Disclaimer: This page refers to an external person. It only lists all the interactions between this person and the Crypto Group. Validity or accuracy of the following information is thus not guaranteed in any way.
Seminars given
May 21, 2002  MIST : A randomised exponentiation algorithm for reducing side channel leakage
by Colin D. Walter
Abstract:  Recent attacks using differential power analysis (DPA) have shown how good equipment and poor implementation might be applied to break a single use of RSA on a smart card. The attacks are based on recognising the reuse of operands in the standard squareandmultiply, mary or sliding windows exponentiation schemes. A new algorithm is presented which avoids such operand reuse and consequently provides much greater resistance to DPA. It is based on generating random addition chains. Unlike the easier process of generating addition/subtraction chains (which have been applied to ECC), the algorithm does not require the computation of an inverse, and so is also applicable to RSA. The talk will concentrate on two aspects of the algorithm, namely its efficiency and its security against side channel leakage. The former establishes performance akin to that of 4ary exponentiation. The latter will assume the attacker can distinguish between squares and multiplies, and perhaps recognise reuse of operands. Under such attacks, it still appears to be computationally infeasible to recover the secret exponent.

September 10, 2002  Breaking the LiardetSmart Randomized Exponentiation Algorithm
by Colin D. Walter
Abstract:  In smartcard encryption and signature applications, randomised algorithms are used to increase tamper resistance against attacks based on side channel leakage. Recently several such algorithms have appeared which are suitable for RSA exponentiation and/or ECC point multiplication. We show that under certain reasonable hypotheses about the countermeasures in place and the attacker's monitoring equipment, the algorithm of Liardet and Smart is insecure against any side channel which leaks enough data to differentiate between the adds and doubles in a single scalar multiplication. It is concluded that the scalar needs to be blinded as well if the algorithm is used.
