2014
DOI: 10.1007/978-3-319-04852-9_8
|View full text |Cite
|
Sign up to set email alerts
|

On Double Exponentiation for Securing RSA against Fault Analysis

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
3
1

Citation Types

0
11
0

Year Published

2014
2014
2020
2020

Publication Types

Select...
2
2
1

Relationship

1
4

Authors

Journals

citations
Cited by 5 publications
(11 citation statements)
references
References 26 publications
0
11
0
Order By: Relevance
“…We assume this chain to be precomputed. Le et al presented a double exponentiation algorithm, that does not rely on precomputation [18]. The binary exponentiation works as two parallel executions of the right-to-left exponentiation and uses register R 0 for calculations with d 1 and register R 1 for calculations with d 2 .…”
Section: Self-secure Exponentiation Countermeasuresmentioning
confidence: 99%
See 1 more Smart Citation
“…We assume this chain to be precomputed. Le et al presented a double exponentiation algorithm, that does not rely on precomputation [18]. The binary exponentiation works as two parallel executions of the right-to-left exponentiation and uses register R 0 for calculations with d 1 and register R 1 for calculations with d 2 .…”
Section: Self-secure Exponentiation Countermeasuresmentioning
confidence: 99%
“…The first such method is based on the Montgomery ladder [9]. This was adapted to the right-to-left version of the square-and-multiplyalways algorithm [5,6] and to double exponentiation [18,22]. We test the security of these methods using an automated testing framework.…”
Section: Introductionmentioning
confidence: 99%
“…Finally, redundant exponentiation algorithms [19,26] such as the Montgomery Ladder can be used. Regardless of the approach, RSA-CRT fault countermeasures tend to be rather costly: for example, Rivain's countermeasure [26,20] has a stated overhead of 10% compared to an unprotected implementation, and is purportedly more efficient than previous works [19,29,20].…”
Section: Introductionmentioning
confidence: 99%
“…Since our faults are non-random, the probability distributions are more complex; we use careful estimates of exponential sums attached to corresponding rational functions to establish their regularity. We only analyze this countermeasure when the validity check is performed in the standard way (by computing the public permutation), but our random infection might also be used to protect other checks such as Rivain's [26,20]. In the same way, although we use RSA-CRT as a motivating example, our fault model is in fact independent of the way the modular exponentiation is implemented, and is not limited to fault attacks on RSA-CRT.…”
Section: Introductionmentioning
confidence: 99%
“…Algorithmic protections have been proposed by Giraud [22] (and many others [16,32,29]) for CRT-RSA, which naturally transpose to ECC, as shown in [28]. These protections are implementation specific (e.g., depend on the chosen exponentiation algorithm) and are thus difficult to automate, requiring specialized engineering skills.…”
mentioning
confidence: 99%