Vertical and horizontal correlation attacks on RNS-based exponentiations

Abstract

Side-channel attacks are a serious threat for physical implementations of public key cryptosystems and notably for the RSA. Side-channel leakages can be explored from unprotected cryptodevices and several power or electromagnetic traces are collected in order to construct (vertical) differential side-channel attacks. On exponentiations, the so-called horizontal correlation attacks originally proposed by Walter in “Sliding windows succumbs to big mac attack” (Cryptographic hardware and embedded systems, 2001) and improved by Clavier et al. in “Horizontal correlation analysis on exponentiation” (ICICS, 2010) demonstrated to be efficient even in the presence of strong countermeasures like the exponent and message blinding. In particular, a single trace is sufficient to recover the secret if the modular exponentiation features long integer multiplications. In this paper, we consider the application of vertical and horizontal correlation attacks on residue number systems (RNS)-based approaches. The montgomery multiplication, which is widely adopted in the finite ring of an exponentiation, has different construction details in the RNS domain. Experiments are conducted on hardware (parallel) and software (sequential) and leakage models for known and masked inputs are constructed for the regular and SPA-protected Montgomery ladder algorithm.