Based Cryptography ?
D. Page 1
andF.Vercauteren 2
1
DepartmentofComputerScience,
UniversityofBristol,
MerchantVenturersBuilding,
WoodlandRoad,
Bristol,BS81UB,
UnitedKingdom.
2
DepartmentofElectricalEngineering,
KatholiekeUniversiteitLeuven,
KasteelparkArenberg10,
B-3001Leuven-Heverlee,
Belgium.
Abstract. Currentside-channelanalyticattacksagainstpublickey
cryp-tographyfocusontraditionalschemessuchasRSAandECC,andtoa
lesserextentprimitivessuchas XTR.However, bilinearmaps, or
pair-ings,havepresentedtheoristswithanewand increasinglypopularway
ofconstructingcryptographicprotocols.Mostnotably,thishasresulted
ineÆcientmethodsforIdentityBasedEncryption(IBE).Sinceidentity
based cryptography seems anideal partner for identity aware devices
suchassmart-cards, inthispaperwe examinethesecurity ofconcrete
pairinginstantiationsintermsofside-channelanalysis.
1 Introduction
Theincreasingubiquityofcomputingdevicesiscontinuingtooerexcitingnew
applications to consumers, but also multiplies the numberof securityissues a
systemdesignermustconsider.Sincesuchdeviceswillbecarriedintoandusedin
hostileenvironmentsandoftenhousesensitiveinformation,forexampleidentity
related tokens or nancialinformation, thethreatof attackis signicant. This
threat is magnied by boththe potential pay-o and level of anonymity that
side-channelattacksallow.
?
TheworkdescribedinthispaperhasbeensupportedinpartbytheEuropean
Com-mission throughthe ISTProgramme underContract IST-2002-507932 ECRYPT.
Theinformationinthisdocumentreectsonlytheauthor'sviews, isprovidedasis
ofexternallymonitoringadevicewhileitexecutessomealgorithmthatincludes
secretinformation.Bycarefulproling of,forexample,powerorEMemissions
andcorrelationofsaidproleswiththetargetalgorithm,anattackercanoften
uncoverthesecretinformation.Thissortofattackisgenerallydescribedinthe
contextofsmart-cardswhereanattackercouldhaveeasyphysicalaccesstothe
card and details of the power consumption while it is connected to a malign
terminal. However, the fact that one can attack a device somewhat remotely
via timing [8] and EM emission [2,3] means that most ubiquitous computing
devicesneedtobeawareofsimilarproblemsin theiroperationalenvironments.
We can extend this passive denition of side-channel attack to include active
attacks such asfault injection whereby an attacker canphysically manipulate
thetargetdevice,tamperwithinternalstateandperformerroneousoperations.
Althoughacloserproximityofaccessisrequiredbytheattacker,activeattacks
canoftenbeappliednon-destructivelyanddothereforeprovideafeasiblemeans
ofrecoveringthesamesecretinformationaspassiveattacks.
Althoughside-channel attackanddefence techniques are becoming
increas-ingly well understood, the currentemphasis in terms of public keysystems is
mainly on traditional cryptographic schemes such as RSA and ECC. For
ex-ample, in ECC based systems, one generally derives security from a discrete
logarithm problem posed over the curve group. That is, one constructs some
privatevaluedandperformstheoperation
Q=dP
for apublicpoint P.Forlargeenoughcurvegroups,reversalof this operation
is intractable and henceone cantransmitQ without revealing d.A multitude
ofside-channelattacksagainstimplementationsofthisprimitivehavebeen
pro-posed.An equally large range of innovativecountermeasuresmean that when
correctlyimplemented,thethreats cangenerallybeat leastmanagedand
pos-sibly nullied.
NewerprimitivessuchasXTRhavereceivedsomeinvestigation[22,15],but
there has beenno previouswork onthe side-channel security of pairingbased
cryptography[11].Sincepairings,formallydescribedasbilinearmaps,underpin
cryptographicprotocolssuchasIdentityBasedEncryption(IBE)[9],onemight
seethemasanidealapplicationforthesameidentityaware,ubiquitous
comput-ingdevices that arevulnerableto side-channelattack. Onereasonfor thislack
of analysis is thefact that earlyimplementation techniquesfor computingthe
Tatepairing such as theBKLS algorithm [7]are eectivelyrealised asapoint
multiplicationwithaxedmultiplierandsomeauxiliaryoperationstocompute
thepairingvalue.Fromsuchadescription,thefactthatthealgorithmperforms
axedsequenceofoperationsandhasnosecretinaconventionalsensehasled
people to believe that thepairingis secure againstcurrentside-channelattack
methods.Inpart,thisistrue.However,theroleofthepairinginassociated
pro-tocolsissomewhatdierentandmuchmorediversethanpointmultiplicationin
F 3 79 t 79 +t 26
+2 Y 2
=X 3
X 1 3
79
+3 40
+1 750
F 3 97 t 97 +t 12
+2 Y 2
=X 3
X+1(3 97
+3 49
+1)=7 906
F 3 16 3 t 163 +t 80
+2 Y 2
=X 3
X 1 3
163
+3 82
+1 1548
F
3 19 3 t
193
+t 12
+2 Y 2
=X 3
X 1 3
193
3 97
+1 1830
F
3 23 9 t
239
+t 24
+2 Y 2
=X 3
X 1 3 239
3 120
+1 2268
F
3 35 3 t
353
+t 142
+2 Y 2
=X 3
X 1 3 353
+3 177
+1 3354
Table 1. Atableofeld denitionsandcurveequations usedinpairingbased
cryp-tography.
Tobridgetheresultinggap,inthispaperwepresentaninvestigationof
pair-ingsandassociatedprotocolsintermsoftheirsecurityagainstfaultattacksand
side-channel analysis. Although one can parameterise pairing based protocols
accordingto a largenumberof optionswetryto consider general cases,
oer-ingconcreteexampleswhendiscussingspecicissues.Furthermore,weconsider
bothsoftwareand hardwareimplementationgiven that dierent methods may
beused torealiseeach.
Weorganiseourworkbyrstpresentingabriefintroductiontopairingsand
algorithms for their evaluation in Section 2. We then investigate applications
of active, fault injection attacks against the Duursma-Lee algorithm and the
Baek-Zheng (t;n)-threshold decryption scheme in Section 3. In Section 4 we
then present a method of passive side-channel attack and associated defence
techniques,focusingonBoneh-Franklin[9]encryption.Finally,wepresentsome
concludingremarksinSection 5.
2 An Introduction to Pairings
Toeasedescriptionin thecontextofside-channelanalysis,weusetheconcrete
exampleofpairingswherethebase eldisof characteristicthree,i.e. F
q where
q=3 m
.Althoughmostofourresultstranslateeasily tosituations whereother
eldsareused,selectingcharacteristicthreeallowsustopresentandconsidera
unieddescriptionofallknownmethodsofpairingevaluation.
LetEbeanellipticcurveoveraniteeldF
q
,andletOdenotetheidentity
element of the associated group of rational points E(F
q
). We include a table
of suitablecurveparameterisationsin Table1.Fora positiveintegerlj#E(F
q )
coprimetoq,letF
q
k bethesmallestextensioneldofF
q
whichcontainsthel-th
rootsofunityinF
q
.Also,letE(F
q
)[l]denotethesubgroupofE(F
q
)ofallpoints
oforder dividingl, andsimilarly forthedegreek extensionofF
q
. Tounifythe
notationusedinmostprotocols,weusethreegroupsG
1 ,G
2 andG
3
.Thegroups
G
1 andG
2
willalwaysbesubgroupsofellipticcurvegroups,whereasthegroup
G
3
isasubgroupof themultiplicativegroupof aniteeld. Inalltheschemes
weconsiderhere,wesetG
1 =G
2
to be even [7]. Fora thorough treatment of the following, we referthe reader
to[7]andalso[12],andto[25]foranintroductiontodivisors.ThereducedTate
pairingoforderlisthemap
e
l :E(F
q
)[l]E(F
q
k)[l]!F q k =(F q k ) l ;
givenbye
l
(P;Q)=f
P;l
(D).Heref
P;l
isafunctiononEwhosedivisoris
equiva-lenttol(P) l(O),Disadivisorequivalentto(Q) (O),whosesupportisdisjoint
from the support of f
P;l , and f
P;l (D) = Q i f P;l (P i ) ai
, where D = P i a i P i . It
satisesthefollowingproperties:
{ For each P 6= O there exists Q 2 E(F
q k
)[l] such that e
l
(P;Q) 6= 1 2
F q k =(F q k ) l (non-degeneracy).
{ For anyintegern, e
l
([n]P;Q)=e
l
(P;[n]Q)=e
l (P;Q)
n
forallP 2E(F
q )[l]
andQ2E(F
q
k)[l] (bilinearity).
{ LetL=hl.Thene
l (P;Q) (q k 1)=l =e L (P;Q) (q k 1)=L .
{ ItiseÆcientlycomputable.
Thenon-degeneracyconditionrequiresthatQisnotamultipleofP,i.e.thatQ
isinsomeorderlsubgroupofE(F
q
k)disjointfromE(F
q
)[l].Whenonecomputes
f
P;l
(D), the valueobtained belongs to the quotient groupF q k =(F q k ) l
, and not
F
q k
.Inthisquotient,foraandbinF
q k
,abifandonlyifthereexistsc2F
q k
suchthata=bc l
.Clearly,this isequivalentto
ab ifandonlyif a (q k 1)=l =b (q k 1)=l ;
andhenceoneordinarilyusesthisvalueasthecanonicalrepresentativeofeach
coset.The isomorphismbetweenF q k =(F q k ) l
andthe elementsof orderl in F
q k
given bythis exponentiationmakesitpossibleto computef
P;l
(Q)rather than
f
P;l
(D). In fact we can consider the Tate pairing as a pairing of the groups
G 1 G 2 !G 3
, withG
1 =G
2 =E(F
q
k)[l]andG
3 =
l F
q
k,thegroupofl-th
rootsofunity.
TheBKLS[7]algorithmtakesadvantageofthisfact toevaluatethepairing
using Miller'salgorithm but withoutthe costlydenominators.Using this
algo-rithm, we operateon tuples wecall T-pointssuch that (P;) 2 G
1 G
3 . We
thendeneadditionofthese objects
(P
3
;)=(P
1
;)+(P
2 ;)
usingAlgorithm1.Notethatthisisessentiallynormalpointadditionwithsome
auxiliaryoperationsto compute andthat amethod fortripling T-points
fol-lowsdirectlyfromtheabove.Weusetriplingratherthandoublingbecausethe
eÆciencyofcubingin F
q
allowsaparticularlyconcisepointtriplingformula;in
other characteristicsdoublingwould obviously be moreappropriate.Also note
as mentioned above, we can ignore the division by V(x
P
3 ;y
P
3
Input :T-pointP
1 =(P
1
;),pointP
2 =(P
2 ;)
Output :T-pointP3=(P3;)=P1+P2
1 P3 P1+P2
2 letL(X;Y)=0denotethelinethroughP
1 andP
2
3 if P36=Othen
4 letV(X;Y)=0denotethelinethroughP
3 andO
5 else
6 letV(X;Y)=1denotethelinethroughP3 andO
7
L(x
P
3 ;y
P
3 )
V(x
P
3 ;y
P
3 )
8 return(P3;)
Algorithm2:TheDuursma-Lee algorithm.
Input :pointP =(x1;y1),pointQ=(x2;y2)
Output :f
P
((Q))2F
q 6
=F
q 3
1 f 1
2 fori=1tomdo
3 x1 x
3
1
4 y
1 y
3
1
5 x1+x2+b
6 y1y2
2
7 g
2
8 f fg
9 x
2 x
1=3
2
10 y2 y
1=3
2
11 returnf
OncetherequisitetriplingandadditionmethodsasconstructedforT-points,
tocomputethepairingwesimplyperformtheequivalentofapointmultiplication
ofPusingthesemethodsinplaceofconventionalECCpointarithmeticandthe
curve order as the multiplier. At the end of this multiplication, we will have
calculated(O;)such that when we power by (q k
1)=l wehave theresult
wewant.
The Modied Tate Pairing Duursma and Lee introduced their algorithm
in thecontextofpairingsonafamilyofhyperellipticcurves.Restrictingtothe
ellipticcurvecase,itappliestoafamilyofsupersingularcurvesincharacteristic
three,includingthosein Table1.
Letq=3 m
andE(F
q ):Y
2
=X 3
X+b,withb=1,andletP =(x
1 ;y
1 )
and Q =(x
2 ;y
2
) be points of order l. Let F
q 3 =F
q []=(
3
b), with b =
1 depending onthecurveequation, and letF
q 6 =F
q 3[]=(
2
+1). Then the
modiedTatepairingonEisthemappingf
P
((Q))where:E(F
q
)!E(F
q 6)
isshownin Figure2,notingthatthenalresultispoweredbyq 1toforma
compatibleresultwiththeBLKSmethod.
3 Active Attacks
3.1 A Faulty Duursma-LeeAlgorithm
Recovering a Secret Point Given the secret point P = (x
1 ;y
1
) and Q =
(x
2 ;y
2
), a point chosen by the attacker, assume for the moment that we can
eliminatethe nalpowering.Let e
denotepairingviathe Duursma-Lee
algo-rithmwherethroughtamperingweinduce sometransientfaultandreplacethe
loop bound m with .This couldbeachievedby using glitch attack [4,19] to
tamperwiththelooptest and branchmechanism,orgiventhat the
Duursma-Leealgorithmisessentiallyparameterisedbymgiventherighteld arithmetic
and that m is thereforelikelyto beheld in memory somewhere,by selectively
provokingerrorsinmemoryorregisters[26,5].Inthislattercase,itmayevenby
feasibleto mountbuer-overowtypeattackstochangethe valueof m. Given
thisability,insteadofproducingaproductofpolynomialsoftheform
m Y i=1 h ( y 3 i 1 y 1=3 i 1 2 (x 3 i 1 +x 1=3 i 1 2 +b) 2 ) (x 3 i 1 +x 1=3 i 1 2 +b) 2 i
thealgorithminsteadproduces
Y i=1 h ( y 3 i 1 y 1=3 i 1 2 (x 3 i 1 +x 1=3 i 1 2 +b) 2 ) (x 3 i 1 +x 1=3 i 1 2 +b) 2 i
forsomevalueand rememberingthat fornow,weignorethenal powering.
Ifwewereabletoinduceafaultsothat=m+1,forexamplebyglitching
theloopiterationsoitexecutesoncetoooften,thenrecoveringthesecretpoint
ittrivial:wecomputetwopairings,onecorrectandonetamperedwith
R 1 =e m (P;Q) R 2 =e m+1 (P;Q):
Ifweuseg
(i)
todenotethei-thfactorofaproductproducedbytheDuursma-Lee
algorithm,bydividingthetworesultsaboveweareleftwithasinglefactor
g
(m+1) =( y
3 m+1 1 y 1=3 m 2 (x 3 m+1 1 +x 1=3 m 2 +b) 2 ) (x 3 m+1 1 +x 1=3 m 2 +b) 2 :
Sincewehavethat
z 3 m =z 1=3 m =z
forallelementsz2F
q
,wecanextractx
1 ory
1
, giventhatweknowx
2 andy
2 ,
andhencereconstructthesecretpoint.
valuewiththeaimofcollectingapair
R
1 =e
mr (P;Q)
R
2 =e
mr+1 (P;Q);
so that weare again left with a single termof the product g
(mr+1)
and can
hence runa similar method asabovealthough needing to compensate for the
dieringpowersofx
1 ;y
1 ;x
2 andy
2
introducedbyr.
The problem with this approach is detecting when wehave induced faults
with the correct values for use. This is also quite an easy task. Since the
algorithmisstraight-lineandtakesaxednumberofoperations,giventhetime
taken to compute the pairing ora power prole, it seems simple to work out
howmanyloopiterationswereperformedinthesamewaythatonecanobserve
and count thesixteen rounds of DES.Giventhe valueof r, this approach will
deterministically recover the correct value of P and requires reasonably few
invocationsofthepairingonthetargetdeviceduetoasimilarargumentasthe
birthday paradox: we simplykeep provoking randomfaults until werecovera
pairofresultsthatsatisfyourconditions.
Reversing the Final Powering The remaining problem then, is to reverse
thenalpoweringwhichtakestheoutputofthepairingfunctionandproducesa
uniquerepresentativeforthecosetinF
q k
=(F
q k
) l
.Toreversethisoperationgiven
theresult
R=e(P;Q)
wewanttorecoverS,thevaluethatwascomputedbythealgorithmbeforethe
nal poweringso that R = S (q
k
1)=l
. For the Duursma-Lee method shown in
Algorithm2,thissimpliestoR=S q
3
1
.ItisclearthatgivenR ,thevalueofS
isnotuniquelydetermined,but onlyuptoanon-zerofactorin F
q
3.Indeed,for
non-zeroc2F
q
3 wehavec q
3
1
=1.Furthermore,givenonesolutionS2F
q 6 to
X q
3
1
R=0,allothersareoftheformcSfornon-zeroc2F
q
3.Asanaside,
notethatthisissimilartotheT
2
compressionanddecompressionmechanismof
RubinandSilverberg[23].
However,giventheattackdescriptionabovewearenottryingtoreversethe
poweringonthefullproductoffactorscomputedbytheDuursma-Leealgorithm,
ratheronlyoneofthese factorswhichhasafairlyspecialform.That is,given
R= R
2
R
1 =
e
mr+1 (P;Q)
e
mr (P;Q)
=g q
3
1
(mr+1)
wewanttorecoverg
(mr+1)
whichwill,in turn,allowustorecoverthecorrect
x
1 andy
1
forthesecretpoint.
We therefore need a method to compute one valid root of R = g q
3
1
theequationX q
3
1
R=0byX toobtain
X q
3
RX =0;
andnotethattheoperatorX q
3
RXisalinearoperatoronthetwodimensional
vectorspaceF
q 6=F
q
3.Since F
q 6 = F q 3[]=( 2
1)wecanwrite X =x
0 +x
1
and R = r
0 +r
1
, with x
0 ;x 1 ;r 0 ;r 1 2 F q
3. Using this representation, we see
that theaboveequationisequivalentto
MX = 1 r 0 r 1 r 1
1+r
0 x 0 x 1
=0:
ThekernelofthematrixM isaone-dimensionalvectorspaceoverF
q
3 andthus
providesallthesolutionstoX q
3
1
R=0.
Tochoosethecorrectrootamongstallq 3
1possibilities,weusethespecic
form of the factors in the product computed in the Duursma-Lee algorithm.
Indeed,each factorg isoftheform
g=g
0 +g 1 2 +g 2 ; with g 0 ;g 1 ;g 2 2F q
. Torecoverg from R=g q
3
1
, werst obtaing 0
=cg for
somec2F
q
3 usingtherootndingalgorithmabove,andthencomputec 1
and
thus g itself. Againthis boils down to a simplelinear systemof equations: by
multiplyingg 0
withanappropriatefactorinF
q
3,wecanassumethatg 0
isofthe
form g 0
= 1+(g 0 0 +g 0 1 +g 0 2 2
). Let d=c 1
=g=g 0
2F
q
3, then dclearly is
of theform d =d
0 +d
1
2
. Todetermined
0 ;d
1 2 F
q
, weuse thefact that
theterms and 2
donotappear ing.Thisnallygivesthefollowinglinear
systemofequations:
g 0 1 g 0 0 +g 0 2 g 0 2 g 0 1 d 0 d 1 = g 0 1 +g 0 2 g 0 0 +g 0 2 :
An Example Tomakethisalittleclearer,wepresentanexampleattackusing
the described method. Assume that we wantto discoverthe secretpoint P =
(x
1 ;y
1
),aregrantedcontrolofQ=(x
2 ;y
2
), andreceiveresultsfromthefaulty
pairing R
i = e
(P;Q). We perform many executions of the pairing, invoking
dierenterrorsuntilwerecovertwovalues
R j =e mr (P;Q) R k =e mr+1 (P;Q):
Forthesake of concretenessbut without lossof generality, letus assume that
m=97,i.e.q=3 97
,andr= 7which gives
R
j =e
90 (P;Q)
j k
of monitoring some other side-channel, we can tell how many loop iterations
wereperformedintheDuursma-Lee algorithmandhencethevalueofr. Given
thisinformation,wenextcompute
R= Rk
R
j =g
q 3
+1
(91)
whichisthe91-sttermoftheproductproducedbytheDuursma-Leealgorithm
includingthenalpowering.Thisnalpoweringisthenremovedandthecorrect
g valuerecoveredasdescribedaboveso thatweareleftonlywith
g
(91) =( y
3 91
1 y
1=3 90
2
(x
3 91
1 +x
1=3 90
2
+b) 2
) (x 3
91
1 +x
1=3 90
2
+b)
2
:
Fromthis polynomialwecanclearlyextractthecoeÆcients
x
3 =x
3 91
1 +x
1=3 90
2
y
3 =y
3 91
1 y
1=3 90
2
giventhatweknowb.Wealsoknowx
2 andy
2
sobycomputingthevaluesx 1=3
90
2
andy 1=3
90
2
,possiblesincewealsoknowr,wecaneliminatethesetermsfrom x
3
andy
3
to leave
x
3 =x
3 91
1
y
3 =y
3 91
1 :
Finally,sinceforallz2F
3
97 wehavez=z 3
97
,ifwepowerx
3 andy
3 by3
6
,we
areproduce
x
3 =x
1
y
3 =y
1
whichrecoversthesecretpoint.Intheaboveexamplealterationstotheprocess
clearly need to be made for dierent situations but the attack clearly works
againstanyrandomlyprovokedvalueofr.
3.2 Baek-Zheng (t;n)-ThresholdDecryption
AttackDescriptionBaekandZheng[6]proposedamethodfor(t;n)-threshold
decryption that is based on extensive use of pairings; we provide an overview
of thisscheme inthe Appendix. Thebasicideais thatacentralentity,termed
theauthoriseddealer,is grantedaprivatekeyassociatedwithhisidentitybya
trustedauthority.Hethenrunsanalgorithmtosharethisprivatekeybetweenn
decryptionserverswiththeserversstoringtheirkeyshareandthecorresponding
vericationkey:theprivatekeysharesarekeptsecret,thevericationkeyshares
arepublished.
Anyone can encrypt a message to the authorised dealer using his identity
messageisrecovered.
Inshort,anattackercanfeedasmanychosenciphertextsastheywanttoeach
decryptionserverandgetbackdecryptionshares.Thisisthepartofschemethat
isvulnerabletoattack.Inasimpliedform,agivendecryptionservercomputes
thevalues
a=e(S;U)
b=e(R ;U)
c=e(R ;P)
where S is the key share the attacker would like to recover, R is a random
unknown elementin G
1
and P is a publicgenerator of G
2
. Thevalue of U is
parsed from the ciphertext C = (U;V;W) and is hence under control of the
attacker.Havingcomputedthese values,theserverreturnsthetuple (a;b;c) as
wellas someothervaluestotheattacker.
Ifweassumetheattackercanprovokefaultsintherstofthepairings,then
weare in thecase where we control oneinput to the pairing, the other input
is secret and we get the result back. Hence, we canrun the attack described
previously and recover S, the key share for each server. Even if the original
secretkeycannotberecovered,theattackercandecrypt any messagesincehe
knowseverythingthateachdecryptionserverdoes.
Defence via Improved Design This is hardlya devastatingattacksince it
issomewhatunrealistictoassumethattheattackercouldprovokefaults inthe
pairinggiventhat theserveris onlyremotely accessible.However,itdoeshint
that the transmission or raw pairing values to an attacker who has provided
the inputcould generallybeseenasbad designpractise. Forexample,
Boneh-Franklin encryption is savedfrom the sameattack because raw pairingvalues
arenevertransmitted:theyrstpassthroughahashfunctionwhichmaskstheir
actualform.Thisseemstheonlystrongdefenceagainstthefaultattackthatdoes
notdependontaking theobviousrouteof preventingthefaultusing hardware
assistance.
Using Point Blinding Techniques If raw pairing values really need to be
transmitted,onecanutilisethepointblindingtechniquesdescribedinSection4
to construct a defence mechanism. Such techniques apply a blinding factor to
one or both of the input points before the pairing and eliminate this factor
afterwards.If we blind thepoint under control of theattacker,any tampering
4.1 Boneh-Franklin Encryption
Attack Description ConsideringBoneh-Franklin encryption [9], as outlined
brieyintheAppendix,weseethatthepairingisappliedonceduringencryption
and once during decryption. During encryption, the pairing operates only on
public valuesand furthermore, the result may bepre-computed by thesender
foreachrecipientofencrypted messages.This operationis thereforeunsuitable
formanipulationbytheattacker.
However,therecipientofaciphertextC=(U;V)fromtheattackermustuse
their private key S
ID
to decrypt the correspondingmessage. This information
isfed intothepairingto compute
M =V H
2 (e(S
ID ;U)):
In this case an attacker can control one of the points supplied to the pairing,
i.e.thevalueofU,whiletheotherisbothxedandprivate.Furthermore,since
the attackercontrols thevalue ofC hecanprompt repeated executionsof the
pairing,adaptinghisinputasrequired.Forexample,asmart-cardimplementing
theBoneh-Franklinschememightberepeatedlyaskedbytheattackertodecrypt
dierent messagesthat he has constructed so that monitoring the decryption
yieldsinformation:assumingS
ID =(x
1 ;y
1
)isthesecretpointandU =(x
2 ;y
2 )
is controlled by the attacker, manipulating y
2
to recover y
1
would allow the
attackertoreconstructS
ID .
TorecovertheprivatekeyS
ID
,theattackermustmonitoranoperationthat
combinesitinsomewaywiththecontrolledpointU.Thus,through
understand-ingofsaidoperationandmanipulationofthecontrolledpoint,hecanrevealthe
value of the secret point. Such an operation is clearly accessible in Step 6 of
Algorithm 2, theDuursma-Lee algorithm, where onecomputesthe product of
y
1 and y
2
. Similarly, in the BKLSalgorithm, one needsto computea product
whenupdatingthepairingvalueduringatriplingoperation
=
3
(ax
P1
+b+y
P1 )
whereaandb arederivedfromthecoordinatesofoneinputpointandx
P
1 and
y
P
1
from theother.Theproductax
P
1
thushasoneoperandderivedfromS
ID
and one from U. Careful analysis of how these values are derived followed by
controlofU allowsarouteofattacktobeestablished.
SPA-like Attack Inthemostnaivesituationwhere theeld multiplicationis
implementedusingtheshift-and-addmethod,onecanmountanattackby
mon-itoringexecutioninthesamewayasonewouldmonitorbinaryexponentiation.
Simply put, if a shift-and-add multiplication algorithm is employed and y
1 is
ID 1 1
guessingy
1
onebitatatime.
setyg to0
setS
hi andS
lo
toempty
fori=0ton 1do
guessthei-thbitofyg toone
fork=0tor 1do
selectatrandomU=(xu;yu)andV =(xv;yv)
calculateX=y
g y
u
usesmart-cardtodecryptC=(U;V),collectpowersignalSk[j]
if thei-thbitofX is1then
addSk[j]toShi
else
addS
k [j]toS
lo
average powersignalstogetDPAbiasD[j]=S
hi [j] S
lo [j]
if DPAbiassignalhasaspikethen
theguesswasright:seti-thbitofyg to1
else
theguesswaswrong:seti-thbitofyg to0
reconstructxg fromyg andreturnSID=(xg;yg)
Althoughclearlyviablegiven someassumptions abouttheimplementation,
thereareanumberofdrawbackstothisapproach.Forexample,incharacteristic
three the shift-and-add method performs an addition when thecurrent
multi-pliercoeÆcientisequaltoone andasubtractionwhenitis equaltotwo.Since
theattackerisunlikelytobeabletodistinguishbetweenanadditionanda
sub-traction,SPAanalysisoftheoperationtracewillonlyyieldthefactthatagiven
coeÆcientiseitherzeroornon-zeroratherthantheactualmagnitude.
DPA-like Attack A method for revealing one operand of an integer
multi-plicationgivenknowledgeof the other ispresentedby Messerges[20][Page93]
in the context ofan attackagainstECDSA. It is easyto see howan analogue
wouldapplyin thecaseof niteelds andwhere insteadof oneoperandbeing
producedbythealgorithm,asin ECDSAwhere therin rdisanoutput,itis
under controlofthe attackerasaninput.Algorithm3outlinessuchanattack,
guessingthevalueofy
1
onebitatatimeandusingacorrelationwiththepower
output of the smart-cardas an indicator to tell ifthe guess is correct. In this
description we use n to denote the length of y
1
and r to represent alimit on
thenumberofruns ofdecryption onthesmart-card.Note thatunliketheSPA
method where characteristic three seemstroublesome, this attack is easily
ex-tendedto copebyconsideringaeldelementassimplyrepresentedbyaset of
bitsandguessing eachoneinturn.
invocation of the pairing, the attacker can no longer perform any correlation
between successiveruns in a DPA-like attack and any successful analysis of a
singlerunusinganSPA-likeattackwillsimplyyieldtherandomisedratherthan
secretdata.Sinceweknowthattherelationship
e(aP;bQ)=e(P;Q) ab
holds, wecanrandomisethe pointsP andQ byselecting randomvaluesfor a
and b.Although this results in an additionalfactor of ab in the exponent of
theresult,wecaneliminatethisbycarefulselectionofaandbsuchthat
ab=1 (mod l):
If one cannot accept the cost of a GCD-like operation to compute arbitrary
randomaandb pairsoftherightform,itispossibletoemployadeterministic
update procedure akin to traditional point blinding. Onecomputesand stores
tworandompairssuch that
ab=1 (mod l)
cd=1 (mod l):
This isonlyeverdoneonce,perhapswhenthedeviceis initialised.Updatinga
andb canthenbeachievedbymultiplicationwithc andd
a ac (mod l)
b bd (modl)
which onlycoststwoeld multiplicationsperupdate and retainsthefact that
ab=1modl.Insummary,thedefencecoststwoadditionalpointmultiplications
andtwoeld multiplicationstoinstrument.
Altering Traditional Point Blinding Traditional point blinding for ECC
hasthehostdevicestoretwoextrapointsthatareretainedacrossinvocationsof
thepointmultiplicationalgorithm.Givenasecretmultiplierd,thecardstoresa
randompointRand thepointS =dR .ThepointmultiplicationdP isthen
computedas
dP =d(P +R ) S
sothatthepointfedintothemultiplicationroutineisrandomlyblindedbyrst
addingRwiththeresultrecoveredbysubtractingS.Consideringtherelationship
e(P;Q+R )=e(P;Q)e(P;R )
we can apply an augmented point blinding technique to the pairing so that
the controlled point is again randomised before use. For the DPA-like attack
described above,this seemssuÆcientdefencesince by randomisingthe control
wewantto randomise,R is arandom point and S = e(P;R ) 1
, weapply the
mapas
e(P;Q)=e(P;Q+R )S:
By blinding Q, the point under control of the attacker,we eectively remove
thiscontrolandhencedefeat anyattackbasedonit:theattackercannolonger
reasonaboutinternaloperationbasedonthepointtheysentintothepairing.
SincePandRareknowntothedeviceatinitialisation,wecanstorethepoint
R andeldelementS in ordertoimplementthemethod.Usingthistechnique,
the overhead in performance is equalto onepoint addition and a eld
multi-plicationin G
3
. However,the issueof updatingthe blindingvariables presents
adrawback. UpdatingR andS isperformedbefore orafter themultiplication
routineisexecutedinordertoprovidechangingandhopefullynon-deterministic
blindingfactorstotherealpoint.Inthetraditionalblindingdefence,onemight
performthefollowingupdateoperations
b f 2;+2g
R bR
S bS:
That is, onedoubles the pointsand mayrandomly also invertthem, although
this is inexpensive. However, this simple form of update has been shown to
bevulnerable to attack[21].Furthermore,in our caseweneed to perform the
operations
b f 2;+2g
R bR
S S
b
:
Squaringaeldelementisreasonablyinexpensivebutinordertoaccommodate
bothpotentialvaluesofb,weneedtostoresomeextrainformationsothat
inver-sionisequallyinexpensive.Todothis, wecanuseatechniquein characteristic
threewhere afractional representationofG
3
rendersinversioninexpensive[13]
orsimplestoreandupdatethevalueS 1
alongwithSifthereisenoughspace.
5 Conclusion
Wehavepresentedtherstinvestigationintothesecurityofpairingbased
cryp-tographyagainstside-channelattack.Althoughtheuseofpairingsinthesortsof
environmentwhereside-channelattackismostprevalentisstillsomewayo,the
couplingofidentitybasedcryptographywithidentityawaredevices seemsvery
attractive.Naiveearlyassumptionsaboutthesecurityofpairingsinthissetting
wereas aresult ofdirectlyapplying existing knowledge ofRSA andECC
itiesdoinevitablyexist,creativeuse ofthebilinearitypropertyofpairingsand
sensibleimplementationmethodshelpto minimisesuchriskwithlowoverhead.
Thereareclearlymanyotherareasthat couldbefollowedupin lightofthis
work.Thediversewayinwhichpairingsareusedincomparisontoconventional
exponentiationinRSAorECCmeansthatvulnerabilitiesareequallyasdiverse
in theirmanifestation:
Furtherpassiveattacks ThesignatureschemeofHesspresentsanadditional
avenueofattackrelatedtoconventionalpointmultiplication:ndinganunknown
pointgivencontrolofthemultiplier.Thatis,canonediscoverP bymonitoring
theexecutionoftheoperationdP where disknownandcontrolledbythe
at-tacker.Thisisclearlydierentfromconventionalattacksonpointmultiplication
in thecontext ofECCsincethere,disthesecretandP istypicallyknownand
only potentially controllable. As well asthe scheme ofHess, this problem also
relatesto several of ourcountermeasuressoat least seemsworthinvestigating
further.
Furtheractiveattacks CietandJoye[10]describedtwodierentfaultattacks
onECCwhichworkbycomputingpointmultiplicationswithinvalidpointsand
erroneous eld arithmetic. Translating these concepts to the context of
pair-ingsseemsinterestingbut diÆcult.Forexample,feeding invalidpointsintothe
pairinggenerallycausesittobecomedegenerateorproducegarbageresults.
Ad-ditionally, weneed toconsider twopoints, oneofwhich isunknown and xed:
itisnotclearwhat wouldhappeniftheoneunder controloftheattackerisnot
ontheexpectedcurve.
Special point attacks Goubin [14] proposed anattackonECC point
multi-plicationwherebyspecialpointswerefedintotheimplementation.Thesepoints
triggererrorsinexecutionthat,whencarriedthroughtotheresult,reveal
infor-mationabouttheinternaloperationandhenceprivateinformation.Thismethod
waslaterenhancedbyAkishitaandTakagi[1].Althoughsuchattacksareeasily
countered[27]itseemsinterestingtoconsiderwhathappenswhenasimilar
ap-proachis usedforpoints fedinto thepairing.Clearly theattacksdonotapply
directly:there is nosecretscalarmultiplier to reveal byusingso called special
points.However,itis notclearwhat happensifeitherinput tothepairingisa
specialpointinsomemorepairing-specicsense.
Acknowledgements
The authors would liketo thank Steven Galbraith, RobGranger, NigelSmart
1. T.AkishitaandT.Takagi. Zero-ValuePointAttacksonEllipticCurve
Cryptosys-tem. In Information Security Conference (ISC), Springer-Verlag LNCS 2851,
218{233,2003.
2. D.Agrawal,B.Archambeault,J.R.RaoandP.Rohatgi. TheEMSide-Channel(s).
InCryptographicHardwareandEmbeddedSystems(CHES),Springer-VerlagLNCS
2523,29{45,2002.
3. D. Agrawal, J.R.Raoand P.Rohatgi. Multi-channel Attacks. InCryptographic
Hardware and Embedded Systems (CHES), Springer-Verlag LNCS 2779, 2{16,
2003.
4. R.J.AndersonandM.G.Kuhn.LowCostAttacksonTamperResistantDevices.In
InternationalSecurity Protocols Workshop(IWSP), Springer-VerlagLNCS1361,
125{136,1997.
5. H.Bar-El,H.Choukri,D.Naccache,M.TunstallandC.Whelan. TheSorcerer's
ApprenticeGuidetoFaultAttacks,InCryptologyePrintArchive,Report2004/10,
2004.
6. J. Baek and Y. Zheng. Identity-Based Threshold Decryption. In Public Key
Cryptography(PKC), Springer-VerlagLNCS2947,262{276,2004.
7. P.S.L.M.Barreto,H.Kim,B.LynnandM.Scott.EÆcientAlgorithmsfor
Pairing-Based Cryptosystems. InAdvances in Cryptology (CRYPTO), Springer-Verlag
LNCS2442,354{368,2002.
8. D.BonehandD.Brumley.RemoteTimingAttacksArePractical.In12thUSENIX
Security Symposium, USENIXPress,2003.
9. D.Bonehand M.Franklin. Identity-BasedEncryptionfromtheWeilPairing. In
SIAMJournalonComputing, Volume32,no.3,586-615,2003.
10. M.CietandM.Joye. EllipticCurveCryptosystemsinthePresenceofPermanent
andTransientFaults. ToappearinDesigns,CodesandCryptography,2004.
11. R. Dutta, R. Baruaand P.Sarkar, Pairing-Based Cryptographic Protocols :A
Survey. InCryptologyePrintArchive,Report2004/064,2004.
12. S. Galbraith, K. Harrison and D. Soldera. Implementing the Tate pairing. In
Algorithmic Number Theory Symposium (ANTS-V), Springer LNCS2369, 324{
337,2002.
13. R. Granger, D. Page and M. Stam. OnSmall Characteristic Algebraic Tori in
Pairing-Based Cryptography. In Cryptology ePrint Archive, Report 2004/132,
2004.
14. L.Goubin.ARenedPower-AnalysisAttackonEllipticCurveCryptosystems.In
PublicKeyCryptography (PKC), Springer-VerlagLNCS2567,199{210,2003.
15. D-G.Han,J.Lim,andK.Sakurai. OnInsecurityoftheSideChannelAttackon
XTR. InSymposiumonCryptographyandInformationSecurity(SCIS),2004.
16. F.Hess.EÆcientIdentityBasedSignatureSchemesBasedonPairings.InSelected
AreasinCryptography(SAC), Springer-VerlagLNCS2595, 310{324,2003.
17. P.C. Kocher. Timing AttacksonImplementationsof DiÆe-Hellman,RSA,DSS,
andOtherSystems.InAdvancesinCryptology(CRYPTO),Springer-VerlagLNCS
1109,104{113,1996.
18. P.C. Kocher, J. Jae and B.Jun. Dierential Power Analysis. InAdvances in
Cryptology(CRYPTO), Springer-VerlagLNCS2139,388{397,1999.
Smart-Algorithms. PhDThesis, UniversityofIllinois,2000.
21. K. Okeya and K. Sakurai. Power Analysis Breaks Elliptic Curve
Cryptosys-tems Even Secure Against the Timing Attack. In Progress in Cryptology
(IN-DOCRYPT), Springer-VerlagLNCS1977,178{190,2002.
22. D.PageandM.Stam. OnXTRandSide-ChannelAnalysis.ToappearinSelected
AreasinCryptography(SAC),2004.
23. K.RubinandA.Silverberg.Torus-BasedCryptography.InAdvancesinCryptology
(CRYPTO), Springer-VerlagLNCS2729,349{365,2003.
24. M.ScottandP.Barreto. CompressedPairings. Toappear inAdvancesin
Cryp-tology(CRYPTO),2004.
25. J.Silverman.TheArithmeticofEllipticCurves. Springer-VerlagGTM106,1986.
26. S.P.Skorobogatov andR.J.Anderson. OpticalFaultInductionAttacks.In
Cryp-tographicHardware andEmbeddedSystems(CHES), Springer-VerlagLNCS2523,
2{12,2002.
27. N.P.Smart. An Analysisof Goubin'sRenedPower AnalysisAttack. In
Cryp-tographicHardware andEmbeddedSystems(CHES), Springer-VerlagLNCS2779,
281{290,2003.
Appendix: An Overview of Pairing Based Protocols
Forconvenience,wepresentanoverviewofthetwomainpairingbasedprotocols
thatarereferredtointhebodyofthepaper.Inordertoachieveauniednotation
fortheschemes,andhencemakeouranalysiseasier,thesedescriptionsmaydier
slightlyfromtheoriginalpapers.
All theschemes relyonthe existenceof three groupsG
1 , G
2 andG
3 all of
orderl,thatareadditiveandmultiplicativerespectivelyandareselectedbythe
TrustAuthority(TA). In allcaseswecanactually takeG
1 =G
2
and denea
bilinearmap
e:G
1 G
1 !G
3
andselectsomegeneratorP 2G
1
.Finally,weselectanumberofcryptographic
hashfunctions withthefollowingsignatures
H
1 :f0;1g
!G
1
H
2 :G
3
!f0;1g N
H
3 :f0;1g
G
3 !Z
l :
forsomevalueN andafewextraonesfortheBaek-Zhengscheme
H
4 :G
3
!f0;1g N
H
5 :G
1
f0;1g N
!G
1
H
6 :G
3 G
3 G
3 !Z
Setup Generatearandommastersecrets2Z
l
andset P
TA
,thepublickeyof
theTA, tobesP.
Extract DenethepublickeyforID asP
ID =H
1
(ID)andreturntheprivate
keyS
ID =sP
ID .
Encrypt Selectsomerandomr2Z
l
andconstructtheciphertextforamessage
M as thepair
C=(rP;MH
2 (e(P
ID ;P
TA )
r
):
Decrypt GiventheciphertextparsedasC=(U;V),compute
M =V H
2 (e(S
ID ;U)):
5.2 Baek-Zheng (t;n)-ThresholdDecryption [6]
Setup Generatearandommastersecrets2Z
l
andset P
TA
,thepublickeyof
theTA, tobesP.
Extract GivenanidentityID,thealgorithmcomputesthecorrespondingpublic
keyasP
ID =H
1
(ID)andthenreturnstheprivatekeyS
ID =sP
ID .
Distribution Given a private key S
ID
, n decryption shares and a threshold
parameter1tn<q,thealgorithmselectelements
R
1 ;R
2 ;:::;R
t 1 2
R G
1
andcomputes
F(u)=S
ID +
t 1
X
j=0 u
j
R
j
foru2f0g[N. It then computesaprivatekeyfor server
i asS
i
=F(i)and
vericationkeyy
i
=e(P;S
i
) for 1 i n. Finally, the algorithm distributes
theprivatekeyS
i
andvericationkeyy
i
toserver
i
beforemakingy
i
publicto
allparties.
Encrypt Given a plaintext M 2 f0;1g N
and an identity ID, the algorithm
selectssomer2
R Z
l
andcomputesthepublic keyP
ID =H
1
(ID)followedby
thevalue=e(P
ID ;P
TA )
r
. Itthencomputesthevalues
U =rP
V =H
4
()M
W =rH
and aprivatekeyS
i
from each decryptionserver,the algorithmcomputesh=
H
5
(U;V)andchecksiftheequalitye(P;W)=e(U;h) holds.Ifthetestholds
{ Calculatethefollowingvalues
i =e(S
i ;U)
~
i =e(T
i ;U)
~ y
i =e(T
i ;P)
i =H 6 ( i ;~ i ;y~
i ) L i =T i + i S i
forpreviouslyselectedT
i 2 R G 1 .
{ ReturnÆ
i;C =(i;
i ;~
i ;y~
i ; i ;L i ). Otherwise
{ ReturnÆ
i;C
=(i;\invalidciphertext").
DecryptionShareVerication GivenaciphertextparsedasC=(U;V;W),a
setofvericationkeysfy
1 ;y
2 ;:::;y
n
g,andadecryptionshareÆ
i;C
,thealgorithm
computesh =H
5
(U;V)and checks ifthe equality e(P;W) =e(U;h) holds. If
thetestholds
{ IfÆ
i;C
isoftheform(i;\invalidciphertext"),return\invalidshare".
{ OtherwiseparseÆ
i;C
as(i;
i ;~
i ;y~
i ;
i ;L
i
)andcompute
i 0=H
6 (
i ;~
i ;y~
i ). Checkif i 0= i ,e(L i ;U)= i0 i =~ i ande(L i ;P)=y i0 i =y~
i .
If the abovetests hold, return \valid share"; otherwise return\invalid
share".
Otherwise
{ IfÆ
i;C
isoftheform(i;\invalidciphertext"),return\validshare";otherwise
return\invalidshare".
Share Combining Givenaciphertext C andaset of validdecryption shares
fd
j;C g
j2
where jj t forthe threshold t, the algorithm h= H
5
(U;V) and
checksiftheequalitye(P;W)=e(U;h)holds.Ifthetestholds
{ Compute= Q j2 c 0;j j
andreturnM =H
4
()V.
Otherwise
