A Practical Second-Order Fault Attack against a Real-World Pairing Implementation

Several fault attacks against pairing-based cryptography have been described theoretically in recent years. Interestingly, none of these have been practically evaluated. We accomplished this task and prove that fault attacks against pairing-based cryptography are indeed possible and are even practical — thus posing a serious threat. Moreover, we successfully conducted a second-order fault attack against an open source implementation of the eta pairing on an AVR XMEGA A1. We injected the first fault into the computation of the Miller Algorithm and applied the second fault to skip the final exponentiation completely. We introduce a low-cost setup that allowed us to generate multiple independent faults in one computation. The setup implements these faults by clock glitches which induce instruction skips. With this setup we conducted the first practical fault attack against a complete pairing computation

Miller Inversion is Easy for the Reduced Tate Pairing on Supersingular Curves of Embedding Degree Two and Three

We present a simple algorithm for Miller inversion for the reduced Tate pairing on supersingular elliptic curve of trace zero defined over the finite fields with q elements. Our algorithm runs with O((log q)^3) bit operations

Fixed Argument Pairing Inversion on Elliptic Curves

Let $E$ be an elliptic curve over a finite field ${\mathbb F}_q$ with a power of prime $q$, $r$ a prime dividing $\#E({\mathbb F}_q)$, and $k$ the smallest positive integer satisfying $r | \Phi_k(p)$, called embedding degree. Then a bilinear map $t: E({\mathbb F}_q)[r] \times E({\mathbb F}_{q^k})/rE({\mathbb F}_{q^k}) \rightarrow {\mathbb F}_{q^k}^*$ is defined, called the Tate pairing. And the Ate pairing and other variants are obtained by reducing the domain for each argument and raising it to some power. In this paper we consider the {\em Fixed Argument Pairing Inversion (FAPI)} problem for the Tate pairing and its variants. In 2012, considering FAPI for the Ate$_i$ pairing, Kanayama and Okamoto formulated the {\em Exponentiation Inversion (EI)} problem. However the definition gives a somewhat vague description of the hardness of EI. We point out that the described EI can be easily solved, and hence clarify the description so that the problem does contain the actual hardness connection with the prescribed domain for given pairings. Next we show that inverting the Ate pairing (including other variants of the Tate pairing) defined on the smaller domain is neither easier nor harder than inverting the Tate pairing defined on the lager domain. This is very interesting because it is commonly believed that the structure of the Ate pairing is so simple and good (that is, the Miller length is short, the solution domain is small and has an algebraic structure induced from the Frobenius map) that it may leak some information, thus there would be a chance for attackers to find further approach to solve FAPI for the Ate pairing, differently from the Tate pairing

Inverting the Final exponentiation of Tate pairings on ordinary elliptic curves using faults

The calculation of the Tate pairing on ordinary curves involves two major steps: the Miller Loop (ML) followed by the Final Exponentiation (FE). The first step for achieving a full pairing inversion would be to invert this FE, which in itself is a mathematically difficult problem. To our best knowledge, most fault attack schemes proposed against pairing algorithms have mainly focussed on the ML. They solved, if at all, the inversion of the FE in some special `easy\u27 cases or even showed that the complexity of the FE is an intrinsic countermeasure against a successful full fault attack on the Tate pairing. In this paper, we present a fault attack on the FE whereby the inversion of the final exponentiation becomes feasible using $3$ independent faults

Fault attacks on pairing-based protocols revisited

Several papers have studied fault attacks on computing a pairing value e(P,Q), where P is a public point and Q is a secret point. In this paper, we observe that these attacks are in fact effective only on a small number of pairing-based protocols, and that too only when the protocols are implemented with specific symmetric pairings. We demonstrate the effectiveness of the fault attacks on a public-key encryption scheme, an identity-based encryption scheme, and an oblivious transfer protocol when implemented with a symmetric pairing derived from a supersingular elliptic curve with embedding degree 2

Why Cryptography Should Not Rely on Physical Attack Complexity

This book presents two practical physical attacks. It shows how attackers can reveal the secret key of symmetric as well as asymmetric cryptographic algorithms based on these attacks, and presents countermeasures on the software and the hardware level that can help to prevent them in the future. Though their theory has been known for several years now, since neither attack has yet been successfully implemented in practice, they have generally not been considered a serious threat. In short, their physical attack complexity has been overestimated and the implied security threat has been underestimated. First, the book introduces the photonic side channel, which offers not only temporal resolution, but also the highest possible spatial resolution. Due to the high cost of its initial implementation, it has not been taken seriously. The work shows both simple and differential photonic side channel analyses. Then, it presents a fault attack against pairing-based cryptography. Due to the need for at least two independent precise faults in a single pairing computation, it has not been taken seriously either. Based on these two attacks, the book demonstrates that the assessment of physical attack complexity is error-prone, and as such cryptography should not rely on it. Cryptographic technologies have to be protected against all physical attacks, whether they have already been successfully implemented or not. The development of countermeasures does not require the successful execution of an attack but can already be carried out as soon as the principle of a side channel or a fault attack is sufficiently understood

Physical attacks on pairing-based cryptography

In dieser Dissertation analysieren wir Schwächen paarungsbasierter kryptographischer Verfahren gegenüber physikalischen Angriffen wie Seitenkanalangriffen und Fehlerangriffen. Verglichen mit weitverbreiteten Primitiven, beispielsweise basierend auf elliptischen Kurven, ist noch relativ wenig über Angriffsmöglichkeiten aufpaarungsbasierte Verfahren bekannt. Ein Grund dafür ist die hohe Komplexität paarungsbasierter Kryptographie und fehlende Standards für die Festlegung von Parametern, Algorithmen und Verfahren. Des Weiteren läßt sich Wissen aus dem Zusammenhang mit elliptischen Kurven aufgrundstruktureller Unterschiede nicht direkt übertragen. Um ein besseres Verständnis des Problems zu erlangen, präsentieren wir in dieser Arbeit neue physikalische Angriffe auf paarungsbasierte Kryptographie. Unsere Ergebnisse, einschließlich deren praktische Umsetzung, machen deutlich, dass physikalische Angriffe eine Gefahr für die Implementierung paarungsbasierter kryptographischer Verfahren darstellen. Diese Gefahr sollte weiter untersucht und bei der Realisierung dieser Verfahren berücksichtig werden. Weiterhin zeigen unsere Ergebnisse, dass eine Einigung über verwendete Parameter, Algorithmen und Verfahren erzielt werden sollte, um die Komplexität von paarungsbasierter Kryptographie hinischtlich physikalische rAngriffe zu vermindern.In this thesis, we analyze the vulnerability of pairing-based cryptographic schemes against physical attacks like side-channel attacks (SCAs) or fault attacks (FAs). Compared to well-established cryptographic schemes, for example, from standard elliptic curve cryptography (ECC), less is known about weaknesses of pairing-based cryptography (PBC) against those attacks. Reasons for this shortcoming are the complexity of PBC and a missing consensus on parameters, algorithms, and schemes,e.g., in the form of standards. Furthermore, the structural difference between ECC and PBC prevents a direct application of the results from ECC. To get a better understanding of the subject, we present new physical attacks on PBC. Our results, including the practical realizations of our attacks, show that physical attacks are a threat for PBC and need further investigation. Our work also shows that the community should agree on parameters, algorithms, and schemes to reduce the complexity of PBC with respect to physical attacks.Peter Günther ; Supervisor: Prof. Dr. rer. nat. Johannes BlömerTag der Verteidigung: 14.03.2016Universität Paderborn, Univ., Dissertation, 201