Memory address side-channel analysis on exponentiation

Abstract

Side-channel analysis aims at cryptography implementation by exploiting and analyzing side-channel information. Side-channel leakage of software implementation does not only depend on operators (instruction) and operands (value) but also on where operators and operands are called or stored in the memory. However, in contrast to the leakage of the operator and operand values, the exploitable leakage caused by the memory address is quite small. Side-channel analysis aiming at memory address usually needs a huge number of samples to eliminate the algorithmic noise. This paper presents a new attack method exploiting the leakage from consecutive addresses when accessing multiple-byte operands during evaluation of an exponentiation. By folding the observed side-channel leakage, one measurement is enough to perform statistical side-channel analysis and successfully reveal the secret key. Since only one measurement is sufficient, this attack even works in the presence of common side-channel countermeasures such as exponent randomization and message blinding.