The Importance of the Final Exponentiation in Pairings When Considering Fault Attacks

We investigate the possibilities for injecting faults on pairings and assess their consequences. We assess the effect of faults that seek to corrupt the data being operated on and show that, under such fault attacks, pairings with either no final exponentiation or a straightforward one are less secure than pairings with a more complex final exponentiation. As evidence, we describe two types of fault attacks on the Weil and η pairings that recover the secret point but cannot be applied to the Tate pairing. This can be attributed to the Tate pairing's more complex final exponentiation.
