Recovering CRT-RSA Secret Keys from Message Reduced Values with Side-Channel Analysis

• Published in: Progress in Cryptology -- INDOCRYPT 2014 pp. 53 - 67
• Main Authors: Feix, Benoit, Thiebeauld, Hugues, Tordella, Lucille
• Format: Book Chapter
• Language: English
• Published: Cham Springer International Publishing
• Series: Lecture Notes in Computer Science
• Subjects: Embedded devices; Exponentiation; Long integer arithmetic; Modular reduction; Side-Channel Analysis
• ISBN: 3319130382; 9783319130385
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-319-13039-2_4

Long integer modular reduction is an operation executed when processing public-key cryptographic algorithms such as a CRT-RSA signature. This operation is sensitive as it manipulates a part of the secret key. When computing a CRT-RSA signature or a decryption the input message is first reduced modulo the two secret prime values \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$p$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$q$$\end{document}. These two reductions are executed preliminarily before the exponentiations with \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$d_p$$\end{document} and \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$d_q$$\end{document}. Amongst the range of published side-channel attacks so far, few target these initial reductions whereas it represents a significant threat for the secret key confidentiality. One of them, the MRED attack from den Boer et al.  makes use of chosen messages for attacking the reduced values. This attack is interesting as it does not require the knowledge of the algorithm used for the reduction. Besides it defeats the countermeasures aiming at randomizing the intermediate data during the reduction but not the final reduced value, as it is the case with the message additive blinding method. However this attack requires a large amount of traces to be successful. This paper introduces two efficient side-channel attacks considered more efficient than the MRED. Indeed it requires much less side-channel traces to expose the secret primes. The new techniques are exposed in this paper with practical results and discussion about their efficiency against the different existing countermeasures.