Table of contents fragments (recovered from extraction residue):
- Upper bound for #roots
- Study
- 7.4.1 Scalar multiplication with the modular extension protection
- Performance
- Conclusions

Algorithm step fragments (appendix, partially recovered; "←" denotes assignment):
- Y3 ← T2 × T2 mod p
- 4: X3 ← X + T2 mod p
- 5: X3 ← X3 × X3 mod p
- 6: X3 ← X3 − Y
- X3 ← X3 − T1 mod p
- 16: X3 ← X3 − T1

C. Aumüller, P. Bier, W. Fischer, P. Hofreiter, and J.-P. Seifert, Fault attacks on RSA with CRT: concrete results and practical countermeasures, in Kaliski et al. [JKP03] (CHES 2002), pp. 260-275.

ANSI, X9.42: Public key cryptography for the financial services industry: Agreement of symmetric algorithm keys using Diffie-Hellman, 1996.

ANSI, X9.62: Public key cryptography for the financial services industry - The elliptic curve digital signature algorithm (ECDSA), 1999.

O. Aciiçmez and W. Schindler, A vulnerability in RSA implementations due to instruction cache analysis and its demonstration on OpenSSL, Topics in Cryptology - CT-RSA 2008, The Cryptographers' Track at the RSA Conference, vol. 4964, pp. 256-273, 2008.

O. Aciiçmez, W. Schindler, and Ç. K. Koç, Improving Brumley and Boneh timing attack on unprotected SSL implementations, Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS 2005, pp. 139-146, 2005.

T. Akishita and T. Takagi, Zero-value point attacks on elliptic curve cryptosystem, Information Security, 6th International Conference, vol. 2851, pp. 218-233, 2003.

A. Battistello, Common points on elliptic curves: The Achilles' heel of fault attack countermeasures, in Prouff [Pro14], pp. 69-81.

P. Belgarric, S. Bhasin, N. Bruneau, J. Danger, N. Debande, S. Guilley, A. Heuser, Z. Najm, and O. Rioul, Time-frequency analysis for second-order attacks, in Francillon and Rohatgi [FR13] (CARDIS 2013), pp. 108-122.

D. J. Bernstein, P. Birkner, M. Joye, T. Lange, and C. Peters, Twisted Edwards curves, Progress in Cryptology - AFRICACRYPT 2008, First International Conference on Cryptology in Africa, vol. 5023, pp. 389-405, 2008.

A. Berzati, C. Canovas-Dumas, and L. Goubin, Public key perturbation of randomized RSA implementations, Cryptographic Hardware and Embedded Systems - CHES 2010, vol. 6225, pp. 306-319, 2010.

E. Brier, C. Clavier, and F. Olivier, Correlation power analysis with a leakage model, Cryptographic Hardware and Embedded Systems - CHES 2004, 6th International Workshop, vol. 3156, pp. 16-29, 2004.

[BCP+14] L. Batina, Ł. Chmielewski, L. Papachristodoulou, P. Schwabe, and M. Tunstall, Online template attacks, Progress in Cryptology - INDOCRYPT 2014, 15th International Conference on Cryptology in India, vol. 8885, pp. 21-36, 2014.

G. Barthe, F. Dupressoir, P.-A. Fouque, B. Grégoire, and J.-C. Zapalowicz, Synthesis of fault attacks on cryptographic implementations, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 1016-1027, 2014.

D. Boneh, R. A. DeMillo, and R. J. Lipton, On the importance of checking cryptographic protocols for faults (extended abstract), Advances in Cryptology - EUROCRYPT '97, Lecture Notes in Computer Science, vol. 1233, pp. 37-51, 1997.

D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang, High-speed high-security signatures, Journal of Cryptographic Engineering, vol. 2, no. 2, pp. 77-89, 2012.

[BDSG+14] J. Blömer, R. Gomes da Silva, P. Günther, J. Krämer, and J.-P. Seifert, A practical second-order fault attack against a real-world pairing implementation, in Tria and Choi (FDTC 2014), pp. 123-136.

[Ben14] J. Benaloh (ed.), Topics in Cryptology - CT-RSA 2014 - The Cryptographer's Track at the RSA Conference, vol. 8366, 2014.

J. Blömer, P. Günther, and G. Liske, Tampering attacks in pairing-based cryptography, pp. 1-7.

A. Bauer, É. Jaulmes, E. Prouff, J.-R. Reinhard, and J. Wild, Horizontal collision correlation attack on elliptic curves - extended version, Cryptography and Communications, vol. 7, pp. 91-119, 2015.

A. Bauer, É. Jaulmes, E. Prouff, and J. Wild, Horizontal and vertical side-channel attacks against secure RSA implementations, Topics in Cryptology - CT-RSA 2013 - The Cryptographers' Track at the RSA Conference, vol. 7779, pp. 1-17, 2013.

D. J. Bernstein and T. Lange, Explicit-Formulas Database.

D. J. Bernstein and T. Lange, Faster addition and doubling on elliptic curves, Advances in Cryptology - ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, vol. 4833, pp. 29-50, 2007.

D. J. Bernstein, T. Lange, and P. Schwabe, The security impact of a new cryptographic library, Progress in Cryptology - LATINCRYPT 2012, 2nd International Conference on Cryptology and Information Security in Latin America, vol. 7533, pp. 159-176, 2012.

I. Biehl, B. Meyer, and V. Müller, Differential fault attacks on elliptic curve cryptosystems, Advances in Cryptology - CRYPTO 2000, 20th Annual International Cryptology Conference, vol. 1880, pp. 131-146, 2000.

A. Boscher, R. Naciri, and E. Prouff, in D. Sauveron, C. Markantonakis, A. Bilas, and J.-J. Quisquater (eds.), Smart Cards, Mobile and Ubiquitous Computing Systems, First IFIP TC6 / WG 8.8 / WG 11.2 International Workshop, vol. 4462, pp. 229-243, 2007.

J. Blömer, M. Otto, and J.-P. Seifert, A new CRT-RSA algorithm secure against Bellcore attacks, Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS 2003, pp. 311-320, 2003.

J. Blömer, M. Otto, and J.-P. Seifert, Sign change fault attacks on elliptic curve cryptosystems, Fault Diagnosis and Tolerance in Cryptography, Third International Workshop, FDTC 2006, Yokohama, vol. 4236, pp. 36-52, 2006.

[BSI10] Bundesamt für Sicherheit in der Informationstechnik (BSI), RFC 5639 - Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation, 2010.

[BSI17] Bundesamt für Sicherheit in der Informationstechnik (BSI), Technische Richtlinie: Kryptographische Verfahren: Empfehlungen und Schlüssellängen (Technical Guideline: Cryptographic Mechanisms: Recommendations and Key Lengths), 2017.

B. B. Brumley and N. Tuveri, Remote timing attacks are still practical, Computer Security - ESORICS 2011, 16th European Symposium on Research in Computer Security, vol. 6879, pp. 355-371, 2011.

Y.-J. Baek and I. Vasyltsov, How to prevent DPA and fault attack in a unified way for ECC scalar multiplication - ring extension method, Information Security Practice and Experience, Third International Conference, vol. 4464, pp. 225-237, 2007.

C. Clavier, B. Feix, G. Gagnerot, M. Roussellet, and V. Verneuil, Horizontal correlation analysis on exponentiation, Information and Communications Security, 12th International Conference, ICICS 2010, vol. 6476, pp. 46-61, 2010.
URL: https://hal.archives-ouvertes.fr/inria-00540384

[CFG+12] C. Clavier, B. Feix, G. Gagnerot, C. Giraud, M. Roussellet, and V. Verneuil, ROSETTA for single trace analysis, Progress in Cryptology - INDOCRYPT 2012, 13th International Conference on Cryptology in India, vol. 7668, pp. 140-155, 2012.

J.-C. Courrège, B. Feix, and M. Roussellet, Simple power analysis on exponentiation revisited, Smart Card Research and Advanced Application, 9th IFIP WG 8.8/11.2 International Conference, CARDIS 2010, vol. 6035, pp. 65-79, 2010.

M. Ciet and M. Joye, Practical fault countermeasures for Chinese remaindering based RSA, Fault Diagnosis and Tolerance in Cryptography, FDTC 2005, pp. 124-131, 2005.

C. Clavier, Secret external encodings do not prevent transient fault analysis, Cryptographic Hardware and Embedded Systems - CHES 2007, 9th International Workshop, vol. 4727, pp. 181-194, 2007.

J.-S. Coron, Resistance against differential power analysis for elliptic curve cryptosystems, Cryptographic Hardware and Embedded Systems, First International Workshop, CHES'99, vol. 1717, pp. 292-302, 1999.

S. Chari, J. R. Rao, and P. Rohatgi, Template attacks, in Kaliski et al. [JKP03] (CHES 2002), pp. 13-28.

M. Dugardin, S. Guilley, J. Danger, Z. Najm, and O. Rioul, Correlated extra-reductions defeat blinded regular exponentiation, Cryptographic Hardware and Embedded Systems - CHES 2016, 18th International Conference, vol. 9813, pp. 3-22, 2016.
URL: https://hal.archives-ouvertes.fr/hal-01362463

[DGM+16] M. Dugardin, S. Guilley, M. Moreau, Z. Najm, and P. Rauzy, Using modular extension to provably protect Edwards curves against fault attacks, PROOFS: Security Proofs for Embedded Systems, 2016.

M. Dugardin, S. Guilley, M. Moreau, Z. Najm, and P. Rauzy, Using modular extension to provably protect Edwards curves against fault attacks, Journal of Cryptographic Engineering, 2017.
URL: https://hal.archives-ouvertes.fr/hal-01362552

E. Dottax, C. Giraud, M. Rivain, and Y. Sierra, On second-order fault analysis resistance for CRT-RSA implementations, in O. Markowitch, A. Bilas, J.-H. Hoepman, C. J. Mitchell, and J.-J. Quisquater (eds.), Information Security Theory and Practice. Smart Devices, Pervasive Systems, and Ubiquitous Networks, Third IFIP WG 11.2 International Workshop, vol. 5746, pp. 68-83, 2009.

W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644-654, 1976.

M. Dugardin, L. Papachristodoulou, Z. Najm, L. Batina, J. Danger, et al., Dismantling real-world ECC with horizontal and vertical template attacks, Constructive Side-Channel Analysis and Secure Design, 7th International Workshop, COSADE 2016, vol. 9689, pp. 88-108, 2016.
URL: https://hal.archives-ouvertes.fr/hal-01362466

H. M. Edwards, A normal form for elliptic curves, Bulletin of the American Mathematical Society, vol. 44, pp. 393-422, 2007.

L. Euler, Theorematum quorundam ad numeros primos spectantium demonstratio, Commentarii Academiae Scientiarum Petropolitanae, vol. 8, pp. 141-146, 1741.

L. Euler, Theoremata arithmetica nova methodo demonstrata, Novi Commentarii Academiae Scientiarum Petropolitanae, vol. 8, pp. 74-104, 1763.

[FR13] A. Francillon and P. Rohatgi (eds.), Smart Card Research and Advanced Applications, 12th International Conference, CARDIS 2013, vol. 8419, 2013.

P.-A. Fouque and F. Valette, The doubling attack - why upwards is better than downwards, Cryptographic Hardware and Embedded Systems - CHES 2003, 5th International Workshop, vol. 2779, pp. 269-280, 2003.
URL: https://hal.archives-ouvertes.fr/inria-00563965

C. Giraud, An RSA implementation resistant to fault attacks and to simple power analysis, IEEE Transactions on Computers, vol. 55, no. 9, pp. 1116-1120, 2006.

K. Gandolfi, C. Mourtel, and F. Olivier, Electromagnetic analysis: concrete results, Cryptographic Hardware and Embedded Systems - CHES 2001, Third International Workshop, vol. 2162, pp. 251-261, 2001.

A. Guillevic and D. Vergnaud, Genus 2 hyperelliptic curve families with explicit Jacobian order evaluation and pairing-friendly constructions, Pairing-Based Cryptography - Pairing 2012, 5th International Conference, vol. 7708, pp. 234-253, 2012.
URL: https://hal.archives-ouvertes.fr/hal-00871327

J. Håstad, vol. 17, 1988.

J. Heyszl, A. Ibing, S. Mangard, F. De Santis, and G. Sigl, Clustering algorithms for non-profiled single-execution attacks on exponentiations, in Francillon and Rohatgi [FR13] (CARDIS 2013), pp. 79-93.

N. Hanley, H. Kim, and M. Tunstall, Exploiting collisions in addition chain-based exponentiation algorithms using a single trace, Topics in Cryptology - CT-RSA 2015, The Cryptographer's Track at the RSA Conference, vol. 9048, pp. 431-448, 2015.

M. Hutter and P. Schwabe, NaCl on 8-bit AVR microcontrollers, Progress in Cryptology - AFRICACRYPT 2013, 6th International Conference on Cryptology in Africa, vol. 7918, pp. 156-172, 2013.

N. Hanley, M. Tunstall, and W. P. Marnane, Using templates to distinguish multiplications from squaring operations, International Journal of Information Security, vol. 10, no. 4, pp. 255-266, 2011.

Riscure, Inspector.

ISO/IEC JTC 1/SC 27/WG 3, ISO/IEC CD 20085-1:2017(E), Information technology - Security techniques - Test tool requirements and test tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic modules - Part 1: Test tools and techniques, 2017.

[JKP03] B. S. Kaliski Jr., Ç. K. Koç, and C. Paar (eds.), Cryptographic Hardware and Embedded Systems - CHES 2002, 4th International Workshop, vol. 2523, 2002.

M. Joye, Elliptic curve cryptosystems and side channel analysis, vol. 4, pp. 17-21, 2003.

M. Joye, Fault-resistant calculations on elliptic curves, European patent application, 2010.

M. Joye, Elliptic curve cryptosystems in the presence of faults, Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2013, p. 73, 2013.

M. Joye, P. Paillier, and S.-M. Yen, Secure evaluation of modular functions, International Workshop on Cryptology and Network Security, pp. 227-229, 2001.

M. Joye and C. Tymen, Protections against differential analysis for elliptic curve cryptography, Cryptographic Hardware and Embedded Systems - CHES 2001, Third International Workshop, vol. 2162, pp. 377-390, 2001.

M. Joye and M. Tunstall (eds.), Fault Analysis in Cryptography, Information Security and Cryptography, Springer, 2012.

M. Joye and S.-M. Yen, The Montgomery powering ladder, in Kaliski et al. [JKP03] (CHES 2002), pp. 291-302.

D. Karaklajić, J. Fan, J.-M. Schmidt, and I. Verbauwhede, Low-cost fault detection method for ECC using Montgomery powering ladder, Design, Automation and Test in Europe, DATE 2011, pp. 1016-1021, 2011.

P. C. Kocher, J. Jaffe, and B. Jun, Differential power analysis, Advances in Cryptology - CRYPTO '99, 19th Annual International Cryptology Conference, vol. 1666, pp. 388-397, 1999.

S. Kim, T. H. Kim, D.-G. Han, and S. Hong, An efficient CRT-RSA algorithm secure against power and fault attacks, Journal of Systems and Software, vol. 84, no. 10, pp. 1660-1669, 2011.

Ç. K. Koç, D. Naccache, and C. Paar (eds.), Cryptographic Hardware and Embedded Systems - CHES 2001, Third International Workshop, vol. 2162, 2001.

N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, vol. 48, pp. 203-209, 1987.

P. C. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, Advances in Cryptology - CRYPTO '96, 16th Annual International Cryptology Conference, vol. 1109, pp. 104-113, 1996.

P. C. Kocher, On certificate revocation and validation, Financial Cryptography, Second International Conference, FC '98, vol. 1465, pp. 172-177, 1998.

Ç. K. Koç and C. Paar (eds.), Cryptographic Hardware and Embedded Systems, First International Workshop, CHES'99, vol. 1717, 1999.

V. K. Leont'ev, Roots of random polynomials over a finite field, Mathematical Notes, vol. 80, no. 1-2, pp. 300-304, 2006.

[LMV+13] L. Lerman, S. Fernandes Medeiros, N. Veshchikov, C. Meuter, G. Bontempi, and O. Markowitch, Semi-supervised template attack, Constructive Side-Channel Analysis and Secure Design, 4th International Workshop, COSADE 2013, vol. 7864, pp. 184-199, 2013.

[LPM+14] R. Lashermes, M. Paindavoine, N. El Mrabet, J. J. A. Fournier, and L. Goubin, Practical validation of several fault attacks against the Miller algorithm, in Tria and Choi (FDTC 2014), pp. 115-122.

D.-P. Le, M. Rivain, and C. H. Tan, On double exponentiation for securing RSA against fault analysis, in Benaloh [Ben14], pp. 152-168.

E. De Mulder, P. Buysschaert, S. Berna Örs, P. Delmotte, B. Preneel, et al., Electromagnetic analysis attack on an FPGA implementation of an elliptic curve cryptosystem, IEEE International Conference on Computer as a Tool, pp. 1879-1882, 2005.

T. S. Messerges, E. A. Dabbish, and R. H. Sloan, Power analysis attacks of modular exponentiation in smartcards, Cryptographic Hardware and Embedded Systems, First International Workshop, CHES'99, vol. 1717, pp. 144-157, 1999.

N. El Mrabet, J. J. A. Fournier, L. Goubin, and R. Lashermes, A survey of fault attacks in pairing based cryptography, Cryptography and Communications, vol. 7, no. 1, pp. 185-205, 2015.

N. Moro, K. Heydemann, E. Encrenaz, and B. Robisson, Formal verification of a software countermeasure against instruction skip attacks, Journal of Cryptographic Engineering, vol. 4, no. 3, pp. 145-156, 2014.
URL: https://hal.archives-ouvertes.fr/emse-00869509

V. S. Miller, Use of elliptic curves in cryptography, Advances in Cryptology - CRYPTO '85, vol. 218, pp. 417-426, 1985.

M. Medwed and E. Oswald, Template attacks on ECDSA, Information Security Applications, 9th International Workshop, WISA 2008, vol. 5379, pp. 14-27, 2008.

P. L. Montgomery, Modular multiplication without trial division, Mathematics of Computation, vol. 44, no. 170, pp. 519-521, 1985.

D. Moody and D. Shumow.

A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, 1996.

NIST, FIPS Publication 186-4 - Digital Signature Standard (DSS), 2013.

M. Naehrig, R. Niederhagen, and P. Schwabe, New software speed records for cryptographic pairings, Progress in Cryptology - LATINCRYPT 2010, First International Conference on Cryptology and Information Security in Latin America, vol. 6212, pp. 109-123, 2010.

S. Berna Örs, L. Batina, B. Preneel, and J. Vandewalle, Hardware implementation of an elliptic curve processor over GF(p) with Montgomery modular multiplier, International Journal of Embedded Systems (IJES), vol. 3, no. 4, pp. 229-240, 2008.

G. Perin, L. Imbert, L. Torres, and P. Maurine, Attacking randomized exponentiations using unsupervised learning, in Prouff [Pro14], pp. 144-160.
URL: https://hal.archives-ouvertes.fr/lirmm-01096039

[Pro14] E. Prouff (ed.), Constructive Side-Channel Analysis and Secure Design, 5th International Workshop, COSADE 2014, Lecture Notes in Computer Science, vol. 8622, 2014.

M. Rivain, Fast and regular algorithms for scalar multiplication over elliptic curves, IACR Cryptology ePrint Archive, Report 2011/338, 2011.

C. Rechberger and E. Oswald, Practical template attacks, Information Security Applications, 5th International Workshop, WISA 2004, vol. 3325, pp. 440-456, 2004.

R. L. Rivest, A. Shamir, and L. M. Adleman, Cryptographic communications system and method, US Patent 4,405,829, 1983.

W. Schindler, A timing attack against RSA with the Chinese remainder theorem, Cryptographic Hardware and Embedded Systems - CHES 2000, Second International Workshop, vol. 1965, pp. 109-124, 2000.

W. Schindler, A combined timing and power attack, Public Key Cryptography, 5th International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2002, vol. 2274, pp. 263-279, 2002.

W. Schindler, Exclusive exponent blinding may not suffice to prevent timing attacks on RSA, Cryptographic Hardware and Embedded Systems - CHES 2015, 17th International Workshop, vol. 9293, pp. 229-247, 2015.

A. Shamir, Method and apparatus for protecting public key schemes from timing and fault attacks, US Patent 5,991,415, 1999.

W. Schindler, F. Koeune, and J.-J. Quisquater, Improving divide and conquer attacks against cryptosystems by better error detection / correction strategies, Cryptography and Coding, 8th IMA International Conference, vol. 2260, pp. 245-267, 2001.
DOI: 10.1007/3-540-45325-3_22

H. Sato, D. Schepers, and T. Takagi, Exact analysis of Montgomery multiplication, Progress in Cryptology - INDOCRYPT 2004, 5th International Conference on Cryptology in India, vol. 3348, pp. 290-304, Springer, 2004.
DOI: 10.1007/978-3-540-30556-9_23

W. Schindler and C. D. Walter, More detail for a combined timing and power attack against implementations of RSA, Cryptography and Coding, 9th IMA International Conference, vol. 2898, pp. 245-263, 2003.

A. Tria and D. Choi (eds.), Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2014, 2014.
URL: https://hal.archives-ouvertes.fr/emse-01222706

S. Theodoridis and K. Koutroumbas, Pattern recognition and neural networks, in G. Paliouras, V. Karkaletsis, and C. D. Spyropoulos (eds.), vol. 2049, pp. 169-195, 2001.

Magma Computational Algebra System, 2014.

V. Verneuil, Elliptic curve cryptography and security of embedded devices, PhD thesis, 2012.
URL: https://hal.archives-ouvertes.fr/tel-00733004

D. Vigilant, RSA with CRT: A new cost-effective solution to thwart fault attacks, Cryptographic Hardware and Embedded Systems - CHES 2008, 10th International Workshop, pp. 130-145, 2008.

D. Wagner, Cryptanalysis of a provably secure CRT-RSA algorithm, ACM Conference on Computer and Communications Security, CCS 2004, pp. 92-97, 2004.

W. Schindler, Optimized timing attacks against public key cryptosystems, Statistics & Risk Modeling, vol. 20, no. 1-4, pp. 191-210, 2002.

C. Whitnall and E. Oswald, A comprehensive evaluation of mutual information analysis using a fair evaluation framework, Advances in Cryptology - CRYPTO 2011, Lecture Notes in Computer Science, vol. 6841, pp. 316-334, 2011.

C. Whitnall, E. Oswald, and F.-X. Standaert, The myth of generic DPA ... and the magic of learning, in Benaloh [Ben14], pp. 183-205.

C. D. Walter and S. Thompson, Distinguishing exponent digits by observing modular subtractions, Topics in Cryptology - CT-RSA 2001, The Cryptographer's Track at RSA Conference, vol. 2020, pp. 192-207, 2001.

M. F. Witteman, J. G. J. van Woudenberg, and F. Menarini, Defeating RSA multiply-always and message blinding countermeasures, Topics in Cryptology - CT-RSA 2011, The Cryptographers' Track at the RSA Conference, vol. 6558, pp. 77-88, 2011.

List of figures of the French summary (captions translated; fragments kept as recovered):
- Standard protocol to encrypt a message with a common secret shared via Diffie-Hellman
- ... Walter & Thomson
- ... Schindler
- 10. Evolution of the success rate for one bit using 500 experiments, between the method of chapter 5 and the improvement described in chapter 6, with u = 2 and no error in the detection of extra-reductions

List of figures:
- Global view of this thesis
- Diffie-Hellman
- RSA scheme to send an encrypted message to one user
- Global view of the state of the art of attacks and protections required for this thesis
- Specialized equipment for a side channel acquisition set-up
- Principle of simple side channel analysis on RSA
- 3.4 EM acquisition on elliptic curve scalar multiplication execution on brainpoolP256r1 with affine coordinates
- Zoom on EM acquisition on an elliptic curve operation to spot the modular multiplication operation
- 3.6 ... and sketch of the dichotomy attack by Schindler [Sch00] (in grey line with grey iteration numbers)
- 3.7 ERA3: Extra-reduction analysis by ...
- Protection against extra-reduction analysis ERA3 - used regular algorithm
- Modular extension
- 4.1 ... trace with the template traces 4P and 5P
- Pattern of the j-th multiplication in acquisitions with different inputs
- Propagation of carry during multiplication in the field
- 4.6 Electromagnetic emanation acquisition for ECSM on P-256 with k = 0xA5A5
- Pattern of multiplication-before-reduction
- Cross-correlation between the pattern of the multiplication and the target trace
- The first seven iterations of the ECSM algorithm on the curve
- Misalignment of two template traces due to propagation of carry
- 4.11 ... carry
- 4.12 Four cases if the template traces 2P and 3P have the same propagation of carry
- Generalization of the detection and correction method
- 5.1 Comparison between the output value of the multiplication and the input of the following square in the "Square-and-Multiply-Always" exponentiation algorithm (algorithm 3.1)
- 5.2 ... these kinds of implementations with some countermeasures
- 5.4 Distribution of the output value of Montgomery multiplication (left) and square (right) for RSA-1024-p
- Pearson's correlation between X_{M_i} and X_{S_{i-1}}
- Illustration of {(a, b) ∈ {0, 1} ...
- Montgomery ladder algorithm
- 5.11 Evolution of the success rate for the ⊕-attack-Soft and the ⊕-attack-Hard as a function of the number Q of queries (upper bound is the maximum likelihood), for RSA-1024-p
- Evolution of the success rate for the ⊕-attack as a function of the number of queries Q using p = RSA-1024-p for four increasing noise values
- 5.14 Electromagnetic acquisition focused on one real subtraction (left) and pattern of one dummy subtraction (right) between two consecutive MMM operations
- 6.1 ...
- 6.2 Statistical box-plot to estimate the ratio p/R and the probability p_noise as a function of the number of side channel traces Q, using 1,000 exponent values
- Evolution of the success rate of one bit using 500 experiments, between the chapter 5 attack version and the optimized version with u = 2, without noise in the acquisition
- Success rate for an entire exponent using 1,000 exponent values, depending on the number of side channel traces Q, for different noise probabilities p_noise
- 7.1 Countermeasure protecting against the fault attacks and side channel attacks presented in this chapter
- Degree of the polynomial against the value of k (in log-log scale)

List of tables:
- 3.1 Extra-reduction probability for multiplications (M_i) and squares (S_i)
- 4.1 ... attacks
- 4.2 Different success rates on 3000 attacks according to the number of averaged template traces on the brainpoolP256r1 curve
- Probabilities to have m template traces with the same propagation of inner carry among d template traces
- 5.1 State of the art of timing attacks and of the attacks based on extra-reduction
- 5.2 Example of probabilities of extra-reduction X_{M_i} of the multiply operation and X_{S_{i-1}} of the square operation knowing the Boolean value G_i for RSA-1024-p. The first line (correct guess) is applicable for both ... (SMA ...)
- 5.3 Summary of the number of queries (see figure 5.12(b)) to retrieve all key bits of a secret exponent, as a function of the side channel detection method and the regular exponentiation algorithm
- Summary of the extra-reduction analyses published before 2017
- Prime factors < p of ... for the generator point (u_G, v_G) given in the example (curve Ed25519 defined in section 7.5.2)
- D.1 ... {(0, 0), (1, 1)} (corresponds to the case k_i = k_{i-1})
- Probability of the 6 consecutive operations X_{M_i}, X_{S_i}, X_{M_{i-1}}, X_{S_{i-1}}, X_{M_{i-2}}, X_{S_{i-2}} for k_i ⊕ k_{i-1} = 0 and k_{i-1} ⊕ k_{i-2} = 0 (case (a))
- Probability of the 6 consecutive operations X_{M_i}, X_{S_i}, X_{M_{i-1}}, X_{S_{i-1}}, X_{M_{i-2}}, X_{S_{i-2}} for k_i ⊕ k_{i-1} = 0 and k_{i-1} ⊕ k_{i-2} = 1 (case (b))
- Probability of the 6 consecutive operations X_{M_i}, X_{S_i}, X_{M_{i-1}}, X_{S_{i-1}}, X_{M_{i-2}}, X_{S_{i-2}} for k_i ⊕ k_{i-1} = 1 and k_{i-1} ⊕ k_{i-2} = 0 (case (c))
- D.5 Probability of the 6 consecutive operations X_{M_i}, X_{S_i}, X_{M_{i-1}}, X_{S_{i-1}}, X_{M_{i-2}}, X_{S_{i-2}} for k_i ⊕ k_{i-1} = 1 and k_{i-1} ⊕ k_{i-2} = 1 (case (d))

List of algorithms:
- 2.1 Modular exponentiation: Classical Square and Multiply (Left-to-Right)
- 2.2 Modular exponentiation: Classical Square and Multiply (Right-to-Left)
- 2.3 ECSM: Classical Double and Add (Left-to-Right)
- 2.4 ECSM: Classical Double and Add (Right-to-Left)
- Multiplication of two large numbers in mbedTLS
- Euclidean division in mbedTLS
- 3.1 Square and Multiply Always Left-to-Right
- 3.2 Montgomery Ladder Left-to-Right
- 3.3 Double-and-Add-Always Left-to-Right
- ECSM Montgomery Ladder Left-to-Right
- Multiply-Always Left-to-Right
- Add-Always Left-to-Right
- Improvement of the Online Template Attack description
- ⊕-attack using the histogram method for probability estimation
- 7.1 ...
- 7.2 ECSM with modular extension protection using complete unified addition formulas - Twisted Edwards Curves case
- Doubling in PolarSSL v1 (appendix C)
- Mixed-add in PolarSSL v1 (appendix C)