Inverting the nal exponentiation of Tate pairings on ordinary elliptic curves using faults

Transcription

1 Inveting the nal exponentiation of Tate paiings on odinay elliptic cuves using faults Ronan Lashemes 1,2, Jacques Founie 1, and Louis Goubin 2 1 CEA-TechReg, Gadanne, Fance onan.lashemes@cea.f, jacques.founie@cea.f 2 UVSQ-PRiSM, Vesailles, Fance louis.goubin@pism.uvsq.f Abstact. The calculation of the Tate paiing on odinay cuves involves two majo steps: the Mille Loop (ML) followed by the Final Exponentiation (FE). The st step fo achieving a full paiing invesion would be to invet this FE, which in itself is a mathematically dicult poblem. To ou best knowledge, most fault attack schemes poposed against paiing algoithms have mainly focussed on the ML. They solved, if at all, the invesion of the FE in some special `easy' cases o even showed that the complexity of the FE is an intinsic countemeasue against a successful full fault attack on the Tate paiing. In this pape, we pesent a fault attack on the FE wheeby the invesion of the nal exponentiation becomes feasible using 3 independent faults. Keywods: Tate paiing, Ate paiing, nal exponentiation, fault attacks. 1 Intoduction Paiing-Based Cyptogaphy (PBC) uses bilinea mappings (o paiings) to constuct cyptogaphic schemes. Identity-Based Encyption (IBE) [1], anonymous IBE, one ound Die-Hellman key exchanges o seachable encyption [2] constitute the scope of pomising applications of PBC, accentuating the need fo secue implementations. An exhaustive liteatue is cuently available on the choice of cuves and associated paametes fo secue ecient PBC implementations as well as analyses coveing the issues linked to the esistance of such implementations against side channel and fault attacks [3, 4]. A paiing calculation consists of two majo steps namely the Mille Loop (ML) and the Final Exponentiation (FE). Most of the existing wok coveing fault attacks against paiing calculations focuses on the ML [57], even stating in some cases that in pactice the pesence of the complex FE afte the ML educes the pactical signicance of such fault attacks [6, 7]. In this pape, we popose a scheme whee a fault attack, using only thee faulty outputs and a coect one, is used to calculate the input to the complex nal exponentiation despite the fact that the FE invesion has been dened as a mathematical had poblem [8]. To ou best knowledge, this is the st published fault attack on the FE which allows to un-nest the complex calculations

2 2 involved in this second pat of a paiing calculation, thus opening the way to the futue building of complete fault attack schemes against Tate-like paiings ove odinay cuves. We st begin by laying some of the basic notations and concepts used to descibe PBC. We then detail the stuctue of the Tate paiing befoe eviewing existing fault attack schemes in ode to undestand how ou scheme complements them. Afte that we explain ou attack, eview some of the limitations that we have identied (up to now), discuss its pactical feasibility befoe poposing countemeasues and concluding the pape. 2 Paiing Based Cyptogaphy Detailed desciptions of the ins and outs of a paiing implementation can be found in [9]. Below we shall intoduce the notations and concepts equied to undestand the poposed fault attack scheme against the Tate paiing on odinay cuves. Let p be a big pime numbe and E(F p ) an odinay elliptic cuve ove F p. Let be a pime diviso of cad (E(F p )). We dene the embedding degee k of E with espect to as the smallest intege such that p k 1. Additionally, Φ k (p), with Φ k the k-th cyclotomic polynomial [10, 11]. A paiing maps two points ove subgoups of ode of an elliptic cuve E ( F p k) to the multiplicative eld F p. As an example, the Tate paiing is dened k as.,. : E(F p )[] E(F p k)/([]e(f p k)) F p k/ ( F p k ) In ode to wok with actual values athe than equivalence classes (i.e. guaantee the uniqueness of the paiing esult), the output of the Tate paiing is mapped to µ with a nal exponentiation to the powe of pk 1. The goup µ is fomed by the -th oots of unity in F p k: µ = {x F p x = 1}. All Tate paiing outputs k in the same equivalence class ae mapped to a unique value in µ. The educed Tate paiing is then dened as t : E(F p )[] E(F p k)/([]e(f p k)) µ (P, Q) P, Q p k 1 The evaluation of P, Q is called the Mille Loop (ML) and the exponentiation to the powe pk 1 is the Final Exponentiation (FE). Seveal othe paiings on odinay cuves deived fom the Tate paiing, such as the Ate paiing [12] o the Optimal Ate paiing [13], have this nal exponentiation step, meaning that ou attack also woks on such altenative implementations.

3 3 3 The secuity of PBC fom a fault attack pespective In a pactical case, like in Boneh & Fanklin's IBE [1], the decyption scheme involves the calculation of a paiing between a `public' point and a `secet' one. The attacke's aim in this case is to ecove the secet point in ode to impesonate the legitimate owne of the secet key. The secuity of a paiing implementation is usually measued by the ability fo an attacke to ecove one of the two input points, knowing the second input point and the paiing esult. This poblem is called Fixed Agument Paiing Invesion (FAPI) which can in-tun be subdivided into two poblems: st the Exponentiation Invesion (EI) poblem which consists in ecoveing the output of the ML; then the Mille Invesion (MI) poblem which aims at ecoveing the taget point knowing the esult of the ML. These poblems have been ecently studied in [14] and [15] based on the pevious woks of [16] and [17]. The EI poblem can be stated as nding the unique coect peimage of the educed Tate paiing unde the FE knowing one input point and the educed nal esult. Indeed, one may nd the coect peimage knowing the nal educed esult with the additional infomation bought by the Mille Loop and the knowledge of one input point. Hee we will not discuss about the Mille Loop and we will conside only the nal exponentiation on a andom element f of F p. In this context, knowing k the esult of the exponentiation does not allow an attacke to ecove f puely mathematically since he cannot distinguish the coect peimage f fom all othe peimages in this many-to-one elationship (with as many as p12 1 peimages, e.g peimages fo k = 12). To nd the esult of the Mille Loop is not enough to solve the FAPI poblem since the MI poblem still needs to be solved. But ou appoach bings us a step close to achieving the full paiing invesion by showing that it is possible to invet the nal exponentiation with fault attacks. 3.1 Fault attacks against PBC Ou attack exploits the infomation bought by faults injected duing the execution of the FE on a computing device. A fault attack aims at disupting the expected behaviou of an algoithm. Such an attack may alte the data ow (coupting a data) o the contol ow (e.g. modifying the numbe of iteations in a loop). Fault injection techniques ange fom clock glitches, voltage glitches to moe advanced techniques such as the use of a lase beam o an electomagnetic pulse. A fault injection is not an easy task as seveal paametes (intensity, spatial localisation, time of injection... ) have to be monitoed in ode to achieve the desied faulty behaviou without damaging the taget [18, 19]. Fault attacks on paiing have aleady been discussed in vaious contexts [5 7]. Schemes have been poposed in ode to evese the Mille Loop by alteing the numbe of iteations in the loop [5, 7] o by alteing the value at the last iteation [6]. In these papes, to complete thei attacks, the authos popose

4 4 stategies to invet the FE: they conside paiings with eithe a simple FE [5] o without any FE [6] at all, which ae not elevant to Tate-like paiings on odinay cuves. Fo the latte situation, the authos in [6] even conclude that the complex FE is an inheent deteent to the use of fault attacks on the entie paiing scheme ove odinay cuves since the exponentiation could not be evesed. Fo such a situation, in [7], the authos popose to shot-cicuit the entie exponentiation outine but this appoach is ticky as it means that the attack must not only bypass an entie outine but must at the same time have access to the esult of the Mille Loop. In this pape we popose what is in ou opinion a moe ealistic appoach whee, by using 3 independent faults (on 3 executions of the same paiing calculation), the FE itself can be evesed. 3.2 Fault model In the binay epesentation, a fault eect can be epesented with a bit-xor opeation (bit-ip faults), bit-and (stuck at zeo faults) o bit-or (stuck at one faults) on the data (o contol) value. One has then to tanslate the fault eect as a valid mathematical opeation in ou eld. As a consequence a fault value is intinsically dependent on the binay epesentation of an element in that eld. A fault must have a manageable limited eect. Typically, a simple fault model is to conside andom faults on a machine wod-size data. An example would be a andom single-byte fault on an 8-bit micocontolle. Such a simple model is compatible with some of the latest fault injection techniques poposed in the liteatue: fo example in [19], the authos illustate how an electomagnetic pulse might coupt the execution of an instuction, modelled by an instuction skip. With this method we can adopt a fault model whee a data couption, of the size of a machine wod, can be achieved by the skipping of an instuction. To accommodate the divesity of existing platfoms, we chose to conside a andom fault value on one wod of an l-bit achitectue. It can be modelled as the addition with e whee 2 l < e < 2 l if the fault occus on the least signicant wod of the binay epesentation of the eld element. If a fault occus on anothe wod (e.g. on the i-th wod), the fault value e should be multiplied by 2 i l to model the fault eect coectly (it may be necessay if the attacke wants to inject two dieent fault values on the same intemediate esult using instuction skips). Fo claity, fom now on we shall conside the fault model to be such that 0 < e < 2 l (it is a valid model fo andom stuck at 1 faults on one wod). The extension of ou fault attack to negative eo values is staight fowad since we guess the value of e in ou equations. 3.3 Motivations fo fault attacks against the FE Seveal elements hint at the potential eciency of a fault attack on the FE. Fist the esult of the educed Tate paiing is in µ which contains elements. But this esult is epesented as an element of the full F p k eld. To give an example, on a Baeto-Naehig (BN) cuve ove F p 12 with log 2 (p) 256, an element in µ has

5 log 2 () 256 bits of infomation but it is epesented ove 12 log 2 (p) 3072 bits! This means that = 2816 bits ae edundant. A tempting appoach fo the attacke would be to use these bits to lean infomation about the tageted peimage by inducing a fault that divets intemediate values fom thei subgoup. 5 4 Inveting the FE using fault attacks As mentioned in [6], the FE in Tate-like paiings is a complex calculation. We show how pecisely chosen faults can help in nding the citical intemediate values to nally evese the entie exponentiation. Ou wok is based on the algoithms poposed by Scott et al. in [10]. It focuses on FE in elds with an even embedding degee. We shall wite d = k/2. The optimisation technique descibed in [10], still widely used in paiing implementations, is based on the decomposition of the FE into thee stages. As pk 1 can be e-witten as pk 1 = ( p d 1 ) pd +1 Φ k (p) Φk(p), the FE can be pefomed as a succession of thee exponentiations. Two ae easy (with ( p d 1 ) and pd +1 Φ k (p) ) since they ely on exponentiations to the powe pn fo some n and can hence be computed with the help of the Fobenius endomophism which has a low computational cost. The last step is the so-called had exponentiation (because it cannot ely on the use of the Fobenius) and is the exponentiation to the powe Φ k(p). Fo example, with k = 12, we have p 12 1 = ( p 6 1 ) (p ) p4 p (1) Let f, the esult of a Mille Loop, be a andom value in F p. We name these k intemediate esults of each exponentiation p d +1 f 1 = f pd 1 Φ ; f 2 = f k (p) 1 and f 3 = f Φk(p) 2 (2) The attacke knows the esult f 3 and wants to ecove f. Note that f 1, f 2 and f 3 belong to dieent subgoups of F p k. Since f F p k, the following equations hold f pk 1 = 1 ; f pd +1 1 = 1 ; f Φ k(p) 2 = 1 and f 3 = 1 (3) Thus f 1 µ p d +1, f 2 µ Φk (p) and f 3 µ. These subgoups have sizes p d + 1, Φ k (p) and espectively. As an example fo k = 12, f 1 contains 1536 bits of infomation, f 2 contains 1024 bits of infomation and f 3 contains 256 bits of infomation. 4.1 Recoveing f 1 In this section we shall show how a fault on the intemediate value f 1 can help to etieve its value.

6 6 UI UI Easymexponentiationm1 Mp Mp Mp2 Mp UI Sq f f 1 f 2 Sq Mp6 Mp2. x. x. x. -1 Mp UI Easymexponentiationm2 Mp2 UI MpX Multiplication Invesionmofmanm unitaymelement Fobeniusmapplicationm. px UI Mp Sq Sq f 3 =f pk -1 Sq Squaing. x Exponentiationmbymx Hadmexponentiation Fig. 1. Algoithm fo the FE in F p 12. x is a public paamete of the cuve. Extacting a candidate We st have the following lemma. Lemma 1. Let F p k = F p d[w]/(w 2 v) be the constuction ule fo the F p k extension eld. v is a quadatic nonesidue in F p d and is a public paamete. Let x F p k be such that x = g +h w with g, h F p d. Then x pd +1 = g 2 v h 2 F p d. Poof. We have x pd = g h w since x pd = (g +h w) pd = g pd +h pd w pd = g +h ( w). As a esult x pd +1 = x pd x = (g h w) (g+h w) = g 2 w 2 h 2 = g 2 v h 2 since w 2 = v Let f 1 = g 1 + h 1 w with g 1, h 1 F p d. We have Thus by Lemma 1 f pd +1 1 = f 3 = 1 (4) g 2 1 v h 2 1 = 1 (5) But equation (4) holds only because f 1 µ pd +1. Let e F p d be a fault injected on f 1 (say duing the multiplication poducing f 1 o duing the loading of f 1 fo the second easy exponentiation - see Fig. 1.) such that the faulty value f1 equals f 1 = f 1 + e µ pd +1 (6) We conside that the fault e occus only on the g 1 component 3 (which is compatible with ou fault model if 2 l < p 6 ), i.e 3 If on h 1, the same agumentation can be done. f 1 = (g 1 + e) + h 1 w (7)

7 7 (f 1 ) pd +1 can be computed by the attacke using the measued faulty esult f 3 since is public knowledge Using Lemma 1 and equations (5) and (7) we have (f 1 ) pd +1 = (f 3 ) F p d (8) Finally, g 1 can be witten as: (f 1 ) pd +1 = (g 1 + e) 2 v h 2 1 = g 2 1 v h e g 1 + e 2 = e g 1 + e 2 g 1 = (f 1 ) pd +1 1 e 2 2 e Two possible values fo h 1 can hence be calculated using equation (5): (9) h + 1 = g v ; h 1 = g v (10) Veifying the candidates The two candidates f + 1 = g 1 + h + 1 w and f 1 = g 1 + h 1 w can thus be veied by checking if (f + 1 ) pd +1 = f 3 o (f 1 ) pd +1 = f 3. If the value of e is unknown, the attacke must guess the injected fault. Fo each guess, two candidates ae computed and checked. A candidate is equal to the coect f 1 only when the coect e is guessed. In ou fault model, 0 < e < 2 l thus 2 l 1 attempts have to be made to nd f 1 with 100% cetainty. At this stage one may wonde what is the chance that the attacke nds a valid f 1 candidate (and an eo value) which ts all his obsevations but is not equal to f 1 (i.e. a false positive). The f 1 candidate is noted f 1c and the coesponding eo guessed is e c. f pd +1 1c = 1 (11) (f 1c + e c ) pd +1 = (f 3 ) (12) But, the attacke obseves f 3 = f p d +1 1 and f3 = (f 1 + e) p d +1. The question is what is the pobability that f 1c f 1 but that f 3 = f p d +1 1c (13) f 3 = (f 1c + e c ) p d +1 (14)

8 8 Using equation (11), the pobability that equation (14) is veied can be infeed as being equal to 1/ fo a andom f 1c in µ p +1. Indeed we aleady know that d f p d +1 1c is in µ and 1/ is the pobability that one andom element in µ p d +1 maps to a xed value f 3 in µ. Similaly, fom equation (12), we can deduce that the pobability fo equation (13) to be veied is equal to 1/ fo a andom f 1c in F p since (f k 3 ) = (f 1c + e c ) pd +1 µ pd 1. Thus f3 µ (pd 1) and (f3 ) has peimages in µ (pd 1). As a consequence, the pobability that we obtain the coect peimage is 1/. We can combine these two pobabilities and evaluate the pobability of having an incoect candidate fo f 1 that matches the attacke's obsevations. The pobability that a andom candidate satisfying equations (11) and (12) also satises equations (13) and (14), coesponding to the obsevations of the attacke, is equal to 1/ 2. In the case whee k = 12, typically 2 256, the pobability of nding a valid candidate which is not equal to f 1 is 1/ Hence we have shown how a fault injected on f 1 can be used to ecove the latte's value, with a high pobability, using the coect output f 3 and the faulty one f3 of the FE. 4.2 Recoveing f Knowing the value of f 1, we shall now see how to ecove f. Extacting a candidate The stategy is to use simila equations to the ones used peviously and to include the new infomation about f 1 obtained by the attacke. Poof of the lemma is in Appendix A. Lemma 2. Let f = g + h w, f 1 = g + h w and f 1 = g 1 + h 1 w. Then g1 1 v h 1 = h g = h g f 1 = f pd 1. In the following, let K be the known value (known because we know g 1 and h 1 fom f 1 found peviously) K = g1 1 v h 1 = h g. As a consequence, the knowledge of f 1 allows to nd andom peimages by taking a andom g F p d and choosing h = K g. To ecove f, the attacke ceates a new fault e 2 F p d in the st easy exponentiation (see Fig. 1.). Then duing the invesion f 1 = f pd 1 = f f 1 and f 1 = f (f 1 + e 2 ) Let f1 be the dieence: f1 = f1 f 1 = f e 2. Since e 2 F p d, we can wite f1 = g1 + h1 w with g1 = e 2 g and h1 = e 2 h As f 1 is not in µ p d +1 with a high pobability equal to (1 1 2 pd 1 ), the attacke can compute (f 1 ) pd +1 = (f 3 ) F p d.

9 9 In this case (f 1 ) pd +1 = (g 1 + g1 ) 2 v (h 1 + h1 ) 2 = (g 1 + e 2 g) 2 v (h 1 e 2 h) 2 which gives the quadatic equation (using the elation h = g K) g 2 e 2 2 (1 v K 2 ) + g 2 e 2 (g 1 v K h 1 ) + 1 (f 1 ) pd +1 = 0 (15) We then solve this equation to obtain two solutions fo g: g + = v K h 1 g 1 + (g 1 v K h 1 ) 2 (1 v K 2 ) (1 (f ) 1 )pd +1 e 2 (1 v K 2 ) g = v K h 1 g 1 (g 1 v K h 1 ) 2 (1 v K 2 ) (1 (f ) 1 )pd +1 e 2 (1 v K 2 ) h can be computed with g and K: h = g K. Thus we have two potential candidates fo f. Veifying the candidates Even if e 2 is unknown, this pocedue gives two candidates by guessing e 2. Now, whethe this guess is coect o wong, evey potential candidate f c has the following popety: f pd 1 = f 1 and theefoe f p k 1 c = f 3. The attacke has found seveal valid peimages of f 3 and has to decide which is the coect one. By checking whethe ( f c (fc 1 +e 2 )) p d +1 is equal to the faulty esult f3 allows to eliminate one of the two candidates fo this guess of e 2. We nally obtain one candidate fo each e 2 guessed and this candidate satises all obsevations made by the attacke. Finally we obtain a set of candidates of the same size as the set of possible eo values. The attacke has then to geneate a thid fault e 3, dieent fom e 2, at the same location as the last one and intesect the two sets of candidates to nd the coect one. Unfotunately, this intesection does not necessaily contain only one element. We can evaluate the size of this intesection set. Fist we can neglect the pobability that a andom element of F p maps to k f 1 (the pobability is 1/(p d + 1)). Equation (15) outputs one f candidate f c1 by guessing e 2 = 1. Then the set of candidates fo this eo is {f c1, f c2,..., f c(2 1)} l with f ci coesponding to the guess e 2 = i. If we eplace the poduct g e 2 by g i (i e 2) in equation (15), we can see that the pevious set can be ewitten as {f c1, fc1 2,..., f c1 Similaly with e 3, equation (15) outputs one f candidate f c1 by guessing 2 l 1 }. e 3 = 1 and then f ci = f c1/i. The second set of candidates is {f c1, f c1 2,..., f c1 2 l 1 }. c

10 10 Let e 2t and e 3t be the two faults tuly injected. Since the coect value f is in the two sets of candidates, st equal to f c1 /e 2t then equal to f c1/e 3t, we have f = f c1 e 3t = f c1 e 2t (16) Witing a = e2t e 3t, equation (16) can be tansfomed into f c1 = f c1 /a. The second set of candidates can be ewitten as { fc1 a, fc1 2a,..., f c1 }. Thus a same (2 l 1)a candidate is in the two sets each time the equation a i = j (17) is satised with i, j [1, 2 l 1]. In ou fault model, we can take e 2t and e 3t as elements in N and the numbe of solutions to this equation becomes (2 l 1) gcd(e2t,e3t) max(e 2t,e 3t) as shown in Appendix B. Finally the size of the intesection, which also contains the coect candidate, is #intesection = (2 l 1) gcd(e 2t, e 3t ) (18) max(e 2t, e 3t ) and the numbe of wong candidates is #intesection 1 = (2 l 1) gcd(e 2t, e 3t ) 1 (19) max(e 2t, e 3t ) The intesection of the sets of candidates obtained with e 2 and with e 3 contains at least one element if we get the two guesses coect once. The computational cost of f ecovey is low since the attacke has to use the pocedue to ecove a candidate though equation (15) only once pe fault injected with guesses e 2 = 1 and e 3 = 1. Then he stoes the coesponding candidates and computes the atio a = f c1 /f c1. Finally he solves equation (17), tying all i [1, 2 l 1] and checking that a i [1, 2 l 1], which povides e 2t and e 3t (only solutions if thee is no wong candidate). With e 2t, he computes f = f c1 /e 2t. The memoy used in the ecovey of f is just one element of F p k pe fault injected. We cannot avoid the occuence of wong candidates. In ode to conclude ou attack we must have a unique candidate which satises all ou obsevations. If moe than one candidate is contained in the intesection of the two sets then othe faults must be geneated at the same location until one candidate only matches all the obsevations of the attacke. 4.3 Summay of ou fault attack on the Tate paiing's FE At least fou executions of the same paiing on the computing device ae equied to pefom ou attack. 1. The computation is executed nomally. The attacke stoes f 3 the coect esult of the exponentiation.

11 2. A st fault is ceated on f 1 accoding to Section 4.1. The attacke memoizes f 3, a st faulted esult. f 1 is found using equations (9) and (5). 3. A second fault e 2 is ceated duing the invesion in the st easy exponentiation accoding to Section 4.2. The attacke stoes f 3, the faulted esult and extacts a candidate f c1 fo f guessing e 2 = 1 with equation (15) and Lemma Similaly to the pevious step, a thid fault e 3 e 2 is ceated. With the faulted esult f 3, the attacke extacts a new candidate f c1 fo f guessing e 3 = 1. The value a = f c1 /f c1 is then computed. A pai (i, j) solution to the equation a i = j with i, j [1, 2 l 1] allows him to compute f = f c1 /j. If seveal pais (i, j) ae found, moe faults may be needed to ensue the uniqueness of the candidate fo f. The impotant featue of this scheme is that only one fault pe execution is needed to ecove f, no double o tiple faults Pactical feasibility of ou attack This attack scheme has been expeimentally checked with Sagemath [20] in F p 12 with paametes identical to [9]. Ou fault model was the injection of a andom e with 0 < e < 2 l. Fo a andom f F p k, we simulated 1000 fault injections fo f 1 ecovey with a andom fault e [1, ] and we made guesses on the fault value pe injection. As a esult, f 1 was coectly found fo evey fault injection and no wong candidate was obseved. Similaly, we simulated f ecovey knowing f 1. Two dieent eos in [1, 2 l 1] wee injected fo 100 fault injections, st fo l = 7 and then fo l = 10. The numbe of wong candidates eached, in aveage, 4.87 fo l = 7 and 5.66 fo l = 10. These examples show that even when we loosen the constaints on the possible eos (fom 2 7 to 2 10 ) the numbe of wong candidates, on aveage, does not incease damatically. But of couse, the computational cost of the attack inceases with 2 l. A detailed example of an implementation of the attack is pesented in Appendix C. 5 Countemeasues So fa in the liteatue, most countemeasues poposed against fault attacks on paiings focus on potecting the Mille Loop fo the good eason that it has been the main taget of the fault attacks [5, 21, 22]. With ou attack on the FE, we hope that othe ecient countemeasues shall be poposed by the community in addition to the suggestions made below. Invesion of unitay elements: In some implementations, an ecient countemeasue is aleady pesent. Indeed since nomally f 1 µ p +1, this element d is called unitay and has the following popety: f1 1 = f 1. As a consequence, all invesions besides the st one (necessay to compute f 1 ) ae eplaced by a

12 12 simple conjugation which has a fa lowe computational cost. As a consequence a fault injected on f 1 cannot be exploited since the esulting output is not equal to the expected value (f1 ) pd +1. The conclusion is that implementations should ensue that the invesions of unitay elements ae always eplaced with conjugations. Additionally, the use of a Boolean vaiable stating if the element is unitay and deciding which code (invesion o conjugation) is used fo the invesion of an element should be avoided since this could then become a taget in ode to allow ou fault injection. As an example, this latte Boolean vaiable is implemented in the classic Miacl libay [23]. Compessed epesentation: A genealization of the pevious countemeasue is to use a compessed epesentation of the elements duing the exponentiation as shown in [24, 25]. The eect is simila to the pevious countemeasue. A fault attack on an implementation with the compessed epesentation would have to be specically designed in ode to wok. Checking subgoup membeship: It is possible to dete this attack by checking the subgoup membeship of intemediate values. As an example, f 1 should be in µ pd +1. To check this membeship (checking f pd +1 1 = 1), one has to compute f pd +1 1 at the pice of a conjugation and a multiplication in F p k. Similaly it should be possible to check that f Φ k(p) 2 = 1 and f 3 = 1. 6 Conclusion and pespectives The possibility to invet the nal exponentiation with a fault attack has been shown. Even if we don't have any stong estiction on the eos injected, ecoveing the input of the FE with a high pobability is feasible. Ou expeimentations with Sagemath [20] allowed us to popose bounds on the numbe of wong candidates obtained with this attack. To settle the feasibility of inveting the FE with a fault attack, we must now demonstate that ou attack scheme can be implemented in pactice. The next step fom an attacke's pespective would be to pefom a full attack on paiing which would denitely settle paiings vulneability to fault attacks. One possibility to achieve this is to conside double faults - two faults duing one execution of the paiing: one to invet the Mille Loop accoding to [5] o [7] and anothe in the FE to access the faulted value of the Mille Loop. The possibility of this attack scheme is yet to be poven but does not seem out of each [26]. Acknowledgements This wok was patially founded by the Fench Agence Nationale de la Recheche (ANR) though the ECLIPSE poject. We thank N. El Mabet, H. Le Boude and G. Reymond fo thei helpful comments and discussions. We would also like to thank the anonymous eviewes fo thei constuctive comments.

13 13 Refeences 1. Boneh, D., Fanklin, M.: Identity-Based Encyption fom the Weil paiing. SIAM J. of Computing 32(3) (2003) Dutta, R., Baua, R., Saka, P.: Paiing-Based Cyptogaphic Potocols : A Suvey. Cyptology epint Achive, Repot 2004/064 (2004) 3. El Mabet, N., Di Natale, G., Flottes, M.L., Rouzeye, B., Bajad, J.C.: Dieential Powe Analysis against the Mille Algoithm. Technical epot (August 2008) Published in Pime 2009, IEEE Xploe. 4. Whelan, C., Scott, M.: Side channel analysis of pactical paiing implementations: Which path is moe secue? In Nguyen, P., ed.: Pogess in Cyptology - VI- ETCRYPT Volume 4341 of Lectue Notes in Compute Science. Spinge Belin Heidelbeg (2006) Page, D., Vecauteen, F.: A Fault Attack on Paiing-Based Cyptogaphy. Computes, IEEE Tansactions on 55(9) (sept. 2006) Whelan, C., Scott, M.: The Impotance of the Final Exponentiation in Paiings when consideing Fault Attacks. In: Paiing-Based Cyptogaphy Paiing Volume 4575 of LNCS. Spinge (2007) El Mabet, N.: What about Vulneability to a Fault Attack of the Mille's algoithm Duing an Identity Based Potocol? In: Advances in Infomation Secuity and Assuance. Volume 5576 of LNCS. Spinge (2009) Vecauteen, F.: The Hidden Root Poblem. In: Poceedings of Paiing '08. (2008) 9. Beuchat, J.L., González-Díaz, J., Mitsunai, S., Okamoto, E., Rodíguez- Heníquez, F., Teuya, T.: High-Speed Softwae Implementation of the Optimal Ate Paiing ove BaetoNaehig Cuves. In: Paiing-Based Cyptogaphy - Paiing Volume 6487 of LNCS. Spinge (2010) Scott, M., Benge, N., Chalemagne, M., P., D., Kachisa, E.: On the Final Exponentiation fo Calculating Paiings on Odinay Elliptic Cuves. In: Paiing-Based Cyptogaphy Paiing Volume 5671 of LNCS. Spinge (2009) Baeto, P., Kim, H., Lynn, B., Scott, M.: Ecient algoithms fo paiing-based cyptosystems. Advances in Cyptology CRYPTO 2002 (2002) Hess, F., Smat, N., Vecauteen, F.: The Eta Paiing Revisited. Infomation Theoy, IEEE Tansactions on 52(10) (oct. 2006) Vecauteen, F.: Optimal Paiings. Infomation Theoy, IEEE Tansactions on 56(1) (jan. 2010) Kim, S., Cheon, J.H.: Fixed Agument Paiing Invesion on Elliptic Cuves. Cyptology epint Achive, Repot 2012/657 (2012) Kanayama, N., Okamoto, E.: Appoach to Paiing Invesions Without Solving Mille Invesion. IEEE Tansactions on Infomation Theoy 58(2) (feb. 2012) Galbaith, S., Hess, F., Vecauteen, F.: Aspects of Paiing Invesion. IEEE Tansactions on Infomation Theoy 54(12) (dec. 2008) Satoh, T.: On Paiing Invesion Poblems. In: Paiing-Based Cyptogaphy Paiing Volume 4575 of LNCS. Spinge (2007) Ba-El, H., Chouki, H., Naccache, D., Tunstall, M., Whelan, C.: The Socee's Appentice Guide to Fault Attacks. Poceedings of the IEEE 94(2) (Febuay 2006) Dehbaoui, A., Dutete, J.M., Robisson, B., Tia, A.: Electomagnetic Tansient Faults Injection on a Hadwae and a Softwae Implementations of AES. In: FDTC, IEEE (2012) 715

14 Stein, W., et al.: Sage Mathematics Softwae (Vesion 5.5). The Sage Development Team. (2012) Oztuk, E., Gaubatz, G., Suna, B.: Tate Paiing with Stong Fault Resiliency. In: Poceedings of FDTC '07, IEEE Compute Society (2007) Ghosh, S., Mukhopadhyay, D., Chowdhuy, D.: Fault Attack and Countemeasues on Paiing Based Cyptogaphy. Intenational Jounal Netwok Secuity 12 (Jan. 2011) Cetivox: Miacl libay (v 5.6.1) (2012) Naehig, M., Baeto, P., Schwabe, P.: On compessible paiings and thei computation. In Vaudenay, S., ed.: Pogess in Cyptology AFRICACRYPT Volume 5023 of Lectue Notes in Compute Science. Spinge Belin Heidelbeg (2008) Aanha, D., Kaabina, K., Longa, P., Gebotys, C., López, J.: Faste explicit fomulas fo computing paiings ove odinay cuves. In Pateson, K., ed.: Advances in Cyptology EUROCRYPT Volume 6632 of Lectue Notes in Compute Science. Spinge Belin Heidelbeg (2011) Van Woudenbeg, J., Witteman, M., Menaini, F.: Pactical Optical Fault Injection on Secue Micocontolles. In: 2011 Wokshop on Fault Diagnosis and Toleance in Cyptogaphy (FDTC). (sept. 2011) A Poof of Lemma 2 f 1 = f pd 1 g1 1 v h 1 = h g = h g Poof. f 1 = f f 1 = (f 2 h w) f 1 = f f 1 2 h w f 1 = 1 2 h w (g +h w) Thus Finally Moeove So g 1 = 1 2 h h w 2 = 1 2 h h v g 1 1 v h 1 h 1 = 2 h g = 2 h h v 2 h v g = h g g = h = g 1 1 v h 1 = h g = h g f 1 = f pd 1 g 1 1 v h 1 g g 2 v h 2 h g 2 v h 2 = h g

15 15 Poof. We wite f f 1 = (g h w) (g + h w) (20) = g g v h h + (g h + h g ) w (21) with g = g g 2 v h 2 = 1 g (1 v K 2 ) and h h = g 2 v h 2 = 1 h (v 1/K 2 ) As a consequence: (22) g g v h h = 1 + v K2 1 v K 2 = v h2 1 + g1 2 2 g 1 v h 2 1 g g 1 1 = 2 g 1 (g 1 1) = g 1 2 (g 1 1) And g h + h g K = 1 v K 2 1 K (v 1/K) = 2 K 1 v K 2 = 2 (g 1 1) h 1 v h 2 1 g g 1 1 = 2 (g 1 1) h 1 = h 1 2 (g 1 1) B Size of the intesection set fo the candidates in f ecovey Let e 2t and e 3t be in ou fault model: 0 < e 2t, e 3t < 2 l 1 and p >> 2 l. Let a = e2t e 3t F p, we want to nd the numbe of pais (i, j) solutions to equation (17): a i = j with i, j [1, 2 l 1]. We can wite e 2t e 3t = j i This faction can be ewitten as u v, educing it to lowest tems: e 2t u = gcd(e 2t, e 3t ) e 3t v = gcd(e 2t, e 3t ) All pais solutions to equation (17) can be witten as (k u, k v), k N +. The conditions i, j [1, 2 l 1] ae equivalent to k 2l 1 u and k 2l 1 v which combined give k 2l 1 max(u,v).

16 16 By the denition of u and v, we have: max(u, v) = max(e2t,e3t) gcd(e 2t,e 3t). Finally, we have a solution fo each intege k in the ange [1, (2 l 1) gcd(e 2t, e 3t ) max(e 2t, e 3t ) ] The uppe bound gives us the numbe of possible solutions to ou equation (17). C Attack example In this section, we povide the numeical values fo an attack that was successfully simulated based on the methodology poposed in this pape. We used the same paiing paametes as in [9]. Ou simulated fault injection ceates eo values in [1, 2 4 1] (l = 4). Let the secet value be f = ( 15E4F6523E7C5649E05B9FB24E3C212274A268F39E ED5071CFBDF3A05 v D105A344B97BFBB195D6AAAAB2E E000432FD0866F789DB489165B v D0D8EFDE1A9DDC227267B13D7EE703699B5E3293BCE339DF0CB70AC4D0D099 v A0D208C4134E F8E7813A8D1FFB69CEBE0AD873426C181A95A5087C8 v A116F6C8A9CC97A775F672E751B3999D246DA5B056D417DE18891ED95EAE6 v + 05A9CC966050A3477C3510DAD85A6A D8907E228602D0E2AC27060) w + 06C9FA931438FD7122C BE0D95CB2A1955AA51A D8D01CD72 v F5121FE3658BE0CC4449CC7BBDA2298E5A A9FD3DC2 v DED9A829FAD5568B466E7DFC42ECA52D8F6BCE25C635CE8A6E79155C56347F v ECF9E9ED0A46FE32A4B5481C5D54A15C879B88B4A81C0AAE1254EEEAA4F226 v B7E0F2849E818D758194E503F0F691CC76207BF27065FDB18030E469F6533 v + 164C79AEC143A16DC A89DFBF4D893B5D09D4A325301ACB45863A52AC0 C.1 Step 1: Nomal execution Fist the attacke uns a nomal execution, giving f 3 = ( 14FF0ED863C56B2CF6790E35919CF0A8D33877A282EDC87C v 5 + 1A59AE711E38EEA5D CE68315AD9996B2CBFD7ACEDA5F1958E9C7CF8 v EDBE3C5643AC6028BC597E9665D7B07C948DF7BB6CC3E367ACA223B29E4 v 3 + 1F23F4F893B297ED3EB321AF4AD3F17AA580B4D5D80CE54AA42E v B00759CADCB5221D4B7CCC5C68B7980A53CD947452FB94D1B969F40624AC9 v + 0CBEE77D DC63D8A13175B2E4FCCA9E4790A471B3F86D835C25E0D1FC0) w + 18C04751B8DFEA8F9CD7C813F15B5B37FB09738B04389D9CFBCBA4EABA9BB10E v B35F3CA37C92BD73F88FA0249D736CF909208C12C32B5C22E42586E11B518E v D3C014FE5AAA1F7F74AB0CC51793BFDA2551AC15B5040AF19586B22B6BA360 v A4EAB896B1C6D0F4D701D48C5C6F0D9D1148DE267A4A90A9258E0D112FDA23 v D2014FCE1AE043A88A108C969F9D BAE75872DE5736ECF7D v + 17C81BD9014A90D8964B3B864ABB83DF1225F513E49DD432D9459F22D4EBF7ED C.2 Step 2: f 1 ecovey A st fault injection is pefomed accoding to Subsection 4.1. The obseved faulty value is

17 17 f 3 = ( 14878AB9DA8D626472C222486B6BEAFCBB9D552E42C4A95F57CBE5DE0EB58A2B v B2D29B7B9DF5F28DC92904EE751125E223938C87C D49D1BDDB1 v C8E8ECA143AC26ACC2B EEADA9DD198390C6FD v 3 + 1F3FE27B71407EF9DBD68E5AD408F94941A11DE9B27B20DF3894E7711E2C4572 v CA3F1F35B050D F351942EE6DD0D10F0FE63B7DBC8C2417A v + 0DE59F30BBE780A0D738E3B707C0A48F8C600E63857D31DDB78D DB845) w + 18AD DE86A6668FDA07CEEEE01137D06FF6F5402DD820B471FF42E2CDC v D1A8CC B7C6B3B17A5B14ABE25F22FBB74F779749FBE0DAE044D29B v DACB18FBCAD8484A8FA8F35DDD57B124F48DF3B FD6DD6485 v A2A16C9CC6CA30D8BE07717B1234D FC34F47DF6CB32CFF8B22 v AA1927DF8D8AD9DDD59A883D5918F685AAFB9ED2B196A16F0F3F8B8312F9AE v DD150D1CA399A3AF8E5FD647423F9AD4A05624D FE27ECAC42C9D Fo each eo guess e 1 [1, 2 4 1], g 1 is computed using equation (9) and h + 1 and h 1 with equation (5). Then f 1 + = g 1 + h + 1 w and f 1 = g 1 + h 1 w ae constucted and checked against the obseved f 3 = f p 1 and f3 = (f1 ) p f 1 is found which satises these citeia fo eo e 1 = 7: d +1 d +1. A f 1 = ( 1E6BC8B B74846AF6D4303D1A79D229A442435EA28865BD478D31AB1A2 v EA2429ED C99D32D5BBCA06F5018B9C64F9A62051C4919EA815B097 v C76138D0DACBE0C6BC874CB0548D84A5C367C7665A7EFA14309F52B v D8D4F4D3892C42B72799B17AF78E EA24A19B96B8E937E14E0F v FFF74B0C285EF8CC82010A422E0ADD0300E6C67C362E220ABA9CECEC20E051 v + 0F1CEA1EF6E3CA90D3FEBB5B2954A90A3F96F C1CD161D83F1768) w + 1DA86D419A0A0D17F20F0A96A A35EAC0AC80B962A CC5C8FE v A30BA4FBE1821C659E5235C3375C55A5F715F521F6E32549A7314CE3C774AC v ECE1671FD16C3E57EB95F8DB69A53EEADBA16859E5EBC BFBA1C2 v E7030B5FD4558F002D1F387B4180B9B989C813AF6B75FA5C BF251A1 v B45A029B F57B19A4093D197AA17BE66939EC67569EDE0168A3 v E0EFCFF4E4E25C594BCDC23F5D076FDC8003CB3F27618B523A6163D097A C.3 Step 3: f ecovey Two faults ae injected accoding to Subsection 4.2. The obseved faulty values ae and f 3 = ( 16F28C E9DE6E B8FC99E356EB1D9AEF299AC8FA826B33BBC6 v B505C701E6E76CFFFB9877BE4B514A8138C1E CF48777C359F5C5 v F5B35DD04E60CC85CB1AB1707C4045C F07BA4C259E545D2F9A1 v F43AF3353F93A45AF088D788D6EC32D0ADCF32CDB43B3C B4665D46 v B1712BE28ECA6F35DF C41AFB2352EA38E5D B54A v + 0AF16AD93F1FB968CC2C59FB A10E8DEFAA7C11C18DF841ABB9E) w E599390FD4DC285C9BA14BC1BAE64227C196B22CA2CF02DFA95AFC8E9B v 5 + 0C78B0BB70A87D8BBCC72E84BA382FD4EC60AA11869D37BDAC82B639F9869B7B v 4 + 1AE1AEA4A7B18D01340EB6017B5F7D0FD6134B07D764E819B64F529F07D6F980 v E832F272C86EACA35DECC0A3F5CDA59E9D7A5F9C9EC7EF0FF51BC15DC125 v EF27A88585E1A229E81877B D0623ED0BA264EF9DEA90E7FAECB1 v + 0A0BC9599DF18B044DE6522EE18E036DD76E875AC4E2C C9F009F1E716

18 18 f 3 = ( 23571DDFC0C6B8509B84F49A969AB7F7BA38A5D071BFA339AF D7F92BB v F585FE7767B3A185C3BFE5BFC9A69C9AB0089BE6CAD2BA4A2382AC1E5CCE6 v C432E52552CF26B4484ED21B37B5C73E EF9490ED5C63DCD1936DC v 3 + 1DD38AA3691BD907A78DDFC4FDB1270E1D192E97DF6ECFD49BC63EC156BBBFB8 v 2 + 1B7D2A DCA380B21CFBED319F3AEEF3C01F1E986E22E50E v + 003B7A FDF12CE78075BE D5AFB602FDD5A5E84DBA98979) w A70C46F2A429C0FD87941DEA17C3CCB29E84187D0952DCD EC62B3 v 5 + 0F686B68CF92E B8D4C7F67E0DBAF CFDF8462CF3E5BB747 v CCDF3776A4F4FDA9E02DF07C9F90E3D765C12DB3D25D49BC2CFF9401B105A v 3 + 0FEB0A0E9229D1111C8BF20AE3A2638EB6FA D2B341102CC6CC8F91560 v 2 + 0F72717DF131B16A8C69EC07A2EAE763DA688086C528EE7A9C09443B1BC0E4E0 v + 181A35AE9376E2DF2AA9BE6EA9807D24CEC537E834C9E80DDF5E810C84CD3AF6 By guessing that e 2 = e 3 = 1 and checking against obseved f3 candidates fo f ae saved using equation (15) and Lemma 2: and f c1 = ( 13D7C1CD2019B9E15AEA184A1DA41EEEA8AA745018D1D5C49CFB6004DAD90A28 v D4721BAB2536A450EFBF915D873EA6A92ACD9F8A5CAE4D41695D8B58D1C92E v CFC849E4E70ECAC254D076F24E0D12CE6455C671A3FCFCE36F6F60EB v E3763C6FA97F0768F181A01D1CE65C A8619C0CF62CC0EF42CD4C604 v 2 + 1F4A9CEAD0DF83154E325AA0A21DF DAD3330D74D6CEDCD215A v + 0F873644C594ADC50F677D191448B978D1BFDE27C1D146F1ECE1357F80D5F35F) w + 19A8D42718BFD93BEA67DA00A295E562C5456F0017CDED8D6101A679F v F1BB87794E33860D F077BE299FFB1F9ABB433536D2AB6EF9E72BCD v A0BFD2678C31535D2B5D733BE FF8DFEDBF7E43B656061C03F07D872 v 3 + 0CCCF1146B5400FD54198AC4C81FE7A058B27DCD99E8FC542AA1FC663FCC834E v DA2809CA5EC62FBE7F6A91F F39573B563B807B9A8EC6 v + 177B600DB91B5E D5A4B14D0542C F9BC4E B80CE80BB f c1 = ( 2163C67F7EDE7355C D000DB10A4A9C9281A192FCA6B8E7DEF9D024 v A11607E07D28553E29BAB2DC8BC518085ABF8A197E7CBAF9E4EDA448B2D3 v FEA5EA40D80ACEE58835E3BB42850E1CB36D3F5E719C482E C1 v 3 + 0F42A433AB DB1211A5093D8A09ABEA5EA56C399B3C0A8D4AD2843E3C v 2 + 1BD08B7B6454E64BD3BAFB3973A8D9CCCE9236D2D82B6A0BEF0C448F6CAF5730 v + 09DD69AE65440A7D93326C3E3BEE4F47AC8DDAE354483F0FC FF) w + 12DED DBCAC7A485EF9DFA CD6ABD28D3282BBA506C680E6B8F v CEA9A16843C13A2A776B6B7FABDAF66DC5D886B5183BBCB190630D4FE9EE0B v E12EDAD26BBB205B098DC6835C CE31AE6E597248AAE2B1A3F4 v 3 + 0F50F22F1B8AC9BD6FEAF01532A D2184FD40E04AFB v CD4B01CD80E F232133D993832F8DEBE987234FB2994 v + 012EE65EF7D7BCB6A0ECA7C2A276D45F E3C2C31D2955FB The atio a = fc1 f c1 is computed: a = 1F02DBA40998EDC684A F94D61F EB And one solution is found which satises equation (17): 8 a = 9. Finally we nd that f = f c1 /9 = f c1/8 and it is the coect answe! and f 3, two