Vertical and horizontal correlation attacks on RNS-based exponentiations

Guilherme Perin, Laurent Imbert, Philippe Maurine, Lionel Torres
2015 Journal of Cryptographic Engineering  
Side-channel attacks are a serious threat for physical implementations of public-key cryptosystems and notably for the RSA. Side-channel leakages can be explored from unprotected cryptodevices and several power or electromagnetic traces are collected in order to construct (vertical) differential side-channel attacks. On exponentiations, the so-called horizontal correlation attacks originally proposed by Walter in 2001 and improved by Clavier et al in 2010 demonstrated to be efficient even in
more » ... presence of strong countermeasures like the exponent and message blinding. In particular, a single trace is sufficient to recover the secret if the modular exponentiation features long-integer multiplications. In this paper, we consider the application of vertical and horizontal correlation attacks on RNS-based approaches. The Montgomery multiplication, which is widely adopted in the finite ring of an exponentiation, has different construction details in the RNS domain. Experiments are conducted on hardware (parallel) and software (sequential) and leakage models for known and masked inputs are constructed for the regular and SPAprotected Montgomery ladder algorithm. ∏ k i=1 b i , gcd(A, B) = gcd(B, N ) = 1 and δ = (δ ℓ−1 . . . δ 1 δ 0 ) 2 Result: z = x δ mod N in A ∪ B 1 Pre-Computations: ⟨AB mod N ⟩ A∪B 2 Randomize(A, B) 3 A 0 = M M (1, AB mod N, N, A, B), in A ∪ B 4 A 1 = M M (x, AB mod N, N, A, B), in A ∪ B 5 for i = ℓ − 1 to 0 do 6
doi:10.1007/s13389-015-0095-0 fatcat:gaixhnguevbb3o3vhfsexcbe7a