Memory Address Side-Channel Analysis on Exponentiation

  • Conference paper
Information Security and Cryptology - ICISC 2014 (ICISC 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8949)

Abstract

Side-channel analysis targets cryptographic implementations by exploiting and analyzing side-channel information. The side-channel leakage of a software implementation depends not only on the operators (instructions) and operands (values) but also on where the operators and operands are called or stored in memory. However, in contrast to the leakage of the operator and operand values, the exploitable leakage caused by the memory address is quite small. Side-channel analysis aiming at the memory address usually needs a huge number of samples to eliminate the algorithmic noise. This paper presents a new attack method exploiting the leakage from consecutive addresses when accessing multiple-byte operands during evaluation of an exponentiation. By folding the observed side-channel leakage, one measurement is enough to perform statistical side-channel analysis and successfully reveal the secret key. Since only one measurement is sufficient, this attack even works in the presence of common side-channel countermeasures such as exponent randomization and message blinding.

Notes

  1. Actually, the analysis in [3] targets \(\mathtt {a}_i \times \mathtt {b}_j\) in a long-integer multiplication, but the same idea can be applied to Montgomery multiplication.

  2. This paper targets the right-to-left exponentiation algorithm, and the operands \(\mathtt {A}\) and \(\mathtt {A}'\) are identical to \(\mathtt {S}\) and \(\mathtt {Y}\) in Fig. 1(B), stored at the addresses \(\mathsf {Addr}(\mathtt {a}_i) = \mathtt {0x0344} + i\) and \(\mathsf {Addr}(\mathtt {a}'_i) = \mathtt {0x0385}+ i\), respectively.

  3. In the second experiment, the two operands of the multiplication in line 04 of Fig. 1(B) are swapped, i.e., replacing \(\mathtt {Y} = \mathtt {Y} \times \mathtt {S} ~\hbox {mod}~\mathtt {M}\) by \(\mathtt {Y} = \mathtt {S} \times \mathtt {Y} ~\hbox {mod}~\mathtt {M}\).

References

  1. Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004)

  2. Koç, Ç.K., Paar, C. (eds.): CHES 1999. LNCS, vol. 1717. Springer, Heidelberg (1999)

  3. Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010)

  4. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar [2], pp. 292–302

  5. Hachez, G., Quisquater, J.-J.: Montgomery exponentiation with no final subtractions: improved results. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 293–301. Springer, Heidelberg (2000)

  6. Heyszl, J., Mangard, S., Heinz, B., Stumpf, F., Sigl, G.: Localized electromagnetic analysis of cryptographic implementations. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 231–244. Springer, Heidelberg (2012)

  7. Itoh, K., Izu, T., Takenaka, M.: Address-bit differential power analysis of cryptographic schemes OK-ECDH and OK-ECDSA. In: Kaliski Jr. et al. [11], pp. 129–143

  8. Itoh, K., Izu, T., Takenaka, M.: A practical countermeasure against address-bit differential power analysis. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 382–396. Springer, Heidelberg (2003)

  9. Izumi, M., Sakiyama, K., Ohta, K.: A new approach for implementing the MPL method toward higher SPA resistance. In: Proceedings of the Fourth International Conference on Availability, Reliability and Security, ARES 2009, March 16–19, 2009, Fukuoka, Japan, pp. 181–186. IEEE Computer Society (2009)

  10. Joye, M., Yen, S.-M.Y.: The Montgomery powering ladder. In: Kaliski Jr. et al. [11], pp. 291–302

  11. Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.): CHES 2002. LNCS, vol. 2523. Springer, Heidelberg (2003)

  12. Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)

  13. Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

  14. Mamiya, H., Miyaji, A., Morimoto, H.: Secure elliptic curve exponentiation against RPA, ZRA, DPA, and SPA. IEICE Trans. 89–A(8), 2207–2215 (2006)

  15. Messerges, T.S., Dabbish, E.A.: Investigations of power analysis attacks on smartcards. In: Guthery, S.B., Honeyman, P. (eds.) Proceedings of the 1st Workshop on Smartcard Technology, Smartcard 1999, Chicago, Illinois, USA, 10–11 May. USENIX Association (1999)

  16. Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)

  17. Walter, C.D.: Montgomery’s multiplication technique: How to make it smaller and faster. In: Koç, Ç.K., Paar [2], pp. 80–93

Acknowledgments

The author wishes to thank Marc Stöttinger for kindly providing many useful discussions. He would also like to thank the anonymous referees for their helpful comments, which improved both the presentation and the technical content.

Author information

Corresponding author

Correspondence to Chien-Ning Chen.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Chen, CN. (2015). Memory Address Side-Channel Analysis on Exponentiation. In: Lee, J., Kim, J. (eds) Information Security and Cryptology - ICISC 2014. ICISC 2014. Lecture Notes in Computer Science, vol 8949. Springer, Cham. https://doi.org/10.1007/978-3-319-15943-0_25

  • DOI: https://doi.org/10.1007/978-3-319-15943-0_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-15942-3

  • Online ISBN: 978-3-319-15943-0

  • eBook Packages: Computer Science, Computer Science (R0)
