Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
A practical Differential Power Analysis Attack against the Miller Algorithm Nadia El Mrabet Giorgio Di Natale Marie Lise Flottes LIRMM laboratory 161, rue Ada, 34 392 Montpellier, France Email: [email protected] LIRMM laboratory 161, rue Ada, 34 392 Montpellier, France Email: [email protected] LIRMM laboratory 161, rue Ada, 34 392 Montpellier, France Email: [email protected] Abstract— Pairings permit several protocol simplifications and original scheme creation, for example Identity Based Cryptography protocols. Initially, the use of pairings did not involve any secret entry, consequently, side channel attacks were not a threat for pairing based cryptography. On the contrary, in an Identity Based Cryptographic protocol, one of the two entries to the pairing is secret. Side Channel Attacks can be therefore applied to find this secret. We realize a Differential Power Analysis(DPA) against the Miller algorithm, the central step to compute the Weil, Tate and Ate pairing. We show that the countermeasure which consist in setting the secret during a pairing computation at the first parameter is not sufficient to prevent a DPA attack. Keywords: Pairing, Miller Algorithm, Pairing Based Cryptography, DPA. The paper is organised as follow, Section II recalls the Miller algorithm and the main pairing properties. Section III presents the circuit that has been designed in order to perform the calculation and the attack, whereas Section IV presents the results of the attack. Eventually, Section V concludes the paper and provides some perspectives for further works. II. PAIRINGS AND THE M ILLER ALGORITHM A. Short introduction to the pairing Let G1 and G2 be two abelian groups of order l, and G3 a multiplicative abelian group of the same order. A pairing is an application satisfying this definition: I. I NTRODUCTION The use of pairings in IBC involves a secret entry during the pairing calculation. Several pairing implementations exist, for example [19] and [2]. Side Channel Attacks (SCA) against pairing based cryptography were theoretically developed three years ago ([18], [21] and [11]). Page D. and Vercauteren F. suggested a Differential Power Analysis (DPA) attack against the Duursma and Lee algorithm in affine coordinates [18]; but they did not developed it. As mentionned in [20], Whelan et al. pointed out that pairings (except the ηT pairing) might not be vulnerable against DPA by setting the secret point to the first parameter. The conclusion in [21] is that Tate and Ate could withstand DPA if implemented with the secret being stationed in the first parameter. They conclude that using the secret as the first argument of the Miller algorithm is a natural countermeasure to a DPA attack of the Miller algorithm. The main contribution of this paper is the practical proof that DPA attacks can be successfully performed against IBC. Up to now, only theoretical demonstrations were published in literature. Moreover, we will show that we can successfully perform the attack, no matter the position of the secret (i.e. first or second parameter). We will focus on DPA attack against the Miller algorithm [17]. Most of the pairings calculations use the Miller algorithm as central step. It is the case for the Weil [6, chap. 16], Tate [19] and Ate [14] pairings. We will show how the attack can be carried out when Jacobian coordinates are used. At our best knowledge, it is the first time that an algorithm in Jacobian coordinates is attacked and clearly depicted by means of DPA. D EFINITION II-A: A pairing is a bilinear and non degenerate function: e : G1 × G2 → G3 We will consider pairings defined over an elliptic curve E over a finite field Fq , for q a prime number, or a power of a prime number different from 2 and 3. In characteristic 2 [11] and 3, the same scheme can be applied, but the equations are a little different. The equation of the elliptic curve E is Y 2 = X 3 + aXZ 4 + bZ 6 in Jacobian coordinates, with a and b ∈ Fq . The integer a can be considered to be (−3) as Brier and Joye have shown in [4]. Let l ∈ N∗ , and G1 ⊂ E(Fq ), G2 ⊂ E(Fqk ), G3 ⊂ F∗qk be three groups of order l, and k be the smallest integer such that l divides (q k − 1), k is called the embedding degree. The most useful property in pairing based cryptography is bilinearity: e([n]P, [m]Q) = e(P, Q)nm . A. Menezes gives a very good introduction to the pairing based cryptography [15]. Among all the pairings used in cryptography, three of them are constructed in the same way. The Miller algorithm [17] is an important step for Weil, Tate and Ate pairings computation. These pairings are described in the appendix ??. B. Miller algorithm The following description of the Miller algorithm is referenced in chap. 16 of [6]. The Miller algorithm is the central step for the Weil, Tate and Ate pairings computation. It is constructed like a double and add scheme using the construction of [l]P and based on the notion of divisor, here we will only give the indispensable elements for the pairing computation. The Miller algorithm constructs the rational function FP associated to the point P , P is a generator of G1 ⊂ E(Fq ); and at the same time, it evaluates FP (Q) for a point Q ∈ G2 ⊂ E(Fqk ). P is a lth root of the function FP ( if we use the divisor notion: Div(FP ) = lDiv(P ) − lDiv(P∞ ) ). The algorithm is such that the construction and the evaluation of the function FP at point Q are done simultaneously. Fig. 1. Miller algorithm Algorithm 1: Miller(P, Q, l) Data: l = (ln . . . l0 )(radix 2 representation), P ∈ G1 and Q ∈ G2 ; Result: FP (Q) ∈ G3 ; 1 : T ← P , f1 ← 1, f 0 1 ← 1,f2 ← 1, f 0 2 ← 1 for i = n − 1 to 0 do 2 : T ← [2]T 3 : f1 ←− f1 2 × h1 (Q) h1 equation of the tangent at point T 2 4 : f 0 1 ←− f 0 1 × h0 1 (Q) h0 1 the vertical line at point [2]T if li = 1 then 5 : T ←T +P 6 : f2 ←− f2 × h2 (Q) h2 equation of line (P T ) 7 : f 0 2 ←− f 0 2 × h0 2 (Q) h0 2 the vertical line at point T + P end end return ff011 × ff022 ∈ F∗qk We focused on an 8-bit architecture that performs all the calculations in modulo-251. Even if it is smaller than an actual circuit for pairing calculation, it allows anyway validating the principle of the attack. Indeed, DPA is performed focusing on a target node that depends on a small part of the key only (usually no more than 8 bits so that exhaustive analysis can be done). Anyway, also for a bigger architecture the DPA will concentrate on a sub-part of the circuit that operates on 8-bit only. In the case of multiplication between numbers expressed on 160 bits, the method used to detect the secret key is the following. First the attack is be performed on the least significant byte of the multiplication, so that the first 8 bits of the key are discovered. After that, the attack focuses on the second byte of the multiplier that depends on the first byte of the secret key (that now is known) and on the second byte (that is not know and whose size is 8 bit, thus 256 key hypothesis are required). The algorithm is repeat in this way up to the last byte of the secret key, so the overall time required to perform the attack is linear w.r.t the number of bytes of the secret key. C. Jacobian coordinates We consider that the elliptic curve over Fq is given in Jacobian coordinates: E : Y 2 = X 3 + aXZ 4 + bZ 6 , with a and b ∈ Fq . In Jacobian coordinates, the point P is P = (XP , YP , ZP ). To write P in affine coordinates we use YP P the relation P = ( X 2 , Z 3 , 1) for ZP 6= 0. As described in ZP P [12] and [1], for optimisation reasons point Q is in affine coordinates. We need at least two coordinates to find the point P , the third can be found using the elliptic curve equation. The equation of h1 is: h1 (x, y) = Z3 Z 2 y − 2Y 2 − 3(X − Z 2 )(X + Z 2 )(Z 2 x − X) where, T = (X, Y, Z) and [2]T = (X3 , Y3 , Z3 ) with Z3 = 2Y Z. Capital letters are elements of Fq , while lower case letters are elements of Fqk . III. D ESCRIPTION OF THE CIRCUIT In order to validate the DPA attack on the Miller algorithm, we implemented a circuit able to calculate the h1 function. Fig. 2. Circuit and algorithm for the calculation of h1 (xQ , yQ ) The circuit is sketched used as test bench in Figure 3. The datapath includes 3 registers for the 3 components of the secret key (X, Y, Z), 3 working registers (R1, R2, R3) and an ALU that implements a multiplication and a subtraction between two input variables X and Y , and the multiplications by 2 and by 3 of the result of the multiplication. The control unit (CU) drives all the signals to perform the calculation of the function h1 . In particular, the CU processes the input data (xQ , yQ ) and computes the final result in 15 clock cycles. The algorithm implemented by the CU is described in Figure 2. The circuit has been described in VHDL then synthesised using a 130nm technology provided by STm [22]. The overall area is equal to 79059 equivalent gates and the circuit can operate at 120 MHz. Fig. 3. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 element of Fqk . We demonstrate that in order to simplify the explanation, we can consider that k = 1, and then Q R1 = Z 2 × xQ coordinates are elements of Fq . This way, the multiplication R1 = Z 2 xQ − X ZP2 xQ is a multiplication in Fq . 2 R2 = X − Z Of course, the DPA attack works also when k > 1. Even R3 = X + Z 2 if the multiplication ZP2 xQ is a multiplication between an element of Fq and an element of Fqk , we can consider a R2 = 3(X − Z 2 )(X + Z 2 ) R3 = 3(X 2 − Z 4 )(Z 2 xQ − X) multiplication between two Fq elements, as explained ”ci dessous” P k−1 i Indeed, xQ ∈ Fqk is written : xQ = R1 = 2Y Z 3 i=0 xQ i ξ , 2 k−1 3 with (1, ξ, ξ , . . . , ξ ) a basis of Fqk , and; there exists R1 = 2Y Z yQ a polynomial R such that deg(R)P = k with ξ root i of k−1 2 R, (R(ξ) = 0). Then ZP2 xQ = Z × x Q R1 = 2Y Z 3 yQ − 2 × Y 2 P i=0 i ξ , is composed of k products in F . So we can focus on one q R1 = h1 (xQ , yQ ) of these k products in Fq to apply the DPA attack as described. Algorithm in the CU R1 = R3 = Z2 R1 = R1 × xQ R1 = R1 − X R2 = X − R3 R3 = X + R3 R2 = 3 × R2 × R3 R3 = R2 × R1 R1 = YZ R1 = 2R1 × Z2 R1 = R1 × yQ R2 = 2 × Y2 R1 = R1 − R2 R1 = R1 − R3 Output ready IV. DPA ATTACK AGAINST M ILLER ALGORITHM A. Context of the attack The aim of identity based encryption is that anyone is able to receive and read an encrypted message with almost no help, even if this person is not a cryptographer. The user’s public key is equal to his identity, and a trusted authority (TA ) sends him his private key. This trusted authority creates all the private keys related to an Identity Based (IB) protocol. The general scheme of identity based encryption is described in [5]. The important point during an IB protocol is that the decryption involves a pairing computation between the private key of the user and a public key. We call the public key the part of the message used during the pairing calculation involving the secret key. A potential attacker can know the algorithm used, the number of iterations and the exponent. The secret is only one of the argument of the pairing. The secret key influences neither the time execution nor the number of iterations of the algorithm, which is different from RSA or AES protocols. From here on, the secret will be denoted P and the public parameter (or the point used by the attacker) Q. We are going to describe a DPA attack against the Miller algorithm. We restrict this study to the case where the secret is used as the first argument of the pairing. If the secret is used as the second argument, the same attack can be applied. Setting the secret point to the first parameter is a countermeasure to SCA of pairing based cryptography given in [21]. We assume that the algorithm is implemented on an electronic device like a smart card and used in a protocol involving IBC. The attacker can send as many known entry Q for the decryption operation of IBC as he wants, and he can collect the power consumption curves. B. Convention 1) Multiplication in Fq : For each pairing used in IBC, Tate and twisted Ate, or Ate pairing, the target of the DPA attack is a multiplication between an element of Fq and an By the same way, to compute the difference (ZP2 xQ − X), we compute a difference between elements of Fq as in the affine case. P i 2 Indeed, if ZP2 xQ = k−1 i=0 (ZP xQ )i ξ then X k−1 2 i ZP2 xQ − X = (ZP2 xQ )0 − X + i=1 (ZP xQ )i ξ . 2) First iteration: We describe the attack for the first iteration. It is the simplest case, because we know that for this iteration T = P . We can provide the attack for the j th iteration. For this iteration we find T = [j]P , where [j]P represents the scalar multiplication of point P by the integer j. Finding j is very easy. C. Description of the attack and results In order to retrieve the secret key P = (XP , YP , ZP ), the circuit has to be used to perform some calculations while the power consumption of the physical device is monitored. In particular, the measure of the consumed power must be done during a time slot when the circuit calculates a result that depends on both the secret key and some controllable input data. We decided to observe the power consumption when the circuit performs the multiplication between ZP2 (a part of the secret key) and xQ (the input data). This operation is done during the second control step (see Figure 2). To retrieve the second part of the key (XP ) we focused on the subtraction between the previously performed multiplication and the key (third control step in Figure 2). The last part of the key (YP ) can be mathematically inferred from XP and ZP2 . Indeed, the elliptic curve equation 4 E : Y 2 = X 3 + aXZp + bZ 6 is a quadratic equation in YP . XP3 + aXP ZP4 + bZP6 gives us two The square root of possibilities for the value of YP , testing them by an execution of the Miller algorithm will give the correct coordinates for P . To avoid the cost of the circuit manufacturing and the drawbacks of the real experiments like experiment setup or noise management, we used an integrated simulation environment for the Differential Power Analysis [8] that returns power consumption traces from transistor level simulations. This DPA suite executes the statistical analysis. We used the Synopsys NanoSim [23] simulator that is an advanced circuit simulator for analog, high-performance digital and mixed-signal circuits. As proven in [8], the error obtained by electrical simulation is worthless with respect to the purpose of the validation. describe a DPA attack against pairing based cryptography and we realize the first practical DPA attack. We consider the countermeasure of [21], which consist in setting the secret at the first parameter of the pairing calculation. We demonstrate that if the secret is the first parameter in a pairing calculation, then we can find it. Our attack is also realistic when the secret is the second argument or the pairing. As a consequence Weil, Tate and Ate could not withstand such attacks, even if the secret is the first parameter. R EFERENCES Fig. 4. DPA attack against multiplication The attack of the first part of the key (Z component) has been carried out using 256 input vectors (256 transitions). As target node we considered the output of the multiplication, before the Modulo-251 operation. Since Z is coded over 8 bits, 256 = 28 key guesses must be evaluated. Figure 4 shows the result of the attack. The curve corresponding to the correct key is clearly identifiable among the 256 curves issued from the 256 key guesses since it has the most noticeable pick among all the curves. This curve, and more generally the curve corresponding to the highest integral value, corresponds to the biggest difference between power measures issued from sets P A and P B and thus means that transitions have been correctly assigned to the set P A (the target node effectively switches from 0 to 1). On the time axis, the instant 0 corresponds to beginning of the second control step. We apply the same method for the second part of the key (control step 3). Fig. 5. DPA attack against difference V. C ONCLUSION AND FURTHER WORK Previous studies of SCA against pairing based cryptography were just theoretical and did not provide any experiment. We [1] J.C. Bajard and N. El Mrabet, Pairing in cryptography: an arithmetic point of view, Advanced Signal Processing Algorithms, Architectures and Implementations XVI, SPIE, August, 2007. [2] G. M. Bertoni and L. Chen and P. Fragneto and K.A. Harrison and G. Pelosi, Computing Tate pairing on smartcards, White Paper, STMicroelectronics, [Online],2005. [3] D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, Advances in Cryptology CRYPTO 2001, LNCS,2001,vol 2139, pp 213-229. [4] , E. Brier and M. Joye, Fast Point Multiplication on Elliptic Curves through Isogenies, Applied Algebra, Algebraic Algorithms and ErrorCorrecting Codes 2003, LNCS, 2003, vol 2643, pp 43-50. [5] F. Blake and G. Seroussi and N. Smart, Advances in Elliptic Curve Cryptography,Cambridge University Press, 2005. [6] H. Cohen and G. Frey , Handbook of elliptic and hyperelliptic curve cryptography, Discrete Math. Appl., Chapman & Hall/CRC, 2006. [7] J.S. Coron, Resistance against Differential Power Analysis for elliptic curves cryptosystems, Proceedings of CHES ’99, LNCS, 1999. [8] G. Di Natale and M.-L Flottes and B. Rouzeyre, An Integrated Validation Environment for Differential Power Analysis, IEEE International Symposium on Electronic Design, Test & Applications, January 2008. [9] G. Frey and M. Muller and H.G. Ruck,The Tate Pairing and the Discrete Logarithm Applied to Elliptic Curve Cryptosystems, Information Theory, IEEE Transactions, 1999, vol 45, pp 1717-1719. [10] A. Joux,One Round Protocol for Tripartite Diffie-Hellman, Journal of Cryptology, number 17, 2004 (first version 2000), vol 17, pp 263-276. [11] K. Tae Hyun and T. Tsuyoshi and H. Dong-Guk and K. Ho Won and L. Jongin,Side Channel Attacks and Countermeasures on Pairing Based Cryptosystems over Binary Fields, The 5th International Conference on Cryptology and Network Security (CANS), 2006. [12] N. Koblitz and A. Menezes, Pairing-based cryptography at high security levels, Proceedings of the Tenth IMA International Conference on Cryptography and Coding, 2005 LNCS 3796. [13] P. Kocher and J. Jaffe and B. Jun, Differential power analysis, Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, 1999, LNCS 1666. [14] S. Matsuda and N. Kanayama and F. Hess and E. Okamoto, Optimised Versions of the Ate and Twisted Ate Pairings, Cryptography and Coding 2007, LNCS 4887pp 302-312. [15] A. Menezes, An introduction to pairing-based cryptography, Notes from lectures given in Santander, Spain, http://www.cacr.math.uwaterloo.ca/∼ajmeneze/ publications/pairings.pdf, 2005. [16] A. Menezes and T. Okamoto and S.A. Vanstone, Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field, Information Theory, IEEE Transactions, 1993 vol 39, pp 1639-1646. [17] V. Miller, The Weil pairing and its efficient calculation, Journal of Cryptology, 2004, LNCS 17, pp 235-261 [18] D. Page and F. Vercauteren, Fault and Side Channel Attacks on Pairing Based Cryptography, citeseer.ist.psu.edu/page04fault.html [19] M. Scott, Computing the Tate Pairing, Topics in Cryptology CT-RSA, 2005, LNCS 3376, pp 293-304. [20] M. Shirase and T. Takagi and E. Okamoto, An Efficient Countermeasure against Side Channel Attacks for Pairing Computation, Information Security Practice and Experience 2008, LNCS 4991, pp 290-303. [21] C. Whelan and M. Scott, Side Channel Analysis of Practical Pairing Implementation: Which Path is More Secure?, VietCrypt 2006, LNCS 4341, pp 99-114. [22] http://www.st.com [23] http://www.synopsys.com