Attacking Exponent Blinding in RSA without CRT

摘要

A standard SPA protection for RSA implementations is exponent blinding (see [7]). Fouque et al., [4] and more recently Schindler and Itoh, [8] have described side-channel attacks against such implementations. The attack in [4] requires that the attacker knows some bits of the blinded exponent with certainty. The attack methods of [8] can be defeated by choosing a sufficiently large blinding factor (about 64 bit). In this paper we start from a more realistic model for the information an attacker can obtain by simple power analysis (SPA) than the one that forms the base of the attack in [4]. We show how the methods of [4] can be extended to work in this setting. This new attack works, under certain restrictions, even for long blinding factors (i.e. 64 bit or more).