
C. Aumüller, P. Bier, W. Fischer, P. Hofreiter et al., Fault Attacks on RSA with CRT: Concrete Results and Practical Countermeasures, CHES, volume 2523 of Lecture Notes in Computer Science, pp.260-275, 2002.

A. Berzati, C. Canovas-Dumas, and L. Goubin, A Survey of Differential Fault Analysis Against Classical RSA Implementations, Fault Analysis in Cryptography, Information Security and Cryptography, pp.111-124, 2012.
DOI : 10.1007/978-3-642-29656-7_7

Brier, C. Clavier, and F. Olivier, Correlation Power Analysis with a Leakage Model, CHES, pp.16-29, 2004.
DOI : 10.1007/978-3-540-28632-5_2

E. Biham, Y. Carmeli, and A. Shamir, Bug attacks, CRYPTO, pp.221-240, 2008.

G. Barthe, F. Dupressoir, P. Fouque, B. Grégoire, M. Tibouchi et al., Making RSA-PSS Provably Secure Against Non-Random Faults, IACR Cryptology ePrint Archive, p.252, 2014.

G. Barthe, F. Dupressoir, P. Fouque, B. Grégoire, and J. Zapalowicz, Synthesis of Fault Attacks on Cryptographic Implementations, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp.1016-1027, 2014.

S. Bhasin, J. Danger, S. Guilley, and Z. Najm, NICV: Normalized Inter-Class Variance for Detection of Side-Channel Leakage, International Symposium on Electromagnetic Compatibility (EMC '14), Session OS09: EM Information Leakage, Hitotsubashi Hall (National Center of Sciences), Chiyoda, 2014.

S. Bhasin, J. Danger, S. Guilley, and Z. Najm, Side-channel leakage and trace compression using normalized inter-class variance, Proceedings of the Third Workshop on Hardware and Architectural Support for Security and Privacy, HASP '14, pp.1-7, 2014.
DOI : 10.1145/2611765.2611772

Boneh, R. A. DeMillo, and R. J. Lipton, On the Importance of Checking Cryptographic Protocols for Faults, Proceedings of Eurocrypt'97, pp.37-51, 1997.
DOI : 10.1007/3-540-69053-0_4

C. H. Bennett, Notes on Landauer's principle, Reversible Computation and Maxwell's Demon. Studies in History and Philosophy of Modern Physics, pp.501-510, 2003.

A. Battistello and C. Giraud, Fault Analysis of Infective AES Computations, 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp.101-107, 2013.
DOI : 10.1109/FDTC.2013.12

Blömer, R. G. da Silva, P. Günther, J. Krämer et al., A Practical Second-Order Fault Attack against a Real-World Pairing Implementation, 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp.123-136, 2014.
DOI : 10.1109/FDTC.2014.22

Blömer, P. Günther, and G. Liske, Tampering Attacks in Pairing-Based Cryptography, 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp.1-7, 2014.
DOI : 10.1109/FDTC.2014.10

Barthe, B. Grégoire, and S. Zanella-Béguelin, Formal certification of code-based cryptographic proofs, 36th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp.90-101, 2009.

E. Biham, A fast new DES implementation in software, Lecture Notes in Computer Science, vol.1267, pp.260-272, 1997.
DOI : 10.1007/BFb0052352

A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann et al., PRESENT: An Ultra-Lightweight Block Cipher, CHES, pp.450-466, 2007.
DOI : 10.1007/978-3-540-74735-2_31

B. Blanchet, ProVerif: Cryptographic protocol verifier in the formal model

Boscher, R. Naciri, and E. Prouff, CRT RSA Algorithm Protected Against Fault Attacks, Lecture Notes in Computer Science, vol.49, issue.9, pp.229-243, 2007.
DOI : 10.1007/11554868_13

Blömer, M. Otto, and J. Seifert, A new CRT-RSA algorithm secure against Bellcore attacks, ACM Conference on Computer and Communications Security, pp.311-320, 2003.

Blömer, M. Otto, and J. Seifert, Sign Change Fault Attacks on Elliptic Curve Cryptosystems, Fault Diagnosis and Tolerance in Cryptography, pp.36-52, 2006.
DOI : 10.1007/11889700_4

E. Biham and A. Shamir, Differential fault analysis of secret key cryptosystems, CRYPTO, pp.513-525, 1997.
DOI : 10.1007/BFb0052259

Baek and I. Vasyltsov, How to Prevent DPA and Fault Attack in a Unified Way for ECC Scalar Multiplication - Ring Extension Method, Information Security Practice and Experience, pp.225-237, 2007.
DOI : 10.1007/978-3-540-72163-5_18

Christofi, B. Chetali, L. Goubin, and D. Vigilant, Formal verification of a CRT-RSA implementation against fault attacks, Journal of Cryptographic Engineering, vol.2009, issue.3, pp.157-167, 2013.
DOI : 10.1007/s13389-013-0049-3

Chen, T. Eisenbarth, A. Shahverdi, and X. Ye, Balanced Encoding to Mitigate Power Analysis: A Case Study, CARDIS, Lecture Notes in Computer Science, 2014.
DOI : 10.1007/978-3-319-16763-3_4

C. Carlet, J. Faugère, and C. Goyet, Analysis of the algebraic side channel attack, Journal of Cryptographic Engineering, vol.24, issue.1, pp.45-62, 2012.
DOI : 10.1007/s13389-012-0028-0

URL : https://hal.archives-ouvertes.fr/hal-00777829

J. Coron, C. Giraud, N. Morin, G. Piret, and D. Vigilant, Fault Attacks and Countermeasures on Vigilant's RSA-CRT Algorithm, pp.89-96, 2010.

C. Carlet, L. Goubin, E. Prouff, M. Quisquater, and M. Rivain, Higher-Order Masking Schemes for S-Boxes, Fast Software Encryption -19th International Workshop, FSE 2012, pp.366-384, 2012.
DOI : 10.1007/978-3-642-34047-5_21

Courtois, D. Hulme, and T. Mourouzis, Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis, IACR Cryptology ePrint Archive, issue.179, pp.475-492, 2011.

M. Ciet and M. Joye, Practical fault countermeasures for Chinese remaindering based RSA, Fault Diagnosis and Tolerance in Cryptography, pp.124-131, 2005.

J. Coron and A. Mandal, PSS Is Secure against Random Fault Attacks, ASIACRYPT, pp.653-666, 2009.

J. Coron, E. Prouff, and M. Rivain, Side Channel Cryptanalysis of a Higher Order Masking Scheme, CHES, pp.28-44, 2007.

Chen, A. Sinha, and P. Schaumont, Using Virtual Secure Circuit to Protect Embedded Software from Side-Channel Attacks, IEEE Transactions on Computers, vol.62, issue.1, pp.124-136, 2013.
DOI : 10.1109/TC.2011.225

G. Doychev, D. Feld, B. Köpf, L. Mauborgne, and J. Reineke, CacheAudit: A Tool for the Static Analysis of Cache Side Channels, IACR Cryptology ePrint Archive, p.253, 2013.

Dottax, C. Giraud, M. Rivain, and Y. Sierra, On Second-Order Fault Analysis Resistance for CRT-RSA Implementations, Lecture Notes in Computer Science, vol.5746, pp.68-83, 2009.
DOI : 10.1007/978-3-642-03944-7_6

Diffie and M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, vol.22, issue.6, pp.644-654, 1976.
DOI : 10.1109/TIT.1976.1055638

N. Debande, Y. Souissi, M. Abdelaziz-elaabid, S. Guilley, and J. Danger, Wavelet transform based pre-processing for side channel analysis, 2012 45th Annual IEEE/ACM International Symposium on Microarchitecture Workshops, pp.32-38, 2012.
DOI : 10.1109/MICROW.2012.15

T. Eisenbarth, Z. Gong, T. Güneysu, S. Heyse, S. Indesteege et al., François-Xavier Standaert, and Loïc van Oldeneel tot Oldenzeel, Compact Implementation and Performance Evaluation of Block Ciphers in ATtiny Devices, Lecture Notes in Computer Science, vol.12, issue.7374, pp.172-187, 2012.

N. E. Mrabet, J. J. Fournier, L. Goubin, and R. Lashermes, A survey of fault attacks in pairing based cryptography, Cryptography and Communications, vol.56, issue.1, pp.1-21, 2014.
DOI : 10.1007/s12095-014-0114-5

URL : https://hal.archives-ouvertes.fr/hal-01197172

H. L. Garner, Number Systems and Arithmetic, Advances in Computers, vol.6, pp.131-194, 1965.

S. Guilley, S. Chaudhuri, L. Sauvage, P. Hoogvorst, R. Pacalet et al., Security Evaluation of WDDL and SecLib Countermeasures against Power Attacks, IEEE Transactions on Computers, vol.57, issue.11, pp.1482-1497, 2008.
DOI : 10.1109/TC.2008.109

S. Guilley, P. Hoogvorst, Y. Mathieu, and R. Pacalet, The "Backend Duplication" Method, CHES, pp.383-397, 2005.
DOI : 10.1007/11545262_28

C. Giraud, An RSA Implementation Resistant to Fault Attacks and to Simple Power Analysis, IEEE Transactions on Computers, vol.55, issue.9, pp.1116-1120, 2006.
DOI : 10.1109/TC.2006.135

T. Güneysu and A. Moradi, Generic Side-Channel Countermeasures for Reconfigurable Devices, CHES, pp.33-48, 2011.
DOI : 10.1007/978-3-642-23951-9_3

X. Guo, D. Mukhopadhyay, and R. Karri, Provably secure concurrent error detection against differential fault analysis, Cryptology ePrint Archive, vol.552552, 2012.

A. Guillevic and D. Vergnaud, Genus 2 Hyperelliptic Curve Families with Explicit Jacobian Order Evaluation and Pairing-Friendly Constructions, Pairing-Based Cryptography - Pairing 2012, pp.234-253, 2013.
DOI : 10.1007/978-3-642-36334-4_16

URL : https://hal.archives-ouvertes.fr/hal-00871327

Hoogvorst, J. Danger, and G. Duc, Software Implementation of Dual-Rail Representation, In COSADE, 2011.

K. Heydemann, N. Moro, E. Encrenaz, and B. Robisson, Formal Verification of a Software Countermeasure Against Instruction Skip Attacks, Cryptology ePrint Archive, vol.679679, 2013.
URL : https://hal.archives-ouvertes.fr/emse-00869509

INRIA, OCaml, a variant of the Caml language

Y. Ishai, M. Prabhakaran, A. Sahai, and D. Wagner, Private Circuits II: Keeping Secrets in Tamperable Circuits, EUROCRYPT, pp.308-327, 2006.
DOI : 10.1007/11761679_19

Y. Ishai, A. Sahai, and D. Wagner, Private Circuits: Securing Hardware against Probing Attacks, CRYPTO, volume 2729 of Lecture Notes in Computer Science, pp.463-481, 2003.
DOI : 10.1007/978-3-540-45146-4_27

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

M. Joye, A. K. Lenstra, and J. Quisquater, Chinese Remaindering Based Cryptosystems in the Presence of Faults, pp.241-245, 1999.

Don Johnson, Alfred Menezes, and Scott Vanstone, The Elliptic Curve Digital Signature Algorithm (ECDSA).

M. Joye, Protecting RSA against Fault Attacks: The Embedding Method, 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp.41-45, 2009.
DOI : 10.1109/FDTC.2009.32

M. Joye and P. Paillier, GCD-Free Algorithms for Computing Modular Inverses, CHES, pp.243-253, 2003.
DOI : 10.1007/978-3-540-45238-6_20

M. Joye, P. Paillier, and S. Yen, Secure evaluation of modular functions, 2001.

M. Joye and M. Tunstall, Fault Analysis in Cryptography, 2011.
DOI : 10.1007/978-3-642-29656-7

Köpf and D. A. Basin, An information-theoretic model for adaptive side-channel attacks, ACM Conference on Computer and Communications Security, pp.286-296, 2007.

Köpf and M. Dürmuth, A Provably Secure and Efficient Countermeasure against Timing Attacks, 2009 22nd IEEE Computer Security Foundations Symposium, pp.324-335, 2009.
DOI : 10.1109/CSF.2009.21

Karaklajic, J. Fan, J. Schmidt, and I. Verbauwhede, Low-cost fault detection method for ECC using Montgomery powering ladder, Design, Automation and Test in Europe, DATE 2011, pp.1016-1021, 2011.

P. C. Kocher, J. Jaffe, and B. Jun, Differential Power Analysis, Proceedings of CRYPTO'99, pp.388-397, 1999.

Kim, T. H. Kim, D. Han, and S. Hong, An efficient CRT-RSA algorithm secure against power and fault attacks, Journal of Systems and Software, vol.84, issue.10, pp.1660-1669, 2011.
DOI : 10.1016/j.jss.2011.04.026

Koç, High-Speed RSA Implementation, 1994.

P. C. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems, Proceedings of CRYPTO'96, pp.104-113, 1996.

V. Leont'ev, Roots of random polynomials over a finite field, Mathematical Notes, vol.80, issue.12, pp.300-304, 2006.

Liu, B. King, and W. Wang, A CRT-RSA Algorithm Secure against Hardware Fault Attacks, 2006 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing, pp.51-60, 2006.
DOI : 10.1109/DASC.2006.5

A. K. Lenstra, H. W. Lenstra, and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, vol.32, issue.4, pp.515-534, 1982.
DOI : 10.1007/BF01457454

R. Lashermes, M. Paindavoine, N. E. Mrabet, J. J. Fournier, and L. Goubin, Practical Validation of Several Fault Attacks against the Miller Algorithm, Fault Diagnosis and Tolerance in Cryptography (FDTC), 2014 Workshop on, pp.115-122, 2014.

Le, M. Rivain, and C. Tan, On Double Exponentiation for Securing RSA against Fault Analysis, Lecture Notes in Computer Science, vol.8366, pp.152-168, 2014.
DOI : 10.1007/978-3-319-04852-9_8

S. Moore, R. Anderson, R. Mullins, G. Taylor, and J. J. Fournier, Balanced self-checking asynchronous logic for smart card applications, Microprocessors and Microsystems, vol.27, issue.9, pp.421-430, 2003.
DOI : 10.1016/S0141-9331(03)00092-9

M. McLoone, C. McIvor, and J. V. McCanny, Coarsely integrated operand scanning (CIOS) architecture for high-speed Montgomery modular multiplication, Proceedings. 2004 IEEE International Conference on Field-Programmable Technology (IEEE Cat. No.04EX921), pp.185-191, 2004.
DOI : 10.1109/FPT.2004.1393267

L. Mather and E. Oswald, Pinpointing side-channel information leaks in web applications, Journal of Cryptographic Engineering, vol.15, issue.6, pp.161-177, 2012.
DOI : 10.1007/s13389-012-0036-0

Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards, 2006.

Moss, E. Oswald, D. Page, and M. Tunstall, Compiler Assisted Masking, CHES, pp.58-75, 2012.
DOI : 10.1007/978-3-642-33027-8_4

URL : http://urn.kb.se/resolve?urn=urn:nbn:se:bth-7057

Mangard, E. Oswald, and F. Standaert, One for all - all for one: unifying standard differential power analysis attacks, IET Information Security, vol.5, issue.2, pp.100-111, 2011.
DOI : 10.1049/iet-ifs.2010.0096

S. Mangard and K. Schramm, Pinpointing the Side-Channel Leakage of Masked AES Hardware Implementations, CHES, pp.76-90, 2006.
DOI : 10.1007/11894063_7

M. Medwed, F. Standaert, J. Großschädl, and F. Regazzoni, Fresh Re-keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices, AFRICACRYPT, pp.279-296
DOI : 10.1007/978-3-642-12678-9_17

A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, 1996.
DOI : 10.1201/9781439821916

M. Nassar, S. Bhasin, J. Danger, G. Duc, and S. Guilley, BCDL: A high performance balanced DPL with global precharge and without early-evaluation, DATE'10, pp.849-854, 2010.

Naehrig, R. Niederhagen, and P. Schwabe, New Software Speed Records for Cryptographic Pairings, Progress in Cryptology - LATINCRYPT 2010, pp.109-123, 2010.
DOI : 10.1007/978-3-642-14712-8_7

P. Paillier, Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, EUROCRYPT, pp.223-238, 1999.
DOI : 10.1007/3-540-48910-X_16

Popp and S. Mangard, Masked Dual-Rail Pre-charge Logic: DPA-Resistance Without Routing Constraints, Cryptographic Hardware and Embedded Systems - CHES 2005, pp.172-186, 2005.
DOI : 10.1007/11545262_13

P. Rauzy and S. Guilley, A formal proof of countermeasures against fault injection attacks on CRT-RSA, Journal of Cryptographic Engineering, vol.21, issue.2, pp.173-185, 2014.
DOI : 10.1007/s13389-013-0065-3

URL : https://hal.archives-ouvertes.fr/hal-00863914

P. Rauzy and S. Guilley, Formal Analysis of CRT-RSA Vigilant's Countermeasure Against the BellCoRe Attack, Proceedings of ACM SIGPLAN on Program Protection and Reverse Engineering Workshop 2014, PPREW'14, pp.978-979, 2014.
DOI : 10.1145/2556464.2556466

P. Rauzy and S. Guilley, Countermeasures against High-Order Fault-Injection Attacks on CRT-RSA, 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp.68-82, 2014.
DOI : 10.1109/FDTC.2014.17

URL : https://hal.archives-ouvertes.fr/hal-01071425

Rivain, Securing RSA against Fault Analysis by Double Addition Chain Exponentiation, Cryptology ePrint Archive Report, vol.52, issue.4, 2009.
DOI : 10.1109/TC.2003.1190587

M. Rivain and E. Prouff, Provably Secure Higher-Order Masking of AES, CHES, pp.413-427, 2010.
DOI : 10.1007/978-3-642-15031-9_28

M. Renauld and F. Standaert, Algebraic Side-Channel Attacks, Lecture Notes in Computer Science, vol.6151, pp.393-410, 2009.
DOI : 10.1007/978-3-642-16342-5_29

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

R. L. Rivest, A. Shamir, and L. M. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, vol.21, issue.2, pp.120-126, 1978.
DOI : 10.1145/359340.359342

Renauld, F. Standaert, and N. Veyrat-Charvillon, Algebraic Side-Channel Attacks on the AES: Why Time also Matters in DPA, CHES, pp.97-111, 2009.
DOI : 10.1007/978-3-642-04138-9_8

N. Selmane, S. Bhasin, S. Guilley, T. Graba, and J. Danger, WDDL is Protected against Setup Time Violation Attacks, 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp.73-83, 2009.
DOI : 10.1109/FDTC.2009.40

URL : https://hal.archives-ouvertes.fr/hal-00410135

V. Servant, N. Debande, H. Maghrebi, and J. Bringer, Study of a Novel Software Constant Weight Implementation, CARDIS, Lecture Notes in Computer Science, 2014.

Y. Souissi, M. Aziz-Elaabid, J. Danger, S. Guilley, and N. Debande, Novel Applications of Wavelet Transforms based Side-Channel Analysis, Non-Invasive Attack Testing Workshop co-organized by NIST & AIST, Todai-ji Cultural Center, 2011.

Shams, J. C. Ebergen, and M. I. Elmasry, Modeling and comparing CMOS implementations of the C-element, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol.6, issue.4, pp.563-567, 1998.
DOI : 10.1109/92.736128

A. Shamir, Method and apparatus for protecting public key schemes from timing and fault attacks US Patent Number 5,991,415; also presented at the rump session of EUROCRYPT, 1997.

K. Schramm and C. Paar, Higher Order Masking of the AES, LNCS, vol.3860, pp.208-225, 2006.
DOI : 10.1007/11605805_14

V. Tomashevich, Y. Neumeier, R. Kumar, O. Keren et al., Protecting cryptographic hardware against malicious attacks by nonlinear robust codes, Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT), 2014 IEEE International Symposium on, pp.40-45, 2014.

A. Thillard, E. Prouff, and T. Roche, Success through Confidence: Evaluating the Effectiveness of a Side-Channel Attack, CHES, pp.21-36, 2013.
DOI : 10.1007/978-3-642-40349-1_2

K. Tiri and I. Verbauwhede, A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation, Proceedings Design, Automation and Test in Europe Conference and Exhibition, pp.246-251, 2004.
DOI : 10.1109/DATE.2004.1268856

K. Tiri and I. Verbauwhede, Place and Route for Secure Standard Cell Design, Proceedings of WCC / CARDIS, pp.143-158, 2004.
DOI : 10.1007/1-4020-8147-2_10

K. Tiri and I. Verbauwhede, A digital design flow for secure integrated circuits, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol.25, issue.7, pp.1197-1208, 2006.
DOI : 10.1109/TCAD.2005.855939

Vigilant, RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks, CHES, pp.130-145, 2008.
DOI : 10.1007/978-3-540-85053-3_9

Vigilant, RSA with CRT: A New Cost-Effective Solution to Thwart Fault Attacks, CHES, 2008. Slides presented at CHES [Vig08a]
DOI : 10.1007/978-3-540-85053-3_9

Vigilant, Countermeasure securing exponentiation based cryptography

J. G. J. van Woudenberg, M. F. Witteman, and F. Menarini, Practical Optical Fault Injection on Secure Microcontrollers, pp.91-99, 2011.

D. Wagner, Cryptanalysis of a provably secure CRT-RSA algorithm, Proceedings of the 11th ACM conference on Computer and communications security, CCS '04, pp.92-97, 2004.
DOI : 10.1145/1030083.1030097

Z. Wang and M. Karpovsky, Algebraic manipulation detection codes and their applications for design of secure cryptographic devices, 2011 IEEE 17th International On-Line Testing Symposium, pp.234-239, 2011.
DOI : 10.1109/IOLTS.2011.5994535

Yen and M. Joye, Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis, IEEE Trans. Computers, vol.49, issue.9, pp.967-970, 2000.

Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, Cross-VM side channels and their use to extract private keys, Proceedings of the 2012 ACM conference on Computer and communications security, CCS '12, pp.305-316, 2012.
DOI : 10.1145/2382196.2382230
