Quiz Entry - updated: 2026.07.14
True or false: "RSA is immune to side-channel attacks."
False — RSA is highly vulnerable to side-channel attacks, particularly power analysis (SPA/DPA) during the square-and-multiply computation of $m^d \mod N$.
* Every 1-bit of the private exponent triggers an extra multiply, so its larger power/timing signature lets an attacker read d straight off the trace. *
Why RSA is vulnerable:
- Decryption/signing computes $m^d \mod N$ using SAM (Square-and-Multiply)
- For each bit of $d$: a "1" bit causes a MULTIPLY + SQUARE, a "0" bit causes only a SQUARE
- These operations have different power consumption and different timing
- An attacker monitoring power traces can literally read the private key $d$ bit by bit
Known side-channel attacks on RSA:
- Simple Power Analysis (SPA): Directly read the key from one power trace
- Differential Power Analysis (DPA): Statistical analysis over many traces
- Timing attacks: Different keys cause different computation times
- Electromagnetic emissions: EM radiation leaks key information
Countermeasures:
- Blinding: Randomize the computation using RSA's multiplicative property — multiply $m$ by a random $r^e$ before decryption, then divide by $r$ afterward
- Constant-time implementations: Ensure every bit of the key takes the same time
- Hardware shielding: EM and power filtering
Tip: The multiplicative property of RSA is both a weakness (malleability) AND a tool for defending against side channels (blinding). Context determines whether it's friend or foe.
Go deeper:
Power analysis — SPA & DPA (Wikipedia) — reading a key straight from the power trace.
Side-channel attack (Wikipedia) — the whole family: timing, power, EM, cache.
Blinding (cryptography) (Wikipedia) — the randomisation countermeasure named in the tip.