Tampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014

Size: px

Start display at page:

Download "Tampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014"

Delphia Eaton
6 years ago
Views:

1 Tampering attacks in pairing-based cryptography Johannes Blömer University of Paderborn September 22, / 16

2 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable map e : G G G T, where G, G, G T are finite groups of the same size. Bilinearity: e(p + Q, R) = e(p, R) e(q, R) for all P, Q G, R G e(p, R + Q) = e(p, R) e(p, Q) for all P G, Q, R G. Non-degeneracy: for all P G \ {O} there is a Q G such that e(p, Q) 1. 2 / 16

3 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable map e : G G G T, where G, G, G T are finite groups of the same size. Bilinearity: e(p + Q, R) = e(p, R) e(q, R) for all P, Q G, R G e(p, R + Q) = e(p, R) e(p, Q) for all P G, Q, R G. Non-degeneracy: for all P G \ {O} there is a Q G such that e(p, Q) 1. plus crypto assumptions 2 / 16

4 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable map e : G G G T, where G, G, G T are finite groups of the same size. Bilinearity: e(p + Q, R) = e(p, R) e(q, R) for all P, Q G, R G e(p, R + Q) = e(p, R) e(p, Q) for all P G, Q, R G. Non-degeneracy: for all P G \ {O} there is a Q G such that e(p, Q) 1. plus crypto assumptions e(a P, b Q) = e(b P, a Q) = e(ab P, Q) = e(p, Q) ab can be used to combine and recombine shares of secrets or secrets and nonces 2 / 16

5 Pairings Applications identity-based encryption attribute-based encryption group signatures key agreement anonymous credentials... 3 / 16

6 Pairings Applications identity-based encryption attribute-based encryption group signatures key agreement anonymous credentials... Attribute-based encryption encrypt data under attributes, not for individual users, users get rights, if rights and attributes match, data can be decrypted 3 / 16

7 Pairings Applications identity-based encryption attribute-based encryption group signatures key agreement anonymous credentials... Attribute-based encryption encrypt data under attributes, not for individual users, users get rights, if rights and attributes match, data can be decrypted 3 / 16

8 Pairings Applications identity-based encryption attribute-based encryption group signatures key agreement anonymous credentials... Attribute-based encryption encrypt data under attributes, not for individual users, users get rights, if rights and attributes match, data can be decrypted 3 / 16

9 Pairings Applications identity-based encryption attribute-based encryption group signatures key agreement anonymous credentials... Attribute-based encryption encrypt data under attributes, not for individual users, users get rights, if rights and attributes match, data can be decrypted 3 / 16

10 Elliptic curves Elliptic curves F a field (finite or infinite), F algebraic closure a, b F E := {(x, y) F 2 : y 2 = x 3 + ax + b = 0} {O} elliptic curve over F O point at infinity elliptic curves have group structure using chord and tangent law 4 / 16

11 Elliptic curves Elliptic curves F a field (finite or infinite), F algebraic closure a, b F E := {(x, y) F 2 : y 2 = x 3 + ax + b = 0} {O} elliptic curve over F O point at infinity elliptic curves have group structure using chord and tangent law 4 / 16

12 Elliptic curves Elliptic curves F a field (finite or infinite), F algebraic closure a, b F E := {(x, y) F 2 : y 2 = x 3 + ax + b = 0} {O} elliptic curve over F O point at infinity elliptic curves have group structure using chord and tangent law Q P (P + Q) P + Q 4 / 16

13 Elliptic curves Elliptic curves F a field (finite or infinite), F algebraic closure a, b F E := {(x, y) F 2 : y 2 = x 3 + ax + b = 0} {O} elliptic curve over F O point at infinity elliptic curves have group structure using chord and tangent law Q P 2P 2P (P + Q) P + Q 4 / 16

14 Torsion points and embedding degree 5 / 16

15 Torsion points and embedding degree Torsion points on elliptic curves E elliptic curve, P E, r N P torsion point of order r, iff r P = O E[r] := set of points of order r E[r] is subgroup of E 5 / 16

16 Torsion points and embedding degree Torsion points on elliptic curves E elliptic curve, P E, r N P torsion point of order r, iff r P = O E[r] := set of points of order r E[r] is subgroup of E points of order 2 5 / 16

17 Torsion points and embedding degree Torsion points on elliptic curves E elliptic curve, P E, r N P torsion point of order r, iff r P = O E[r] := set of points of order r E[r] is subgroup of E point of order 4 R 5 / 16

18 Torsion points and embedding degree Torsion points on elliptic curves E elliptic curve, P E, r N P torsion point of order r, iff r P = O E[r] := set of points of order r E[r] is subgroup of E point of order 4 R Embedding degree F = F q finite field, r N smallest k s.th. r (q k 1) called embedding degree E[r] E(F q k ) := E (F q k F q k ) 5 / 16

19 Miller s algorithm Miller Algorithm (MA) input : r N, P, Q E, Q P, O, r = t j=0 r j2 j, r j {0, 1} T P ; for j = t do T 2T ; if r j = 1 then T T + P; 6 / 16

20 Miller s algorithm Miller Algorithm (MA) input : r N, P, Q E, Q P, O, r = t j=0 r j2 j, r j {0, 1} output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f ; l U,V := equation of line through U, V 6 / 16

21 The Weil pairing µ r := {u F q k : u r = 1} (set of r-th roots of unity) Definition 2 (Weil/Miller) The Weil pairing w r is the map defined by w r : E[r] E[r] µ r (P, Q) ( 1) r f r,p (Q) f r,q (P). 7 / 16

22 The Weil pairing µ r := {u F q k : u r = 1} (set of r-th roots of unity) Definition 2 (Weil/Miller) The Weil pairing w r is the map defined by w r : E[r] E[r] µ r (P, Q) ( 1) r f r,p (Q) f r,q (P). w r is bilinear and non-degenerate, but rather inefficient, two invocations of MA 7 / 16

23 The reduced Tate pairing Definition 3 The reduced Tate pairing t r is the map defined by t r : E[r] E ( ) / ( ) F q k re Fq k µr (P, Q) f r,p (Q) (qk 1)/r. 8 / 16

24 The reduced Tate pairing Definition 3 The reduced Tate pairing t r is the map defined by t r : E[r] E ( ) / ( ) F q k re Fq k µr (P, Q) f r,p (Q) (qk 1)/r. t r requires one MA invocation and one exponentiation, the final exponentiation (FE) more efficient to compute than w r variants of t r lead to pairings currently proposed for applications most variants have the structure MA + FE 8 / 16

25 Fault attacks on pairings most applications don t just compute a pairing - never mind MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 9 / 16

26 Fault attacks on pairings most applications don t just compute a pairing - never mind secret is not the scalar r, rather it is P or Q MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 9 / 16

27 Fault attacks on pairings most applications don t just compute a pairing - never mind secret is not the scalar r, rather it is P or Q both MA and FE individually are usually hard to invert MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 9 / 16

28 Fault attacks on pairings most applications don t just compute a pairing - never mind secret is not the scalar r, rather it is P or Q both MA and FE individually are usually hard to invert FE many-to-one, need to find the right preimage MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 9 / 16

29 Fault attacks on pairings most applications don t just compute a pairing - never mind secret is not the scalar r, rather it is P or Q both MA and FE individually are usually hard to invert FE many-to-one, need to find the right preimage MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; game is different from standard elliptic curve cryptography (ECC) for practical evaluation see Marie s talk. 9 / 16

30 Attacking a pairing - how to deal with FE 1 Ignore the problem. 2 Show that you can use correlated faults to induce faults in Miller s algorithm and skip the final exponentiation. (see Peter s talk) 3 Assume that you can induce faults into Miller s algorithm and additional faults into the final exponentiation that facilitate the inversion problem for the exponentiation. 4 Use particular curves and pairings for which the inversion problem for the final exponentiation can be solved efficiently. 10 / 16

31 The strategies MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16

32 The strategies attack operations in lines 3,4,6,7 lines 4 and 7 seem difficult MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16

33 The strategies attack operations in lines 3,4,6,7 lines 4 and 7 seem difficult lines 3,6: attack by Wheelan, Scott and others MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16

34 The strategies attack operations in lines 3,4,6,7 lines 4 and 7 seem difficult lines 3,6: attack by Wheelan, Scott and others attack loop in lines 2-7 (Page-Vercauteren) MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16

35 The strategies attack operations in lines 3,4,6,7 lines 4 and 7 seem difficult lines 3,6: attack by Wheelan, Scott and others attack loop in lines 2-7 (Page-Vercauteren) leave the loop after completing a certain number of iterations MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16

36 The strategies attack operations in lines 3,4,6,7 lines 4 and 7 seem difficult lines 3,6: attack by Wheelan, Scott and others attack loop in lines 2-7 (Page-Vercauteren) leave the loop after completing a certain number of iterations leave the loop within an iteration and before executing the if-instruction in line 5 MA + FE input : r N, P, Q E output: f r,p (Q) 1 T P, f 1; 2 for j = t do 3 f f 2 l T,T (Q) /l 2T, 2T (Q); 4 T 2T ; 5 if r j = 1 then 6 f f l T,P (Q) /l T +P, (T +P) (Q); 7 T T + P; 8 return f (qk 1)/r ; 11 / 16

37 Skipping iterations with two independent faults induce single fault in two independent runs of algorithm MA + FE 12 / 16

38 Skipping iterations with two independent faults induce single fault in two independent runs of algorithm MA + FE in first run leave for-loop after iteration s to obtain f (qk 1)/r s MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t 2... s do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 12 / 16

39 Skipping iterations with two independent faults induce single fault in two independent runs of algorithm MA + FE in first run leave for-loop after iteration s to obtain f (qk 1)/r s in first run leave for-loop after iteration s 1 to obtain f (qk 1)/r s 1 MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t 2... s 1 do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 12 / 16

40 Skipping iterations with two independent faults - analysis P known, Q secret f s 1 l r fs 2 = P,r P(Q) l 2r P,P(Q) r s 1 l 2r P, 2r P(Q) l r P, r P(Q) r s 1 in coordinates of Q determine Q using computer algebra (system) low degree function 13 / 16

41 Skipping iterations with two independent faults - analysis P known, Q secret f s 1 l r fs 2 = P,r P(Q) l 2r P,P(Q) r s 1 l 2r P, 2r P(Q) l r P, r P(Q) r s 1 in coordinates of Q determine Q using computer algebra (system) only get ( f s 1 /fs 2 ) (q k 1)/r (final exponentiation) low degree function 13 / 16

42 Skipping iterations with two independent faults - analysis P known, Q secret f s 1 l r fs 2 = P,r P(Q) l 2r P,P(Q) r s 1 l 2r P, 2r P(Q) l r P, r P(Q) r s 1 in coordinates of Q determine Q using computer algebra (system) only get ( f s 1 /fs 2 ) (q k 1)/r (final exponentiation) similar analysis for other fault attacks low degree function 13 / 16

43 Final exponentiation (q k 1)/r may be small, i.e. 4 by choice of q, E, r 14 / 16

44 Final exponentiation (q k 1)/r may be small, i.e. 4 by choice of q, E, r (q k 1)/r may be of special structure, that can be exploited due to optimizations of reduced Tate pairing 14 / 16

45 Final exponentiation (q k 1)/r may be small, i.e. 4 by choice of q, E, r (q k 1)/r may be of special structure, that can be exploited due to optimizations of reduced Tate pairing final exponentiation can be skipped with correlated fault exponent can be simplified with correlated fault 14 / 16

46 Final exponentiation (q k 1)/r may be small, i.e. 4 by choice of q, E, r (q k 1)/r may be of special structure, that can be exploited due to optimizations of reduced Tate pairing final exponentiation can be skipped with correlated fault exponent can be simplified with correlated fault final exponentiation should not be considered a countermeasure against fault attacks 14 / 16

47 Conclusion fault attacks against pairings possible and realistic (see last two talks today) but more complex than in ECC, both in realization and in analysis combination of Miller algorithm and final exponentiation main difficulty 15 / 16

48 Conclusion fault attacks against pairings possible and realistic (see last two talks today) but more complex than in ECC, both in realization and in analysis combination of Miller algorithm and final exponentiation main difficulty timing and power analysis attacks also possible since points not scalars are the secrets need to attack arithmetic/elliptic curve operations 15 / 16

49 Conclusion fault attacks against pairings possible and realistic (see last two talks today) but more complex than in ECC, both in realization and in analysis combination of Miller algorithm and final exponentiation main difficulty timing and power analysis attacks also possible since points not scalars are the secrets need to attack arithmetic/elliptic curve operations MA + FE input : r N, P, Q E output: f r,p (Q) T P, f 1; for j = t 2... s do f f 2 l T,T (Q) /l 2T, 2T (Q); T 2T ; if r j = 1 then f f l T,P (Q) /l T +P, (T +P) (Q); T T + P; return f (qk 1)/r ; 15 / 16

50 thank you Thank you! 16 / 16

Ate Pairing on Hyperelliptic Curves

Ate Pairing on Hyperelliptic Curves R. Granger, F. Hess, R. Oyono, N. Thériault F. Vercauteren EUROCRYPT 2007 - Barcelona Pairings Pairings Let G 1, G 2, G T be groups of prime order l. A pairing is a