On the BRIP algorithms security for RSA

Power Analysis has been intensively studied since the first publications in 1996 and many related attacks on naive implementations have been proposed. Nowadays algorithms in tamper resistant devices are protected by different countermeasures most often based on data randomization such as the BRIP algorithm on ECC and its RSA derivative. However not all of them are really secure or in the best case proven to be secure. In 2005, Yen, Lien, Moon and Ha introduced theoretical power attacks on some classical and BRIP exponentiation implementations, characterized by the use of a chosen input message value +/- 1. The first part of our article presents an optimized implementation for BRIP that takes advantage of the Montgomery modular arithmetic to speed up the mask inversion operation. An extension of the Yen et al. attack, based on collision detection through power analysis, is also presented. Based on this analysis we give security advice on this countermeasure implementation and determine the minimal random length to reach an appropriate level of security.