A new style CPA attack on the ML implementation of RSA

In this study, a new style CPA type attack applied to Montgomery Ladder (ML) exponentiation steps of an ASIC RSA implementation. The proposed method assumes existence of two types of secret key bits according to the implementation level property of target. For each consecutive key bit quad, a type estimation vector is constructed and correlated with the corresponding power traces. For the quads which contain both types of bits, correct type vector gives the highest correlation peaks. The quads which contain only one type of bits cannot be identified by this way. Because, at least two different types are required in the type vectors for the correlation calculations. However, these quads are identified by looking at the distance of their highest correlation peak values when compared to others. The proposed method differs from previous DPA and CPA type attacks by the way of its leakage model construction and identification of uniform quads from others. Also, the proposed method doesn´t require any control or knowledge about the plain text value or any known key value. Modulus and message blinding type countermeasures don´t have effect on the attack. However, it is possible to use exponent blinding as a countermeasure. The attack is applied to an implementation that could be breakdown by cross correlation type power analysis methods previously. However, the proposed method uses lesser or at most equal number of traces when compared to these methods.