Practical Modifications of Leadbitter et al.’s Repeated-Bits Side-Channel Analysis on (EC)DSA

摘要

In this paper, we will report practical modifications of the side-channel analysis to (EC)DSA [1, 2, 4, 31] that Leadbitter et al. have proposed in [12]. To apply the analyses, we assume that the window method is used in the exponentiation (EC scalar multiplication) calculation and the side-channel information described in Section [2] can be collected. So far, the method in [12] haven’t been effective when q is 160 bit long and the window size w < 9. We show that the modified method we propose in this paper is effective even when q is 160 bit long and w=4, that is, in the case of frequent implementation. First, we estimate the window size w necessary for the proposed analyses (attacks) to succeed. Then by experiment of the new method, we show that private keys of (EC)DSA can be obtained under the above assumptions, in practical time and with sufficient success rate. The result raises the necessity of countermeasures against the analyses (attacks) in the window method based implementation of (EC)DSA.