Side-Channel Attack against RSA Key Generation Algorithms

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8731)


Many applications of embedded devices require the generation of cryptographic secret parameters during the life cycle of the product. In such an unsafe context, several papers have shown that key generation algorithms are vulnerable to side-channel attacks. This is in particular the case of the generation of the secret prime factors in RSA. Until now, the threat has been demonstrated against naive implementations whose operations’ flow depends on secret data, and a simple countermeasure is to avoid such kind of dependency. In this paper, we propose a new attack that renders this defence strategy ineffective. It is in particular able to break secure implementations recommended by the ANSI X9.31 and FIPS 186-4 standards. We analyse its efficiency for various realistic attack contexts and we demonstrate its practicality through experiments against a smart-card implementation. Possible countermeasures are eventually proposed, drawing the following main conclusion: prime generation algorithms should avoid the use of a prime sieve combined with a deterministic process to generate the prime candidates from a random seed.


Sieve Element Chinese Remainder Theorem Embed Device Fault Attack Simple Power Analysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    ANSI X9.31. Digital Signature Using Reversible Public Key Cryptography for the Financial Services Industry. American National Standards Institute (1998)Google Scholar
  2. 2.
    Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 1–17. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  3. 3.
    Boneh, D., Durfee, G., Frankel, Y.: An Attack on RSA Given a Small Fraction of the Private Key Bits. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 25–34. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  4. 4.
    Boscher, A., Naciri, R., Prouff, E.: CRT RSA Algorithm Protected Against Fault Attacks. In: Sauveron, D., Markantonakis, K., Bilas, A., Quisquater, J.-J. (eds.) WISTP 2007. LNCS, vol. 4462, pp. 229–243. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Brandt, J., Damgård, I.B.: On Generation of Probable Primes by Incremental Search. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 358–370. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  6. 6.
    Brandt, J., Damgård, I., Landrock, P.: Speeding Up Prime Number Generation. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 440–449. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  7. 7.
    Chevallier-Mames, B., Ciet, M., Joye, M.: Low-cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity. IEEE Transactions on Computers 53(6), 760–768 (2004)CrossRefGoogle Scholar
  8. 8.
    Clavier, C., Coron, J.-S.: On the Implementation of a Fast Prime Generation Algorithm. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 443–449. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Clavier, C., Feix, B., Gagnerot, G., Giraud, C., Roussellet, M., Verneuil, V.: ROSETTA for Single Trace Analysis – Recovery of Secret Exponent by Triangular Trace Analysis. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 140–155. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  10. 10.
    Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal Correlation Analysis on Exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  11. 11.
    Clavier, C., Feix, B., Thierry, L., Paillier, P.: Generating Provable Primes Efficiently on Embedded Devices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 372–389. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  12. 12.
    Clavier, C., Joye, M.: Universal Exponentiation Algorithm – A First Step towards Provable SPA-Resistance. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 300–308. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Coppersmith, D.: Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 178–189. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  14. 14.
    Coppersmith, D.: Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities. Journal of Cryptology 10(4), 233–260 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Doget, J., Prouff, E., Rivain, M., Standaert, F.-X.: Univariate Side Channel Attacks and Leakage Modeling. Journal of Cryptographic Engineering 1(2), 123–144 (2011)CrossRefGoogle Scholar
  16. 16.
    Finke, T., Gebhardt, M., Schindler, W.: A New Side-Channel Attack on RSA Prime Generation. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 141–155. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    FIPS PUB 186-4. Digital Signature Standard (DSS). Federal Information Processing Standards Publication (July 2013)Google Scholar
  18. 18.
    Fouque, P.-A., Tibouchi, M.: Close to Uniform Prime Number Generation With Fewer Random Bits. IACR Cryptology ePrint Archive, 2011:481 (2011)Google Scholar
  19. 19.
    Gérard, B., Standaert, F.-X.: Unified and Optimized Linear Collision Attacks and Their Application in a Non-profiled Setting. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 175–192. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  20. 20.
    Giraud, C.: An RSA Implementation Resistant to Fault Attacks and to Simple Power Analysis. IEEE Transactions on Computers 55(9), 1116–1120 (2006)CrossRefGoogle Scholar
  21. 21.
    Gordon, J.: Strong Primes are Easy to Find. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 216–223. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  22. 22.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press (1997)Google Scholar
  23. 23.
    Moreno, C., Hasan, M.A.: SPA-Resistant Binary Exponentiation with Optimal Execution Time. Journal of Cryptographic Engineering 1(2), 87–99 (2011)CrossRefGoogle Scholar
  24. 24.
    Schindler, W.: Advanced Stochastic Methods in Side Channel Analysis on Block Ciphers in the Presence of Masking. Journal of Mathematical Cryptology 2, 291–310 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Berichte Der Mathematisch-Statistischen Sektion Im Forschungszentrum Graz. Forschungszentrum Graz, Mathematisch-Statistische Sektion (1973)Google Scholar
  26. 26.
    Veyrat-Charvillon, N., Gérard, B., Renauld, M., Standaert, F.-X.: An Optimal Key Enumeration Algorithm and Its Application to Side-Channel Attacks. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 390–406. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  27. 27.
    Vigilant, D.: RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 130–145. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  28. 28.
    Vuillaume, C., Endo, T., Wooderson, P.: RSA Key Generation: New Attacks. In: Schindler, W., Huss, S.A. (eds.) COSADE 2012. LNCS, vol. 7275, pp. 105–119. Springer, Heidelberg (2012)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.ANSSIParis 07France

Personalised recommendations