Post on 14-Oct-2020
Arithmetic of pairings, performance and weakness toward side channel attacks
Nadia El Mrabet
GREYC - LMNO, Université de Caen
Darmstadt, 29th of April 2010
1 / 59
Outline
1 Pairing over elliptic curves
  Definition and properties of pairing
  Construction and example of pairings
  Computation of pairings
  Arithmetic of pairing based cryptography
2 A more efficient arithmetic based on adapted bases
  Definition of adapted bases
  Multiplication in F_{p^k} using DFT
  Complexity of our method
3 Fault attack
  Identity based cryptography
  Fault attack
  Fault attack against Miller's algorithm
4 Conclusion and perspectives
2 / 59
What is a pairing? (Properties)
Let G_1, G_2 and G_3 be three abelian groups of the same order r. A pairing is a map
$e : (G_1, +) \times (G_2, +) \to (G_3, \times)$
with the following properties:
Non-degeneracy: $\forall P \in G_1,\ P \neq 0,\ \exists Q \in G_2$ s.t. $e(P, Q) \neq 1$
Bilinearity: $\forall P, P' \in G_1,\ \forall Q \in G_2,\ e(P + P', Q) = e(P, Q) \cdot e(P', Q)$
Consequences
$\forall j \in \mathbb{Z},\ e(jP, Q) = e(P, Q)^j = e(P, jQ)$
5 / 59
Cryptology from pairing
The discrete logarithm problem
in G_1 consists in finding the integer a knowing P ∈ G_1 and aP. Let Q be a point of G_2:
$e(aP, Q) = e(P, Q)^a$.
Cryptanalysis
The bilinearity of the pairing shifts the discrete logarithm problem from an elliptic curve to a discrete logarithm problem in a finite field. These are the MOV and Frey-Rück attacks.
6 / 59
Cryptology from pairing
Cryptography
Pairings allow the construction of original protocols and the simplification of existing protocols:
the tripartite Diffie-Hellman key exchange (Joux 2001),
identity based cryptography (Boneh and Franklin 2001),
the short signature scheme (Boneh, Lynn, Shacham 2001).
Example
The construction of a key between Alice and Bob based on identity.
7 / 59
Cryptography from pairing: Secure key exchange between Alice and Bob (figure)
8 / 59
Pairings used in cryptography
The Weil pairing, the Tate pairing, the η pairing, and the Ate and Twisted Ate pairings are used in cryptography.
The Weil, Tate, Ate and Twisted Ate pairings are constructed on the same model: they share the central step of their computation.
9 / 59
Construction of pairings: Data
To compute a pairing, we need:
E an elliptic curve over a field K:
$E(K) := \{(x, y) \in K \times K,\ y^2 = x^3 + ax + b,\ \text{with } a, b \in K\} \cup \{P_\infty\}$.
Figure: Elliptic curve for K = R
The elliptic curve admits a group law: the addition.
11 / 59
Elliptic curve: Group law - Addition (figure)
12 / 59
Elliptic curve: Group law - Doubling (figure)
We denote $[r]P = \underbrace{P + P + \ldots + P}_{r \text{ times}}$.
13 / 59
Construction of pairings: Data
To compute a pairing we need:
E an elliptic curve over a finite field K ⊃ F_p, with a and b ∈ F_p:
$E(K) := \{(x, y) \in K \times K,\ y^2 = x^3 + ax + b\} \cup \{P_\infty\}$.
r a prime number dividing card(E(F_p)), and the set of points $E[r] = \{P \in E(F_p),\ [r]P = P_\infty\}$.
the embedding degree k: the smallest integer such that $r \mid (p^k - 1)$; if k > 1 then $E[r] \subset E(F_{p^k})$.
the Miller function $f_{r,P}$ such that P is a zero of order r and [r]P is a pole.
14 / 59
Construction of pairing: The Tate pairing
Let $P \in E(F_p)[r]$, $Q \in E(F_{p^k})/rE(F_{p^k})$ and k the embedding degree with respect to r.
The Tate pairing is the map
$e_T : E(F_p)[r] \times E(F_{p^k})/rE(F_{p^k}) \to F_{p^k}^*$
$(P, Q) \mapsto f_{r,P}(Q)^{(p^k - 1)/r}$
15 / 59
Miller's equality: the function $f_{r,P}$
To compute pairings, we need the construction of the rational function $f_{r,P}$ for r a prime number. This function admits the point P as a zero of order r and the point [r]P as a pole.
Victor Miller established the equation
$$f_{i+j,P} = f_{i,P} \times f_{j,P} \times \frac{l_{[i]P,[j]P}}{v_{[i+j]P}}$$
With this equation, we construct a sequence of functions such that the point [i]P is a pole, for i from 1 to r.
17 / 59
Miller's equality: Example
We want to compute $f_{5,P}$ using the binary decomposition $5 = (101)_2$ and the double-and-add principle:
Let i = 1.
The second bit of 5 is 0: i := 2 × i ⇒ i = 2.
The third bit of 5 is 1: i := 2 × i ⇒ i = 4, then i := i + 1 ⇒ i = 5.
On this scheme, we compute $f_{5,P}$ using Miller's equality and the binary decomposition of 5.
18 / 59
Miller's equality: Example
Let $f_{1,P} = 1$ by construction and i = 1.
i := 2i (i = 2):
$f_{2,P} = f_{1,P} \times f_{1,P} \times \dfrac{l_{P,P}}{v_{[2]P}}$, hence $f_{2,P} = \dfrac{l_{P,P}}{v_{[2]P}}$
i := 2i (i = 4):
$f_{4,P} = f_{2,P} \times f_{2,P} \times \dfrac{l_{[2]P,[2]P}}{v_{[4]P}} = f_{2,P}^2 \times \dfrac{l_{[2]P,[2]P}}{v_{[4]P}}$
i := i + 1 (i = 5):
$f_{5,P} = f_{4,P} \times \dfrac{l_{[4]P,P}}{v_{[5]P}}$
$f_{5,P} = \left( \left( \dfrac{l_{P,P}}{v_{[2]P}} \right)^2 \times \dfrac{l_{[2]P,[2]P}}{v_{[4]P}} \right) \times \dfrac{l_{[4]P,P}}{v_{[5]P}}$
19 / 59
Computation of pairings: Miller's algorithm returns $f_{r,P}(Q)$
Data: $r = (r_N \ldots r_0)_2$, $P \in G_1 \subset E(F_p)[r]$
Result: [r]P
  T ← P
  for i = N − 1 to 0 do
    T ← [2]T
    if r_i = 1 then
      T ← T + P
    end
  end
  return T = [r]P
20 / 59
Computation of pairings: Miller's algorithm returns $f_{r,P}(Q)$
Data: $r = (r_N \ldots r_0)_2$, $P \in G_1 \subset E(F_p)[r]$ and $Q \in G_2 \subset E(F_{p^k})[r]$
Result: $f_{r,P}(Q) \in G_3 \subset F_{p^k}^*$
  T ← P, f_1 ← 1, f_2 ← 1
  for i = N − 1 to 0 do
    T ← [2]T
    f_1 ← f_1^2 × l_d(Q)
    f_2 ← f_2^2 × v_d(Q)
    if r_i = 1 then
      T ← T + P
      f_1 ← f_1 × l_a(Q)
      f_2 ← f_2 × v_a(Q)
    end
  end
  return f_1 / f_2
21 / 59
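The following Python program is an added worked example, not code from the talk: it implements the loop of slide 21 literally (f1 accumulates the lines l_d, l_a and f2 the verticals v_d, v_a), applies the final exponentiation of slide 15, and checks the non-degeneracy and bilinearity properties of slide 5. Every parameter is a construction of mine for a runnable toy: p = 43, the supersingular curve y² = x³ + x with #E(F_p) = p + 1 = 44, r = 11, embedding degree k = 2 with F_{p²} = F_p[i]/(i² + 1), and the distortion map φ(x, y) = (−x, i·y), used to obtain a second argument Q outside E(F_p). Lines are evaluated in affine coordinates and the denominators are kept, so the cost model of slide 24 does not describe it.

```python
# Reduced Tate pairing via Miller's algorithm on a toy curve. Added example, not the slides' code.
# Constructed parameters: p = 43 (p ≡ 3 mod 4), E: y^2 = x^3 + x over F_p (supersingular, #E = 44),
# r = 11, embedding degree k = 2, F_{p^2} = F_p[i]/(i^2 + 1), Q = phi(P) with phi(x, y) = (-x, i*y).
P_MOD, A_COEFF, R_ORDER, K_EMBED = 43, 1, 11, 2
INF = None   # point at infinity P_inf

class Fp2:
    """a + b*i in F_{p^2} with i^2 = -1."""
    __slots__ = ("a", "b")
    def __init__(self, a, b=0):
        self.a, self.b = a % P_MOD, b % P_MOD
    def __eq__(self, o):  return self.a == o.a and self.b == o.b
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __neg__(self):    return Fp2(-self.a, -self.b)
    def __mul__(self, o): return Fp2(self.a*o.a - self.b*o.b, self.a*o.b + self.b*o.a)
    def inv(self):
        n = pow(self.a*self.a + self.b*self.b, -1, P_MOD)   # inverse of the norm a^2 + b^2
        return Fp2(self.a*n, -self.b*n)
    def __truediv__(self, o): return self * o.inv()
    def __pow__(self, e):
        res, base = Fp2(1), self
        while e:
            if e & 1: res = res * base
            base, e = base * base, e >> 1
        return res
    def __repr__(self): return f"({self.a} + {self.b}i)"

def slope(T, S):
    """Slope of the chord through T and S (tangent when T == S); caller ensures T + S != INF."""
    (xt, yt), (xs, ys) = T, S
    if T == S:
        return (Fp2(3)*xt*xt + Fp2(A_COEFF)) / (Fp2(2)*yt)
    return (ys - yt) / (xs - xt)

def add(T, S):
    """Group law of slides 12-13 in affine coordinates."""
    if T is INF: return S
    if S is INF: return T
    (xt, yt), (xs, ys) = T, S
    if xt == xs and yt == -ys: return INF
    lam = slope(T, S)
    x3 = lam*lam - xt - xs
    return (x3, lam*(xt - x3) - yt)

def mul(n, Pt):
    """Double-and-add scalar multiplication [n]Pt (slide 20)."""
    R = INF
    for bit in bin(n)[2:]:
        R = add(R, R)
        if bit == "1": R = add(R, Pt)
    return R

def line_eval(T, S, Q):
    """Return (l_{T,S}(Q), v_{T+S}(Q)), the factors of Miller's equality f_{i+j} = f_i f_j l / v."""
    xq, yq = Q
    (xt, yt), (xs, ys) = T, S
    if xt == xs and yt == -ys:        # T + S = INF: l is the vertical line x - x_T and v_INF = 1
        return xq - xt, Fp2(1)
    lam = slope(T, S)
    l = yq - yt - lam*(xq - xt)
    x3 = lam*lam - xt - xs            # x-coordinate of T + S
    return l, xq - x3

def miller(P, Q, r):
    """Miller's algorithm of slide 21: f1 collects the lines, f2 the verticals; returns f_{r,P}(Q)."""
    T, f1, f2 = P, Fp2(1), Fp2(1)
    for bit in bin(r)[3:]:            # bits r_{N-1} .. r_0; the leading bit is consumed by T = P
        l, v = line_eval(T, T, Q)     # doubling step: l_d(Q), v_d(Q)
        f1, f2, T = f1*f1*l, f2*f2*v, add(T, T)
        if bit == "1":
            l, v = line_eval(T, P, Q) # addition step: l_a(Q), v_a(Q)
            f1, f2, T = f1*l, f2*v, add(T, P)
    assert T is INF                   # [r]P = P_inf, so f_{r,P} has divisor r(P) - r(P_inf)
    return f1 / f2

def tate_pairing(P, Q):
    """e_T(P, Q) = f_{r,P}(Q)^((p^k - 1)/r), the reduced Tate pairing of slide 15."""
    return miller(P, Q, R_ORDER) ** ((P_MOD**K_EMBED - 1) // R_ORDER)

def distortion(Pt):
    """phi(x, y) = (-x, i*y) maps E(F_p) into E(F_{p^2}) outside the F_p-rational subgroup."""
    x, y = Pt
    return (-x, Fp2(0, 1) * y)

def find_generator():
    """Constructed search: an F_p-rational point times the cofactor #E/r = 4 has order r."""
    for x in range(1, P_MOD):
        rhs = (x**3 + A_COEFF*x) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # square root when p ≡ 3 mod 4 and rhs is a square
        if (y*y) % P_MOD == rhs:
            Pt = mul((P_MOD + 1) // R_ORDER, (Fp2(x), Fp2(y)))
            if Pt is not INF:
                return Pt
    raise RuntimeError("no point of order r found")

def check_pairing_properties(a=3, b=5):
    """Non-degeneracy, order r, and bilinearity e([a]P, phi([b]P)) = e(P, phi(P))^(ab) (slide 5)."""
    P = find_generator()
    e = tate_pairing(P, distortion(P))
    bilinear = tate_pairing(mul(a, P), distortion(mul(b, P))) == e ** (a*b)
    return e != Fp2(1) and e ** R_ORDER == Fp2(1) and bilinear

if __name__ == "__main__":
    print("pairing properties hold:", check_pairing_properties())
```

The distortion map is what makes e(P, φ(P)) non-degenerate on this supersingular curve; without it, both arguments would lie in E(F_p) and the reduced pairing would be trivial, which is exactly the k > 1 condition of slide 14 at work.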
The security of pairing
Table: Security level
Security level (bits)               80      128     192     256
Minimal number of bits for r        160     256     384     512
Minimal number of bits for p^k      1024    3072    7680    15360
23 / 59
Computing pairings over elliptic curves
Let $M_p$ be the cost of a multiplication in F_p, $S_{p^k}$ the cost of a squaring and $M_{p^k}$ the cost of a multiplication in F_{p^k}.
Miller's algorithm needs
$N = \lfloor \log_2(r) \rfloor + 1$ iterations;
the complexity of the doubling step is $8S_p + (12 + 4k)M_p + 2S_{p^k} + 2M_{p^k}$;
the complexity of the addition step is $6S_p + (20 + 3k)M_p + 2S_{p^k} + 2M_{p^k}$.
To improve pairing computation we can:
reduce the number of operations in F_{p^k},
improve the arithmetic in F_{p^k}.
24 / 59
The traditional representation
The representation of elements in F_p influences the arithmetic over F_p. Usually we use a positional number representation, that is, a representation of integers in a base β:
$a = \sum_{i=0}^{n-1} a_i \beta^i$ with $a_i \in \{0, \ldots, \beta - 1\}$ and $\beta^n > p$.
Example: the decimal representation in $F_{90001}$. Let β = 10 and a = 71209 in $F_{90001}$. This element can be written $a = 7 \times 10^4 + 1 \times 10^3 + 2 \times 10^2 + 9$.
26 / 59
An adapted base
Representation in adapted base:
Let p be a prime, 0 < γ < p and n > 0, such that $\gamma^n \equiv \lambda \bmod p$ for a small λ.
The representation in adapted base is
$a = \sum_{i=0}^{n-1} a_i \gamma^i \bmod p$ with $|a_i| < \rho$, where $\rho \geq p^{1/n}$.
We denote $a(t) = \sum_{i=0}^{n-1} a_i t^i$ the polynomial representation of a in adapted base.
28 / 59
An adapted base: Example
Let p = 19 and n = 3; the element of F_p such that $\gamma^3 \equiv 1 \bmod p$ is γ = 7. The elements of F_p in adapted base will be polynomials in γ of degree 2, with coefficients 0, 1 and −1.
29 / 59
An adapted base: Example (p = 19, γ = 7, coefficients in {−1, 0, 1})
 1: 1              2: −γ² − γ − 1     3: γ² − γ − 1      4: γ² − γ          5: γ² − γ + 1      6: γ − 1
 7: γ              8: γ + 1           9: −γ² + 1        10: γ² − 1         11: γ²             12: γ² + 1
13: −γ − 1        14: −γ² + γ + 1    15: −γ² + γ       16: −γ² + γ + 1    17: γ² + γ − 1     18: −1
30 / 59
Arithmetic in adapted base: Reduction of the coefficients using the Montgomery representation (Plantard-Negre 07)
To find the representation in adapted basis, we use an algorithm due to Thomas Plantard (2005).
Arithmetic in adapted base
"Efficient Modular Arithmetic in Adapted Modular Number System Using Lagrange Representation", C. Negre and T. Plantard, ACISP '08. The arithmetic is constructed in the Montgomery way, thus it has the same complexity. We have an efficient arithmetic over F_p.
31 / 59
The multiplication by interpolation in F_{p^k}
Let U and V be elements of F_{p^k}. They are polynomials U(X), V(X) ∈ F_p[X] of degree k − 1. The multiplication between U and V can be done like this:
1 Polynomial multiplication W(X) = U(X) × V(X), using interpolation.
2 Modular reduction using a polynomial of degree k in F_p[X].
33 / 59
Multiplication by interpolation
Let $l \geq 2k - 1$ distinct elements $\alpha_0, \ldots, \alpha_{l-1}$ in F_p.
1 Evaluation: let U(X) and V(X) be of degree k − 1. We compute $\bar{U} = (U(\alpha_0), \ldots, U(\alpha_{l-1}))$ and $\bar{V} = (V(\alpha_0), \ldots, V(\alpha_{l-1}))$ using a matrix-vector product:
$$\bar{U} = \begin{pmatrix} 1 & \alpha_0 & \cdots & \alpha_0^{k-1} \\ 1 & \alpha_1 & \cdots & \alpha_1^{k-1} \\ \vdots & \vdots & & \vdots \\ 1 & \alpha_{l-1} & \cdots & \alpha_{l-1}^{k-1} \end{pmatrix} \times \begin{pmatrix} u_0 \\ u_1 \\ \vdots \\ u_{k-1} \end{pmatrix}.$$
2 Multiplication, componentwise: $\bar{W} = (U(\alpha_0) V(\alpha_0), \ldots, U(\alpha_{l-1}) V(\alpha_{l-1}))$.
3 Interpolation: reconstruction of the coefficients of W(X).
34 / 59
Polynomial multiplication using DFT
Let α be a primitive l-th root of unity in F_p and $\alpha_i = \alpha^i$.
The evaluation is the product by the matrix Ω:
$$\Omega = \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ 1 & \alpha & \alpha^2 & \cdots & \alpha^{l-1} \\ 1 & \alpha^2 & \alpha^4 & \cdots & \alpha^{2(l-1)} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha^{l-1} & \alpha^{2(l-1)} & \cdots & \alpha^{(l-1)(l-1)} \end{pmatrix}$$
Denoting $\alpha' = \alpha^{-1}$, the interpolation is the product by
$$\Omega^{-1} = \frac{1}{l} \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ 1 & \alpha' & \alpha'^2 & \cdots & \alpha'^{l-1} \\ 1 & \alpha'^2 & \alpha'^4 & \cdots & \alpha'^{2(l-1)} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha'^{l-1} & \alpha'^{2(l-1)} & \cdots & \alpha'^{(l-1)(l-1)} \end{pmatrix}$$
35 / 59
Polynomial multiplication using DFT
Complexity
The complexity of the multiplication is:
Evaluation: product by the matrix Ω,
Multiplications: 2l products in F_p,
Interpolation: product by the matrix Ω^{-1}.
The products by Ω and Ω^{-1} consist of multiplications by powers of α_i.
36 / 59
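As an added example (not the talk's code) of steps 1-3 of slide 34 with the DFT matrices of slide 35: the matrix-vector products are written out literally, so Ω and Ω⁻¹ = (1/l)·Ω(α⁻¹) appear as matrices rather than as an FFT butterfly. The parameters are my construction: p = 13, k = 3, l = 6 ≥ 2k − 1 with l | p − 1, α = 4 a primitive 6th root of unity mod 13, and the reduction polynomial t³ − 2 (irreducible over F_13 because 2 is not a cube there) for the modular reduction step of slide 33. A schoolbook product serves as the reference.

```python
# Added example (not the talk's code): multiplication in F_{p^k} by evaluation, pointwise
# products and interpolation (slides 33-35), with the DFT matrices written out literally.
# Constructed parameters: p = 13, k = 3, l = 6 (l >= 2k - 1 and l | p - 1), alpha = 4 (a primitive
# 6th root of unity mod 13) and F_{13^3} = F_13[t]/(t^3 - 2), t^3 - 2 being irreducible over F_13.
P_MOD, K_DEG, L_POINTS, ALPHA = 13, 3, 6, 4
MODULUS = [-2, 0, 0, 1]          # t^3 - 2, coefficients from degree 0 upwards

def is_primitive_root_of_unity(alpha, l, p):
    """alpha^l = 1 and no smaller positive power of alpha is 1."""
    return pow(alpha, l, p) == 1 and all(pow(alpha, d, p) != 1 for d in range(1, l))

def omega_matrix(alpha, l, p):
    """Omega[i][j] = alpha^(i*j): row i evaluates a polynomial at alpha_i = alpha^i (slide 35)."""
    return [[pow(alpha, i * j, p) for j in range(l)] for i in range(l)]

def mat_vec(M, v, p):
    return [sum(M[i][j] * v[j] for j in range(len(v))) % p for i in range(len(M))]

def dft_poly_mul(u, v, p=P_MOD, l=L_POINTS, alpha=ALPHA):
    """Steps 1-3 of slide 34: evaluate U and V at the l points via Omega, multiply componentwise,
    interpolate with Omega^{-1} = (1/l) * Omega(alpha^{-1}). Returns the l coefficients of W = U*V."""
    assert len(u) + len(v) - 1 <= l, "need l >= deg(U) + deg(V) + 1 evaluation points"
    assert is_primitive_root_of_unity(alpha, l, p)
    u_pad, v_pad = u + [0] * (l - len(u)), v + [0] * (l - len(v))
    omega = omega_matrix(alpha, l, p)
    U_bar, V_bar = mat_vec(omega, u_pad, p), mat_vec(omega, v_pad, p)      # evaluation
    W_bar = [(a * b) % p for a, b in zip(U_bar, V_bar)]                    # l products in F_p
    omega_inv = omega_matrix(pow(alpha, -1, p), l, p)                      # alpha' = alpha^{-1}
    l_inv = pow(l, -1, p)
    return [(l_inv * w) % p for w in mat_vec(omega_inv, W_bar, p)]        # interpolation

def schoolbook_mul(u, v, p=P_MOD):
    """Reference product with k^2 multiplications in F_p."""
    w = [0] * (len(u) + len(v) - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            w[i + j] = (w[i + j] + a * b) % p
    return w

def reduce_mod(w, modulus=MODULUS, p=P_MOD):
    """Step 2 of slide 33: reduce W(t) modulo the monic degree-k polynomial defining F_{p^k}."""
    w, k = w[:], len(modulus) - 1
    for deg in range(len(w) - 1, k - 1, -1):
        c = w[deg]
        if c:
            for j in range(k + 1):                  # subtract c * t^(deg-k) * modulus(t)
                w[deg - k + j] = (w[deg - k + j] - c * modulus[j]) % p
    return (w + [0] * k)[:k]

def mul_fpk(u, v):
    """U * V in F_{p^k}: DFT-based polynomial product followed by modular reduction."""
    return reduce_mod(dft_poly_mul(u, v))

if __name__ == "__main__":
    u, v = [1, 2, 3], [4, 5, 6]                     # constructed sample elements of F_{13^3}
    print("DFT product      :", dft_poly_mul(u, v))
    print("schoolbook       :", schoolbook_mul(u, v))
    print("U*V in F_{13^3}  :", mul_fpk(u, v))
```

The cost split of slide 36 is visible in `dft_poly_mul`: the only products of two variable quantities are the l componentwise products in `W_bar`; everything else is a multiplication by a fixed power of α, which is what the adapted base of slide 37 turns into shifts.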
Using the DFT with the adapted base
We combine the use of the adapted base and the DFT multiplication to improve the multiplication in F_{p^k}:
l = k,
γ such that $\gamma^l = -1$,
α = γ is a 2k-th primitive root of unity in F_p.
Consequences
Multiplications by powers $\gamma^j$ are composed of shifts and additions in F_p:
$$a\gamma^j = \Big( \sum_{i=0}^{n-1} a_i t^i \Big) t^j \bmod (t^n + 1) = \Big( \sum_{i=0}^{j-1} -a_{n-j+i} t^i \Big) + \Big( \sum_{i=j}^{n-1} a_{i-j} t^i \Big).$$
Multiplications by Ω and Ω^{-1} are composed only of additions in F_p.
37 / 59
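An added toy implementation (not the talk's code) of the adapted base of slides 28-30 and of the shift property of slide 37. With the slide's parameters p = 19, n = 3, γ = 7 (λ = 1), the conversion is done by exhaustive search over coefficient vectors with |a_i| < ρ = 2, which stands in for Plantard's algorithm cited on slide 31 and is only usable for tiny p; every vector is checked by evaluating it back at γ, and the entries of the table of slide 30 can be checked the same way with `from_amns`. For the t^n + 1 case of slide 37 the example also uses γ = 12, my choice, for which 12³ ≡ −1 mod 19, and verifies that multiplying by γ^j is then a negacyclic shift that keeps the coefficients in {−1, 0, 1}, i.e. costs no multiplication in F_p.

```python
import itertools

# Added toy implementation of the adapted base (AMNS) of slides 28-30 and the shift property of
# slide 37; not code from the talk. Slide parameters: p = 19, n = 3, gamma = 7 (gamma^3 ≡ 1, lambda = 1).
# For the t^n + 1 case of slide 37 we additionally use gamma = 12 (our choice): 12^3 ≡ -1 mod 19.

def lambda_of(p, gamma, n):
    """Signed small lambda with gamma^n ≡ lambda (mod p)."""
    lam = pow(gamma, n, p)
    return lam if lam <= p // 2 else lam - p

def from_amns(coeffs, p, gamma):
    """a = sum a_i gamma^i mod p, the definition of slide 28."""
    return sum(c * pow(gamma, i, p) for i, c in enumerate(coeffs)) % p

def to_amns(a, p, gamma, n, rho=2):
    """Toy conversion by exhaustive search over coefficient vectors with |a_i| < rho.
    The slides rely on Plantard's algorithm for this step; the search is only for tiny p."""
    digits = range(-(rho - 1), rho)
    for coeffs in itertools.product(digits, repeat=n):
        if from_amns(coeffs, p, gamma) == a % p:
            return list(coeffs)
    raise ValueError(f"{a} has no representation with |a_i| < {rho}")

def build_table(p, gamma, n, rho=2):
    """Table in the style of slide 30: every nonzero element of F_p as (a_0, ..., a_{n-1})."""
    return {a: to_amns(a, p, gamma, n, rho) for a in range(1, p)}

def mul_by_gamma_power(coeffs, j, lam):
    """(sum a_i t^i) * t^j mod (t^n - lambda): coefficients move up by j places and those that
    wrap around are multiplied by lambda. With lambda = -1 this is exactly the formula of slide 37."""
    n = len(coeffs)
    out = [0] * n
    for i, c in enumerate(coeffs):
        if i + j < n:
            out[i + j] += c
        else:
            out[i + j - n] += lam * c
    return out

def shift_property_holds(p, gamma, n, rho=2):
    """Check a * gamma^j == eval(shift(a)) for every a and j, and that with lambda = ±1 no
    coefficient leaves the digit range: the multiplication costs no product in F_p at all."""
    lam = lambda_of(p, gamma, n)
    for a in range(p):
        coeffs = to_amns(a, p, gamma, n, rho)
        for j in range(n):
            shifted = mul_by_gamma_power(coeffs, j, lam)
            if from_amns(shifted, p, gamma) != (a * pow(gamma, j, p)) % p:
                return False
            if abs(lam) == 1 and max(abs(c) for c in shifted) >= rho:
                return False
    return True

if __name__ == "__main__":
    for a, coeffs in build_table(19, 7, 3).items():
        print(f"{a:2d} -> a_0 + a_1*gamma + a_2*gamma^2 with (a_0, a_1, a_2) = {coeffs}")
    print("shift property (gamma = 12, lambda = -1):", shift_property_holds(19, 12, 3))
```

Because γ² + γ + 1 ≡ 0 mod 19 when γ = 7, the representation is not unique for every element, so the search may return a different vector from the slide's for some entries; `from_amns` decides whether two vectors denote the same element.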
Complexity of a multiplication in F_{p^k}
Using Karatsuba and Toom-Cook: for $k = 2^i 3^j$, $M_{p^k} = 3^i 5^j M_p$.
Using DFT and adapted base: $M_{p^k} = 2k\, M_p$.
39 / 59
Results
Table: Complexities for several values of k
Method                    k     M_{p^k}: #A_p    #M_p    Ratio M_p/A_p
Karatsuba/Toom-Cook       8     72               27
Our method (t^8 + 1)      8     192              16      < 11
Karatsuba/Toom-Cook       9     160              25
Our method (t^8 + 1)      9     208              18      < 7
Karatsuba/Toom-Cook       16    248              81
Our method (t^16 + 1)     16    480              32      < 5
Karatsuba/Toom-Cook       18    480              75
Our method (t^16 + 1)     18    576              39      < 3
40 / 59
Conclusion
[ACISP'09] with C. Negre
We introduced a multiplication in F_{p^k} using the DFT and adapted bases.
Our results are good for big values of k.
41 / 59
Cryptography from pairing: Identity based cryptography
Identity based protocols are asymmetric protocols where
the user's public key is his identity,
a trusted authority gives him the associated private key.
Example
Alice and Bob key exchange
44 / 59
Cryptography from pairing: Secure key exchange between Alice and Bob (figure)
45 / 59
Side channel attacks
During an identity based protocol, we know:
the pairing algorithm,
the number of iterations ($N = \lfloor \log_2(r) \rfloor + 1$).
The secret is one of the parameters of the pairing.
The secret does not influence the algorithm.
47 / 59
Side channel attacks
Side channel attacks use the implementation of an algorithm to find information about the secret.
Fault attacks consist in disturbing the execution of an algorithm.
The first fault attack in pairing based cryptography was developed by Page and Vercauteren for the Duursma and Lee algorithm.
We study the vulnerability of Miller's algorithm toward fault attacks.
48 / 59
Description of the fault attacks
We suppose that the pairing is used in an identity based protocol.
The secret is the point P, first parameter during the computation of e(P, Q).
The second parameter Q is known.
Purpose of the fault attack
The aim of the attack is to modify the number of iterations of Miller's algorithm, in order to obtain the results of two consecutive iteration counts, τ and τ + 1 iterations for τ ∈ {1, …, N}. We denote $F_{\tau,P}(Q)$ and $F_{\tau+1,P}(Q)$ the results of these iterations.
50 / 59
Description of the fault attack
Target of the attack
The register where N is stored. We modify it using lasers.
Scheme of the attack
We execute Miller's algorithm several times with the same point Q, modifying the register at each execution.
Using the clock cycles we can find afterwards the number of iterations made.
We repeat the operation until we obtain two consecutive iteration counts τ and τ + 1.
51 / 59
Description of the fault attack
Probability
We want to find two consecutive numbers randomly taken from 1 to N. This problem is like the birthday problem, and we can compute the probability of success.
Example
For r an integer of size 256 bits, 15 tries are enough to obtain two consecutive numbers with a probability higher than 0.5, and 26 for a probability higher than 0.9.
52 / 59
The ratio $R = F_{\tau+1,P}(Q) / F_{\tau,P}(Q)^2$
We denote $F_{\tau,P}(Q)$ the result of the $\tau$-th iteration and $F_{\tau+1,P}(Q)$ the result of the $(\tau+1)$-th. The ratio
$$R = \frac{F_{\tau+1,P}(Q)}{F_{\tau,P}(Q)^2}$$
gives us information about the secret.
During the $\tau$-th step, $T = [j]P$ in Miller's algorithm
We denote $[j]P = (X_j, Y_j, Z_j)$ the secret and $Q = (x_Q, y_Q)$ the known point in e(P,Q).
Writing down the equation we find:
$$R = Z_{2j} Z_j^2 y_Q - 2Y_j^2 - (3X_j^2 - aZ_j^4)(x_Q Z_j^2 - X_j).$$
With the theoretical decomposition of R and its value we can construct a system.
53 / 59
The ratio $R = F_{\tau+1,P}(Q) / F_{\tau,P}(Q)^2$
The system is:
$$Y_j Z_j^3 = \lambda_2$$
$$Z_j^2 (X_j^2 - Z_j^4) = \lambda_1$$
$$3X_j (X_j^2 - Z_j^4) + 2Y_j^2 = \lambda_0.$$
where $\lambda_0$, $\lambda_1$ and $\lambda_2$ are known in $\mathbb{F}_p$.
Solving this system gives $X_j$ and $Y_j$ as functions of $Z_j$. We can construct an equation admitting $Z_j$ as a solution:
$$(\lambda_0^2 - 9\lambda_1^2) Z^{12} - (4\lambda_0 \lambda_2^2 + 9\lambda_1^3) Z^6 + 4\lambda_2^4 \equiv 0 \bmod p$$
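To see why the three known values pin down the intermediate point, the elimination can be carried through on constructed values. This is an added example, not the talk's code; the prime and the coordinates (X, Y, Z) are constructed test values, and no curve equation is needed since the three relations are purely algebraic (they only require Z != 0 and X^2 != Z^4 mod p).

```python
# Constructed modulus for the example (a Mersenne prime), not a parameter from the talk.
P_MOD = 2**127 - 1


def lambdas_from_point(X: int, Y: int, Z: int, p: int = P_MOD) -> tuple:
    """The three quantities lambda_0, lambda_1, lambda_2 that the ratio R exposes,
    computed from the (secret) Jacobian coordinates of T = [j]P."""
    d = (X * X - pow(Z, 4, p)) % p          # X^2 - Z^4
    l2 = Y * pow(Z, 3, p) % p               # Y Z^3
    l1 = Z * Z * d % p                      # Z^2 (X^2 - Z^4)
    l0 = (3 * X * d + 2 * Y * Y) % p        # 3X (X^2 - Z^4) + 2Y^2
    return l0, l1, l2


def z_polynomial(l0: int, l1: int, l2: int, z: int, p: int = P_MOD) -> int:
    """Evaluate (l0^2 - 9 l1^2) Z^12 - (4 l0 l2^2 + 9 l1^3) Z^6 + 4 l2^4 mod p,
    the equation obtained by eliminating X and Y from the system:
    Y^2 = l2^2 / Z^6 and X = (l0 Z^6 - 2 l2^2) / (3 l1 Z^4) substituted
    into X^2 = Z^4 + l1 / Z^2.  The true Z_j is a root."""
    z6 = pow(z, 6, p)
    z12 = z6 * z6 % p
    return ((l0 * l0 - 9 * l1 * l1) * z12
            - (4 * l0 * l2 * l2 + 9 * pow(l1, 3, p)) * z6
            + 4 * pow(l2, 4, p)) % p


def xy_from_z(l0: int, l1: int, l2: int, z: int, p: int = P_MOD) -> tuple:
    """Once a root Z of the polynomial is known, X and Y follow directly:
    Y = l2 / Z^3 and X = (l0 Z^6 - 2 l2^2) / (3 l1 Z^4)."""
    y = l2 * pow(pow(z, 3, p), -1, p) % p
    x = ((l0 * pow(z, 6, p) - 2 * l2 * l2)
         * pow(3 * l1 * pow(z, 4, p), -1, p)) % p
    return x, y


if __name__ == "__main__":
    # Constructed secret coordinates; any values with Z != 0 and X^2 != Z^4 work.
    X, Y, Z = 123456789, 987654321, 55555
    l0, l1, l2 = lambdas_from_point(X, Y, Z)
    print("polynomial at Z:", z_polynomial(l0, l1, l2, Z))   # 0
    print("recovered (X, Y) == secret:", xy_from_z(l0, l1, l2, Z) == (X, Y))
```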
54 / 59
Conclusion
[ISA'09]
Miller's algorithm is vulnerable to a fault attack.
Vulnerability of pairings based on Miller's algorithm
The Weil pairing is directly sensitive to this attack.
The Tate, Ate and Twisted Ate pairings are constructed in the same way: $e_T(P,Q) = (f_{r,P}(Q))^{\frac{p^k - 1}{r}}$. This exponentiation is for the moment a countermeasure to this attack, but...
55 / 59
Conclusion
We have now seen two aspects of pairing based cryptography:
performance of the arithmetic,
security of pairing based cryptography.
57 / 59
Perspectives
Arithmetic of pairings
Implementation of pairings:
Using the original representation.
For particular families of elliptic curves.
Find pairing-friendly elliptic curves.
Security of pairings
Carry out the fault attack.
Implementation of countermeasures to side channel attacks.
58 / 59
Thank you for your attention
59 / 59