A Dierential Power Analysis attack against the Miller's Algorithm

Transcription

1 A Dierential Power Analysis attack against the Miller's Algorithm Nadia El Mrabet (1), G. Di Natale (2) and M.L. Flottes (2) (1) Team Arith, (2) Team CCSI/LIRMM, Université Montpellier 2 Prime 2009, UCC, Ireland, July 2009

2 Pairings Properties of pairings Pairing based cryptography Identity Based Cryptography Construction Miller's algorithm Properties Construction Outline of the presentation Dierential Power Analysis Attack Denition Against the Miller's algorithm Conclusion

3 Pairings Properties of pairings Pairing based cryptography Identity Based Cryptography Construction Miller's algorithm Properties Construction Outline Dierential Power Analysis Attack Denition Against the Miller's algorithm Conclusion

4 What is a pairing? Let G 1, G 2 and G 3 be three groups with the same order r. A pairing is a map : e : G 1 G 2 G 3 which veries the following properties : Non degenerate ; Bilinearity ;

5 What is a pairing? Let G 1, G 2 and G 3 be three groups with the same order r. A pairing is a map : e : G 1 G 2 G 3 which veries the following properties : Non degenerate ; Bilinearity ; Consequences j N, e([j]p, Q) = e(p, Q) j = e(p, [j]q)

6 Elliptic Curve Cryptography and pairings Part 1 - Cryptanalyse The MOV/Frey Rück attack against the DLP on elliptic curves in 1993, 1994 : using pairings, the DLP on elliptic curves becomes a DLP on nite eld.

7 Elliptic Curve Cryptography and pairings Part 1 - Cryptanalyse The MOV/Frey Rück attack against the DLP on elliptic curves in 1993, 1994 : using pairings, the DLP on elliptic curves becomes a DLP on nite eld. Given P and Q = αp E(F q ), the DLP on E(F q ) consists in nding α.

8 Elliptic Curve Cryptography and pairings Part 1 - Cryptanalyse The MOV/Frey Rück attack against the DLP on elliptic curves in 1993, 1994 : using pairings, the DLP on elliptic curves becomes a DLP on nite eld. Given P and Q = αp E(F q ), the DLP on E(F q ) consists in nding α. Let S E(F q ) be a point such that e(p, S) 1, let e(p, S) = g and e(q, S) = h E(F q ), then the DLP becomes nding α such that h = g α in a nite eld.

9 Elliptic Curve Cryptography and pairings Part 2 - Cryptography Pairings allow the construction of novel protocols and simplication of existing protocols. The tri partite Die Hellman key exchange protocol (Joux 2001) The Identity Based Encryption (Boneh and Franklin 2001) Short signature scheme (Boneh, Lynn, Schackamm 2001) Group signatures schemes (Boneh, Schackamm, 2004)

10 Elliptic Curve Cryptography and pairings Identity Based Cryptography (IBC) An Identity Based protocol is an asymetric system where : The public key of Alice its her identity, her private Key is constructed by a Trusted authority. Example We illustrate the notion of Identity Based Cryptography with the example of a key exchange between Alice and Bob.

11 IBC Secure key exchange between Alice and Bob

12 IBC Secure key exchange between Alice and Bob

13 IBC Secure key exchange between Alice and Bob

14 Elliptic Curve Cryptography and pairings Pairings used Four pairings are principally used in cryptography : the Weil pairing, the Tate pairing, the η T pairing, the Ate pairing. The Miller's algorithm constructing the function f r,p step for the Weil, Tate and Ate pairings. is a central

15 Construction of the pairings Data To compute a pairing, we need the following elements : E an elliptic curve over F q = {0, 1, 2,..., q 1} : E : y 2 = x 3 + ax + b, where a, b F q.

16 Construction of the pairings Data To compute a pairing, we need the following elements : E an elliptic curve over F q = {0, 1, 2,..., q 1} : E : y 2 = x 3 + ax + b, where a, b F q. r a prime dividing card(e(f q )), consider E[r] : E[r] = { P E(F q ), [r]p = P }.

17 Construction of the pairings Data To compute a pairing, we need the following elements : E an elliptic curve over F q = {0, 1, 2,..., q 1} : E : y 2 = x 3 + ax + b, where a, b F q. r a prime dividing card(e(f q )), consider E[r] : E[r] = { P E(F q ), [r]p = P }. The embedding degree k : minimal integer such that r (q k 1) :

18 Construction of the pairings Data To compute a pairing, we need the following elements : E an elliptic curve over F q = {0, 1, 2,..., q 1} : E : y 2 = x 3 + ax + b, where a, b F q. r a prime dividing card(e(f q )), consider E[r] : E[r] = { P E(F q ), [r]p = P }. The embedding degree k : minimal integer such that r (q k 1) : P E(F q )[r] Q E(F q k )[r]

19 Construction of the pairings Data To compute a pairing, we need the following elements : E an elliptic curve over F q = {0, 1, 2,..., q 1} : E : y 2 = x 3 + ax + b, where a, b F q. r a prime dividing card(e(f q )), consider E[r] : E[r] = { P E(F q ), [r]p = P }. The embedding degree k : minimal integer such that r (q k 1) : P E(F q )[r] Q E(F q k )[r] A function f r,p constructed with the Miller's algorithm.

20 Construction of the pairings The Tate pairing Let P E(F q )[r], Q E(F q k )/re(f q k ) and k be the embedding degree of the elliptic curve.

21 Construction of the pairings The Tate pairing Let P E(F q )[r], Q E(F q k )/re(f q k ) and k be the embedding degree of the elliptic curve. The Tate pairing is the bilinear map : e T : E(F q )[r] E(F q k )/re(f q k ) F q k (P, Q) f r,p (Q) q k 1 r

22 Pairings Properties of pairings Pairing based cryptography Identity Based Cryptography Construction Miller's algorithm Properties Construction Outline Dierential Power Analysis Attack Denition Against the Miller's algorithm Conclusion

23 The function f r,p In order to compute the pairings, we need to compute the function f r,p. Victor Miller's established the Miller's equation : f i+j,p = f i,p f j,p l [i]p,[j]p v [i+j]p

24 The function f r,p In order to compute the pairings, we need to compute the function f r,p. Victor Miller's established the Miller's equation : where l [i]p+[j]p f i+j,p = f i,p f j,p l [i]p,[j]p v [i+j]p is the line joining the points [i]p and [j]p,

25 The function f r,p In order to compute the pairings, we need to compute the function f r,p. Victor Miller's established the Miller's equation : f i+j,p = f i,p f j,p l [i]p,[j]p v [i+j]p where l [i]p+[j]p is the line joining the points [i]p and [j]p, and v [i+j]p is the vertical line passing through point [i + j]p.

26 Example We want to compute f 7,P :

27 Example We want to compute f 7,P : 7 = 6 + 1

28 Example We want to compute f 7,P : 7 = f 7,P = f 6,P f 1,P l [6]P,P v [7]P

29 Example We want to compute f 7,P : 7 = f 7,P = f 6,P f 1,P l [6]P,P v [7]P f 1,P = 1 f 7,P = f 6,P l [6]P,P v [7]P

30 Example We want to compute f 7,P : 7 = f 7,P = f 6,P f 1,P l [6]P,P v [7]P f 1,P = 1 f 7,P = f 6,P l [6]P,P v [7]P f 6,P = f 3,P f 3,P l [3]P,[3]P v [6]P when i = j, the line l is the tangent at point [i]p

31 Example We want to compute f 7,P : 7 = f 7,P = f 6,P f 1,P l [6]P,P v [7]P f 1,P = 1 f 7,P = f 6,P l [6]P,P v [7]P f 6,P = f 3,P f 3,P l [3]P,[3]P v [6]P when i = j, the line l is the tangent at point [i]p f 6,P = f 2 3,P l [3]P,[3]P v [6]P f 7,P = f 2 3,P l [3]P,[3]P v [6]P l [6]P,P v [7]P

32 Example We want to compute f 7,P : f 7,P = f 2 3,P l [3]P,[3]P v [6]P l [6]P,P v [7]P

33 Example We want to compute f 7,P : f 7,P = f 2 3,P l [3]P,[3]P v [6]P l [6]P,P v [7]P f 3,P = f 2,P f 1,P l [2]P,P v [3]P f 3,P = f 2,P l [2]P,P v [3]P f 2,P = f 1,P f 1,P l P,P v [2]P

34 Example We want to compute f 7,P : f 7,P = f 2 3,P l [3]P,[3]P v [6]P l [6]P,P v [7]P f 3,P = f 2,P f 1,P l [2]P,P v [3]P f 3,P = f 2,P l [2]P,P v [3]P f 2,P = f 1,P f 1,P l P,P v [2]P f 7,P = ( lp,p v [2]P ) 2 l [2]P,P l v [3]P,[3]P [3]P v [6]P l [6]P,P v [7]P

35 Computation of pairings Data: r = (r n... r 0 ) 2, P E(F q ) and Q E(F q k ) ; Result: f r,p (Q) F q k ; 1 : T P, f 1 1, f 2 1 ; for i = n 1 to 0 do ; end if r i = 1 then end return ; ; ; ; ;

36 Computation of pairings Data: r = (r n... r 0 ) 2, P E(F q ) and Q E(F q k ) ; Result: f r,p (Q) F q k ; 1 : T P, f 1 1, f 2 1 ; for i = n 1 to 0 do 2 : T [2]T ; end if r i = 1 then 5 : T T + P ; ; ; end return ; ;

37 Computation of pairings Data: r = (r n... r 0 ) 2, P E(F q ) and Q E(F q k ) ; Result: f r,p (Q) F q k ; 1 : T P, f 1 1, f 2 1 ; for i = n 1 to 0 do 2 : T [2]T ; 3 : f 1 f 1 2 h 1 (Q) ; 4 : f 2 f 2 2 v 2 (Q) ; end if r i = 1 then 5 : T T + P ; ; ; end return

38 Computation of pairings Data: r = (r n... l 0 ) 2, P E(F q ) and Q E(F q k ) ; Result: f r,p (Q) F q k ; 1 : T P, f 1 1, f 2 1 ; for i = n 1 to 0 do 2 : T [2]T ; 3 : f 1 f 1 2 h d (Q) ; 4 : f 2 f 2 2 v d (Q) ; end if r i = 1 then 5 : T T + P ; 6 : f 1 f 1 h a (Q) ; 7 : f 2 f 2 v a (Q); end return

39 Computation of pairings Data: r = (r n... l 0 ) 2, P E(F q ) and Q E(F q k ) ; Result: f r,p (Q) F q k ; 1 : T P, f 1 1, f 2 1 ; for i = n 1 to 0 do 2 : T [2]T ; 3 : f 1 f 1 2 h 1 (Q) ; 4 : f 2 f 2 2 v 1 (Q) ; end if r i = 1 then 5 : T T + P ; 6 : f 1 f 1 h 2 (Q) ; 7 : f 2 f 2 v 2 (Q); end return f 1 f2

40 Pairings Properties of pairings Pairing based cryptography Identity Based Cryptography Construction Miller's algorithm Properties Construction Outline Dierential Power Analysis Attack Denition Against the Miller's algorithm Conclusion

41 Side Channel Attacks Side Channel Attacks are attacks based on information gained from the physical implementation of a cryptosystem. DPA attacks are such that the pieces of the secret are discovered with the analysis of power consumption. There were rst introduiced for pairing based cryptography in 2006 by Page and Vercauteren against the Duursma and Lee algorithm.

42 Side Channel Attacks In an Identity Based protocol : an attacker knows the algorithm used and the number of iterations. The secret is only one of the arguments of the pairing. The secret key inuences neither the execution time nor the number of iterations of the algorithm.

43 Description of the DPA attack We assume that the pairing is used during an Identity Based Protocol. The secret is the point P, rst argument of the pairing e(p, Q). Aim of the DPA attack We want to recover the value of X P, Y P et Z P. The equation of h 1 is h 1 (Q) = Z 3 Z 2 P y Q 2Y 2 P (3X 2 P az 4 P )(x Q Z 2 P X P)

44 Description of the DPA attack We assume that the pairing is used during an Identity Based Protocol. The secret is the point P, rst argument of the pairing e(p, Q). Aim of the DPA attack We want to recover the value of X P, Y P et Z P. The equation of h 1 is h 1 (Q) = Z 3 Z 2 P y Q 2Y 2 P (3X 2 P az 4 P )(x Q Z 2 P X P) First, we nd Z P using the product x Q Z 2 P.

45 Description of the DPA attack We assume that the pairing is used during an Identity Based Protocol. The secret is the point P, rst argument of the pairing e(p, Q). Aim of the DPA attack We want to recover the value of X P, Y P et Z P. The equation of h 1 is h 1 (Q) = Z 3 Z 2 P y Q 2Y 2 P (3X 2 P az 4 P )(x Q Z 2 P X P) First, we nd Z P using the product x Q Z 2 P. Then, we nd Y P using the product Z 3 Z 2 P y Q = 2Y P Z P Z 2 P y Q.

46 Description of the DPA attack We assume that the pairing is used during an Identity Based Protocol. The secret is the point P, rst argument of the pairing e(p, Q). Aim of the DPA attack We want to recover the value of X P, Y P et Z P. The equation of h 1 is h 1 (Q) = Z 3 Z 2 P y Q 2Y 2 P (3X 2 P az 4 P )(x Q Z 2 P X P) First, we nd Z P using the product x Q Z 2. P Then, we nd Y P using the product Z 3 Z 2 P y Q = 2Y P Z P Z 2 P y Q. Finally, we nd X P using the elliptic curve equation.

47 Implementation We used an integrated simulation environment for the Dierential Power Analysis proposed by Di Natale, Flottes and Rouzeire that returns power consumption traces from transistor level simulations. This DPA suite executes the statistical analysis. For example, this is the curves we obtain for the DPA attack against the product

48 Pairings Properties of pairings Pairing based cryptography Identity Based Cryptography Construction Miller's algorithm Properties Construction Outline Dierential Power Analysis Attack Denition Against the Miller's algorithm Conclusion

49 Conclusion The Miller's algorithm is vulnerable to a DPA attack. Vulnerability of pairings based on the Miller's algorithm We demonstrate that if the secret is the rst parameter in a pairing calculation, then we can nd it. Our attack is also realistic when the secret is the second argument or the pairing. As a consequence Weil, Tate and Ate could not withstand such attacks, even if the secret is the rst parameter.

50 The end Thank you for your attention. Any question?