Fault Attacks on Efficient Pairing Implementations

Pierre-Alain Fouque, Chen Qian
{"title":"Fault Attacks on Efficient Pairing Implementations","authors":"Pierre-Alain Fouque, Chen Qian","doi":"10.1145/2897845.2897907","DOIUrl":null,"url":null,"abstract":"This paper studies the security of efficient pairing implementations with compressed and standard representations against fault attacks. We show that these attacks solve the Fixed Argument Pairing Inversion and recover the first or second argument of the pairing inputs if we can inject double-faults on the loop counters. Compared to the first attack of Page and Vercauteren on supersingular elliptic curves in characteristic three, these are the first attacks which address efficient pairing implementations. Most efficient Tate pairings are computed using a Miller loop followed by a Final Exponentiation. Many papers show how it is possible to invert only the Miller loop and a recent paper of Lashermes et al. at CHES 2013 shows how to invert only the final exponentiation. During a long time, the final exponentiation was used as a countermeasure against the inversion of the Miller loop. However, the CHES attack cannot be used to invert this step on efficient and concrete implementations. Indeed, the two first steps of the Final Exponentiation use the Frobenius map to compute them efficiently. The drawback of the CHES 2013 attack is that it only works if these steps are implemented using very expensive inversions, but in general, these inversions are computed by using a conjugate since elements at the end of the first exponentiation are unicity roots. If this natural implementation is used, the CHES 2013 attack is avoided since it requires to inject a fault so that the faulted elements are not unicity roots. Consequently, it is highly probable that for concrete implementations, this attack will not work. For the same reasons, it is not possible to invert the Final Exponentiation in case of compressed pairing and both methods (conjugate and compressed) were proposed by Lashermes et al. as countermeasures against their attack. Here, we demonstrate that we can solve the FAPI-1 and FAPI-2 problems for compressed and standard pairing implementations. We demonstrate the efficiency of our attacks by using simulations with Sage on concrete implementations.","PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"15 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2897845.2897907","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1

Abstract

This paper studies the security of efficient pairing implementations with compressed and standard representations against fault attacks. We show that these attacks solve the Fixed Argument Pairing Inversion and recover the first or second argument of the pairing inputs if we can inject double-faults on the loop counters. Compared to the first attack of Page and Vercauteren on supersingular elliptic curves in characteristic three, these are the first attacks which address efficient pairing implementations. Most efficient Tate pairings are computed using a Miller loop followed by a Final Exponentiation. Many papers show how it is possible to invert only the Miller loop and a recent paper of Lashermes et al. at CHES 2013 shows how to invert only the final exponentiation. During a long time, the final exponentiation was used as a countermeasure against the inversion of the Miller loop. However, the CHES attack cannot be used to invert this step on efficient and concrete implementations. Indeed, the two first steps of the Final Exponentiation use the Frobenius map to compute them efficiently. The drawback of the CHES 2013 attack is that it only works if these steps are implemented using very expensive inversions, but in general, these inversions are computed by using a conjugate since elements at the end of the first exponentiation are unicity roots. If this natural implementation is used, the CHES 2013 attack is avoided since it requires to inject a fault so that the faulted elements are not unicity roots. Consequently, it is highly probable that for concrete implementations, this attack will not work. For the same reasons, it is not possible to invert the Final Exponentiation in case of compressed pairing and both methods (conjugate and compressed) were proposed by Lashermes et al. as countermeasures against their attack. Here, we demonstrate that we can solve the FAPI-1 and FAPI-2 problems for compressed and standard pairing implementations. We demonstrate the efficiency of our attacks by using simulations with Sage on concrete implementations.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
高效配对实现中的故障攻击
本文研究了具有压缩和标准表示的高效配对实现对故障攻击的安全性。我们证明,如果我们可以在循环计数器上注入双故障,这些攻击解决了固定参数配对反转并恢复配对输入的第一个或第二个参数。与Page和Vercauteren在特征三中的超奇异椭圆曲线上的第一次攻击相比,这些攻击是第一次解决有效配对实现的攻击。最有效的Tate对是使用Miller循环和Final Exponentiation来计算的。许多论文展示了如何仅反转米勒环,Lashermes等人在2013年CHES上的一篇最新论文展示了如何仅反转最终幂次。在很长一段时间里,最终幂被用作对抗米勒循环反转的对策。然而,在有效和具体的实现中,不能使用CHES攻击来反转这一步。实际上,最终幂运算的前两个步骤使用了Frobenius映射来有效地计算它们。CHES 2013攻击的缺点是,它只有在使用非常昂贵的反转来实现这些步骤时才有效,但通常,这些反转是通过使用共轭来计算的,因为第一次幂的末尾的元素是唯一根。如果使用这种自然实现,则可以避免CHES 2013攻击,因为它需要注入一个故障,以便故障元素不是唯一根。因此,对于具体实现来说,这种攻击很可能不起作用。出于同样的原因,在压缩配对的情况下,不可能反转Final Exponentiation, Lashermes等人提出了两种方法(共轭和压缩)作为对抗它们攻击的对策。在这里,我们演示了我们可以解决压缩和标准配对实现的FAPI-1和FAPI-2问题。我们通过使用Sage对具体实现进行模拟来证明我们的攻击的效率。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
相关文献
Nephrography; simplified technic.
IF 19.7 1区 医学RadiologyPub Date : 1950-12-01 DOI: 10.1148/55.6.827
J VESEY, C T DOTTER, I STEINBERG
[Simplified suture technic].
IF 0 Die QuintessenzPub Date : 1970-10-01 DOI:
H Erdmann
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Generally Hybrid Proxy Re-Encryption: A Secure Data Sharing among Cryptographic Clouds Hardening OpenStack Cloud Platforms against Compute Node Compromises Data Exfiltration in the Face of CSP Anonymous Identity-Based Broadcast Encryption with Constant Decryption Complexity and Strong Security FLEX: A Flexible Code Authentication Framework for Delegating Mobile App Customization
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1