Journal of Mathematical Cryptology (Apr 2021)

Stochastic methods defeat regular RSA exponentiation algorithms with combined blinding methods

  • Dugardin Margaux,
  • Schindler Werner,
  • Guilley Sylvain

DOI
https://doi.org/10.1515/jmc-2020-0010
Journal volume & issue
Vol. 15, no. 1
pp. 408 – 433

Abstract

Read online

Extra-reductions occurring in Montgomery multiplications disclose side-channel information which can be exploited even in stringent contexts. In this article, we derive stochastic attacks to defeat Rivest-Shamir-Adleman (RSA) with Montgomery ladder regular exponentiation coupled with base blinding. Namely, we leverage on precharacterized multivariate probability mass functions of extra-reductions between pairs of (multiplication, square) in one iteration of the RSA algorithm and that of the next one(s) to build a maximum likelihood distinguisher. The efficiency of our attack (in terms of required traces) is more than double compared to the state-of-the-art. In addition to this result, we also apply our method to the case of regular exponentiation, base blinding, and modulus blinding. Quite surprisingly, modulus blinding does not make our attack impossible, and so even for large sizes of the modulus randomizing element. At the cost of larger sample sizes our attacks tolerate noisy measurements. Fortunately, effective countermeasures exist.

Keywords