This report describes the current state-of-the-art about side channel crypt- analysis. It will describe the various side channels known in the literature and discuss them from various points of view (conditions of application, ease of de- ployment, relative e\ufb03ciency, . . . ) The question of countermeasures will also be explored. We will review the (large number of) countermeasures proposed in the literature, compare them and attempt to distinguish the most e\ufb03cient ones.

Our conclusion is that, at the moment, no perfect protection exists. By using appropriate countermeasures, it is possible to make the attacker\u2019s task harder, but not to make it impossible yet. One must therefore start by de\ufb01ning the adversary the device must resist again, and the resources he disposes of, before choosing appropriate countermeasures against this adversary.

Although we tried to keep the various countermeasures in perspective, the large number of problems to be taken into account, and the highly application- dependent character of side channel attacks make it impossible to advise ade- quate countermeasure in a general framework. This topic needs therefore to be further studied in each practical case.

6.1 Types of faults. . . . . . . . . . . . . . . . . . . . . . . . . . .8
6.2 Cryptanalyses based on fault. . . . . . . . . . . . . . . . . . . .9
6.2.1 Attack on RSA with CRT. . . . . . . . . . . . . . . . .9
6.2.2 Di\ufb00erential fault analysis. . . . . . . . . . . . . . . . . .10
6.2.3 Attacks on elliptic curve cryptography. . . . . . . . . . .11

7.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . .14 7.2 Themodel. . . . . . . . . . . . . . . . . . . . . . . . . . . . .14 7.3 Timing attack against RSA with Montgomery reduction. . . . .15

8.1 Simple power analysis. . . . . . . . . . . . . . . . . . . . . . .19 8.2 Di\ufb00erential Power Analysis. . . . . . . . . . . . . . . . . . . . .21 8.3 Furtherresults. . . . . . . . . . . . . . . . . . . . . . . . . . .23

10.2 Fault attacks protection. . . . . . . . . . . . . . . . . . . . . .26 10.2.1 Software countermeasures. . . . . . . . . . . . . . . . .26 10.2.2 Hardware countermeasures. . . . . . . . . . . . . . . . .28

10.3 Timing attacks protection. . . . . . . . . . . . . . . . . . . . .29 10.3.1 Hiding variations. . . . . . . . . . . . . . . . . . . . . .29 10.3.2 Hiding internal state. . . . . . . . . . . . . . . . . . . .30

10.4 Power analysis and electromagnetic analysis protection. . . . . .31 10.4.1 In a perfect world... . . . . . . . . . . . . . . . . . . . .31 10.4.2 Software countermeasures. . . . . . . . . . . . . . . . .32 10.4.3 Hardware countermeasures. . . . . . . . . . . . . . . . .35

10.5 Elliptic curve speci\ufb01c countermeasures. . . . . . . . . . . . . .36 10.5.1 SPA protection. . . . . . . . . . . . . . . . . . . . . . .36 10.5.2 DPA protection. . . . . . . . . . . . . . . . . . . . . .37