Fault Attacks In Pairing-Based Cryptography

Posted on: 2014-07-12
Degree: Master
Type: Thesis
Country: China
Candidate: Y Q Dou
GTID: 2268330401976819
Subject: Military cryptography
Abstract/Summary:
With the development of integrated circuits and smart card technology, and the large-scale deployment of embedded systems, the reverse analysis of and attacks on cryptographic devices have become an important research topic in cryptography. There is a large body of public research on side-channel attacks and fault attacks. Fault attacks against block ciphers and public-key cryptosystems have yielded fruitful results, and their practical effectiveness poses a potential threat to cryptographic devices. However, there are only a few works on fault attacks against pairing-based cryptography. This paper mainly studies fault attacks against pairing-based cryptography. The main results are as follows:

1. We first study the fault attack against Miller's algorithm and present the attack scheme in detail. By repeatedly interfering with the execution of the algorithm, we select, from all faulty results, the faulty outputs of consecutive iterations, which are used to construct a nonlinear system. The secret point can be recovered by solving the nonlinear system with resultants or the Gröbner basis algorithm. For the case k=6, the detailed process of the fault attack against Miller's algorithm in Jacobian coordinates is presented. Furthermore, we analyze the case of arbitrary even embedding degree.

2. We design and implement a simulation of the fault attack on Miller's algorithm in the Magma software, through a number of experiments. The detailed process is given, from the selection of elliptic curve parameters and the programming implementation of Miller's algorithm, through the construction and solution of the equations, to the verification of the secret point. We complete the attack simulation for the case k=6; the secret point can be recovered whether P or Q is the secret. In addition, we discuss the fault attack scheme further.

3. Based on the fault attack against Miller's algorithm, we design fault attacks against the Eta and Weil pairings using the byte-oriented random fault induction model. This paper also performs attack experiments on the Eta pairing under standard parameters. As the Weil pairing is composed of two executions of Miller's algorithm, the attack is to some extent more difficult. We take k=4 as an example to discuss the fault attack against the Weil pairing. Compared with the scheme of Whelan and Scott, the model assumption of our scheme is more easily satisfied and implemented. Lastly, we summarize defense strategies against fault attacks and propose a new countermeasure based on the idea of randomization.
Keywords/Search Tags: bilinear pairing, pairing based cryptography, side channel attack, fault attack, nonlinear system, Magma, Gröbner bases