Exponent Blinding Does Not Always Lift (Partial) SPA Resistance to Higher-Level Security

  • Werner Schindler
  • Kouichi Itoh
Conference paper

DOI: 10.1007/978-3-642-21554-4_5

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6715)
Cite this paper as:
Schindler W., Itoh K. (2011) Exponent Blinding Does Not Always Lift (Partial) SPA Resistance to Higher-Level Security. In: Lopez J., Tsudik G. (eds) Applied Cryptography and Network Security. ACNS 2011. Lecture Notes in Computer Science, vol 6715. Springer, Berlin, Heidelberg

Abstract

Exponent blinding is known as a secure countermeasure against side-channel attacks. If single power traces reveal some exponent bits, an attack by Fouque et al. applies which recovers the exponent. However, this attack becomes infeasible if some of the guessed bits are incorrect. Thus, the attack was not assumed to be a realistic threat. In this paper we present two variants of a novel generic attack which works for considerable error rates at each bit position, disproving the hypothesis that mere exponent blinding is always sufficient. We confirmed experimentally that our attack permits up to 28% (RSA case) or 23% (ECC case) error bits.

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Werner Schindler, Bundesamt für Sicherheit in der Informationstechnik (BSI), Bonn, Germany
  • Kouichi Itoh, Fujitsu Laboratories Ltd., Nakahara-ku, Japan