12 research outputs found

    A Practical Second-Order Fault Attack against a Real-World Pairing Implementation

    Several fault attacks against pairing-based cryptography have been described theoretically in recent years. Interestingly, none of these have been practically evaluated. We accomplished this task and prove that fault attacks against pairing-based cryptography are indeed possible and are even practical — thus posing a serious threat. Moreover, we successfully conducted a second-order fault attack against an open source implementation of the eta pairing on an AVR XMEGA A1. We injected the first fault into the computation of the Miller Algorithm and applied the second fault to skip the final exponentiation completely. We introduce a low-cost setup that allowed us to generate multiple independent faults in one computation. The setup implements these faults by clock glitches which induce instruction skips. With this setup we conducted the first practical fault attack against a complete pairing computation

    Memory-saving computation of the pairing final exponentiation on BN curves

    In this paper, we describe and improve efficient methods for computing the hard part of the final exponentiation of pairings on Barreto-Naehrig curves. Thanks to the variants of pairings which decrease the length of the Miller loop, the final exponentiation has become a significant component of the overall calculation. Here we exploit the structure of BN curves to improve this computation. We will first present the most famous methods in the literature that ensure the computing of the hard part of the final exponentiation. We are particularly interested in the memory resources necessary for the implementation of these methods. Indeed, this is an important constraint in restricted environments. More precisely, we are studying Devegili et al. method, Scott et al. addition chain method and Fuentes et al. method. After recalling these methods and their complexities, we determine the number of required registers to compute the final result, because this is not always given in the literature. Then, we will present new versions of these methods which require less memory resources (up to 37%). Moreover, some of these variants are providing algorithms which are also more efficient than the original ones.

    Algorithmes de délégation de calcul de couplage

    We address the question of how a computationally limited device may outsource pairing computation in cryptography to another, potentially malicious, but much more computationally powerful device. We introduce two new efficient protocols for securely outsourcing pairing computations to an untrusted helper. The first generic scheme is proven computationally secure (and can be proven statistically secure at the expense of worse performance). It allows various communication-efficiency trade-offs. The second specific scheme -- for optimal Ate pairing on a Barreto-Naehrig curve -- is unconditionally secure, and does not rely on any hardness assumptions. Both protocols are more efficient than the actual computation of the pairing by the restricted device and in particular they are more efficient than all previous proposals.

    Formulas for p-th root computations in finite fields of characteristic p using polynomial basis

    Dissertation (master's) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Ciência da Computação, Florianópolis, 2016. Motivated by cryptographic algorithms based on bilinear pairings, the computation of cube roots in finite fields of characteristic 3 has already been addressed in the literature. Additionally, new studies on the computation of p-th roots in finite fields of characteristic p, where p is a prime number, have emerged. These contributions focus on root computation for fields of fixed characteristic or for irreducible polynomials with few nonzero terms. This dissertation proposes new families of irreducible polynomials over $\mathbb{F}_p$, with k nonzero terms where k = 2 and p = 3, for the efficient computation of p-th roots in finite fields of characteristic p. In addition, for the case p = 3, new extensions are obtained where cube root computation is efficient, along with polynomials whose performance is slightly better than the results in the literature. Keywords: Cryptography, Number Theory, Finite Field Arithmetic. Abstract: Efficient cube root computations in extension fields of characteristic three have been studied, in part motivated by pairing cryptography implementations. Additionally, recent studies have emerged on the computation of p-th roots of finite fields of characteristic p, where p is prime. These contributions have either considered a fixed characteristic for the extension field or irreducible polynomials with few nonzero terms. We provide new families of irreducible polynomials over $\mathbb{F}_p$, taking into account polynomials with k = 2 nonzero terms and p = 3. Moreover, for the particular case p = 3, we slightly improve some previous results and we provide new extensions where efficient cube root computations are possible.

    Software implementation of an Attribute-Based Encryption scheme

    A ciphertext-policy attribute-based encryption protocol uses bilinear pairings to provide control access mechanisms, where the set of user's attributes is specified by means of a linear secret sharing scheme. In this paper we present the design of a software cryptographic library that achieves record timings for the computation of a 126-bit security level attribute-based encryption scheme. We developed all the required auxiliary building blocks and compared the computational weight that each of them adds to the overall performance of this protocol. In particular, our single pairing and multi-pairing implementations achieve state-of-the-art time performance at the 126-bit security level.

    Prover-Efficient Commit-And-Prove Zero-Knowledge SNARKs

    Zk-SNARKs (succinct non-interactive zero-knowledge arguments of knowledge) are needed in many applications. Unfortunately, all previous zk-SNARKs for interesting languages are either inefficient for the prover, or are non-adaptive and based on a commitment scheme that depends both on the prover's input and on the language, i.e., they are not commit-and-prove (CaP) SNARKs. We propose a proof-friendly extractable commitment scheme, and use it to construct prover-efficient adaptive CaP succinct zk-SNARKs for different languages, that can all reuse committed data. In new zk-SNARKs, the prover computation is dominated by a linear number of cryptographic operations. We use batch-verification to decrease the verifier's computation; importantly, batch-verification can be used also in QAP-based zk-SNARKs.

    Choosing and generating parameters for low level pairing implementation on BN curves

    Many hardware and software pairing implementations can be found in the literature and some pairing friendly parameters are given. However, depending on the situation, it could be useful to generate other nice parameters (e.g. resistance to subgroup attacks, larger security levels, database of pairing friendly curves). The main purpose of this paper is to describe explicitly and exhaustively what should be done to generate the best possible parameters and to make the best choices depending on the implementation context (in terms of pairing algorithm, ways to build the tower field, $\mathbb{F}_{p^{12}}$ arithmetic, groups involved and their generators, system of coordinates). We focus on low level implementations, assuming that $\mathbb{F}_p$ additions have a significant cost compared to other $\mathbb{F}_p$ operations. However, the results obtained are still valid in the case where $\mathbb{F}_p$ additions can be neglected. We also explain why the best choice for the polynomials defining the tower field $\mathbb{F}_{p^{12}}$ is only depending on the value of the BN parameter $u$ modulo small integers like $12$ as a nice application of old elementary arithmetic results. Moreover, we use this opportunity to give some new improvements on $\mathbb{F}_{p^{12}}$ arithmetic (in a pairing context) in terms of $\mathbb{F}_p$-addition allowing to save around 10% of them depending on the context.

    Encriptação parcialmente homomórfica CCA1-segura

    Advisors: Ricardo Dahab, Diego de Freitas Aranha. Thesis (doctorate) - Universidade Estadual de Campinas, Instituto de Computação. Summary: In this thesis our research topic is homomorphic encryption, with a focus on a practical and secure solution for somewhat homomorphic encryption (SHE), considering the security model known as chosen ciphertext attack (CCA). This model can be subdivided into two categories, namely CCA1 and CCA2, with CCA2 being the stronger. It is known that it is impossible to construct homomorphic encryption methods that are CCA2-secure. On the other hand, CCA1 security can be obtained, but only one scheme has been proposed in the literature to date; it would therefore be interesting to have other constructions offering this kind of security. We summarize the main results of this doctoral thesis in two contributions. The first is to show that the NTRU family of SHE schemes is vulnerable to private key recovery attacks, and is therefore not CCA1-secure. The second is the use of verifiable computation to obtain SHE schemes that are CCA1-secure and that can be used to evaluate quadratic multivariate polynomials. Currently, homomorphic encryption methods are built on two hard problems: the approximate GCD problem (AGCD) and the learning with errors problem (LWE). The AGCD problem leads, in general, to simpler constructions but with inferior performance, whereas schemes based on the LWE problem correspond to the state of the art in this research area. Recently, Cheon and Stehlé showed that the two problems are related, and it is an interesting question to investigate whether schemes based on the AGCD problem can be as efficient as schemes based on the LWE problem.
We answer this question affirmatively for a specific scenario: we extend the verifiable computation scheme proposed by Fiore, Gennaro and Pastro so that it uses the assumption that the AGCD problem is hard, together with the DGHV scheme adapted to use the Chinese remainder theorem (CRT), in order to avoid private key recovery attacks.
Abstract: In this thesis we study homomorphic encryption with focus on practical and secure somewhat homomorphic encryption (SHE), under the chosen ciphertext attack (CCA) security model. This model is classified into two different main categories: CCA1 and CCA2, with CCA2 being the strongest. It is known that it is impossible to construct CCA2-secure homomorphic encryption schemes. On the other hand, CCA1-security is possible, but only one scheme is known to achieve it. It would thus be interesting to have other CCA1-secure constructions. The main results of this thesis are summarized in two contributions. The first is to show that the NTRU-family of SHE schemes is vulnerable to key recovery attacks, hence not CCA1-secure. The second is the utilization of verifiable computation to obtain a CCA1-secure SHE scheme that can be used to evaluate quadratic multivariate polynomials. Homomorphic encryption schemes are usually constructed under the assumption that two distinct problems are hard, namely the Approximate GCD (AGCD) Problem and the Learning with Errors (LWE) Problem. The AGCD problem leads, in general, to simpler constructions, but with worse performance, whereas LWE-based schemes correspond to the state-of-the-art in this research area. Recently, Cheon and Stehlé proved that both problems are related, and thus it is an interesting problem to investigate if AGCD-based SHE schemes can be made as efficient as their LWE counterparts.
We answer this question positively for a specific scenario, extending the verifiable computation scheme proposed by Fiore, Gennaro and Pastro to work under the AGCD assumption, and using it together with the Chinese Remainder Theorem (CRT)-version of the DGHV scheme, in order to avoid key recovery attacks. Doctorate; Computer Science; Doctor in Computer Science; 143484/2011-7; CNPQ; CAPE

    Batch Verification of Elliptic Curve Digital Signatures

    This thesis investigates the efficiency of batching the verification of elliptic curve signatures. The first signature scheme considered is a modification of ECDSA proposed by Antipa et al. along with a batch verification algorithm by Cheon and Yi. Next, Bernstein's EdDSA signature scheme and the Bos-Coster multi-exponentiation algorithm are presented and the asymptotic runtime is examined. Following background on bilinear pairings, the Camenisch-Hohenberger-Pedersen (CHP) pairing-based signature scheme is presented in the Type 3 setting, along with the derivative BN-IBV due to Zhang, Lu, Lin, Ho and Shen. We proceed to count field operations for each signature scheme and an exact analysis of the results is given. When considered in the context of batch verification, we find that the Cheon-Yi and Bos-Coster methods have similar costs in practice (assuming the same curve model). We also find that when batch verifying signatures, CHP is only 11% slower than EdDSA with Bos-Coster, a significant improvement over the gap in single verification cost between the two schemes.

    Why Cryptography Should Not Rely on Physical Attack Complexity

    This book presents two practical physical attacks. It shows how attackers can reveal the secret key of symmetric as well as asymmetric cryptographic algorithms based on these attacks, and presents countermeasures on the software and the hardware level that can help to prevent them in the future. Though their theory has been known for several years now, since neither attack has yet been successfully implemented in practice, they have generally not been considered a serious threat. In short, their physical attack complexity has been overestimated and the implied security threat has been underestimated. First, the book introduces the photonic side channel, which offers not only temporal resolution, but also the highest possible spatial resolution. Due to the high cost of its initial implementation, it has not been taken seriously. The work shows both simple and differential photonic side channel analyses. Then, it presents a fault attack against pairing-based cryptography. Due to the need for at least two independent precise faults in a single pairing computation, it has not been taken seriously either. Based on these two attacks, the book demonstrates that the assessment of physical attack complexity is error-prone, and as such cryptography should not rely on it. Cryptographic technologies have to be protected against all physical attacks, whether they have already been successfully implemented or not. The development of countermeasures does not require the successful execution of an attack but can already be carried out as soon as the principle of a side channel or a fault attack is sufficiently understood