer, LNCS 1965, Berlin (2000)

  12. Schindler, W., Koeune, F., Quisquater, J.-J.: Improving divide and conquer attacks against cryptosystems by better error detection/correction strategies. In: Honary, B. (ed.) Cryptography and Coding—IMA 2001, pp. 245–267. Springer, LNCS 2260, Berlin (2001)

  13. Schindler, W.: Optimized timing attacks against public key cryptosystems. Stat. Decisions 20, 191–210 (2002)

    MathSciNet  MATH  Google Scholar 

  14. Schindler, W.: Exponent blinding may not prevent timing attacks on RSA. Cryptology ePrint Archive, Report 2014/869., Version 20141022:205703

  15. Schindler, W.: Exclusive exponent blinding may not suffice to prevent timing attacks on RSA. In: Güneysu, T., Handschuh, H. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2015. pp. 229–247. Springer, LNCS 9293, Berlin (2015)

  16. Walter, C.D.: Precise bounds for montgomery modular multiplication and some potentially insecure RSA moduli. In: Preneel, B. (ed.) Topics in Cryptology—CT-RSA 2002, pp. 30–39. Springer, LNCS 2271, Berlin (2002)

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Werner Schindler.

Additional information

This article is based on the earlier article [15], ©IACR 2015, doi:10.1007/978-3-662-48324-4_12.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Schindler, W. Exclusive exponent blinding is not enough to prevent any timing attack on RSA. J Cryptogr Eng 6, 101–119 (2016).

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: