Download A practical Differential Power Analysis Attack against the Miller

A practical Differential Power Analysis
Attack against the Miller Algorithm
Nadia El Mrabet
Giorgio Di Natale
Marie Lise Flottes
LIRMM laboratory
161, rue Ada, 34 392
Montpellier, France
Email: [email protected]
LIRMM laboratory
161, rue Ada, 34 392
Montpellier, France
Email: [email protected]
LIRMM laboratory
161, rue Ada, 34 392
Montpellier, France
Email: [email protected]
Abstract— Pairings permit several protocol simplifications and
original scheme creation, for example Identity Based Cryptography protocols. Initially, the use of pairings did not involve any
secret entry, consequently, side channel attacks were not a threat
for pairing based cryptography. On the contrary, in an Identity
Based Cryptographic protocol, one of the two entries to the
pairing is secret. Side Channel Attacks can be therefore applied
to find this secret. We realize a Differential Power Analysis(DPA)
against the Miller algorithm, the central step to compute the Weil,
Tate and Ate pairing. We show that the countermeasure which
consist in setting the secret during a pairing computation at the
first parameter is not sufficient to prevent a DPA attack.
Keywords: Pairing, Miller Algorithm, Pairing Based Cryptography, DPA.
The paper is organised as follow, Section II recalls the
Miller algorithm and the main pairing properties. Section III
presents the circuit that has been designed in order to perform
the calculation and the attack, whereas Section IV presents
the results of the attack. Eventually, Section V concludes the
paper and provides some perspectives for further works.
II. PAIRINGS AND THE M ILLER ALGORITHM
A. Short introduction to the pairing
Let G1 and G2 be two abelian groups of order l, and G3
a multiplicative abelian group of the same order. A pairing is
an application satisfying this definition:
I. I NTRODUCTION
The use of pairings in IBC involves a secret entry during
the pairing calculation. Several pairing implementations exist,
for example [19] and [2]. Side Channel Attacks (SCA) against
pairing based cryptography were theoretically developed three
years ago ([18], [21] and [11]). Page D. and Vercauteren F.
suggested a Differential Power Analysis (DPA) attack against
the Duursma and Lee algorithm in affine coordinates [18]; but
they did not developed it. As mentionned in [20], Whelan et
al. pointed out that pairings (except the ηT pairing) might not
be vulnerable against DPA by setting the secret point to the
first parameter. The conclusion in [21] is that Tate and Ate
could withstand DPA if implemented with the secret being
stationed in the first parameter. They conclude that using the
secret as the first argument of the Miller algorithm is a natural
countermeasure to a DPA attack of the Miller algorithm.
The main contribution of this paper is the practical proof
that DPA attacks can be successfully performed against IBC.
Up to now, only theoretical demonstrations were published in
literature. Moreover, we will show that we can successfully
perform the attack, no matter the position of the secret (i.e.
first or second parameter).
We will focus on DPA attack against the Miller algorithm
[17]. Most of the pairings calculations use the Miller algorithm
as central step. It is the case for the Weil [6, chap. 16], Tate
[19] and Ate [14] pairings. We will show how the attack can
be carried out when Jacobian coordinates are used. At our best
knowledge, it is the first time that an algorithm in Jacobian
coordinates is attacked and clearly depicted by means of DPA.
D EFINITION II-A:
A pairing is a bilinear and non degenerate function: e :
G1 × G2 → G3
We will consider pairings defined over an elliptic curve E
over a finite field Fq , for q a prime number, or a power of
a prime number different from 2 and 3. In characteristic 2
[11] and 3, the same scheme can be applied, but the equations
are a little different. The equation of the elliptic curve E is
Y 2 = X 3 + aXZ 4 + bZ 6 in Jacobian coordinates, with a and
b ∈ Fq . The integer a can be considered to be (−3) as Brier
and Joye have shown in [4]. Let l ∈ N∗ , and G1 ⊂ E(Fq ),
G2 ⊂ E(Fqk ), G3 ⊂ F∗qk be three groups of order l, and k be
the smallest integer such that l divides (q k − 1), k is called
the embedding degree.
The most useful property in pairing based cryptography is
bilinearity: e([n]P, [m]Q) = e(P, Q)nm . A. Menezes gives a
very good introduction to the pairing based cryptography [15].
Among all the pairings used in cryptography, three of them
are constructed in the same way. The Miller algorithm [17] is
an important step for Weil, Tate and Ate pairings computation.
These pairings are described in the appendix ??.
B. Miller algorithm
The following description of the Miller algorithm is referenced in chap. 16 of [6]. The Miller algorithm is the
central step for the Weil, Tate and Ate pairings computation.
It is constructed like a double and add scheme using the
construction of [l]P and based on the notion of divisor, here
we will only give the indispensable elements for the pairing
computation.
The Miller algorithm constructs the rational function FP
associated to the point P , P is a generator of G1 ⊂ E(Fq );
and at the same time, it evaluates FP (Q) for a point
Q ∈ G2 ⊂ E(Fqk ). P is a lth root of the function FP ( if we
use the divisor notion: Div(FP ) = lDiv(P ) − lDiv(P∞ ) ).
The algorithm is such that the construction and the evaluation
of the function FP at point Q are done simultaneously.
Fig. 1.
Miller algorithm
Algorithm 1: Miller(P, Q, l)
Data: l = (ln . . . l0 )(radix 2 representation), P ∈ G1 and
Q ∈ G2 ;
Result: FP (Q) ∈ G3 ;
1 : T ← P , f1 ← 1, f 0 1 ← 1,f2 ← 1, f 0 2 ← 1
for i = n − 1 to 0 do
2 : T ← [2]T
3 : f1 ←− f1 2 × h1 (Q) h1 equation of the tangent at
point T
2
4 : f 0 1 ←− f 0 1 × h0 1 (Q) h0 1 the vertical line at
point [2]T
if li = 1 then
5 : T ←T +P
6 : f2 ←− f2 × h2 (Q) h2 equation of line (P T )
7 : f 0 2 ←− f 0 2 × h0 2 (Q) h0 2 the vertical line at
point T + P
end
end
return ff011 × ff022 ∈ F∗qk
We focused on an 8-bit architecture that performs all the
calculations in modulo-251. Even if it is smaller than an actual
circuit for pairing calculation, it allows anyway validating the
principle of the attack. Indeed, DPA is performed focusing on
a target node that depends on a small part of the key only
(usually no more than 8 bits so that exhaustive analysis can
be done). Anyway, also for a bigger architecture the DPA will
concentrate on a sub-part of the circuit that operates on 8-bit
only.
In the case of multiplication between numbers expressed
on 160 bits, the method used to detect the secret key is
the following. First the attack is be performed on the least
significant byte of the multiplication, so that the first 8 bits of
the key are discovered. After that, the attack focuses on the
second byte of the multiplier that depends on the first byte of
the secret key (that now is known) and on the second byte (that
is not know and whose size is 8 bit, thus 256 key hypothesis
are required). The algorithm is repeat in this way up to the last
byte of the secret key, so the overall time required to perform
the attack is linear w.r.t the number of bytes of the secret key.
C. Jacobian coordinates
We consider that the elliptic curve over Fq is given in
Jacobian coordinates: E : Y 2 = X 3 + aXZ 4 + bZ 6 , with
a and b ∈ Fq . In Jacobian coordinates, the point P is
P = (XP , YP , ZP ). To write P in affine coordinates we use
YP
P
the relation P = ( X
2 , Z 3 , 1) for ZP 6= 0. As described in
ZP
P
[12] and [1], for optimisation reasons point Q is in affine
coordinates. We need at least two coordinates to find the point
P , the third can be found using the elliptic curve equation.
The equation of h1 is:
h1 (x, y) = Z3 Z 2 y − 2Y 2 − 3(X − Z 2 )(X + Z 2 )(Z 2 x − X)
where, T = (X, Y, Z) and [2]T = (X3 , Y3 , Z3 ) with Z3 =
2Y Z.
Capital letters are elements of Fq , while lower case letters are
elements of Fqk .
III. D ESCRIPTION OF THE CIRCUIT
In order to validate the DPA attack on the Miller algorithm,
we implemented a circuit able to calculate the h1 function.
Fig. 2.
Circuit and algorithm for the calculation of h1 (xQ , yQ )
The circuit is sketched used as test bench in Figure 3. The
datapath includes 3 registers for the 3 components of the secret
key (X, Y, Z), 3 working registers (R1, R2, R3) and an ALU
that implements a multiplication and a subtraction between
two input variables X and Y , and the multiplications by 2
and by 3 of the result of the multiplication. The control unit
(CU) drives all the signals to perform the calculation of the
function h1 . In particular, the CU processes the input data
(xQ , yQ ) and computes the final result in 15 clock cycles.
The algorithm implemented by the CU is described in Figure
2.
The circuit has been described in VHDL then synthesised
using a 130nm technology provided by STm [22]. The overall
area is equal to 79059 equivalent gates and the circuit can
operate at 120 MHz.
Fig. 3.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
element of Fqk . We demonstrate that in order to simplify
the explanation, we can consider that k = 1, and then Q
R1 = Z 2 × xQ
coordinates are elements of Fq . This way, the multiplication
R1 = Z 2 xQ − X
ZP2 xQ is a multiplication in Fq .
2
R2 = X − Z
Of course, the DPA attack works also when k > 1. Even
R3 = X + Z 2
if the multiplication ZP2 xQ is a multiplication between an
element of Fq and an element of Fqk , we can consider a
R2 = 3(X − Z 2 )(X + Z 2 )
R3 = 3(X 2 − Z 4 )(Z 2 xQ − X) multiplication between two Fq elements, as explained ”ci
dessous”
P k−1
i
Indeed, xQ ∈ Fqk is written : xQ =
R1 = 2Y Z 3
i=0 xQ i ξ ,
2
k−1
3
with (1, ξ, ξ , . . . , ξ
) a basis of Fqk , and; there exists
R1 = 2Y Z yQ
a polynomial R such that deg(R)P = k with ξ root
i of
k−1
2
R, (R(ξ) = 0). Then ZP2 xQ =
Z
×
x
Q
R1 = 2Y Z 3 yQ − 2 × Y 2
P
i=0
i ξ , is
composed
of
k
products
in
F
.
So
we
can
focus
on one
q
R1 = h1 (xQ , yQ )
of these k products in Fq to apply the DPA attack as described.
Algorithm in the CU
R1 = R3 = Z2
R1 = R1 × xQ
R1 = R1 − X
R2 = X − R3
R3 = X + R3
R2 = 3 × R2 × R3
R3 = R2 × R1
R1 = YZ
R1 = 2R1 × Z2
R1 = R1 × yQ
R2 = 2 × Y2
R1 = R1 − R2
R1 = R1 − R3
Output ready
IV. DPA ATTACK AGAINST M ILLER ALGORITHM
A. Context of the attack
The aim of identity based encryption is that anyone is able
to receive and read an encrypted message with almost no help,
even if this person is not a cryptographer. The user’s public key
is equal to his identity, and a trusted authority (TA ) sends him
his private key. This trusted authority creates all the private
keys related to an Identity Based (IB) protocol. The general
scheme of identity based encryption is described in [5].
The important point during an IB protocol is that the
decryption involves a pairing computation between the private
key of the user and a public key. We call the public key the part
of the message used during the pairing calculation involving
the secret key.
A potential attacker can know the algorithm used, the
number of iterations and the exponent. The secret is only
one of the argument of the pairing. The secret key influences
neither the time execution nor the number of iterations of the
algorithm, which is different from RSA or AES protocols.
From here on, the secret will be denoted P and the public
parameter (or the point used by the attacker) Q. We are going
to describe a DPA attack against the Miller algorithm. We
restrict this study to the case where the secret is used as the
first argument of the pairing. If the secret is used as the second
argument, the same attack can be applied. Setting the secret
point to the first parameter is a countermeasure to SCA of
pairing based cryptography given in [21].
We assume that the algorithm is implemented on an electronic device like a smart card and used in a protocol involving
IBC. The attacker can send as many known entry Q for the
decryption operation of IBC as he wants, and he can collect
the power consumption curves.
B. Convention
1) Multiplication in Fq : For each pairing used in IBC,
Tate and twisted Ate, or Ate pairing, the target of the DPA
attack is a multiplication between an element of Fq and an
By the same way, to compute the difference (ZP2 xQ − X),
we compute a difference between elements of Fq as in the
affine case.
P
i
2
Indeed, if ZP2 xQ = k−1
i=0 (ZP xQ )i ξ then
X k−1 2
i
ZP2 xQ − X = (ZP2 xQ )0 − X +
i=1 (ZP xQ )i ξ .
2) First iteration: We describe the attack for the first
iteration. It is the simplest case, because we know that for
this iteration T = P . We can provide the attack for the j th
iteration. For this iteration we find T = [j]P , where [j]P
represents the scalar multiplication of point P by the integer
j. Finding j is very easy.
C. Description of the attack and results
In order to retrieve the secret key P = (XP , YP , ZP ),
the circuit has to be used to perform some calculations
while the power consumption of the physical device is
monitored. In particular, the measure of the consumed power
must be done during a time slot when the circuit calculates
a result that depends on both the secret key and some
controllable input data. We decided to observe the power
consumption when the circuit performs the multiplication
between ZP2 (a part of the secret key) and xQ (the input
data). This operation is done during the second control
step (see Figure 2). To retrieve the second part of the key
(XP ) we focused on the subtraction between the previously
performed multiplication and the key (third control step in
Figure 2). The last part of the key (YP ) can be mathematically
inferred from XP and ZP2 . Indeed, the elliptic curve equation
4
E : Y 2 = X 3 + aXZp
+ bZ 6 is a quadratic equation in YP .
XP3 + aXP ZP4 + bZP6 gives us two
The square root of
possibilities for the value of YP , testing them by an execution
of the Miller algorithm will give the correct coordinates for P .
To avoid the cost of the circuit manufacturing and the
drawbacks of the real experiments like experiment setup or
noise management, we used an integrated simulation environment for the Differential Power Analysis [8] that returns
power consumption traces from transistor level simulations.
This DPA suite executes the statistical analysis. We used
the Synopsys NanoSim [23] simulator that is an advanced
circuit simulator for analog, high-performance digital and
mixed-signal circuits. As proven in [8], the error obtained by
electrical simulation is worthless with respect to the purpose
of the validation.
describe a DPA attack against pairing based cryptography and
we realize the first practical DPA attack. We consider the
countermeasure of [21], which consist in setting the secret at
the first parameter of the pairing calculation. We demonstrate
that if the secret is the first parameter in a pairing calculation,
then we can find it. Our attack is also realistic when the secret
is the second argument or the pairing. As a consequence Weil,
Tate and Ate could not withstand such attacks, even if the
secret is the first parameter.
R EFERENCES
Fig. 4.
DPA attack against multiplication
The attack of the first part of the key (Z component) has
been carried out using 256 input vectors (256 transitions). As
target node we considered the output of the multiplication,
before the Modulo-251 operation. Since Z is coded over 8
bits, 256 = 28 key guesses must be evaluated. Figure 4 shows
the result of the attack. The curve corresponding to the correct
key is clearly identifiable among the 256 curves issued from
the 256 key guesses since it has the most noticeable pick
among all the curves. This curve, and more generally the
curve corresponding to the highest integral value, corresponds
to the biggest difference between power measures issued from
sets P A and P B and thus means that transitions have been
correctly assigned to the set P A (the target node effectively
switches from 0 to 1). On the time axis, the instant 0
corresponds to beginning of the second control step. We apply
the same method for the second part of the key (control step
3).
Fig. 5.
DPA attack against difference
V. C ONCLUSION AND FURTHER WORK
Previous studies of SCA against pairing based cryptography
were just theoretical and did not provide any experiment. We
[1] J.C. Bajard and N. El Mrabet, Pairing in cryptography: an arithmetic
point of view, Advanced Signal Processing Algorithms, Architectures and
Implementations XVI, SPIE, August, 2007.
[2] G. M. Bertoni and L. Chen and P. Fragneto and K.A. Harrison and G.
Pelosi, Computing Tate pairing on smartcards, White Paper, STMicroelectronics, [Online],2005.
[3] D. Boneh and M. Franklin, Identity-based encryption from the Weil
pairing, Advances in Cryptology CRYPTO 2001, LNCS,2001,vol 2139,
pp 213-229.
[4] , E. Brier and M. Joye, Fast Point Multiplication on Elliptic Curves
through Isogenies, Applied Algebra, Algebraic Algorithms and ErrorCorrecting Codes 2003, LNCS, 2003, vol 2643, pp 43-50.
[5] F. Blake and G. Seroussi and N. Smart, Advances in Elliptic Curve
Cryptography,Cambridge University Press, 2005.
[6] H. Cohen and G. Frey , Handbook of elliptic and hyperelliptic curve
cryptography, Discrete Math. Appl., Chapman & Hall/CRC, 2006.
[7] J.S. Coron, Resistance against Differential Power Analysis for elliptic
curves cryptosystems, Proceedings of CHES ’99, LNCS, 1999.
[8] G. Di Natale and M.-L Flottes and B. Rouzeyre, An Integrated Validation
Environment for Differential Power Analysis, IEEE International Symposium on Electronic Design, Test & Applications, January 2008.
[9] G. Frey and M. Muller and H.G. Ruck,The Tate Pairing and the Discrete
Logarithm Applied to Elliptic Curve Cryptosystems, Information Theory,
IEEE Transactions, 1999, vol 45, pp 1717-1719.
[10] A. Joux,One Round Protocol for Tripartite Diffie-Hellman, Journal of
Cryptology, number 17, 2004 (first version 2000), vol 17, pp 263-276.
[11] K. Tae Hyun and T. Tsuyoshi and H. Dong-Guk and K. Ho Won and
L. Jongin,Side Channel Attacks and Countermeasures on Pairing Based
Cryptosystems over Binary Fields, The 5th International Conference on
Cryptology and Network Security (CANS), 2006.
[12] N. Koblitz and A. Menezes, Pairing-based cryptography at high security levels, Proceedings of the Tenth IMA International Conference on
Cryptography and Coding, 2005 LNCS 3796.
[13] P. Kocher and J. Jaffe and B. Jun, Differential power analysis, Proceedings of the 19th Annual International Cryptology Conference on Advances
in Cryptology, 1999, LNCS 1666.
[14] S. Matsuda and N. Kanayama and F. Hess and E. Okamoto, Optimised
Versions of the Ate and Twisted Ate Pairings, Cryptography and Coding
2007, LNCS 4887pp 302-312.
[15] A. Menezes, An introduction to pairing-based cryptography, Notes from lectures given in Santander, Spain,
http://www.cacr.math.uwaterloo.ca/∼ajmeneze/
publications/pairings.pdf, 2005.
[16] A. Menezes and T. Okamoto and S.A. Vanstone, Reducing Elliptic Curve
Logarithms to Logarithms in a Finite Field, Information Theory, IEEE
Transactions, 1993 vol 39, pp 1639-1646.
[17] V. Miller, The Weil pairing and its efficient calculation, Journal of
Cryptology, 2004, LNCS 17, pp 235-261
[18] D. Page and F. Vercauteren, Fault and Side Channel Attacks on Pairing
Based Cryptography, citeseer.ist.psu.edu/page04fault.html
[19] M. Scott, Computing the Tate Pairing, Topics in Cryptology CT-RSA,
2005, LNCS 3376, pp 293-304.
[20] M. Shirase and T. Takagi and E. Okamoto, An Efficient Countermeasure
against Side Channel Attacks for Pairing Computation, Information
Security Practice and Experience 2008, LNCS 4991, pp 290-303.
[21] C. Whelan and M. Scott, Side Channel Analysis of Practical Pairing
Implementation: Which Path is More Secure?, VietCrypt 2006, LNCS
4341, pp 99-114.
[22] http://www.st.com
[23] http://www.synopsys.com