Springer Verlag, Cryptography and Communications, 1(7), p. 71-90
DOI: 10.1007/s12095-014-0110-9
A difference-of-means test applied to acquisitions of the instantaneous power consumption has been shown to be a suitable means of distinguishing a multiplication from a squaring operation over the integers. This has been attributed to the difference in expected Hamming weight of the output of these operations, but few details are present in the literature. In this paper we define how this difference occurs and show that, somewhat surprisingly, a difference can, for some moduli, still be observed after a modular reduction. Moreover, we show that this difference leads to a practical attack under reasonable assumptions where a modulus is blinded. The presented attack goes beyond the cryptographic primitive and applies to concrete provably secure implementations, including RSA-PSS for signature generation or RSA-OAEP for encryption that uses side-channel countermeasures.