Arithmetic of pairings, performance and weakness toward side channel attacks

Title slide: Arithmetic of pairings, performance and weakness toward side channel attacks. Nadia El Mrabet, GREYC - LMNO, Université de Caen. Darmstadt, 29th of April 2010. 1 / 59


  3. Miller's equality. Example
  Let $f_{1,P} = 1$ by construction and $i = 1$.
  $i := 2i$ ($i = 2$): $f_{2,P} = f_{1,P} \times f_{1,P} \times \dfrac{l_{P,P}}{v_{[2]P}} = \dfrac{l_{P,P}}{v_{[2]P}}$
  $i := 2i$ ($i = 4$): $f_{4,P} = f_{2,P} \times f_{2,P} \times \dfrac{l_{[2]P,[2]P}}{v_{[4]P}} = \left(\dfrac{l_{P,P}}{v_{[2]P}}\right)^2 \times \dfrac{l_{[2]P,[2]P}}{v_{[4]P}}$
  $i := i + 1$ ($i = 5$): $f_{5,P} = f_{4,P} \times \dfrac{l_{[4]P,P}}{v_{[5]P}}$
  Altogether: $f_{5,P} = \dfrac{l_{P,P}^2 \times l_{[2]P,[2]P} \times l_{[4]P,P}}{v_{[2]P}^2 \times v_{[4]P} \times v_{[5]P}}$
  19 / 59

  4. Computation of pairings. Miller's algorithm returns $f_{r,P}(Q)$
  Data: $r = (r_N \ldots r_0)_2$, $P \in G_1 \subset E(\mathbb{F}_p)[r]$
  Result: $[r]P$
      T ← P
      for i = N − 1 down to 0 do
          T ← [2]T
          if r_i = 1 then T ← T + P
      return T = [r]P
  20 / 59

  8. Computation of pairings. Miller's algorithm returns $f_{r,P}(Q)$
  Data: $r = (r_N \ldots r_0)_2$, $P \in G_1 \subset E(\mathbb{F}_p)[r]$ and $Q \in G_2 \subset E(\mathbb{F}_{p^k})[r]$
  Result: $f_{r,P}(Q) \in G_3 \subset \mathbb{F}_{p^k}^{*}$
      T ← P, f_1 ← 1, f_2 ← 1
      for i = N − 1 down to 0 do
          T ← [2]T
          f_1 ← f_1^2 × l_d(Q)
          f_2 ← f_2^2 × v_d(Q)
          if r_i = 1 then
              T ← T + P
              f_1 ← f_1 × l_a(Q)
              f_2 ← f_2 × v_a(Q)
      return f_1 / f_2
  (As in the example above, $l_d$ and $v_d$ are the tangent line at $T$ and the vertical line at $[2]T$; $l_a$ and $v_a$ are the line through $T$ and $P$ and the vertical line at $T + P$.)
  21 / 59
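The algorithm above, as an added Python example that is not code from the slides, run on a constructed toy instance: the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_{23}$ with $r = 3$ and embedding degree $k = 2$. The distortion map used to obtain $Q$ from $P$ and the final exponentiation that turns $f_{r,P}(Q)$ into the reduced Tate pairing are assumptions of the example, not something the slide states.

```python
# Added example (not from the slides): Miller's algorithm with the slide's two accumulators
# f1/f2, run on a constructed toy instance. E: y^2 = x^3 + x over F_23 is supersingular with
# #E(F_23) = 24; r = 3 divides 24 but not p - 1 = 22, so the embedding degree is k = 2.
P_MOD, A_COEF, R_ORDER = 23, 1, 3
INF = None  # point at infinity O

# F_{p^2} = F_p[i]/(i^2 + 1), elements as pairs (a, b) = a + b*i (p = 3 mod 4, so i^2 + 1 is irreducible).
def f2_sub(x, y):
    return ((x[0] - y[0]) % P_MOD, (x[1] - y[1]) % P_MOD)
def f2_mul(x, y):
    return ((x[0] * y[0] - x[1] * y[1]) % P_MOD, (x[0] * y[1] + x[1] * y[0]) % P_MOD)
def f2_inv(x):
    n_inv = pow((x[0] * x[0] + x[1] * x[1]) % P_MOD, -1, P_MOD)  # norm a^2 + b^2 lies in F_p
    return ((x[0] * n_inv) % P_MOD, (-x[1] * n_inv) % P_MOD)
def f2_pow(x, e):
    acc = (1, 0)
    while e:
        if e & 1:
            acc = f2_mul(acc, x)
        x, e = f2_mul(x, x), e >> 1
    return acc
def lift(c):  # embed an F_p scalar into F_{p^2}
    return (c % P_MOD, 0)

def line_and_vertical(T, P, Q):
    """Evaluate at Q (a point of E(F_{p^2})) the line through T and P (tangent if T == P) and
    the vertical line at T + P; return (l(Q), v(Q), T + P). T and P are affine points of E(F_p)."""
    (xT, yT), (xP, yP), (xQ, yQ) = T, P, Q
    if xT == xP and (yT + yP) % P_MOD == 0:  # T == -P: the line is x = xP, T + P = O and v_O = 1
        return f2_sub(xQ, lift(xP)), (1, 0), INF
    if T == P:  # doubling: tangent slope
        lam = (3 * xT * xT + A_COEF) * pow((2 * yT) % P_MOD, -1, P_MOD) % P_MOD
    else:  # addition: chord slope
        lam = (yP - yT) * pow((xP - xT) % P_MOD, -1, P_MOD) % P_MOD
    xR = (lam * lam - xT - xP) % P_MOD
    yR = (lam * (xT - xR) - yT) % P_MOD
    l_Q = f2_sub(f2_sub(yQ, lift(yT)), f2_mul(lift(lam), f2_sub(xQ, lift(xT))))
    return l_Q, f2_sub(xQ, lift(xR)), (xR, yR)

def miller(P, Q, r):
    """f_{r,P}(Q) as on the slide: T <- P, f1 <- f2 <- 1; for each bit r_i below the leading one a
    doubling step (f1 <- f1^2 l_d(Q), f2 <- f2^2 v_d(Q)), then if r_i = 1 an addition step
    (f1 <- f1 l_a(Q), f2 <- f2 v_a(Q)); return f1 / f2. Assumes r is the exact order of P."""
    T, f1, f2 = P, (1, 0), (1, 0)
    for bit in bin(r)[3:]:  # r_{N-1} ... r_0
        l_d, v_d, T = line_and_vertical(T, T, Q)
        f1, f2 = f2_mul(f2_mul(f1, f1), l_d), f2_mul(f2_mul(f2, f2), v_d)
        if bit == "1":
            l_a, v_a, T = line_and_vertical(T, P, Q)
            f1, f2 = f2_mul(f1, l_a), f2_mul(f2, v_a)
    return f2_mul(f1, f2_inv(f2))

def distortion(P):
    """psi(x, y) = (-x, i*y): sends E(F_p)[r] into E(F_{p^2})[r] outside E(F_p) (example's assumption)."""
    return (lift(-P[0]), (0, P[1] % P_MOD))

def reduced_tate(P, Q):
    """Reduced Tate pairing e(P, Q) = f_{r,P}(Q)^((p^2 - 1)/r); the final exponentiation is not on the slide."""
    return f2_pow(miller(P, Q, R_ORDER), (P_MOD ** 2 - 1) // R_ORDER)

P_POINT = (18, 10)  # constructed: an order-3 point of E(F_23), since 18^3 + 18 = 10^2 = 8 mod 23
Q_POINT = distortion(P_POINT)
```

Bilinearity, $e([2]P, Q) = e(P, Q)^2$, and $e(P, Q)^3 = 1$ are the checks worth running on the output; with these parameters $e(P, Q) = 11 + 15i$.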

  9. Outline
  1 Pairing over elliptic curves: Definition and properties of pairing; Construction and example of pairings; Computation of pairings; Arithmetic of pairing based cryptography
  2 A more efficient arithmetic based on adapted bases: Definition of adapted bases; Multiplication in $\mathbb{F}_{p^k}$ using DFT; Complexity of our method
  3 Fault attack: Identity based cryptography; Fault attack; Fault attack against Miller's algorithm
  4 Conclusion and perspectives
  22 / 59

  10. The security of pairing
  Table: Security level
  Security level in bits               |   80 |  128 |  192 |   256
  Minimal number of bits for $r$       |  160 |  256 |  384 |   512
  Minimal number of bits for $p^k$     | 1024 | 3072 | 7680 | 15360
  23 / 59

  12. Computing pairings over elliptic curves
  Let $M_p$ be the cost of a multiplication in $\mathbb{F}_p$, $S_{p^k}$ the cost of a square and $M_{p^k}$ of a multiplication in $\mathbb{F}_{p^k}$.
  Miller's algorithm needs $N = [\log_2(r)] + 1$ iterations;
  the complexity of the doubling step is $8 S_p + (12 + 4k) M_p + 2 S_{p^k} + 2 M_{p^k}$;
  the complexity of the addition step is $6 S_p + (20 + 3k) M_p + 2 S_{p^k} + 2 M_{p^k}$.
  To improve pairing computation we can: reduce the number of operations in $\mathbb{F}_{p^k}$; improve the arithmetic in $\mathbb{F}_{p^k}$.
  24 / 59

  14. The traditional representation
  The representation of elements in $\mathbb{F}_p$ influences the arithmetic over $\mathbb{F}_p$. Usually we use a positional number representation, i.e. a representation using a base $\beta$ to represent integers: $a = \sum_{i=0}^{n-1} a_i \beta^i$ with $a_i \in \{0, \ldots, \beta - 1\}$ and $\beta^n > p$.
  Example: the decimal representation in $\mathbb{F}_{90001}$. Let $\beta = 10$ and $a = 71209$ in $\mathbb{F}_{90001}$. This element can be written $a = 7 \times 10^4 + 1 \times 10^3 + 2 \times 10^2 + 9$.
  26 / 59

  19. An adapted base
  Representation in adapted base: let $p$ be a prime, $0 < \gamma < p$ and $n > 0$, such that $\gamma^n \equiv \lambda \bmod p$ for a small $\lambda$.
  The representation in adapted base is $a = \sum_{i=0}^{n-1} a_i \gamma^i \bmod p$ with $|a_i| < \rho$, where $\rho \geq p^{1/n}$.
  We denote $a(t) = \sum_{i=0}^{n-1} a_i t^i$ the polynomial representation of $a$ in adapted base.
  Example: let $p = 19$ and $n = 3$; the element of $\mathbb{F}_p$ such that $\gamma^3 \equiv 1 \bmod p$ is $\gamma = 7$. The elements of $\mathbb{F}_p$ in adapted base will be polynomials in $\gamma$ of degree 2, with coefficients $0$, $1$ and $-1$.
  29 / 59

  25. An adapted base. Example ($p = 19$, $\gamma = 7$, so $\gamma^2 = 11$; the representation is not unique since $1 + \gamma + \gamma^2 \equiv 0 \bmod 19$)
   1: $1$                 |  2: $-\gamma^2 - \gamma + 1$ |  3: $\gamma^2 - \gamma - 1$  |  4: $\gamma^2 - \gamma$      |  5: $\gamma^2 - \gamma + 1$ |  6: $\gamma - 1$
   7: $\gamma$            |  8: $\gamma + 1$             |  9: $-\gamma^2 + 1$          | 10: $\gamma^2 - 1$           | 11: $\gamma^2$              | 12: $\gamma^2 + 1$
  13: $-\gamma + 1$       | 14: $-\gamma^2 + \gamma - 1$ | 15: $-\gamma^2 + \gamma$     | 16: $-\gamma^2 + \gamma + 1$ | 17: $\gamma^2 + \gamma - 1$ | 18: $-1$
  30 / 59

  26. Arithmetic in adapted base
  Reduction of the coefficients using Montgomery representation (Plantard-Nègre 07). To find the representation in adapted basis, we use an algorithm due to Thomas Plantard (2005).
  Arithmetic in adapted base: "Efficient Modular Arithmetic in Adapted Modular Number System Using Lagrange Representation", C. Nègre and T. Plantard, ACISP '08. The arithmetic is constructed in the Montgomery way, thus it has the same complexity. We have an efficient arithmetic over $\mathbb{F}_p$.
  31 / 59

  28. The multiplication by interpolation in $\mathbb{F}_{p^k}$
  Let $U$ and $V$ be elements of $\mathbb{F}_{p^k}$. They are polynomials $U(X), V(X) \in \mathbb{F}_p[X]$ of degree $k - 1$. The multiplication between $U$ and $V$ can be done like this:
  1 Polynomial multiplication $W(X) = U(X) \times V(X)$, using interpolation.
  2 Modular reduction using a polynomial of degree $k$ over $\mathbb{F}_p$.
  33 / 59

  32. Multiplication by interpolation
  Let $l \geq 2k - 1$ distinct elements $\alpha_0, \ldots, \alpha_{l-1}$ in $\mathbb{F}_p$.
  1 Evaluation: let $U(X)$ and $V(X)$ be of degree $k - 1$. We compute $\widehat{U} = (U(\alpha_0), \ldots, U(\alpha_{l-1}))$ and $\widehat{V} = (V(\alpha_0), \ldots, V(\alpha_{l-1}))$ using a matrix-vector product:
  $$\widehat{U} = \begin{pmatrix} 1 & \alpha_0 & \cdots & \alpha_0^{k-1} \\ 1 & \alpha_1 & \cdots & \alpha_1^{k-1} \\ \vdots & \vdots & & \vdots \\ 1 & \alpha_{l-1} & \cdots & \alpha_{l-1}^{k-1} \end{pmatrix} \times \begin{pmatrix} u_0 \\ u_1 \\ \vdots \\ u_{k-1} \end{pmatrix}$$
  2 Multiplication: $\widehat{W} = (\widehat{u}_0 \times \widehat{v}_0, \widehat{u}_1 \times \widehat{v}_1, \ldots, \widehat{u}_{l-1} \times \widehat{v}_{l-1})$.
  3 Interpolation: reconstruction of the coefficients of $W(X)$.
  34 / 59

  35. Polynomial multiplication using DFT
  Let $\alpha$ be an $l$-th primitive root of unity in $\mathbb{F}_p$, and $\alpha_i = \alpha^i$.
  The evaluation is the product by the matrix $\Omega$:
  $$\Omega = \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ 1 & \alpha & \alpha^2 & \cdots & \alpha^{l-1} \\ 1 & \alpha^2 & \alpha^4 & \cdots & \alpha^{2(l-1)} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha^{l-1} & \alpha^{2(l-1)} & \cdots & \alpha^{(l-1)(l-1)} \end{pmatrix}$$
  Denoting $\alpha' = \alpha^{-1}$, the interpolation is the product by:
  $$\Omega^{-1} = \frac{1}{l} \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ 1 & \alpha' & \alpha'^2 & \cdots & \alpha'^{l-1} \\ 1 & \alpha'^2 & \alpha'^4 & \cdots & \alpha'^{2(l-1)} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha'^{l-1} & \alpha'^{2(l-1)} & \cdots & \alpha'^{(l-1)(l-1)} \end{pmatrix}$$
  35 / 59

  37. Polynomial multiplication using DFT. Complexity
  The complexity of the multiplication is: Evaluation: product by the matrix $\Omega$; Multiplications: $2l$ products in $\mathbb{F}_p$; Interpolation: product by the matrix $\Omega^{-1}$.
  Products by $\Omega$ and $\Omega^{-1}$ are composed of multiplications by the powers $\alpha^i$ of $\alpha$.
  36 / 59
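The three steps of the slides (evaluation by $\Omega$, pointwise products, interpolation by $\Omega^{-1}$), followed by the reduction modulo a degree-$k$ polynomial, as an added Python example that is not code from the slides or the ACISP paper. The instance is constructed for the example: $p = 13$, $k = 3$, $l = 6$ (so $l \geq 2k - 1$ and $l \mid p - 1$), $\alpha = 4$ as primitive 6th root of unity, and $\mathbb{F}_{13^3} = \mathbb{F}_{13}[X]/(X^3 - 2)$.

```python
# Added example: DFT-based multiplication in F_{p^k} as described on the slides, over a
# constructed instance. p = 13, k = 3, l = 6 >= 2k - 1 with l | p - 1; alpha = 4 has order 6
# mod 13 (4^2 = 3, 4^3 = 12, 4^6 = 1), and X^3 - 2 is irreducible since 2 is not a cube mod 13.
P_MOD, K_DEG, L_POINTS, ALPHA = 13, 3, 6, 4

def vandermonde(root):
    """The l x l matrix (root^(i*j)): Omega for root = alpha, l * Omega^{-1} for root = alpha^{-1}."""
    return [[pow(root, i * j, P_MOD) for j in range(L_POINTS)] for i in range(L_POINTS)]

def mat_vec(matrix, vec):
    return [sum(m * v for m, v in zip(row, vec)) % P_MOD for row in matrix]

def poly_mul_dft(u, v):
    """Coefficients (lowest degree first) of W = U * V in F_p[X] for deg U, deg V <= k - 1."""
    u = u + [0] * (L_POINTS - len(u))  # pad to l entries: only u_0 .. u_{k-1} are nonzero
    v = v + [0] * (L_POINTS - len(v))
    omega = vandermonde(ALPHA)
    u_hat, v_hat = mat_vec(omega, u), mat_vec(omega, v)     # 1. evaluation at alpha^0 .. alpha^{l-1}
    w_hat = [a * b % P_MOD for a, b in zip(u_hat, v_hat)]    # 2. l pointwise products in F_p
    omega_inv = vandermonde(pow(ALPHA, -1, P_MOD))           # 3. interpolation: (1/l) * (alpha'^(ij))
    l_inv = pow(L_POINTS, -1, P_MOD)
    w = [c * l_inv % P_MOD for c in mat_vec(omega_inv, w_hat)]
    return w[:2 * K_DEG - 1]  # deg W <= 2k - 2, the remaining interpolated coefficients are 0

def poly_mul_schoolbook(u, v):
    """Reference product used only to cross-check the DFT route."""
    w = [0] * (len(u) + len(v) - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            w[i + j] = (w[i + j] + a * b) % P_MOD
    return w

def reduce_mod_x3_minus_2(w):
    """Second step of the slide: reduction modulo the degree-k polynomial X^3 - 2, i.e. X^3 = 2."""
    w = w + [0] * (2 * K_DEG - 1 - len(w))
    res = w[:K_DEG]
    for i in range(K_DEG, len(w)):  # X^i = 2 * X^(i-3)
        res[i - K_DEG] = (res[i - K_DEG] + 2 * w[i]) % P_MOD
    return res

def mul_fp3(u, v):
    """Full multiplication in F_{13^3}: DFT polynomial product, then modular reduction."""
    return reduce_mod_x3_minus_2(poly_mul_dft(u, v))
```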

  40. Using the DFT with the adapted base
  We combine the use of the adapted base and the DFT multiplication to improve the multiplication in $\mathbb{F}_{p^k}$.
  $l = k$, $\gamma$ such that $\gamma^l = -1$; $\alpha = \gamma$ is a $2k$-th primitive root of unity in $\mathbb{F}_p$.
  Consequences: multiplications by the powers $\gamma^j$ of $\gamma$ are composed of a shift and additions in $\mathbb{F}_p$:
  $$a \gamma^j = \Big(\sum_{i=0}^{n-1} a_i t^i\Big) t^j \bmod (t^n + 1) = \Big(\sum_{i=0}^{j-1} -a_{n-j+i} t^i\Big) + \Big(\sum_{i=j}^{n-1} a_{i-j} t^i\Big).$$
  Multiplications by $\Omega$ and $\Omega^{-1}$ are composed uniquely of additions in $\mathbb{F}_p$.
  37 / 59
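An added Python example (not code from the slides or the ACISP paper) covering both the adapted-base table of the $p = 19$, $\gamma = 7$ example and the shift rule above: it rebuilds the representation of every element of $\mathbb{F}_{19}$ with coefficients in $\{-1, 0, 1\}$ by exhaustive search (the slides instead cite Plantard's algorithm), and implements $a(t)\,t^j \bmod (t^n - \lambda)$ for a general $\lambda$, which for $\lambda = -1$ is exactly the formula above. The second base $\gamma = 12$ (with $12^3 \equiv -1 \bmod 19$) is a constructed value for the $\lambda = -1$ case.

```python
# Added example: adapted-base representation and the "multiply by gamma^j = shift" rule.
# The slides' instance is p = 19, n = 3, gamma = 7 (7^3 = 343 = 1 mod 19, so lambda = 1) with
# coefficients |a_i| < rho = 2. For lambda = -1 we also use gamma = 12 (12^3 = 18 = -1 mod 19).
from itertools import product

def eval_adapted(coeffs, gamma, p):
    """Value a = sum a_i gamma^i mod p of a polynomial representation (lowest degree first)."""
    return sum(a * pow(gamma, i, p) for i, a in enumerate(coeffs)) % p

def adapted_base_table(p, gamma, n, rho):
    """Map every element of F_p to one representation with n coefficients |a_i| < rho.
    Exhaustive search over (2 rho - 1)^n vectors: fine for toy sizes only. When several
    representations exist (here because 1 + gamma + gamma^2 = 0 mod 19) the first found is kept."""
    table = {}
    for coeffs in product(range(-(rho - 1), rho), repeat=n):
        table.setdefault(eval_adapted(coeffs, gamma, p), coeffs)
    return table

def mul_by_gamma_power(coeffs, j, lam):
    """Coefficients of a(t) * t^j mod (t^n - lambda): a cyclic shift by j positions in which the
    j coefficients that wrap around are multiplied by lambda. With lambda = -1 this is the slide's
    sum_{i<j} -a_{n-j+i} t^i + sum_{i>=j} a_{i-j} t^i, i.e. reduction modulo t^n + 1."""
    n = len(coeffs)
    return [lam * coeffs[n - j + i] if i < j else coeffs[i - j] for i in range(n)]

def shift_rule_holds(coeffs, gamma, p, lam, j):
    """Cross-check: the shifted representation evaluates to a * gamma^j computed directly in F_p."""
    n = len(coeffs)
    if pow(gamma, n, p) != lam % p:
        raise ValueError("gamma^n must be congruent to lambda mod p")
    direct = eval_adapted(coeffs, gamma, p) * pow(gamma, j, p) % p
    return eval_adapted(mul_by_gamma_power(coeffs, j, lam), gamma, p) == direct
```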

  42. Complexity of a multiplication in $\mathbb{F}_{p^k}$
  Using Karatsuba and Toom-Cook: for $k = 2^i 3^j$, $M_{p^k} = 3^i 5^j M_p$.
  Using DFT and adapted base: $M_{p^k} = 2k M_p$.
  39 / 59

  43. Results
  Table: Complexities for several values of $k$ ($M_{p^k}$ counted in additions $A_p$ and multiplications $M_p$ in $\mathbb{F}_p$)
  Method                    | $k$ | # $A_p$ | # $M_p$ | Ratio $M_p / A_p$
  Karatsuba/Toom-Cook       |   8 |      72 |      27 |
  Our method ($t^8 + 1$)    |   8 |     192 |      16 | < 11
  Karatsuba/Toom-Cook       |   9 |     160 |      25 |
  Our method ($t^8 + 1$)    |   9 |     208 |      18 | < 7
  Karatsuba/Toom-Cook       |  16 |     248 |      81 |
  Our method ($t^{16} + 1$) |  16 |     480 |      32 | < 5
  Karatsuba/Toom-Cook       |  18 |     480 |      75 |
  Our method ($t^{16} + 1$) |  18 |     576 |      39 | < 3
  40 / 59

  44. Conclusion [ACISP'09, with C. Nègre]
  We introduced a multiplication in $\mathbb{F}_{p^k}$ using DFT and adapted base. Our results are good for big values of $k$.
  41 / 59

  48. Cryptography from pairing. Identity based cryptography
  Identity based protocols are asymmetric protocols where the user's public key is his identity; a trusted authority gives him the associated private key.
  Example: Alice and Bob key exchange.
  44 / 59

  49. Cryptography from pairing. Secure key exchange between Alice and Bob
  45 / 59

  52. Side channel attacks
  During an identity based protocol, we know: the pairing algorithm, and the number of iterations ($N = [\log_2(r)] + 1$). The secret is one of the parameters of the pairing. The secret does not influence the algorithm.
  47 / 59

  55. Side channel attacks
  Side channel attacks use the implementation of an algorithm to find information about the secret. Fault attacks consist in disturbing the execution of an algorithm.
  The first fault attack in pairing based cryptography was developed by Page and Vercauteren for the Duursma and Lee algorithm.
  We study the vulnerability of Miller's algorithm toward fault attacks.
  48 / 59

  58. Description of the fault attacks
  We suppose that the pairing is used in an identity based protocol. The secret is the point $P$, first parameter during the computation of $e(P, Q)$. The second parameter $Q$ is known.
  Purpose of the fault attack: the aim of the attack is to modify the number of iterations of Miller's algorithm, in order to obtain the result of two consecutive iterations, $\tau$ and $\tau + 1$ iterations for $\tau \in \{1, \ldots, N\}$. We denote $F_{\tau,P}(Q)$ and $F_{\tau+1,P}(Q)$ the results of these iterations.
  50 / 59

  61. Description of the fault attack
  Target of the attack: the register where $N$ is stored. We modify it using lasers.
  Scheme of the attack: we execute Miller's algorithm several times with the same point $Q$, modifying the register at each execution. Using the clock cycles we can then find the number of iterations made. We repeat the operation until we obtain two consecutive iteration counts $\tau$ and $\tau + 1$.
  51 / 59

  63. Description of the fault attack. Probability
  We want to find two consecutive numbers randomly taken from 1 to $N$. This problem is like the birthday problem. We can compute the probability of success.
  Example: for $r$ an integer of size 256 bits, 15 tries are enough to obtain two consecutive numbers with a probability higher than 0.5, and 26 for a probability higher than 0.9.
  52 / 59
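The probability behind the figures above, as an added Python example that is not from the slides: it computes exactly, for $m$ independent uniform draws from $\{1, \ldots, N\}$ (the example's model of "randomly taken"; $N = 256$ for a 256-bit $r$), the probability that two of them are consecutive, by counting the sequences whose set of distinct values contains no two neighbours.

```python
# Added example: exact probability that m uniform draws from {1, ..., N} contain two
# consecutive values. Counting argument (assumption of the example: draws are independent
# and uniform, with replacement): the s-element subsets of {1..N} with no two consecutive
# numbers number C(N - s + 1, s), and exactly s! * S(m, s) sequences of length m have a
# given s-element set as their set of distinct values (surjections, S = Stirling numbers
# of the second kind). Summing over s counts every sequence without a consecutive pair.
from fractions import Fraction
from functools import lru_cache
from math import comb, factorial

@lru_cache(maxsize=None)
def stirling2(m, s):
    """S(m, s): number of ways to partition m labelled items into s non-empty blocks."""
    if m == s:
        return 1
    if s == 0 or s > m:
        return 0
    return s * stirling2(m - 1, s) + stirling2(m - 1, s - 1)

def prob_two_consecutive(N, m):
    """Exact probability (as a Fraction) that m draws from {1..N} contain values x and x + 1."""
    no_pair = sum(comb(N - s + 1, s) * factorial(s) * stirling2(m, s) for s in range(1, m + 1))
    return 1 - Fraction(no_pair, N ** m)

def runs_needed(N, target):
    """Smallest m whose success probability exceeds target (the slide gives 15 and 26 for N = 256)."""
    m = 1
    while prob_two_consecutive(N, m) <= target:
        m += 1
    return m
```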

  64. The ratio $R = \dfrac{F_{\tau+1,P}(Q)}{F_{\tau,P}(Q)^2}$
  We denote $F_{\tau,P}(Q)$ the result of the $\tau$-th iteration and $F_{\tau+1,P}(Q)$ the result of the $(\tau+1)$-th. The ratio $R = \dfrac{F_{\tau+1,P}(Q)}{F_{\tau,P}(Q)^2}$ gives us information about the secret.
  53 / 59
