Fault Attacks on Pairing-Based Protocols Revisited

Several papers have studied fault attacks on the computation of a pairing value e(P,Q), where P is a public point and Q is a secret point. In this paper, we observe that these attacks are in fact effective only against a small number of pairing-based protocols, and even then only when the protocols are implemented with specific symmetric pairings. We demonstrate the effectiveness of the fault attacks on a public-key encryption scheme, an identity-based encryption scheme, and an oblivious transfer protocol when implemented with a symmetric pairing derived from a supersingular elliptic curve with embedding degree 2.
