A Practical Second-Order Fault Attack against a Real-World Pairing Implementation

Several fault attacks against pairing-based cryptography have been described theoretically in recent years. Interestingly, none of these have been practically evaluated. We accomplished this task and prove that fault attacks against pairing-based cryptography are indeed possible and are even practical — thus posing a serious threat. Moreover, we successfully conducted a second-order fault attack against an open source implementation of the eta pairing on an AVR XMEGA A1. We injected the first fault into the computation of the Miller Algorithm and applied the second fault to skip the final exponentiation completely. We introduce a low-cost setup that allowed us to generate multiple independent faults in one computation. The setup implements these faults by clock glitches which induce instruction skips. With this setup we conducted the first practical fault attack against a complete pairing computation

Fixed Argument Pairing Inversion on Elliptic Curves

Let $E$ be an elliptic curve over a finite field ${\mathbb F}_q$ with a power of prime $q$, $r$ a prime dividing $\#E({\mathbb F}_q)$, and $k$ the smallest positive integer satisfying $r | \Phi_k(p)$, called embedding degree. Then a bilinear map $t: E({\mathbb F}_q)[r] \times E({\mathbb F}_{q^k})/rE({\mathbb F}_{q^k}) \rightarrow {\mathbb F}_{q^k}^*$ is defined, called the Tate pairing. And the Ate pairing and other variants are obtained by reducing the domain for each argument and raising it to some power. In this paper we consider the {\em Fixed Argument Pairing Inversion (FAPI)} problem for the Tate pairing and its variants. In 2012, considering FAPI for the Ate$_i$ pairing, Kanayama and Okamoto formulated the {\em Exponentiation Inversion (EI)} problem. However the definition gives a somewhat vague description of the hardness of EI. We point out that the described EI can be easily solved, and hence clarify the description so that the problem does contain the actual hardness connection with the prescribed domain for given pairings. Next we show that inverting the Ate pairing (including other variants of the Tate pairing) defined on the smaller domain is neither easier nor harder than inverting the Tate pairing defined on the lager domain. This is very interesting because it is commonly believed that the structure of the Ate pairing is so simple and good (that is, the Miller length is short, the solution domain is small and has an algebraic structure induced from the Frobenius map) that it may leak some information, thus there would be a chance for attackers to find further approach to solve FAPI for the Ate pairing, differently from the Tate pairing

Physical attacks on pairing-based cryptography

In dieser Dissertation analysieren wir Schwächen paarungsbasierter kryptographischer Verfahren gegenüber physikalischen Angriffen wie Seitenkanalangriffen und Fehlerangriffen. Verglichen mit weitverbreiteten Primitiven, beispielsweise basierend auf elliptischen Kurven, ist noch relativ wenig über Angriffsmöglichkeiten aufpaarungsbasierte Verfahren bekannt. Ein Grund dafür ist die hohe Komplexität paarungsbasierter Kryptographie und fehlende Standards für die Festlegung von Parametern, Algorithmen und Verfahren. Des Weiteren läßt sich Wissen aus dem Zusammenhang mit elliptischen Kurven aufgrundstruktureller Unterschiede nicht direkt übertragen. Um ein besseres Verständnis des Problems zu erlangen, präsentieren wir in dieser Arbeit neue physikalische Angriffe auf paarungsbasierte Kryptographie. Unsere Ergebnisse, einschließlich deren praktische Umsetzung, machen deutlich, dass physikalische Angriffe eine Gefahr für die Implementierung paarungsbasierter kryptographischer Verfahren darstellen. Diese Gefahr sollte weiter untersucht und bei der Realisierung dieser Verfahren berücksichtig werden. Weiterhin zeigen unsere Ergebnisse, dass eine Einigung über verwendete Parameter, Algorithmen und Verfahren erzielt werden sollte, um die Komplexität von paarungsbasierter Kryptographie hinischtlich physikalische rAngriffe zu vermindern.In this thesis, we analyze the vulnerability of pairing-based cryptographic schemes against physical attacks like side-channel attacks (SCAs) or fault attacks (FAs). Compared to well-established cryptographic schemes, for example, from standard elliptic curve cryptography (ECC), less is known about weaknesses of pairing-based cryptography (PBC) against those attacks. Reasons for this shortcoming are the complexity of PBC and a missing consensus on parameters, algorithms, and schemes,e.g., in the form of standards. Furthermore, the structural difference between ECC and PBC prevents a direct application of the results from ECC. To get a better understanding of the subject, we present new physical attacks on PBC. Our results, including the practical realizations of our attacks, show that physical attacks are a threat for PBC and need further investigation. Our work also shows that the community should agree on parameters, algorithms, and schemes to reduce the complexity of PBC with respect to physical attacks.Peter Günther ; Supervisor: Prof. Dr. rer. nat. Johannes BlömerTag der Verteidigung: 14.03.2016Universität Paderborn, Univ., Dissertation, 201