Recovering CRT-RSA secret keys from message reduced values with side-channel analysis

Abstract

Long integer modular reduction is an operation executed when processing public-key cryptographic algorithms such as a CRTRSA signature. This operation is sensitive as it manipulates a part of the secret key. When computing a CRT-RSA signature or a decryption the input message is first reduced modulo the two secret prime values p and q. These two reductions are executed preliminarily before the exponentiations with dp and dq. Amongst the range of published side-channel attacks so far, few target these initial reductions whereas it represents a significant threat for the secret key confidentiality. One of them, the MRED attack from den Boer et al. makes use of chosen messages for attacking the reduced values. This attack is interesting as it does not require the knowledge of the algorithm used for the reduction. Besides it defeats the countermeasures aiming at randomizing the intermediate data during the reduction but not the final reduced value, as it is the case with the message additive blinding method. However this attack requires a large amount of traces to be successful. This paper introduces two efficient side-channel attacks considered more efficient than the MRED. Indeed it requires much less side-channel traces to expose the secret primes. The new techniques are exposed in this paper with practical results and discussion about their efficiency against the different existing countermeasures.