Abstract
In this paper we analyse a timing attack on RSA implementations that apply the Chinese remainder theorem and Montgomery’s multiplication algorithm and are protected by exponent blinding. Our attack applies both to square & multiply exponentiation and to table-based exponentiation algorithms, extending known timing attacks on unprotected implementations. Simulation experiments confirm the theoretical results. Interestingly, increasing the blinding length does not counteract our attack. Our attack can be adjusted to satisfy mild format restrictions. Effective countermeasures exist. This article extends a conference paper with new results.
References
Atallah, M. (ed.): Algorithms and Theory of Computation Handbook. CRC Press, Boca Raton (1998)
Acıiçmez, O., Schindler, W., Koç, Ç.K.: Improving Brumley and Boneh timing attack on unprotected SSL implementations. In: Meadows, C., Syverson, P. (eds.) 12th ACM Conference on Computer and Communications Security—CCS 2005, pp. 139–146. ACM Press, New York (2005)
Acıiçmez, O., Schindler, W.: A vulnerability in RSA implementations due to instruction cache analysis and its demonstration on openSSL. In: Malkin, T. (ed.) Topics in Cryptology—CT-RSA 2008, pp. 256–273. Springer, LNCS 4964, Berlin (2008)
Brumley, D., Boneh, D.: Remote timing attacks are practical. In: Proceedings of the 12th Usenix Security Symposium (2003)
Coppersmith, D.: Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol. 10, 233–260 (1997)
Dhem, J.-F., Koeune, F., Leroux, P.-A., Mestré, P.-A., Quisquater, J.-J., Willems, J.-L.: A practical implementation of the timing attack. In: Quisquater, J.-J., Schneier, B. (eds.) Smart Card—Research and Applications, pp. 175–191. Springer, LNCS 1820, Berlin (2000)
Feller, W.: An Introduction to Probability Theory and Its Applications, vol. 1, 3rd edn. Wiley, New York (1970) (revised printing)
Kocher, P.: Timing attacks on implementations of Diffie–Hellman, RSA, DSS and other systems. In: Koblitz, N. (ed.) Crypto 1996, pp. 104–113. Springer, LNCS 1109, Heidelberg (1996)
Menezes, A.J., van Oorschot, P.C., Vanstone, S.C.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)
Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44, 519–521 (1985)
Schindler, W.: A timing attack against RSA with the Chinese remainder theorem. In: Koç, Ç.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2000, pp. 110–125. Springer, LNCS 1965, Berlin (2000)
Schindler, W., Koeune, F., Quisquater, J.-J.: Improving divide and conquer attacks against cryptosystems by better error detection/correction strategies. In: Honary, B. (ed.) Cryptography and Coding—IMA 2001, pp. 245–267. Springer, LNCS 2260, Berlin (2001)
Schindler, W.: Optimized timing attacks against public key cryptosystems. Stat. Decisions 20, 191–210 (2002)
Schindler, W.: Exponent blinding may not prevent timing attacks on RSA. Cryptology ePrint Archive, Report 2014/869. https://eprint.iacr.org/2014/869, Version 20141022:205703
Schindler, W.: Exclusive exponent blinding may not suffice to prevent timing attacks on RSA. In: Güneysu, T., Handschuh, H. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2015, pp. 229–247. Springer, LNCS 9293, Berlin (2015)
Walter, C.D.: Precise bounds for Montgomery modular multiplication and some potentially insecure RSA moduli. In: Preneel, B. (ed.) Topics in Cryptology—CT-RSA 2002, pp. 30–39. Springer, LNCS 2271, Berlin (2002)
Additional information
This article is based on the earlier article [15], ©IACR 2015, doi:10.1007/978-3-662-48324-4_12.
Cite this article
Schindler, W. Exclusive exponent blinding is not enough to prevent any timing attack on RSA. J Cryptogr Eng 6, 101–119 (2016). https://doi.org/10.1007/s13389-016-0124-7