RSA Side Channel Attack

An energy analysis attack (side channel attack) is a password attack method that can obtain secret information from a cryptographic device. Instead of His attack method is different: this attack uses the energy consumption characteristics of the cryptographic device, not the mathematical characteristics of the cryptographic algorithm. An energy analysis attack is a non-intrusive attack that allows an attacker to easily purchase the equipment needed to implement an attack: this type of attack poses a serious threat to the security of cryptographic devices such as smart cards.

Energy analysis attacks are a very important part of the security arena, and we will only discuss them briefly here.

Energy analysis attacks are divided into: - Simple Energy Analysis Attack (SPA), which allows visual analysis of energy traces, which can be viewed with the naked eye. - Differential Energy Analysis Attack (DPA), based on correlation coefficients between energy traces.

Attack conditions

The attacker can obtain side channel information related to encryption and decryption, such as energy consumption, computing time, electromagnetic radiation, and the like.


Here we take the Hack in the card I of HITB 2017 as an example.

The topic gives the public key file publickey.pem, ciphertext, the circuit diagram for measuring the smart card power, and the power consumption consumed by the smart card during the decryption (given [trace] via the online website (http://47.74 .147.53:20015/index.html)).

Circuit diagram




Since the site only gives an energy trace, it can be concluded that this is a Simple channel analysis (SPA) attack. Then we can directly obtain the key d of the RSA decryption process by observing the high and low levels of the energy trace. The theoretical basis for RSA attacks by SPA comes from the fast power remainder algorithm included in RSA.

The fast power algorithm is as follows

  1. When b is even, a^b \bmod c = ({a^2}^{b/2}) \bmod c.
  2. When b is an odd number, a^b \bmod c = ({a^2}^{b/2} \times a) \bmod c.

The corresponding C code is implemented as:

int PowerMod(int a, int b, int c)


int ans = 1;
    a = a % c;

    while(b>0) {

If(b % 2 == 1) // When b is odd, the following instructions will be executed more
years = (years * a)% c;
        b = b/2;

        a = (a * a) % c;


return years;

Since the value of the exponent is judged bit by bit during the calculation of the fast power, and different operations are taken, the value of d can be restored from the energy trace (from the above, the directly obtained value is the binary value of d) reverse order).


> Sometimes modular multiplication may also be multiplied from high to low. Here is the multiplication from the low to the high.

The script that restores d can be given as follows:

f = open('./data.txt')

data = f.read().split(",")

print('point number:', len(data))

Start_point = 225 # Point to start analysis
Mid = 50 # sampling point interval
Fence = 228 # high and low level dividing line

bin_array = []

for point_index in range(start_point, len(data), mid):

    if float(data[point_index]) > fence:




bin_array2 = []
flag1 = 0
flag2 = 0

for x in bin_array:

    if x:

        if flag1:

            flag2 = 1


flag1 = 1

        if flag2:




flag1 = 0
        flag2 = 0

# d_bin = bin_array2 [:: - 1]
d_bin = bin_array2
d = "".join(str(x) for x in d_bin)[::-1]


d_int = int(d,2)



  1. Mangard, S., Oswald, E., Popp, T., Feng Dengguo, Zhou Yongbin, & Liu Jiye. (2010). Energy Analysis Attack.