SLIDE 1

Arithmetic of pairings, performance and weakness toward side channel attacks

Nadia El Mrabet

GREYC - LMNO, Université de Caen

Darmstadt, 29th of April 2010

1 / 59

SLIDE 2

Outline

1. Pairing over elliptic curves
  • Definition and properties of pairing
  • Construction and example of pairings
  • Computation of pairings
  • Arithmetic of pairing based cryptography

2. A more efficient arithmetic based on adapted bases
  • Definition of adapted bases
  • Multiplication in F_{p^k} using DFT
  • Complexity of our method

3. Fault attack
  • Identity based cryptography
  • Fault attack
  • Fault attack against Miller's algorithm

4. Conclusion and perspectives

2 / 59

SLIDE 7

What is a pairing?

Properties

Let G1, G2 and G3 be three abelian groups of the same order r. A pairing is a map

    e : (G1, +) × (G2, +) → (G3, ×)

with the following properties:

  • Non-degeneracy: ∀P ∈ G1 \ {0}, ∃Q ∈ G2 such that e(P, Q) ≠ 1.
  • Bilinearity: ∀P, P′ ∈ G1, ∀Q ∈ G2, e(P + P′, Q) = e(P, Q) · e(P′, Q).

Consequences

∀j ∈ Z, e(jP, Q) = e(P, Q)^j = e(P, jQ)

5 / 59

SLIDE 9

Cryptology from pairing

The discrete logarithm problem

The discrete logarithm problem in G1 consists in finding the integer a knowing P ∈ G1 and aP. Let Q be a point of G2: e(aP, Q) = e(P, Q)^a.

Cryptanalysis

The bilinearity of the pairing shifts the discrete logarithm problem on an elliptic curve to a discrete logarithm problem in a finite field. These are the MOV and Frey-Rück attacks.

6 / 59

SLIDE 11

Cryptology from pairing

Cryptography

Pairings allow the construction of original protocols and the simplification of existing protocols:

  • the tripartite Diffie-Hellman key exchange (Joux 2001);
  • identity based cryptography (Boneh and Franklin 2001);
  • short signature schemes (Boneh, Lynn, Shacham 2001).

Example

The construction of a key between Alice and Bob based on identity.

7 / 59

SLIDE 12

Cryptography from pairing

Secure key exchange between Alice and Bob

8 / 59

SLIDE 17

Pairings used in cryptography

The Weil pairing, the Tate pairing, the η pairing, the Ate and Twisted Ate pairings are used in cryptography. The Weil, Tate, Ate and Twisted Ate pairings are constructed on the same model: they share the central step of their computation.

9 / 59

SLIDE 19

Construction of pairings

Data

To compute a pairing, we need E, an elliptic curve over a field K:

    E(K) := { (x, y) ∈ K × K : y² = x³ + ax + b, with a, b ∈ K } ∪ { P∞ }.

Figure: Elliptic curve for K = R

The elliptic curve admits a group law: the addition.

11 / 59

SLIDE 20

Elliptic curve

Group law - Addition

12 / 59

SLIDE 25

Elliptic curve

Group law - Doubling

We denote [r]P = P + P + . . . + P (r times).

13 / 59

SLIDE 29

Construction of pairings

Data

To compute a pairing we need:

  • E an elliptic curve over a finite field K ⊃ F_p, with a, b ∈ F_p:
    E(K) := { (x, y) ∈ K × K : y² = x³ + ax + b } ∪ { P∞ }.
  • r a prime number dividing card(E(F_p)), and the set of points
    E[r] = { P ∈ E(F_p) : [r]P = P∞ }.
  • The embedding degree k: the smallest integer such that r | (p^k − 1). If k > 1 then E[r] ⊂ E(F_{p^k}).
  • The Miller function f_{r,P} such that P is a zero of order r and [r]P is a pole.

14 / 59

SLIDE 31

Construction of pairing

The Tate pairing

Let P ∈ E(F_p)[r], Q ∈ E(F_{p^k})/rE(F_{p^k}) and k the embedding degree with respect to r. The Tate pairing is the map:

    e_T : E(F_p)[r] × E(F_{p^k})/rE(F_{p^k}) → F*_{p^k}
          (P, Q) ↦ f_{r,P}(Q)^{(p^k − 1)/r}

15 / 59

SLIDE 33

Miller's equality

The function f_{r,P}

To compute pairings, we need to construct the rational function f_{r,P} for r a prime number. This function admits the point P as a zero of order r and the point [r]P as a pole.

Victor Miller established the equation:

    f_{i+j,P} = f_{i,P} × f_{j,P} × l_{[i]P,[j]P} / v_{[i+j]P}

With this equation, we construct a sequence of functions such that the point [i]P is a pole, for i from 1 to r.

17 / 59

SLIDE 36

Miller's equality

Example

We want to compute f_{5,P} using the binary decomposition 5 = (101)₂ and the double-and-add principle:

  • Let i = 1. The second bit of 5 is 0: i := 2 × i ⇒ i = 2.
  • The third bit of 5 is 1: i := 2 × i ⇒ i = 4, then i := i + 1 ⇒ i = 5.

On this scheme, we compute f_{5,P} using Miller's equality and the binary decomposition of 5.

18 / 59

SLIDE 39

Miller's equality

Example

Let f_{1,P} = 1 by construction and i = 1.

i := 2i (i = 2):   f_{2,P} = f_{1,P} × f_{1,P} × l_{P,P} / v_{[2]P},   so   f_{2,P} = l_{P,P} / v_{[2]P}

i := 2i (i = 4):   f_{4,P} = f_{2,P} × f_{2,P} × l_{[2]P,[2]P} / v_{[4]P},   so   f_{4,P} = f_{2,P}² × l_{[2]P,[2]P} / v_{[4]P}

i := i + 1 (i = 5):   f_{5,P} = f_{4,P} × l_{[4]P,P} / v_{[5]P}

    f_{5,P} = (l_{P,P} / v_{[2]P})² × l_{[2]P,[2]P} / v_{[4]P} × l_{[4]P,P} / v_{[5]P}

19 / 59

SLIDE 40

Computation of pairings

Miller's algorithm returns f_{r,P}(Q)

Data: r = (r_N . . . r_0)₂, P ∈ G1 ⊂ E(F_p)[r]
Result: [r]P

    T ← P
    for i = N − 1 down to 0 do
        T ← [2]T
        if r_i = 1 then
            T ← T + P
        end
    end
    return T = [r]P

20 / 59

SLIDE 43

Computation of pairings

Miller's algorithm returns f_{r,P}(Q)

Data: r = (r_N . . . r_0)₂, P ∈ G1 ⊂ E(F_p)[r] and Q ∈ G2 ⊂ E(F_{p^k})[r]
Result: f_{r,P}(Q) ∈ G3 ⊂ F*_{p^k}

    T ← P, f1 ← 1, f2 ← 1
    for i = N − 1 down to 0 do
        T ← [2]T
        f1 ← f1² × l_d(Q)
        f2 ← f2² × v_d(Q)
        if r_i = 1 then
            T ← T + P
            f1 ← f1 × l_a(Q)
            f2 ← f2 × v_a(Q)
        end
    end
    return f1 / f2

21 / 59
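The algorithm above carried out in code. This is an added worked example, not code from the talk: it fixes a toy supersingular curve E : y² = x³ + x over F_59, so that #E(F_59) = p + 1 = 60, r = 5 and the embedding degree is k = 2 (all of these values are constructed for illustration), implements F_{p²} = F_p(i), the group law of slides 20 to 25, the line functions l and v of slide 33, the Miller loop exactly as on this slide (f1 accumulating the lines, f2 the verticals) and the final exponentiation of slide 31. Because r = 5, the loop performs precisely the trace of slide 39 (f_2, f_4, f_5). The second pairing argument is obtained from P with the distortion map ψ(x, y) = (−x, iy), which is this example's own choice and not on the slides; the closing checks are the non-degeneracy and the consequences e(jP, Q) = e(P, Q)^j = e(P, jQ) of slide 7. The point of order r is found by a cofactor search, so no coordinates are hard-coded.

```python
# Added example (not from the slides): Miller's algorithm with the f1/f2 split of
# slide 43 and the Tate pairing of slide 31 on a toy supersingular curve, all
# parameters constructed for illustration: E : y^2 = x^3 + x over F_59, where
# #E(F_59) = p + 1 = 60, r = 5 and the embedding degree is k = 2 (5 | 59^2 - 1).
P_MOD, A_COEF, R_ORDER, K_DEG = 59, 1, 5, 2

# F_{p^2} = F_p(i), i^2 = -1 (fine since p = 3 mod 4); elements are pairs (a, b) = a + b*i.
def f2_add(u, v): return ((u[0] + v[0]) % P_MOD, (u[1] + v[1]) % P_MOD)
def f2_sub(u, v): return ((u[0] - v[0]) % P_MOD, (u[1] - v[1]) % P_MOD)
def f2_mul(u, v): return ((u[0] * v[0] - u[1] * v[1]) % P_MOD, (u[0] * v[1] + u[1] * v[0]) % P_MOD)

def f2_inv(u):
    n = pow(u[0] * u[0] + u[1] * u[1], P_MOD - 2, P_MOD)   # inverse of the norm a^2 + b^2
    return ((u[0] * n) % P_MOD, (-u[1] * n) % P_MOD)

def f2_pow(u, e):
    acc = (1, 0)
    while e:
        if e & 1: acc = f2_mul(acc, u)
        u, e = f2_mul(u, u), e >> 1
    return acc

def slope(T1, T2):
    """Slope of the chord through T1 and T2, or of the tangent when T1 == T2."""
    (x1, y1), (x2, y2) = T1, T2
    if T1 == T2:
        num = f2_add(f2_mul((3, 0), f2_mul(x1, x1)), (A_COEF, 0))
        den = f2_mul((2, 0), y1)
    else:
        num, den = f2_sub(y2, y1), f2_sub(x2, x1)
    return f2_mul(num, f2_inv(den))

def ec_add(P1, P2):
    """Group law of slides 20-25 in affine coordinates; None stands for P_inf."""
    if P1 is None or P2 is None:
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and f2_add(y1, y2) == (0, 0):
        return None                                  # P + (-P) = P_inf
    lam = slope(P1, P2)
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), x1), x2)
    return (x3, f2_sub(f2_mul(lam, f2_sub(x1, x3)), y1))

def ec_mul(P, n):
    acc, base = None, P
    while n:
        if n & 1: acc = ec_add(acc, base)
        base, n = ec_add(base, base), n >> 1
    return acc

def line_values(T1, T2, Q):
    """Slide 33's l_{T1,T2} and v_{T1+T2} at Q; a vertical chord (T1 + T2 = P_inf) is l itself, v = 1."""
    (x1, y1), (x2, y2) = T1, T2
    xq, yq = Q
    if x1 == x2 and f2_add(y1, y2) == (0, 0):
        return f2_sub(xq, x1), (1, 0)
    lam = slope(T1, T2)
    l_val = f2_sub(f2_sub(yq, y1), f2_mul(lam, f2_sub(xq, x1)))
    x3, _ = ec_add(T1, T2)
    return l_val, f2_sub(xq, x3)

def miller(P, Q, r):
    """Slide 43: f1 collects the lines l_d, l_a and f2 the verticals v_d, v_a."""
    T, f1, f2 = P, (1, 0), (1, 0)
    for bit in bin(r)[3:]:                 # bits r_{N-1} .. r_0; the top bit is T <- P
        l_d, v_d = line_values(T, T, Q)
        T = ec_add(T, T)
        f1, f2 = f2_mul(f2_mul(f1, f1), l_d), f2_mul(f2_mul(f2, f2), v_d)
        if bit == "1":
            l_a, v_a = line_values(T, P, Q)
            T = ec_add(T, P)
            f1, f2 = f2_mul(f1, l_a), f2_mul(f2, v_a)
    return f2_mul(f1, f2_inv(f2))          # f_{r,P}(Q) = f1 / f2

def tate_pairing(P, Q):
    """Slide 31: e_T(P, Q) = f_{r,P}(Q)^((p^k - 1) / r)."""
    return f2_pow(miller(P, Q, R_ORDER), (P_MOD ** K_DEG - 1) // R_ORDER)

def distortion(P):
    """psi(x, y) = (-x, i*y): an r-torsion point independent of P (example's assumption)."""
    return (f2_sub((0, 0), P[0]), f2_mul((0, 1), P[1]))

def point_of_order_r():
    """Cofactor search in E(F_p) for a point of order r (the set E[r] of slide 29)."""
    for x in range(P_MOD):
        rhs = (x ** 3 + A_COEF * x) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)    # square root, valid as p = 3 mod 4
        if (y * y) % P_MOD == rhs:
            R = ec_mul(((x, 0), (y, 0)), (P_MOD + 1) // R_ORDER)
            if R is not None:
                return R
    raise ValueError("no point of order r")

def pairing_checks():
    """Non-degeneracy, e^r = 1, and slide 7's e(jP, Q) = e(P, Q)^j = e(P, jQ)."""
    P = point_of_order_r()
    Q = distortion(P)
    e = tate_pairing(P, Q)
    return (e != (1, 0), f2_pow(e, R_ORDER) == (1, 0),
            tate_pairing(ec_mul(P, 2), Q) == f2_pow(e, 2),
            tate_pairing(P, ec_mul(Q, 3)) == f2_pow(e, 3))
```

Running `pairing_checks()` returns four `True` values. The denominators v are kept rather than eliminated so that the f1/f2 structure of the slide is visible; for k = 2 and this choice of Q they all lie in F_p and are killed by the final exponentiation anyway, which is the observation behind denominator elimination.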

SLIDE 46

The security of pairing

Table: Security level

Security level (bits)                |   80 |  128 |  192 |   256
Minimal number of bits for r         |  160 |  256 |  384 |   512
Minimal number of bits for p^k       | 1024 | 3072 | 7680 | 15360

23 / 59

SLIDE 48

Computing pairings over elliptic curves

Let M_p be the cost of a multiplication in F_p, S_{p^k} the cost of a squaring and M_{p^k} the cost of a multiplication in F_{p^k}.

Miller's algorithm needs:

  • N = [log2(r)] + 1 iterations;
  • the complexity of the doubling step is 8S_p + (12 + 4k)M_p + 2S_{p^k} + 2M_{p^k};
  • the complexity of the addition step is 6S_p + (20 + 3k)M_p + 2S_{p^k} + 2M_{p^k}.

To improve pairing computation we can:

  • reduce the number of operations in F_{p^k};
  • improve the arithmetic in F_{p^k}.

24 / 59

SLIDE 50

The traditional representation

The representation of the elements of F_p influences the arithmetic over F_p. Usually we use a positional number representation, that is a representation using a base β to represent integers:

    a = Σ_{i=0}^{n−1} a_i β^i,   with a_i ∈ {0, . . . , β − 1} and β^n > p.

Example: the decimal representation in F_90001. Let β = 10 and a = 71209 in F_90001. This element can be written a = 7 × 10⁴ + 1 × 10³ + 2 × 10² + 9.

26 / 59

SLIDE 54

An adapted base

Representation in adapted base

Let p be a prime, 0 < γ < p and n > 0, such that γ^n ≡ λ mod p for a small λ. The representation in adapted base is:

    a = Σ_{i=0}^{n−1} a_i γ^i mod p,   with |a_i| < ρ, where ρ ≥ p^{1/n}.

We denote a(t) = Σ_{i=0}^{n−1} a_i t^i the polynomial representation of a in adapted base.

28 / 59

SLIDE 55

An adapted base

Representation in adapted base

Let p be a prime, 0 < γ < p and n > 0, such that γ^n ≡ λ mod p for a small λ. The representation in adapted base is:

    a = Σ_{i=0}^{n−1} a_i γ^i mod p,   with |a_i| < ρ, where ρ ≥ p^{1/n}.

Example

Let p = 19 and n = 3; the element of F_p such that γ³ ≡ 1 mod p is γ = 7. The elements of F_p in adapted base will be polynomials in γ of degree 2, with coefficients 0, 1 and −1.

29 / 59

SLIDE 61

An adapted base

Example

Representation of the elements 1, . . . , 18 of F_19 in the adapted base with γ = 7 (γ³ ≡ 1 mod 19):

  a | representation   |  a | representation   |  a | representation
  1 | 1                |  7 | γ                | 13 | −γ − 1
  2 | −γ² − γ − 1      |  8 | γ + 1            | 14 | −γ² + γ + 1
  3 | γ² − γ − 1       |  9 | −γ² + 1          | 15 | −γ² + γ
  4 | γ² − γ           | 10 | γ² − 1           | 16 | −γ² + γ + 1
  5 | γ² − γ + 1       | 11 | γ²               | 17 | γ² + γ − 1
  6 | γ − 1            | 12 | γ² + 1           | 18 | −1

30 / 59

SLIDE 62

Arithmetic in adapted base

Reduction of the coefficients using a Montgomery representation (Plantard-Nègre 07)

To find the representation in adapted basis, we use an algorithm due to Thomas Plantard (2005).

Arithmetic in adapted base

"Efficient Modular Arithmetic in Adapted Modular Number System Using Lagrange Representation", C. Nègre and T. Plantard, ACISP '08. The arithmetic is constructed in the Montgomery way, thus it has the same complexity. We have an efficient arithmetic over F_p.

31 / 59
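The adapted-base table of slide 61, recomputed by exhaustive search. This is an added example, not code from the talk or from Plantard's algorithm: for the slide's parameters p = 19, n = 3, γ = 7 it enumerates every coefficient vector over the digit set {−1, 0, 1} and files it under the element of F_19 it evaluates to. The check a hand-written entry has to pass is simply evaluation at γ = 7 modulo 19 (for instance γ² − γ − 1 = 11 − 7 − 1 = 3); a polynomial that does not evaluate to its integer cannot represent it. The search also shows that representations are not unique here: γ³ = 1 makes 1 + γ + γ² a representation of 0, so a few elements receive two vectors. Function names and the `g` used for γ in the rendered output are this example's own.

```python
# Added example (not from the slides): the adapted-base table of slide 61 by
# exhaustive search, with the slide's parameters p = 19, n = 3, gamma = 7
# (7^3 = 343 = 18 * 19 + 1, so gamma^3 = 1 mod 19, i.e. lambda = 1).
from itertools import product

P_MOD = 19
N_DIGITS = 3
GAMMA = 7
DIGITS = (-1, 0, 1)          # the slide's coefficients: |a_i| < rho with rho = 2

def eval_adapted(coeffs, gamma=GAMMA, p=P_MOD):
    """a = sum_i a_i gamma^i mod p (slide 54); coeffs[i] is a_i."""
    return sum(c * pow(gamma, i, p) for i, c in enumerate(coeffs)) % p

def adapted_representations(digits=DIGITS):
    """All coefficient vectors with entries in `digits`, grouped by the element
    of F_p they represent. gamma^3 = 1 makes (1, 1, 1) a vector for 0, so the
    representation is not unique for every element."""
    table = {a: [] for a in range(P_MOD)}
    for coeffs in product(digits, repeat=N_DIGITS):
        table[eval_adapted(coeffs)].append(coeffs)
    return table

def to_polynomial(coeffs, var="g"):
    """Render a coefficient vector as a polynomial in gamma, highest degree first."""
    text = ""
    for i in range(len(coeffs) - 1, -1, -1):
        c = coeffs[i]
        if c == 0:
            continue
        mono = "1" if i == 0 else (var if i == 1 else f"{var}^{i}")
        body = str(abs(c)) if i == 0 else (mono if abs(c) == 1 else f"{abs(c)}{mono}")
        if not text:
            text = ("-" if c < 0 else "") + body
        else:
            text += (" - " if c < 0 else " + ") + body
    return text or "0"

def all_represented(table):
    """Do the digits -1, 0, 1 suffice, i.e. does every element of F_p get a vector?"""
    return all(table[a] for a in range(P_MOD))

def table_is_consistent(table):
    """Every listed vector must evaluate back to the element it is filed under.
    Applied to a hand-written table, this is the check that exposes a wrong entry."""
    return all(eval_adapted(c) == a for a, vecs in table.items() for c in vecs)

if __name__ == "__main__":
    reps = adapted_representations()
    for a in range(1, P_MOD):
        print(a, " | ".join(to_polynomial(c) for c in reps[a]))
```

Running the module prints one line per element with every valid vector, e.g. `3 g^2 - g - 1` and `11 g^2 | -g - 1`, which can be compared entry by entry with the table on slide 61.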

SLIDE 64

The multiplication by interpolation in F_{p^k}

Let U and V be elements of F_{p^k}. They are polynomials U(X), V(X) ∈ F_p[X] of degree k − 1. The multiplication of U and V can be done like this:

1. Polynomial multiplication W(X) = U(X) × V(X), using interpolation.
2. Modular reduction using a polynomial of degree k in F_p[X].

33 / 59

SLIDE 68

Multiplication by interpolation

Let l ≥ 2k − 1 distinct elements α_0, . . . , α_{l−1} in F_p.

1. Evaluation: let U(X) and V(X) be of degree k − 1. We compute Ũ = (U(α_0), . . . , U(α_{l−1})) and Ṽ = (V(α_0), . . . , V(α_{l−1})) using a matrix-vector product:

       Ũ = [ 1   α_1   · · ·   α_1^{k−1} ]     [ u_0     ]
           [ 1   α_2   · · ·   α_2^{k−1} ]  ×  [ u_1     ]
           [ ⋮    ⋮               ⋮      ]     [   ⋮     ]
           [ 1   α_l   · · ·   α_l^{k−1} ]     [ u_{k−1} ]

2. Multiplication: W̃ = (ũ_0 × ṽ_0, ũ_1 × ṽ_1, . . . , ũ_{l−1} × ṽ_{l−1}).

3. Interpolation: reconstruction of the coefficients of W(X).

34 / 59

SLIDE 71

Polynomial multiplication using DFT

Let α be a primitive l-th root of unity in F_p and α_i = α^i. The evaluation is the product by the matrix Ω:

    Ω = [ 1    1          1            · · ·   1                ]
        [ 1    α          α²           · · ·   α^{l−1}          ]
        [ 1    α²         α⁴           · · ·   α^{2(l−1)}       ]
        [ ⋮    ⋮          ⋮                    ⋮                ]
        [ 1    α^{l−1}    α^{2(l−1)}   · · ·   α^{(l−1)(l−1)}   ]

Denoting α′ = α^{−1}, the interpolation is the product by:

    Ω^{−1} = (1/l) [ 1    1           1             · · ·   1                 ]
                   [ 1    α′          α′²           · · ·   α′^{l−1}          ]
                   [ 1    α′²         α′⁴           · · ·   α′^{2(l−1)}       ]
                   [ ⋮    ⋮           ⋮                     ⋮                 ]
                   [ 1    α′^{l−1}    α′^{2(l−1)}   · · ·   α′^{(l−1)(l−1)}   ]

35 / 59

SLIDE 73

Polynomial multiplication using DFT

Complexity

The complexity of the multiplication is:

  • Evaluation: product by the matrix Ω;
  • Multiplications: 2l products in F_p;
  • Interpolation: product by the matrix Ω^{−1}.

The products by Ω and Ω^{−1} are composed of multiplications by powers of α_i.

36 / 59

SLIDE 76

Using the DFT with the adapted base

We combine the use of the adapted base and the DFT multiplication to improve the multiplication in F_{p^k}: l = k, γ such that γ^l = −1, and α = γ is a 2k-th primitive root of unity in F_p.

Consequences

Multiplications by the powers γ^j are composed of shifts and additions in F_p:

    a γ^j = (Σ_{i=0}^{n−1} a_i t^i) t^j mod (t^n + 1) = Σ_{i=0}^{j−1} (−a_{n−j+i}) t^i + Σ_{i=j}^{n−1} a_{i−j} t^i.

Multiplications by Ω and Ω^{−1} are composed only of additions in F_p.

37 / 59
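The three steps of slides 64 to 73 (evaluation by Ω, pointwise products, interpolation by Ω^{−1}, then reduction modulo the defining polynomial) and the shift formula of this slide, in one runnable piece. This is an added example, not code from the talk or the ACISP paper, and its parameters are its own: p = 17 (so F_17 contains 8th roots of unity), α = 2 as a primitive 8th root of unity (2⁴ = 16 = −1, 2⁸ = 1 mod 17), k = 4 with l = 8 ≥ 2k − 1 evaluation points, and F_{17⁴} defined by X⁴ − 3, which is irreducible over F_17 because 3 is a non-square there. The multiplication by γ^j is written for a general small λ with γ^n = λ (the slide's case is λ = −1, where wrapped coefficients are negated; λ = 1 is the plain rotation of slide 55's example), so it goes slightly beyond the slide; the check that it is right is evaluation at γ = 2 in F_17, where 2⁴ = −1.

```python
# Added example (not from the slides): multiplication in F_{p^k} by evaluation /
# pointwise product / interpolation with the DFT matrices of slide 71, the
# reduction of slide 64, and the shift-only multiplication by powers of gamma of
# slide 76. All parameters are constructed for illustration.
P_MOD = 17                   # prime with 8 | p - 1, so F_17 has 8th roots of unity
L_POINTS = 8                 # l evaluation points, l >= 2k - 1
ALPHA = 2                    # primitive 8th root of unity: 2^4 = 16 = -1, 2^8 = 1 mod 17
K_DEG = 4                    # extension degree k
MODULUS = [14, 0, 0, 0, 1]   # X^4 - 3 (low degree first); irreducible as 3 is a non-square mod 17

def dft_matrix_product(vec, root):
    """Row i of Omega is (root^0, root^i, root^{2i}, ...): returns Omega * vec."""
    return [sum(c * pow(root, i * j, P_MOD) for j, c in enumerate(vec)) % P_MOD
            for i in range(L_POINTS)]

def evaluate(poly):
    """Step 1 of slide 68: U~ = (U(alpha^0), ..., U(alpha^{l-1}))."""
    return dft_matrix_product(poly + [0] * (L_POINTS - len(poly)), ALPHA)

def interpolate(values):
    """Step 3: coefficients = Omega^{-1} * W~ with Omega^{-1} = (1/l) [alpha^{-ij}]."""
    inv_l = pow(L_POINTS, P_MOD - 2, P_MOD)
    inv_alpha = pow(ALPHA, P_MOD - 2, P_MOD)
    return [(inv_l * c) % P_MOD for c in dft_matrix_product(values, inv_alpha)]

def poly_mul_dft(u, v):
    """W = U * V of degree 2k - 2 through l pointwise products (step 2)."""
    pointwise = [(a * b) % P_MOD for a, b in zip(evaluate(u), evaluate(v))]
    return interpolate(pointwise)[: 2 * K_DEG - 1]

def poly_mul_schoolbook(u, v):
    """Reference product with k^2 multiplications in F_p."""
    w = [0] * (len(u) + len(v) - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            w[i + j] = (w[i + j] + a * b) % P_MOD
    return w

def reduce_mod(w, modulus=MODULUS):
    """Step 2 of slide 64: reduce W(X) modulo the monic degree-k defining polynomial."""
    w = list(w)
    deg = len(modulus) - 1
    for d in range(len(w) - 1, deg - 1, -1):       # eliminate X^d for every d >= k
        c = w[d]
        if c:
            for i, m in enumerate(modulus):
                w[d - deg + i] = (w[d - deg + i] - c * m) % P_MOD
    return (w + [0] * deg)[:deg]

def field_mul(u, v):
    """Product of two elements of F_{p^k} given as coefficient lists of length k."""
    return reduce_mod(poly_mul_dft(u, v))

def mul_by_gamma_power(a, j, lam=-1):
    """a(t) * t^j mod (t^n - lam) on adapted-base coefficients: each coefficient
    moves up j places and those that wrap around are multiplied by lam.
    Slide 76 is lam = -1 (gamma^n = -1): a shift with negation and no F_p
    multiplication. Generalised here to any small lam (lam = 1 is a rotation)."""
    n = len(a)
    out = [0] * n
    for i, c in enumerate(a):
        wraps, pos = divmod(i + j, n)
        out[pos] += c * lam ** wraps
    return out

def eval_adapted(a, gamma):
    """Value in F_p of an adapted-base coefficient vector (slide 54)."""
    return sum(c * pow(gamma, i, P_MOD) for i, c in enumerate(a)) % P_MOD

if __name__ == "__main__":
    print(field_mul([3, 1, 4, 1], [5, 9, 2, 6]))          # constructed inputs
    shifted = mul_by_gamma_power([1, -1, 0, 2], 3)       # gamma = 2, n = 4, 2^4 = -1
    print(shifted, eval_adapted(shifted, 2) == eval_adapted([1, -1, 0, 2], 2) * 8 % 17)
```

With α ∈ F_p the products by Ω and Ω^{−1} still cost one F_p multiplication per matrix entry; the slide's point is that when the F_p coefficients are themselves held in an adapted base with α = γ, `mul_by_gamma_power` replaces each of those multiplications, and only the 2l pointwise products of step 2 remain genuine F_p multiplications.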

SLIDE 78

Complexity of a multiplication in F_{p^k}

Using Karatsuba and Toom-Cook: for k = 2^i 3^j, M_{p^k} = 3^i 5^j M_p. Using DFT and adapted base: M_{p^k} = 2k M_p.

39 / 59

SLIDE 79

Results

Table: Complexities for several values of k

Method                 |  k | M_{p^k} in #A_p | M_{p^k} in #M_p | Ratio
Karatsuba/Toom-Cook    |  8 |              72 |              27 |
Our method, t^8 + 1    |  8 |             192 |              16 | < 11
Karatsuba/Toom-Cook    |  9 |             160 |              25 |
Our method, t^8 + 1    |  9 |             208 |              18 | < 7
Karatsuba/Toom-Cook    | 16 |             248 |              81 |
Our method, t^16 + 1   | 16 |             480 |              32 | < 5
Karatsuba/Toom-Cook    | 18 |             480 |              75 |
Our method, t^16 + 1   | 18 |             576 |              39 | < 3

40 / 59

SLIDE 80

Conclusion

[ACISP '09] with C. Nègre

We introduced a multiplication in F_{p^k} using DFT and adapted base. Our results are good for big values of k.

41 / 59

SLIDE 84

Cryptography from pairing

Identity based cryptography

Identity based protocols are asymmetric protocols where the user's public key is his identity; a trusted authority gives him the associated private key.

Example

Alice and Bob key exchange

44 / 59

SLIDE 85

Cryptography from pairing

Secure key exchange between Alice and Bob

45 / 59

SLIDE 88

Side channel attacks

During an identity based protocol, we know the pairing algorithm and the number of iterations (N = [log2(r)] + 1). The secret is one of the parameters of the pairing. The secret does not influence the algorithm.

47 / 59

SLIDE 91

Side channel attacks

Side channel attacks use the implementation of an algorithm to find information about the secret. Fault attacks consist in disturbing the execution of an algorithm. The first fault attack in pairing based cryptography was developed by Page and Vercauteren for the Duursma-Lee algorithm. We study the vulnerability of Miller's algorithm toward fault attacks.

48 / 59

SLIDE 94

Description of the fault attacks

We suppose that the pairing is used in an identity based protocol. The secret is the point P, the first parameter during the computation of e(P, Q). The second parameter Q is known.

Purpose of the fault attack

The aim of the attack is to modify the number of iterations of Miller's algorithm, in order to obtain the results of two consecutive iterations: τ and τ + 1 iterations for τ ∈ {1, . . . , N}. We denote F_{τ,P}(Q) and F_{τ+1,P}(Q) the results of these iterations.

50 / 59

SLIDE 97

Description of the fault attack

Target of the attack

The register where N is stored. We modify it using lasers.

Scheme of the attack

We execute Miller's algorithm several times with the same point Q, modifying the register at each execution. Using the clock cycles we can afterwards find the number of iterations made. We repeat the operation until we obtain two consecutive iteration counts τ and τ + 1.

51 / 59

SLIDE 99

Description of the fault attack

Probability

We want to find two consecutive numbers among numbers randomly taken from 1 to N. This problem is like the birthday problem, and we can compute the probability of success.

Example

For r an integer of size 256 bits, 15 tries are enough to obtain two consecutive numbers with a probability higher than 0.5, and 26 for a probability higher than 0.9.

52 / 59
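The probability quoted above, computed exactly rather than approximated. This is an added example, not code from the talk: it models the iteration counts observed in the faulted runs as m independent uniform draws from {1, . . . , N} and computes the probability that two of them are consecutive by conditioning on the set of distinct values drawn (a birthday-style count with Stirling numbers of the second kind). N = 256 is this example's reading of N = [log2 r] + 1 for a 256-bit r. The figure matters on the defensive side: it says how few faulted executions the attack model needs, which is why the loop counter is the register worth protecting when implementing the countermeasures mentioned in the perspectives.

```python
# Added example (not from the slides): exact probability that m iteration counts,
# drawn uniformly and independently from {1, ..., N}, contain two consecutive
# values tau and tau + 1. N = 256 is the slide's N = [log2 r] + 1 for a 256-bit r.
from fractions import Fraction
from math import comb, factorial

def stirling2(n, k):
    """Stirling numbers of the second kind: S(n, k) = k S(n-1, k) + S(n-1, k-1)."""
    table = [[0] * (k + 1) for _ in range(n + 1)]
    table[0][0] = 1
    for i in range(1, n + 1):
        for j in range(1, min(i, k) + 1):
            table[i][j] = j * table[i - 1][j] + table[i - 1][j - 1]
    return table[n][k]

def prob_two_consecutive(m, n):
    """P(two consecutive integers appear among m uniform draws from 1..n), exactly.

    Condition on the set of distinct values drawn. For a given s-subset there are
    s! * S(m, s) sequences whose distinct values are exactly that subset, and
    C(n - s + 1, s) of the s-subsets of {1..n} contain no two consecutive integers."""
    no_neighbours = Fraction(0)
    for s in range(1, min(m, n) + 1):
        sequences = comb(n - s + 1, s) * factorial(s) * stirling2(m, s)
        no_neighbours += Fraction(sequences, n ** m)
    return 1 - no_neighbours

def tries_for(threshold, n):
    """Smallest number of faulted runs whose success probability reaches threshold."""
    m = 1
    while prob_two_consecutive(m, n) < threshold:
        m += 1
    return m

if __name__ == "__main__":
    for m in (15, 26):
        print(m, float(prob_two_consecutive(m, 256)))
```

The probability is monotone in m (an extra draw can only add values), so `tries_for` is a plain linear search; the two thresholds of the slide are met within the 15 and 26 tries it states.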

SLIDE 102

The ratio R = F_{τ+1,P}(Q) / F_{τ,P}(Q)²

We denote F_{τ,P}(Q) the result of the τ-th iteration and F_{τ+1,P}(Q) the result of the (τ + 1)-th. The ratio R = F_{τ+1,P}(Q) / F_{τ,P}(Q)² gives us information about the secret.

During the τ-th step, T = [j]P in Miller's algorithm. We denote [j]P = (X_j, Y_j, Z_j) the secret and Q = (x_Q, y_Q) the known point in e(P, Q). Writing down the equation we find:

    R = Z_{2j} Z_j² y_Q − 2Y_j² − (3X_j² − aZ_j⁴)(x_Q Z_j² − X_j).

With the theoretical decomposition of R and its value we can construct a system.

53 / 59

SLIDE 105

The ratio R = F_{τ+1,P}(Q) / F_{τ,P}(Q)²

The system is:

    Y_j Z_j³ = λ_2
    Z_j² (X_j² − Z_j⁴) = λ_1
    3X_j (X_j² − Z_j⁴) + 2Y_j² = λ_0

where λ_0, λ_1 and λ_2 are known in F_p. The resolution of this system gives X_j and Y_j as functions of Z_j. We can construct an equation admitting Z_j as a solution:

    (λ_0² − 9λ_1²) Z^{12} − (4λ_0 λ_2² + 9λ_1³) Z^6 + 4λ_2⁴ ≡ 0 mod p

54 / 59

SLIDE 106

Conclusion

[ISA '09]

Miller's algorithm is vulnerable to a fault attack.

Vulnerability of pairings based on Miller's algorithm

The Weil pairing is directly sensitive to this attack. The Tate, Ate and Twisted Ate pairings are constructed in the same way: e_T(P, Q) = (f_{r,P}(Q))^{(p^k − 1)/r}. This final exponentiation is for the moment a countermeasure to this attack, but...

55 / 59

SLIDE 108

Conclusion

We have seen two aspects of pairing based cryptography: the performance of the arithmetic, and the security of pairing based cryptography.

57 / 59

SLIDE 110

Perspectives

Arithmetic of pairings

Implementation of pairings: using original representations; for particular families of elliptic curves. Find pairing friendly elliptic curves.

Security of pairings

Realize the fault attack. Implementation of countermeasures to side channel attacks.

58 / 59

SLIDE 111

Thank you for your attention

59 / 59