Side Channel Analysis of Practical Pairing Implementations: Which Path Is More Secure?

We present an investigation into the security of three practical pairing algorithms; the Tate, truncated Eta (ηT) and Ate pairing, in terms of side channel vulnerability. These three algorithms have recently shown to be efficiently computable on the resource constrained smart card, however no in depth side channel analysis of these specific pairing implementations has yet appeared in the literature. We assess these algorithms based on two main avenues of attack since the secret parameter input to the pairing can potentially be entered in two possible positions, i.e. e(P,Q) or e(Q,P) where P is public and Q is private. We analyse the core operations fundamental to pairings and propose how they can be attacked in a computationally efficient way. Building on this we show how each implementation may potentially succumb to a side channel attack and demonstrate how one path is more susceptible than the other in Tate and Ate. For those who wish to deploy pairing based systems we make a simple suggestion to improve resistance to side channel attacks.

[1]  Frederik Vercauteren,et al.  The Eta Pairing Revisited , 2006, IEEE Transactions on Information Theory.

[2]  C. D. Walter,et al.  Simple Power Analysis of Unified Code for ECC Double and Add , 2004, CHES.

[3]  Paulo S. L. M. Barreto,et al.  Efficient pairing computation on supersingular Abelian varieties , 2007, IACR Cryptol. ePrint Arch..

[4]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[5]  Frederik Vercauteren,et al.  Fault and Side-Channel Attacks on Pairing Based Cryptography , 2004, IACR Cryptology ePrint Archive.

[6]  Christophe Clavier,et al.  Correlation Power Analysis with a Leakage Model , 2004, CHES.

[7]  Paulo S. L. M. Barreto,et al.  On the Selection of Pairing-Friendly Groups , 2003, Selected Areas in Cryptography.

[8]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[9]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[10]  Paulo S. L. M. Barreto,et al.  Efficient Algorithms for Pairing-Based Cryptosystems , 2002, CRYPTO.

[11]  Alfred Menezes,et al.  Reducing elliptic curve logarithms to logarithms in a finite field , 1991, STOC '91.

[12]  Michael Scott,et al.  Computing the Tate Pairing , 2005, CT-RSA.

[13]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[14]  Alfred Menezes,et al.  Field inversion and point halving revisited , 2004, IEEE Transactions on Computers.

[15]  Iwan M. Duursma,et al.  Tate Pairing Implementation for Hyperelliptic Curves y2 = xp-x + d , 2003, ASIACRYPT.

[16]  Michael Scott,et al.  Implementing Cryptographic Pairings on Smartcards , 2006, CHES.