Recovering Secrets From Prefix-Dependent Leakage

Recovering Secrets From Prefix-Dependent Leakage

We discuss how to recover a secret bitstring given partial information obtained during a computation over that string, assuming the computation is a deterministic algorithm processing the secret bits sequentially. That abstract situation models certain types of side-channel attacks against discrete...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Journal of mathematical cryptology 2020-06, Vol.14 (1), p.15-24
Hauptverfasser: Ferradi, Houda, Géraud, Rémi, Guilley, Sylvain, Naccache, David, Tibouchi, Mehdi
Format: Artikel
Sprache:eng
Schlagworte:
11T71
94A60
Algorithms
Computation
Computer Science
Computer systems
cryptanalysis
Cryptography
discrete logarithm problem
Galton–Watson process
Iterative methods
Leakage
Polynomials
Rings (mathematics)
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:We discuss how to recover a secret bitstring given partial information obtained during a computation over that string, assuming the computation is a deterministic algorithm processing the secret bits sequentially. That abstract situation models certain types of side-channel attacks against discrete logarithm and RSA-based cryptosystems, where the adversary obtains information not on the secret exponent directly, but instead on the group or ring element that varies at each step of the exponentiation algorithm. Our main result shows that for a leakage of a single bit per iteration, under suitable statistical independence assumptions, one can recover the whole secret bitstring in polynomial time. We also discuss how to cope with imperfect leakage, extend the model to -bit leaks, and show how our algorithm yields attacks on popular cryptosystems such as (EC)DSA.
ISSN:1862-2976
1862-2984
DOI:10.1515/jmc-2015-0048