Exponent Blinding Does Not Always Lift (Partial) Spa Resistance to Higher-Level Security
Exponent blinding is known as a secure countermeasure against side-channel attacks. If single power traces reveal some exponent bits, an attack by Fouque et al. applies that recovers the exponent. However, this attack becomes infeasible if some of the guessed bits are incorrect. Thus, the attack was not assumed to be a realistic threat. In this paper we present two variants of a novel generic attack, which works for considerable error rates at each bit position, disproving the hypothesis that mere exponent blinding is always sufficient. We confirmed experimentally that our attack permits up to 28% (RSA case) or 23% (ECC case) error bits.
Unable to display preview. Download preview PDF.
- 8.Kocher, P.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar