Arithmetic of pairings, performance and weakness toward ...nadia.el-mrabet/Presentation/... · Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El

Arithmetic of pairings, performance and weaknesstoward side channel attacks

Nadia El Mrabet

GREYC - LMNOUniversite de Caen

Darmstadt 29th of April 2010

1 / 59

Outline

1 Pairing over elliptic curvesDefinition and properties of pairingConstruction and example of pairingsComputation of pairingsArithmetic of pairing based cryptography

2 A more efficient arithmetic based on adapted basesDefinition of adapted basesMultiplication in Fpk using DFTComplexity of our method

3 Fault attackIdentity based cryptographyFault attackFault attack against Miller’s algorithm

4 Conclusion and perspectives

2 / 59

Outline





3 / 59

Outline





4 / 59

What is a pairing ?Properties

Let G1, G2 and G3 be three abelian groups of same order r . A pairing is amap :

e : (G1,+)× (G2,+)→ (G3,×)

With the following properties

Non degenerency : ∀P ∈ G1 6= 0 ,∃Q ∈ G2 s.t. e(P,Q) 6= 1

Bilinearity : ∀P,P ′ ∈ G1,∀Q ∈ G2, e(P + P ′,Q) = e(P,Q).e(P ′,Q)

Consequences

∀j ∈ Z, e(jP,Q) = e(P,Q)j = e(P, jQ)

5 / 59



e : (G1,+)× (G2,+)→ (G3,×)


Non degenerency : ∀P ∈ G1 6= 0 , ∃Q ∈ G2 s.t. e(P,Q) 6= 1


Consequences

∀j ∈ Z, e(jP,Q) = e(P,Q)j = e(P, jQ)

5 / 59



e : (G1,+)× (G2,+)→ (G3,×)


Non degenerency : ∀P ∈ G1 6= 0 , ∃Q ∈ G2 s.t. e(P,Q) 6= 1


Consequences

∀j ∈ Z, e(jP,Q) = e(P,Q)j = e(P, jQ)

5 / 59

Cryptologie from pairing

The discrete logarithm problem

in G1 consists in finding the integer a knowing P ∈ G1 and aP.Let Q be a point of G2 :

e(aP,Q) = e(P,Q)a.

Cryptanalysis

The bilinearity of pairing shifts the discrete logarithm problem from anelliptic curve to a discrete logarithm problem on a finite field. This is theMOV and Frey Ruck attacks.

6 / 59


The discrete logarithm problem

in G1 consists in finding the integer a knowing P ∈ G1 and aP.Let Q be a point of G2 :

e(aP,Q) = e(P,Q)a.

Cryptanalysis

The bilinearity of pairing shifts the discrete logarithm problem from anelliptic curve to a discrete logarithm problem on a finite field. This is theMOV and Frey Ruck attacks.

6 / 59


Cryptography

pairing allows the construction of original protocols and the simplificationof existing protocols ;

The tri partite Diffie Hellman key exchange (Joux 2001)

Identity based cryptography (Boneh and Franklin 2001)

Short signature scheme (Boneh, Lynn, Shacham 2001)

Example

The construction of a key between Alice and Bob based on identity.

7 / 59


Cryptography

pairing allows the construction of original protocols and the simplificationof existing protocols ;

The tri partite Diffie Hellman key exchange (Joux 2001)

Identity based cryptography (Boneh and Franklin 2001)

Short signature scheme (Boneh, Lynn, Shacham 2001)

Example

The construction of a key between Alice and Bob based on identity.

7 / 59

Cryptography from pairingSecure key exchange between Alice and Bob

8 / 59


8 / 59


8 / 59


8 / 59

Pairings used in cryptography

the Weil pairing,

the Tate pairing,

η pairing,

Ate and Twisted Ate pairing.

are used in cryptography.

The Weil, the Tate, Ate and Twisted Ate pairing are constructed on thesame model.They share the central step of their computation.

9 / 59

Pairings used in cryptography

the Weil pairing,

the Tate pairing,

η pairing,

Ate and Twisted Ate pairing.

are used in cryptography.

The Weil, the Tate, Ate and Twisted Ate pairing are constructed on thesame model.They share the central step of their computation.

9 / 59

Outline





10 / 59

Construction of pairingsData

To compute a pairing, we need :

E an elliptic curve over a field K :

E (K) :=

(x , y) ∈ K×K, y 2 = x3 + ax + b, with a, b ∈ K∪ P∞.

Figure: Elliptic curve for K = R

The elliptic curve admits a group law : the addition.11 / 59

Elliptic curveGroup law - Addition

12 / 59


12 / 59


12 / 59

Elliptic curveGroup law - Doubling

13 / 59


13 / 59


We denote [r ]P = P + P + . . .+ P︸︷︷︸r times

.

13 / 59


To compute a pairing we need :

E an elliptic curve over a finite field K ⊃ Fp, a and b ∈ Fp :

E (K) :=

(x , y) ∈ K×K, y 2 = x3 + ax + b∪ P∞.

r a prime number dividing card(E (Fp)),

and the set of points : E [r ] =

P ∈ E (Fp), [r ]P = P∞

.

the embedding degree k : the smallest integer such that r |(pk − 1) ;

If k > 1 then E [r ] ⊂ E (Fpk ).

The Miller’s function fr ,P such that :

P is a zero of order r

[r ]P is a pole.

14 / 59




E (K) :=

(x , y) ∈ K×K, y 2 = x3 + ax + b∪ P∞.



P ∈ E (Fp), [r ]P = P∞

.





[r ]P is a pole.

14 / 59




E (K) :=

(x , y) ∈ K×K, y 2 = x3 + ax + b∪ P∞.



P ∈ E (Fp), [r ]P = P∞

.





[r ]P is a pole.

14 / 59




E (K) :=

(x , y) ∈ K×K, y 2 = x3 + ax + b∪ P∞.



P ∈ E (Fp), [r ]P = P∞

.





[r ]P is a pole.

14 / 59

Construction of pairingThe Tate pairing

Let P ∈ E (Fp)[r ], Q ∈ E (Fpk )/rE (Fpk ) and k the embedding degree withrespect to r .

The Tate pairing is the map :

eT : E (Fp)[r ]× E (Fpk )/rE (Fpk )→ F∗pk

(P,Q)→ fr ,P(Q)pk−1

r

15 / 59

Construction of pairingThe Tate pairing

Let P ∈ E (Fp)[r ], Q ∈ E (Fpk )/rE (Fpk ) and k the embedding degree withrespect to r .

The Tate pairing is the map :

eT : E (Fp)[r ]× E (Fpk )/rE (Fpk )→ F∗pk

(P,Q)→ fr ,P(Q)pk−1

r

15 / 59

Outline





16 / 59

The Miller’s equalityThe function fr,P

To compute pairings, we need the construction of the rational function fr ,Pfor r a prime number.This function admits point P as zero of order r and point [r ]P as a pole.

Victor Miller establish the equation :

fi+j ,P = fi ,P × fj ,P ×l[i ]P,[j]Pv[i+j]P

With this equation, we construct a sequence of functions such that thepoint [i ]P is a pole for i from 1 to r .

17 / 59

Miller’s equalityExample

We want to compute f5,P using the binary decomposition : 5 = (101)2

and the double and add principle :

Let i = 1,

the second bit of 5 is 0 :

i := 2× i ⇒ i = 2.

The third bit of 5 is 1 :

i := 2× i ⇒ i = 4

i := i + 1 ⇒ i = 5

On this scheme, we want to compute f5,P using Miller’s equality and thebinary decomposition of 5.

18 / 59




Let i = 1,


i := 2× i ⇒ i = 2.


i := 2× i ⇒ i = 4

i := i + 1 ⇒ i = 5


18 / 59




Let i = 1,


i := 2× i ⇒ i = 2.


i := 2× i ⇒ i = 4

i := i + 1 ⇒ i = 5


18 / 59


Let f1,P = 1 by construction and i = 1.

i := 2i (i = 2)

f2,P = f1,P × f1,P ×lP,Pv[2]P

f2,P =lP,Pv[2]P

i := 2i (i = 4)

f4,P = f2,P × f2,P ×l[2]P,[2]P

v[4]P

f4,P = f 22,P ×

l[2]P,[2]P

v[4]P

i := i + 1 (i = 5)

f5,P = f4,P ×l[4]P,P

v[5]P

f5,P =

((lP,Pv[2]P

)2

×l[2]P,[2]P

v[4]P

)×

l[4]P,P

v[5]P

19 / 59



i := 2i (i = 2)

f2,P = f1,P × f1,P ×lP,Pv[2]P

f2,P =lP,Pv[2]P

i := 2i (i = 4)

f4,P = f2,P × f2,P ×l[2]P,[2]P

v[4]P

f4,P = f 22,P ×

l[2]P,[2]P

v[4]P

i := i + 1 (i = 5)

f5,P = f4,P ×l[4]P,P

v[5]P

f5,P =

((lP,Pv[2]P

)2

×l[2]P,[2]P

v[4]P

)×

l[4]P,P

v[5]P

19 / 59



i := 2i (i = 2)

f2,P = f1,P × f1,P ×lP,Pv[2]P

f2,P =lP,Pv[2]P

i := 2i (i = 4)

f4,P = f2,P × f2,P ×l[2]P,[2]P

v[4]P

f4,P = f 22,P ×

l[2]P,[2]P

v[4]P

i := i + 1 (i = 5)

f5,P = f4,P ×l[4]P,P

v[5]P

f5,P =

((lP,Pv[2]P

)2

×l[2]P,[2]P

v[4]P

)×

l[4]P,P

v[5]P

19 / 59

Computation of pairingsMiller’s algorithm returns fr,P(Q)

Data: r = (rN . . . r0)2,P ∈ G1 ⊂ E (Fp)[r ]

Result: [r ]PT ← Pfor i = N − 1 to 0 do

T ← [2]T

if ri = 1 thenT ← T + P

end

endreturn T = [r ]P

20 / 59


Data: r = (rN . . . r0)2,P ∈ G1 ⊂ E (Fp)[r ] et

Q ∈ G2 ⊂ E (Fpk )[r ]Result: fr ,P(Q) ∈ G3 ⊂ F∗

pk

T ← P , f1 ← 1, f2 ← 1for i = N − 1 to 0 do

T ← [2]T

f1 ←− f12 × ld(Q)

f2 ←− f22 × vd(Q)

if ri = 1 thenT ← T + P

f1 ←− f1 × la(Q)f2 ←− f2 × va(Q)

end

end

return f1f2

21 / 59




pk

T ← P , f1 ← 1, f2 ← 1for i = N − 1 to 0 do

T ← [2]Tf1 ←− f1

2 × ld(Q)f2 ←− f2

2 × vd(Q)if ri = 1 then

T ← T + P

f1 ←− f1 × la(Q)f2 ←− f2 × va(Q)

end

end

return f1f2

21 / 59




pk

T ← P , f1 ← 1, f2 ← 1for i = N − 1 to 0 do

T ← [2]Tf1 ←− f1

2 × ld(Q)f2 ←− f2


T ← T + Pf1 ←− f1 × la(Q)f2 ←− f2 × va(Q)

end

end

return f1f2

21 / 59




pk

T ← P , f1 ← 1, f2 ← 1for i = N − 1 to 0 do

T ← [2]Tf1 ←− f1

2 × ld(Q)f2 ←− f2


T ← T + Pf1 ←− f1 × la(Q)f2 ←− f2 × va(Q)

end

end

return f1f2

21 / 59

Outline





22 / 59

The security of pairing

Security level in bit 80 128 192 256

Minimal numbers of bit for r 160 256 384 512

Minimal numbers of bit for pk 1 024 3 072 7 680 15 360

Table: Security level

23 / 59

Computing pairings over elliptic curves

Let Mp be the cost of a multiplication in Fp, Spk the cost of a square andMpk of a multiplication in Fpk .

Miller’s algorithm needs

N = [log2(r)] + 1 iterations

the complexity of the doubling step is8Sp + (12 + 4k)Mp + 2Spk + 2Mpk

the complexity of the addition step is6Sp + (20 + 3k)Mp + 2Spk + 2Mpk

To improve pairing computation we can :

reduce the number of operation inFpk .

improve the arithmetic in Fpk .

24 / 59

Computing pairings over elliptic curves

Let Mp be the cost of a multiplication in Fp, Spk the cost of a square andMpk of a multiplication in Fpk .

Miller’s algorithm needs

N = [log2(r)] + 1 iterations

the complexity of the doubling step is8Sp + (12 + 4k)Mp + 2Spk + 2Mpk

the complexity of the addition step is6Sp + (20 + 3k)Mp + 2Spk + 2Mpk

To improve pairing computation we can :

reduce the number of operation inFpk .

improve the arithmetic in Fpk .

24 / 59

Outline





25 / 59

The traditional representation

The representation of elements in Fp influences the arithmetic over Fp.Usually we used positional number representation, it is a representationusing a base to represent integers :

a =n−1∑i=0

aiβi with ai ∈ 0, . . . , β − 1 and βn > p.

Example : The decimal representation in F90001. Let β = 10, anda = 71209 in F90001. This element can be writea = 7× 104 + 1× 103 + 2× 102 + 9.

26 / 59

Outline





27 / 59

An adapted base

Representation in adapted base :

Let p be a prime, 0 < γ < p and n > 0, such that γn ≡ λ mod p for asmall λ.

The representation in adapted base is :

a =n−1∑i=0

aiγi mod p with |ai | < ρ, where ρ ≥ p1/n.

We denote a(t) =n−1∑i=0

ai ti the polynomial representation of a in adapted

base.

28 / 59

An adapted base


Let p be a prime, 0 < γ < p and n > 0, such that γn ≡ λ mod p for asmall λ.The representation in adapted base is :

a =n−1∑i=0




base.

28 / 59

An adapted base



a =n−1∑i=0




base.

28 / 59

An adapted base



a =n−1∑i=0


Example

Let p = 19.Let n = 3, the element of Fp such that γ3 ≡ 1 mod p is γ = 7.The element of Fp in adapted base will be polynomials in γ of degree 2 ;and coefficients will be 0, 1 et −1.

29 / 59

An adapted baseExample

1 2 3 4 5 6

1 − γ2 − γ − 1 γ2 − γ − 1 γ2 − γ γ2 − γ + 1 γ − 1

7 8 9 10 11 12

γ γ + 1 − γ2 + 1 γ2 − 1 γ2 γ2 + 1

13 14 15 16 17 18

− γ − 1 − γ2 + γ + 1 − γ2 + γ − γ2 + γ + 1 γ2 + γ − 1 − 1

30 / 59


1 2 3 4 5 6

1

− γ2 − γ − 1 γ2 − γ − 1 γ2 − γ γ2 − γ + 1

γ − 1

7 8 9 10 11 12

γ γ + 1

− γ2 + 1

γ2 − 1 γ2 γ2 + 1

13 14 15 16 17 18

− γ − 1 − γ2 + γ + 1 − γ2 + γ − γ2 + γ + 1 γ2 + γ − 1

− 1

30 / 59


1 2 3 4 5 6

1

− γ2 − γ − 1

γ2 − γ − 1

γ2 − γ γ2 − γ + 1

γ − 1

7 8 9 10 11 12

γ γ + 1

− γ2 + 1

γ2 − 1 γ2 γ2 + 1

13 14 15 16 17 18− γ − 1

− γ2 + γ + 1 − γ2 + γ − γ2 + γ + 1 γ2 + γ − 1

− 1

30 / 59


1 2 3 4 5 6

1

− γ2 − γ − 1

γ2 − γ − 1 γ2 − γ γ2 − γ + 1 γ − 1

7 8 9 10 11 12

γ γ + 1

− γ2 + 1

γ2 − 1 γ2 γ2 + 1

13 14 15 16 17 18− γ − 1

− γ2 + γ + 1 − γ2 + γ − γ2 + γ + 1 γ2 + γ − 1

− 1

30 / 59


1 2 3 4 5 6

1

− γ2 − γ − 1

γ2 − γ − 1 γ2 − γ γ2 − γ + 1 γ − 1

7 8 9 10 11 12

γ γ + 1 − γ2 + 1 γ2 − 1 γ2 γ2 + 1

13 14 15 16 17 18− γ − 1 − γ2 + γ + 1 − γ2 + γ − γ2 + γ + 1 γ2 + γ − 1 − 1

30 / 59


1 2 3 4 5 6

1 − γ2 − γ − 1 γ2 − γ − 1 γ2 − γ γ2 − γ + 1 γ − 1

7 8 9 10 11 12

γ γ + 1 − γ2 + 1 γ2 − 1 γ2 γ2 + 1

13 14 15 16 17 18− γ − 1 − γ2 + γ + 1 − γ2 + γ − γ2 + γ + 1 γ2 + γ − 1 − 1

30 / 59

Arithmetic in adapted baseReduction of the coefficient using Montgomery representation (Plantard-Negre 07)

To find the representation in adapted basis, we used an algorithm dueto :

Thomas Plantard in 2005.

Arithmetic in adapted base

Efficient Modular Arithmetic in Adapted Modular Number System UsingLagrange Representation, of C. Negre and T. Plantard in ACISP ’08.The arithmetic is constructed in Montgomery way, thus it has the samecomplexity.We have an efficient arithmetic over Fp.

31 / 59

Outline





32 / 59

The multiplication by interpolation in Fpk

Let U and V be elements of Fpk .They are polynomials U(X ),V (X ) ∈ Fp[X ] of degree k − 1.The multiplication between U and V can be done like this :

1 Polynomial multiplication W (X ) = U(X )× V (X ), usinginterpolation.

2 Modular reduction using a polynomial of degree k in Fp.

33 / 59

Multiplication by interpolationLet l ≥ 2k − 1 distinct elements α0, . . . , αl−1 in Fp.

1 Evaluation : Let U(X ) and V (X ) of degree k − 1. We compute

U = (U(α0), . . . ,U(αl−1)) and V = (V (α0), . . . ,V (αl−1))

using a matrix vector product :

U =

1 α1 · · · αk−1

1

1 α2 · · · αk−12

......

1 αl · · · αk−1l

×

u0

u1...

uk−1

.2 Multiplication :

W = (u0 × v0, u1 × v1, . . . , ul−1 × vl−1).

3 Interpolation : reconstruction of coefficients of W (X ).

34 / 59





U =

1 α1 · · · αk−1

1

1 α2 · · · αk−12

......

1 αl · · · αk−1l

×

u0

u1...

uk−1

.

2 Multiplication :

W = (u0 × v0, u1 × v1, . . . , ul−1 × vl−1).


34 / 59





U =

1 α1 · · · αk−1

1

1 α2 · · · αk−12

......

1 αl · · · αk−1l

×

u0

u1...

uk−1

.2 Multiplication :

W = (u0 × v0, u1 × v1, . . . , ul−1 × vl−1).


34 / 59





U =

1 α1 · · · αk−1

1

1 α2 · · · αk−12

......

1 αl · · · αk−1l

×

u0

u1...

uk−1

.2 Multiplication :

W = (u0 × v0, u1 × v1, . . . , ul−1 × vl−1).


34 / 59

Polynomial multiplication using DFT.

Let α be a l primitive roots of unity in Fp αi = αi .

The evaluation is the product by the matrix Ω :

Ω =

1 1 1 · · · 11 α α2 · · · αl−1

1 α2 α4 · · · α(l−1)2

......

1 αl−1 α2(l−1) · · · α(l−1)(l−1)

Denoting α′ = α−1, the interpolation is the product by :

Ω−1 =1

l

1 1 1 · · · 11 α′ α′2 · · · α′l−1

1 α′2 α′4 · · · α′(l−1)2

......

1 α′l−1 α′2(l−1) · · · α′(l−1)(l−1)

35 / 59




Ω =

1 1 1 · · · 11 α α2 · · · αl−1

1 α2 α4 · · · α(l−1)2

......

1 αl−1 α2(l−1) · · · α(l−1)(l−1)


Ω−1 =1

l

1 1 1 · · · 11 α′ α′2 · · · α′l−1

1 α′2 α′4 · · · α′(l−1)2

......

1 α′l−1 α′2(l−1) · · · α′(l−1)(l−1)

35 / 59




Ω =

1 1 1 · · · 11 α α2 · · · αl−1

1 α2 α4 · · · α(l−1)2

......

1 αl−1 α2(l−1) · · · α(l−1)(l−1)


Ω−1 =1

l

1 1 1 · · · 11 α′ α′2 · · · α′l−1

1 α′2 α′4 · · · α′(l−1)2

......

1 α′l−1 α′2(l−1) · · · α′(l−1)(l−1)

35 / 59


Complexity

The complexity of the multiplication is :

Evaluation : product by the matrix Ω,

Multiplications : 2l products in Fp ,

Interpolation : product by the matrix Ω−1.

Products by Ω et Ω−1 are composed with multiplication with powers of αi .

36 / 59


Complexity

The complexity of the multiplication is :

Evaluation : product by the matrix Ω,

Multiplications : 2l products in Fp ,

Interpolation : product by the matrix Ω−1.

Products by Ω et Ω−1 are composed with multiplication with powers of αi .

36 / 59

Using the DFT with the adapted base

We combine the utilisation of the adapted base and the DFTmultiplication to improve the multiplication in Fpk .

l = k ,

γ such that γ l = −1,

α = γ is a 2kprimitive root of unity in Fp.

Consequences

Multiplications by power of γi are composed of shift and addition inFp :

aγj = (∑n−1

i=0 ai ti )t j mod tn + 1

= (∑j−1

i=0−an−j+i ti ) + (

∑n−1i=j ai−j t

i ).

Multiplications by Ω and Ω−1 are uniquely composed by additions inFp.

37 / 59



l = k ,



Consequences

Multiplications by power of γi are composed of shift and addition inFp :

aγj = (∑n−1


= (∑j−1

i=0−an−j+i ti ) + (


i ).


37 / 59



l = k ,



Consequences

Multiplications by power of γ i are composed of shift and addition inFp :

aγj = (∑n−1


= (∑j−1

i=0−an−j+i ti ) + (


i ).


37 / 59

Outline





38 / 59

Complexity of a multiplication in Fpk

Using Karatsuba and Toom Cook : pour k = 2i3j then Mpk = 3i5jMp.

Using DFT and adapted base : Mpk = 2kMp.

39 / 59

Results

Table: Complexities of several values of k

Method k Mpk Ratio

# Ap # MpMp

Ap

Karatsuba/Toom-Cook 8 72 27Our method t8 + 1 8 192 16 < 11




40 / 59

Conclusion

[ACISP’09] avec C. Negre

We introduced a multiplication in Fpk using DFT and adapted base.

Our results are good for big values of k .

41 / 59

Outline





42 / 59

Outline





43 / 59

Cryptography from pairingIdentity based cryptography

Identity based protocols are asymmetric protocols where

the user’s public key it is his identity,

a trusted authority gives him the associated private key.

Example

Alice and Bob key exchange

44 / 59

Cryptography from pairingIdentity based cryptography

Identity based protocols are asymmetric protocols where

the user’s public key it is his identity,

a trusted authority gives him the associated private key.

Example

Alice and Bob key exchange

44 / 59


45 / 59


45 / 59

Outline





46 / 59

Side channels attacks

During an identity based protocole, we know :

the pairing algorithm,

the number of iterations (N = [log2(r)] + 1).

The secret is one the parameter of pairing.

The secret does not influence the algorithm.

47 / 59

Side channel attacks

side channel attacks use the implementation of algorithm to findinformation about the secret.

Fault attacks consist in disturbing the execution of an algorithm.

First fault attack in pairing based cryptography was developed byPage and Vercauteren for the Duursma and lee algorithm.

We study the vulnerability of Miller’s algorithm toward fault attacks.

48 / 59






48 / 59






48 / 59

Outline





49 / 59

Description of the fault attacks

We suppose that the pairing is used in Identity based protocol.

The secret is point P, first parameter during the computation ofe(P,Q).

The second parameter Q is known.

Purpose of the fault attack

The aim of the attack is to modify the number of iterations of the Miller’salgorithm, in order to obtain the result of two consecutive iterations : τand τ + 1 iterations for τ ∈ 1, . . . ,N.We denote Fτ,P(Q) and Fτ+1,P(Q) the results of these iterations.

50 / 59

Description of the fault attacks

We suppose that the pairing is used in Identity based protocol.

The secret is point P, first parameter during the computation ofe(P,Q).

The second parameter Q is known.

Purpose of the fault attack

The aim of the attack is to modify the number of iterations of the Miller’salgorithm, in order to obtain the result of two consecutive iterations : τand τ + 1 iterations for τ ∈ 1, . . . ,N.We denote Fτ,P(Q) and Fτ+1,P(Q) the results of these iterations.

50 / 59

Description of the fault attack

Target of the attack

The register where N is stocked. We modify it using lasers.

Scheme of the attack

We execute several Miller’s algorithm with the same point Q andmodifying the register for each iterations.

Using the clock cycles we can find after the number of iteration made.

We repeat the operation until we obtain two consecutive iterations τand τ + 1.

51 / 59








51 / 59








51 / 59


Probability

We want to find two consecutive numbers randomly taken from 1 to N.

This problem is like the anniversary problem.We can compute the probability of success.

Example

For r an integer of size 256 bits,15 tries are enough to obtain two consecutive numbers with a probabilityhigher than 0, 5 ;and 26 for a probability higher than 0, 9.

52 / 59


Probability

We want to find two consecutive numbers randomly taken from 1 to N.This problem is like the anniversary problem.We can compute the probability of success.

Example

For r an integer of size 256 bits,15 tries are enough to obtain two consecutive numbers with a probabilityhigher than 0, 5 ;and 26 for a probability higher than 0, 9.

52 / 59

The ratio R =Fτ+1,P(Q)Fτ,P(Q)2

We denote Fτ,P(Q) the result of τ -th iteration and Fτ+1,P(Q) the result ofthe τ + 1-th.The ratio R =

Fτ+1,P(Q)Fτ,P(Q)2 gives us information about the secret.

During the τ -th step, T = [j ]P in Miller’s algorithm

We denote [j ]P = (Xj ,Yj ,Zj) the secret and Q = (xQ , yQ) the knownpoint in e(P,Q).

Writing down the equation we fin :

R = Z2jZj2yQ − 2Yj

2 − (3Xj2 − aZj

4)(xQZj2 − Xj).

With the theoretical decomposition of R and its value we can construct asystem.

53 / 59








2 − (3Xj2 − aZj

4)(xQZj2 − Xj).


53 / 59








2 − (3Xj2 − aZj

4)(xQZj2 − Xj).


53 / 59


The system is :

YjZ3j = λ2

Z 2j (X 2

j − Z 4j ) = λ1

3Xj(X 2j − Z 4

j ) + 2Y 2j = λ0.

Where λ0, λ1 and λ2 are known in Fp.

The resolution of this system gives Xj and Yj in function of Zj .We can construct in equation admitting Zj as a solution :

(λ20 − 9λ2

1)Z 12 − (4λ0λ22 + 9λ3

1)Z 6 + 4λ41 ≡ 0 mod p

54 / 59


The system is :

YjZ3j = λ2

Z 2j (X 2

j − Z 4j ) = λ1

3Xj(X 2j − Z 4

j ) + 2Y 2j = λ0.



(λ20 − 9λ2

1)Z 12 − (4λ0λ22 + 9λ3

1)Z 6 + 4λ41 ≡ 0 mod p

54 / 59


The system is :

YjZ3j = λ2

Z 2j (X 2

j − Z 4j ) = λ1

3Xj(X 2j − Z 4

j ) + 2Y 2j = λ0.



(λ20 − 9λ2

1)Z 12 − (4λ0λ22 + 9λ3

1)Z 6 + 4λ41 ≡ 0 mod p

54 / 59

Conclusion

[ISA’09]

Miller’s algorithm is vulnerable to a fault attack.

Vulnerability of pairings based on Miller’s algorithm

Weil pairing is directly sensitive to this attack.

The Tate, Ate and Twisted Ate pairing are constructed in the same

way : eT (P,Q) = (fr ,P(Q))pk−1

r .This exponentiation is for the moment a countermeasure to thisattack, but...

55 / 59

Outline





56 / 59

Conclusion

We discover know two aspect of pairing based cryptography

performance of the arithmetic,

security of pairing based cryptography.

57 / 59

Perspectives

Arithmetic of pairings

Implementation of pairings :

Using original representation.

For particular families of elliptic curves.

Find pairing friendly elliptic curves.

Security of pairings

Realize the fault attack.

Implementation of countermeasures to side channel attacks.

58 / 59

Perspectives

Arithmetic of pairings

Implementation of pairings :

Using original representation.

For particular families of elliptic curves.

Find pairing friendly elliptic curves.

Security of pairings

Realize the fault attack.

Implementation of countermeasures to side channel attacks.

58 / 59

Thank you for

your attention

59 / 59

Documents

Arithmetic of pairings, performance and weakness toward ...nadia.el-mrabet/Presentation/... · Arithmetic of pairings, performance and weakness toward side channel attacks Nadia El