Improved Side-Channel Analysis of Finite-Field Multiplication

A side-channel analysis of multiplication in GF(2(128)) has recently been published by Belaid, Fouque and Gerard at Asiacrypt 2014, with an application to AES-GCM. Using the least significant bit of the Hamming weight of the multiplication result, the authors have shown how to recover the secret multiplier efficiently. However such least significant bit is very sensitive to noise measurement; this implies that, without averaging, their attack can only work for high signal-to-noise ratios (SNR > 128). In this paper we describe a new side-channel attack against the multiplication in GF(2(128)) that uses the most significant bits of the Hamming weight. We show that much higher values of noise can be then tolerated. For instance with an SNR equal to 8, the key can be recovered using 2 20 consumption traces with time and memory complexities respectively equal to 2(51.68) and 2(36.) We moreover show that the new method can be extended to attack the fresh re-keying countermeasure proposed by Medwed, Standaert, Groschadl and Regazzoni at Africacrypt 2010.