Power Analysis by Exploiting Chosen Message and Internal Collisions – Vulnerability of Checking Mechanism for RSA-Decryption

“…For other attacks against RSA see the power attack by Yen et al [18], and the timing attack by Miyamoto et al [11]. Now to our DPA attack: Every multiplication (in this section this includes squarings) starts with an empty accumulator M = 0, and also a zero adjustment value μ 0 (both for Reduce-by-Feedback and Montgomery multiplication).…”

Reduce-by-Feedback: Timing Resistant and DPA-Aware Modular Multiplication Plus: How to Break RSA by DPA

“…For other attacks against RSA see the power attack by Yen et al [18], and the timing attack by Miyamoto et al [11]. Now to our DPA attack: Every multiplication (in this section this includes squarings) starts with an empty accumulator M = 0, and also a zero adjustment value μ 0 (both for Reduce-by-Feedback and Montgomery multiplication).…”

Reduce-by-Feedback: Timing Resistant and DPA-Aware Modular Multiplication Plus: How to Break RSA by DPA

“…This idea can be seen as a correct form to protect the modular exponentiation. However, it can be observed that algorithm 3 blinds the message and it remains vulnerable to the 1 − N attack [15]. The best technique for message blinding under this scheme is that proposed by Fumaroli and Vigilant [20].…”

“…One of the simplest chosen-message attacks is the 1 − N attack proposed by Yen et al in [15]. Though they explained the theoretical form of their attack against the left-to-right SaMA and BRIP algorithms [16], Miyamoto et al demonstrated the effectiveness of an 1 − N attack in practice [17].…”

“…This might be the most logical reaction against this type of attack. However, according to Yen et al [15], it is possible to choose messages with a modified m and j m , might not be consecutive messages, and it is not possible to store all of the previous messages required to perform the detection of that relationship.…”

How to Avoid the N-1 Attack Without Costly Implementations

“…SPAAttacks assuming that the messages can be chosen by the adversary (e.g. [26,27]) are out of the scope of this paper. Classical countermeasures such as the randomization of M (see for instance [28]) can be used together with our SPA/FA countermeasure to counteract such attacks by rendering the value of M unpredictable.…”

CRT RSA Algorithm Protected Against Fault Attacks