Arithmetic of pairings, performance and weakness toward side channel attacks
Nadia El Mrabet
GREYC - LMNO, Université de Caen
Darmstadt, 29th of April 2010
Outline
1. Pairing over elliptic curves
   - Definition and properties of pairing
   - Construction and example of pairings
   - Computation of pairings
   - Arithmetic of pairing based cryptography
2. A more efficient arithmetic based on adapted bases
   - Definition of adapted bases
   - Multiplication in $\mathbb{F}_{p^k}$ using DFT
   - Complexity of our method
3. Fault attack
   - Identity based cryptography
   - Fault attack
   - Fault attack against Miller's algorithm
4. Conclusion and perspectives
What is a pairing? Properties
Let $G_1$, $G_2$ and $G_3$ be three abelian groups of the same order $r$. A pairing is a map
$e : (G_1, +) \times (G_2, +) \to (G_3, \times)$
with the following properties:
Non-degeneracy: $\forall P \in G_1, P \neq 0, \exists Q \in G_2$ s.t. $e(P, Q) \neq 1$
Bilinearity: $\forall P, P' \in G_1, \forall Q \in G_2, e(P + P', Q) = e(P, Q) \cdot e(P', Q)$
Consequence: $\forall j \in \mathbb{Z}, e(jP, Q) = e(P, Q)^j = e(P, jQ)$
Cryptology from pairing
The discrete logarithm problem in $G_1$ consists in finding the integer $a$ knowing $P \in G_1$ and $aP$. Let $Q$ be a point of $G_2$:
$e(aP, Q) = e(P, Q)^a$.
Cryptanalysis: the bilinearity of the pairing shifts the discrete logarithm problem from an elliptic curve to a discrete logarithm problem in a finite field. These are the MOV and Frey-Rück attacks.
Cryptology from pairing
Cryptography: pairings allow the construction of original protocols and the simplification of existing protocols:
- the tripartite Diffie-Hellman key exchange (Joux 2001),
- identity based cryptography (Boneh and Franklin 2001),
- short signature scheme (Boneh, Lynn, Shacham 2001).
Example: the construction of a key between Alice and Bob based on identity.
Cryptography from pairing: Secure key exchange between Alice and Bob (figure slide)
Pairings used in cryptography
The Weil pairing, the Tate pairing, the η pairing, and the Ate and Twisted Ate pairings are used in cryptography.
The Weil, Tate, Ate and Twisted Ate pairings are constructed on the same model: they share the central step of their computation.
Construction of pairings: Data
To compute a pairing, we need:
$E$ an elliptic curve over a field $K$:
$E(K) := \{(x, y) \in K \times K,\ y^2 = x^3 + ax + b,\ \text{with } a, b \in K\} \cup \{P_\infty\}$.
Figure: Elliptic curve for $K = \mathbb{R}$
The elliptic curve admits a group law: the addition.
Elliptic curve: group law - Addition (figure slide)
Elliptic curve: group law - Doubling (figure slide)
We denote $[r]P = \underbrace{P + P + \dots + P}_{r \text{ times}}$.
Construction of pairings: Data
To compute a pairing we need:
- $E$ an elliptic curve over a finite field $K \supset \mathbb{F}_p$, with $a, b \in \mathbb{F}_p$:
  $E(K) := \{(x, y) \in K \times K,\ y^2 = x^3 + ax + b\} \cup \{P_\infty\}$;
- $r$ a prime number dividing $\mathrm{card}(E(\mathbb{F}_p))$, and the set of points $E[r] = \{P \in E(\overline{\mathbb{F}_p}),\ [r]P = P_\infty\}$;
- the embedding degree $k$: the smallest integer such that $r \mid (p^k - 1)$; if $k > 1$ then $E[r] \subset E(\mathbb{F}_{p^k})$;
- the Miller function $f_{r,P}$ such that $P$ is a zero of order $r$ and $[r]P$ is a pole.
Construction of pairing: The Tate pairing
Let $P \in E(\mathbb{F}_p)[r]$, $Q \in E(\mathbb{F}_{p^k})/rE(\mathbb{F}_{p^k})$ and $k$ the embedding degree with respect to $r$.
The Tate pairing is the map:
$e_T : E(\mathbb{F}_p)[r] \times E(\mathbb{F}_{p^k})/rE(\mathbb{F}_{p^k}) \to \mathbb{F}_{p^k}^*$
$(P, Q) \mapsto f_{r,P}(Q)^{\frac{p^k - 1}{r}}$
Miller's equality: The function $f_{r,P}$
To compute pairings, we need to construct the rational function $f_{r,P}$ for $r$ a prime number. This function admits the point $P$ as a zero of order $r$ and the point $[r]P$ as a pole.
Victor Miller established the equation:
$f_{i+j,P} = f_{i,P} \times f_{j,P} \times \dfrac{l_{[i]P,[j]P}}{v_{[i+j]P}}$
where $l_{[i]P,[j]P}$ is the line through $[i]P$ and $[j]P$ and $v_{[i+j]P}$ is the vertical line through $[i+j]P$.
With this equation, we construct a sequence of functions such that the point $[i]P$ is a pole, for $i$ from 1 to $r$.
Miller's equality: Example
We want to compute $f_{5,P}$ using the binary decomposition $5 = (101)_2$ and the double-and-add principle:
Let $i = 1$.
The second bit of 5 is 0: $i := 2 \times i \Rightarrow i = 2$.
The third bit of 5 is 1: $i := 2 \times i \Rightarrow i = 4$, then $i := i + 1 \Rightarrow i = 5$.
On this scheme, we want to compute $f_{5,P}$ using Miller's equality and the binary decomposition of 5.
Miller's equality: Example
Let $f_{1,P} = 1$ by construction and $i = 1$.
$i := 2i$ ($i = 2$):
$f_{2,P} = f_{1,P} \times f_{1,P} \times \dfrac{l_{P,P}}{v_{[2]P}} = \dfrac{l_{P,P}}{v_{[2]P}}$
$i := 2i$ ($i = 4$):
$f_{4,P} = f_{2,P} \times f_{2,P} \times \dfrac{l_{[2]P,[2]P}}{v_{[4]P}} = f_{2,P}^2 \times \dfrac{l_{[2]P,[2]P}}{v_{[4]P}}$
$i := i + 1$ ($i = 5$):
$f_{5,P} = f_{4,P} \times \dfrac{l_{[4]P,P}}{v_{[5]P}}$
$f_{5,P} = \left( \left( \dfrac{l_{P,P}}{v_{[2]P}} \right)^2 \times \dfrac{l_{[2]P,[2]P}}{v_{[4]P}} \right) \times \dfrac{l_{[4]P,P}}{v_{[5]P}}$
Computation of pairings: Miller's algorithm returns $f_{r,P}(Q)$
Data: $r = (r_N \dots r_0)_2$, $P \in G_1 \subset E(\mathbb{F}_p)[r]$
Result: $[r]P$
    T ← P
    for i = N − 1 down to 0 do
        T ← [2]T
        if r_i = 1 then
            T ← T + P
        end
    end
    return T = [r]P
Computation of pairings: Miller's algorithm returns $f_{r,P}(Q)$
Data: $r = (r_N \dots r_0)_2$, $P \in G_1 \subset E(\mathbb{F}_p)[r]$ and $Q \in G_2 \subset E(\mathbb{F}_{p^k})[r]$
Result: $f_{r,P}(Q) \in G_3 \subset \mathbb{F}_{p^k}^*$
    T ← P, f1 ← 1, f2 ← 1
    for i = N − 1 down to 0 do
        T ← [2]T
        f1 ← f1² × l_d(Q)
        f2 ← f2² × v_d(Q)
        if r_i = 1 then
            T ← T + P
            f1 ← f1 × l_a(Q)
            f2 ← f2 × v_a(Q)
        end
    end
    return f1 / f2
Here $l_d$ and $v_d$ are the tangent line at $T$ and the vertical line at $[2]T$ of the doubling step, and $l_a$ and $v_a$ the line through $T$ and $P$ and the vertical line at $T + P$ of the addition step; $f1$ collects the numerators and $f2$ the denominators of Miller's equality.
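The loop above run end to end on a toy curve, as an added example constructed for this page (not the speaker's code): it keeps the numerator f1 and the denominator f2 apart as on the slide, returns $f_{r,P}(Q) = f1/f2$, applies the Tate final exponentiation $(p^k-1)/r$ and checks bilinearity; the double-and-add is the same as in the $f_{5,P}$ example, here for $r = 11$. It assumes the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_{43}$ with $r = 11$, $k = 2$, $\mathbb{F}_{p^2} = \mathbb{F}_p[i]/(i^2+1)$ and the distortion map $\psi(x, y) = (-x, iy)$ to obtain $Q$; none of these parameters appear on the slides.

```python
# Constructed toy example of the slide's Miller loop and Tate pairing; not the speaker's code.
p = 43        # p = 3 mod 4, so E: y^2 = x^3 + x is supersingular with #E(F_p) = p + 1 = 44
A = 1         # coefficient a of y^2 = x^3 + a*x + b, with b = 0
r = 11        # prime dividing #E(F_p): P and Q will have order r
k = 2         # embedding degree: 11 divides 43^2 - 1 = 1848 but not 43 - 1

# F_{p^2} = F_p[i] / (i^2 + 1); an element is a pair (a, b) standing for a + b*i.
def f2_add(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def f2_sub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def f2_mul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)
def f2_inv(u):
    d = pow(u[0]*u[0] + u[1]*u[1], -1, p)       # the norm of u is a nonzero element of F_p
    return (u[0]*d % p, -u[1]*d % p)
def f2_pow(u, e):
    res = (1, 0)
    while e:
        if e & 1: res = f2_mul(res, u)
        u, e = f2_mul(u, u), e >> 1
    return res

# Points of E(F_{p^2}) are pairs (x, y) of F_{p^2} elements; None is the point at infinity P_inf.
def slope(T, P):
    """Slope of the line through the finite points T and P (tangent at T when T == P)."""
    if T == P:
        num = f2_add(f2_mul((3, 0), f2_mul(T[0], T[0])), (A, 0))
        return f2_mul(num, f2_inv(f2_mul((2, 0), T[1])))
    return f2_mul(f2_sub(P[1], T[1]), f2_inv(f2_sub(P[0], T[0])))

def ec_add(T, P):
    """Group law of the slides (addition, or doubling when T == P)."""
    if T is None: return P
    if P is None: return T
    if T[0] == P[0] and (T != P or T[1] == (0, 0)):
        return None                                   # P = -T, the sum is P_inf
    lam = slope(T, P)
    x3 = f2_sub(f2_sub(f2_mul(lam, lam), T[0]), P[0])
    y3 = f2_sub(f2_mul(lam, f2_sub(T[0], x3)), T[1])
    return (x3, y3)

def ec_mul(n, P):
    """[n]P by double-and-add."""
    R = None
    for bit in bin(n)[2:]:
        R = ec_add(R, R)
        if bit == '1': R = ec_add(R, P)
    return R

def line(T, P, Q):
    """l_{T,P}(Q): the line through T and P (tangent at T if T == P) evaluated at Q."""
    if T[0] == P[0] and T != P:                       # T = -P: the line is the vertical x - x_T
        return f2_sub(Q[0], T[0])
    lam = slope(T, P)
    return f2_sub(f2_sub(Q[1], T[1]), f2_mul(lam, f2_sub(Q[0], T[0])))

def vertical(R, Q):
    """v_R(Q): the vertical line through R evaluated at Q; for R = P_inf it is the constant 1."""
    return (1, 0) if R is None else f2_sub(Q[0], R[0])

def miller(P, Q):
    """Miller's algorithm as on the slide; returns f_{r,P}(Q) = f1 / f2."""
    T, f1, f2 = P, (1, 0), (1, 0)
    for bit in bin(r)[3:]:                            # bits r_{N-1} ... r_0 of r
        f1 = f2_mul(f2_mul(f1, f1), line(T, T, Q))    # f1 <- f1^2 * l_d(Q), l_d = tangent at T
        T = ec_add(T, T)                              # T <- [2]T
        f2 = f2_mul(f2_mul(f2, f2), vertical(T, Q))   # f2 <- f2^2 * v_d(Q), v_d = vertical at [2]T
        if bit == '1':
            f1 = f2_mul(f1, line(T, P, Q))            # f1 <- f1 * l_a(Q), l_a = line through T and P
            T = ec_add(T, P)                          # T <- T + P
            f2 = f2_mul(f2, vertical(T, Q))           # f2 <- f2 * v_a(Q), v_a = vertical at T + P
    assert T is None                                  # T = [r]P = P_inf at the end of the loop
    return f2_mul(f1, f2_inv(f2))

def tate(P, Q):
    """Reduced Tate pairing e_T(P, Q) = f_{r,P}(Q)^((p^k - 1)/r)."""
    return f2_pow(miller(P, Q), (p**k - 1) // r)

def r_torsion_point():
    """A point of E(F_p)[r]: an F_p-rational point multiplied by the cofactor (p + 1)/r."""
    for x in range(1, p):
        for y in range(1, p):
            if (y*y - x**3 - A*x) % p == 0:
                P = ec_mul((p + 1) // r, ((x, 0), (y, 0)))
                if P is not None:
                    return P

def distortion(P):
    """psi(x, y) = (-x, i*y): maps E(F_p)[r] to points of E(F_{p^2})[r] outside E(F_p)."""
    return ((-P[0][0] % p, 0), (0, P[1][0]))

def check_pairing(a=3):
    """Returns (e != 1, e^r == 1, e(aP, Q) == e(P, Q)^a == e(P, aQ)) with Q = psi(P)."""
    P = r_torsion_point()
    Q = distortion(P)
    e = tate(P, Q)
    ea = f2_pow(e, a)
    return (e != (1, 0), f2_pow(e, r) == (1, 0),
            tate(ec_mul(a, P), Q) == ea and tate(P, ec_mul(a, Q)) == ea)
```

`check_pairing()` returns `(True, True, True)`: the pairing is non-degenerate, lands in the group of $r$-th roots of unity, and is bilinear in both arguments, which is the property the MOV and Frey-Rück reduction and the protocols of the earlier slides rely on.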
The security of pairing
Security level (bits)            |   80 |  128 |  192 |   256
Minimal number of bits for r     |  160 |  256 |  384 |   512
Minimal number of bits for p^k   | 1024 | 3072 | 7680 | 15360
Table: Security level
Computing pairings over elliptic curves
Let $M_p$ be the cost of a multiplication and $S_p$ the cost of a square in $\mathbb{F}_p$, $S_{p^k}$ the cost of a square and $M_{p^k}$ the cost of a multiplication in $\mathbb{F}_{p^k}$.
Miller's algorithm needs:
- $N = \lfloor \log_2(r) \rfloor + 1$ iterations;
- the complexity of the doubling step is $8S_p + (12 + 4k)M_p + 2S_{p^k} + 2M_{p^k}$;
- the complexity of the addition step is $6S_p + (20 + 3k)M_p + 2S_{p^k} + 2M_{p^k}$.
To improve pairing computation we can:
- reduce the number of operations in $\mathbb{F}_{p^k}$;
- improve the arithmetic in $\mathbb{F}_{p^k}$.
The traditional representation
The representation of elements in $\mathbb{F}_p$ influences the arithmetic over $\mathbb{F}_p$. Usually we use a positional number representation, that is, a representation of integers in a base $\beta$:
$a = \sum_{i=0}^{n-1} a_i \beta^i$ with $a_i \in \{0, \dots, \beta - 1\}$ and $\beta^n > p$.
Example: the decimal representation in $\mathbb{F}_{90001}$. Let $\beta = 10$ and $a = 71209$ in $\mathbb{F}_{90001}$. This element can be written $a = 7 \times 10^4 + 1 \times 10^3 + 2 \times 10^2 + 9$.
An adapted base
Representation in adapted base:
Let $p$ be a prime, $0 < \gamma < p$ and $n > 0$, such that $\gamma^n \equiv \lambda \bmod p$ for a small $\lambda$.
The representation in adapted base is:
$a = \sum_{i=0}^{n-1} a_i \gamma^i \bmod p$ with $|a_i| < \rho$, where $\rho \geq p^{1/n}$.
We denote $a(t) = \sum_{i=0}^{n-1} a_i t^i$ the polynomial representation of $a$ in adapted base.
An adapted base
Example
Let $p = 19$ and $n = 3$. We take $\gamma = 7$, which satisfies $\gamma^3 \equiv 1 \pmod{19}$. Elements of $\mathbb{F}_p$ in adapted base are then polynomials in $\gamma$ of degree 2 whose coefficients are $0$, $1$ and $-1$.
29 / 59
An adapted base: Example
Representations of $1, \ldots, 18 \in \mathbb{F}_{19}$ in the adapted base $\gamma = 7$ (each entry reduces to its column value modulo 19):

| $a$ | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|
| in adapted base | $1$ | $-\gamma^2 - \gamma + 1$ | $\gamma^2 - \gamma - 1$ | $\gamma^2 - \gamma$ | $\gamma^2 - \gamma + 1$ | $\gamma - 1$ |

| $a$ | 7 | 8 | 9 | 10 | 11 | 12 |
|---|---|---|---|---|---|---|
| in adapted base | $\gamma$ | $\gamma + 1$ | $-\gamma^2 + 1$ | $\gamma^2 - 1$ | $\gamma^2$ | $\gamma^2 + 1$ |

| $a$ | 13 | 14 | 15 | 16 | 17 | 18 |
|---|---|---|---|---|---|---|
| in adapted base | $-\gamma + 1$ | $-\gamma^2 + \gamma - 1$ | $-\gamma^2 + \gamma$ | $-\gamma^2 + \gamma + 1$ | $\gamma^2 + \gamma - 1$ | $-1$ |

30 / 59
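As an added example (not code from the slides or their authors), the following Python recomputes the adapted base representation for the slides' parameters $p = 19$, $\gamma = 7$, $n = 3$ by exhaustive search, and shows that multiplying by $\gamma^j$ is a shift of the digit vector with the wrapped digits scaled by $\lambda$ (the slides' formula is the case $\lambda = -1$); the function names are my own.

```python
# Added example (not the authors' code): representation of F_p elements in an
# adapted base gamma with gamma^n = lambda mod p, and multiplication by a power
# of gamma as a pure coefficient shift. Parameters are the slides' p = 19, n = 3,
# gamma = 7 (so lambda = 1); the brute-force search is only meant for small p.
from itertools import product


def eval_adapted(coeffs, gamma, p):
    """a = sum_i a_i * gamma^i mod p for the digit vector (a_0, ..., a_{n-1})."""
    return sum(a * pow(gamma, i, p) for i, a in enumerate(coeffs)) % p


def adapted_base_table(p, gamma, n, rho):
    """Map every residue mod p to a digit vector with |a_i| < rho, by exhaustive
    search over the (2*rho - 1)^n candidates (small p only). When a residue has
    several representations the one with the fewest non-zero digits is kept.
    Raises ValueError if some residue has no representation, i.e. rho is too small."""
    digits = range(-(rho - 1), rho)
    table = {}
    for coeffs in product(digits, repeat=n):
        a = eval_adapted(coeffs, gamma, p)
        weight = sum(1 for c in coeffs if c)
        if a not in table or weight < sum(1 for c in table[a] if c):
            table[a] = coeffs
    missing = sorted(set(range(p)) - table.keys())
    if missing:
        raise ValueError(f"no digit vector with |a_i| < {rho} for residues {missing}")
    return table


def mul_gamma_power(coeffs, j, lam):
    """Multiply a(t) by t^j modulo t^n - lam, i.e. multiply a by gamma^j in F_p,
    without any multiplication in F_p: digits that wrap past t^{n-1} come back at
    the low end scaled by lam. For lam = -1 this is the slides' formula
    (sum_{i<j} -a_{n-j+i} t^i) + (sum_{i>=j} a_{i-j} t^i); for lam = 1 it is a
    plain rotation. Digit magnitudes are unchanged, so no reduction is needed."""
    n = len(coeffs)
    j %= n
    wrapped = [lam * a for a in coeffs[n - j:]]   # t^{i+j}, i + j >= n  ->  lam * t^{i+j-n}
    return tuple(wrapped) + tuple(coeffs[:n - j])


def format_poly(coeffs, var="γ"):
    """Render a digit vector as a polynomial in var, highest degree first."""
    terms = []
    for i in range(len(coeffs) - 1, -1, -1):
        a = coeffs[i]
        if a == 0:
            continue
        if i == 0:
            body = str(abs(a))
        else:
            mono = var if i == 1 else f"{var}^{i}"
            body = mono if abs(a) == 1 else f"{abs(a)}{mono}"
        terms.append(("-" if a < 0 else "+", body))
    if not terms:
        return "0"
    out = ("-" if terms[0][0] == "-" else "") + terms[0][1]
    return out + "".join(f" {s} {b}" for s, b in terms[1:])


if __name__ == "__main__":
    p, gamma, n = 19, 7, 3                            # slides' example: 7^3 = 343 = 1 mod 19
    table = adapted_base_table(p, gamma, n, rho=2)    # digits in {-1, 0, 1}
    for a in range(1, p):
        print(f"{a:2d} = {format_poly(table[a])}")
    # gamma * a as a shift of the digits: 2 * 7 = 14 mod 19
    shifted = mul_gamma_power(table[2], 1, lam=1)
    assert eval_adapted(shifted, gamma, p) == (2 * gamma) % p
```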
Arithmetic in adapted base: reduction of the coefficients using Montgomery representation (Plantard-Negre 07)
To find the representation in adapted base, we use an algorithm due to Thomas Plantard (2005).
Arithmetic in adapted base
"Efficient Modular Arithmetic in Adapted Modular Number System Using Lagrange Representation", C. Negre and T. Plantard, ACISP '08. The arithmetic is constructed in the Montgomery way, so it has the same complexity. This gives an efficient arithmetic over $\mathbb{F}_p$.
31 / 59
The multiplication by interpolation in $\mathbb{F}_{p^k}$
Let $U$ and $V$ be elements of $\mathbb{F}_{p^k}$. They are polynomials $U(X), V(X) \in \mathbb{F}_p[X]$ of degree $k - 1$. The multiplication of $U$ and $V$ can be done as follows:
1. Polynomial multiplication $W(X) = U(X) \times V(X)$, using interpolation.
2. Modular reduction by a polynomial of degree $k$ over $\mathbb{F}_p$.
33 / 59
Multiplication by interpolation
Let $l \geq 2k - 1$ distinct elements $\alpha_0, \ldots, \alpha_{l-1}$ in $\mathbb{F}_p$.
1. Evaluation: let $U(X)$ and $V(X)$ be of degree $k - 1$. We compute
$\mathbf{U} = (U(\alpha_0), \ldots, U(\alpha_{l-1}))$ and $\mathbf{V} = (V(\alpha_0), \ldots, V(\alpha_{l-1}))$
using a matrix-vector product:
$$\mathbf{U} = \begin{pmatrix} 1 & \alpha_0 & \cdots & \alpha_0^{k-1} \\ 1 & \alpha_1 & \cdots & \alpha_1^{k-1} \\ \vdots & \vdots & & \vdots \\ 1 & \alpha_{l-1} & \cdots & \alpha_{l-1}^{k-1} \end{pmatrix} \times \begin{pmatrix} u_0 \\ u_1 \\ \vdots \\ u_{k-1} \end{pmatrix}.$$
2. Multiplication: $\mathbf{W} = (u_0 \times v_0, u_1 \times v_1, \ldots, u_{l-1} \times v_{l-1})$, where here $u_i = U(\alpha_i)$ and $v_i = V(\alpha_i)$ denote the evaluated values.
3. Interpolation: reconstruction of the coefficients of $W(X)$.
34 / 59
Polynomial multiplication using DFT
Let $\alpha$ be a primitive $l$-th root of unity in $\mathbb{F}_p$ and take $\alpha_i = \alpha^i$.
The evaluation is the product by the matrix $\Omega$:
$$\Omega = \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ 1 & \alpha & \alpha^2 & \cdots & \alpha^{l-1} \\ 1 & \alpha^2 & \alpha^4 & \cdots & \alpha^{2(l-1)} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha^{l-1} & \alpha^{2(l-1)} & \cdots & \alpha^{(l-1)(l-1)} \end{pmatrix}$$
Denoting $\alpha' = \alpha^{-1}$, the interpolation is the product by:
$$\Omega^{-1} = \frac{1}{l} \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ 1 & \alpha' & \alpha'^2 & \cdots & \alpha'^{l-1} \\ 1 & \alpha'^2 & \alpha'^4 & \cdots & \alpha'^{2(l-1)} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha'^{l-1} & \alpha'^{2(l-1)} & \cdots & \alpha'^{(l-1)(l-1)} \end{pmatrix}$$
35 / 59
Polynomial multiplication using DFT
Complexity
The complexity of the multiplication is:
Evaluation: product by the matrix $\Omega$,
Multiplications: $2l$ products in $\mathbb{F}_p$,
Interpolation: product by the matrix $\Omega^{-1}$.
Products by $\Omega$ and $\Omega^{-1}$ consist of multiplications by powers of $\alpha$.
36 / 59
Using the DFT with the adapted base
We combine the use of the adapted base and the DFT multiplication to improve the multiplication in $\mathbb{F}_{p^k}$:
$l = k$,
$\gamma$ such that $\gamma^l = -1$,
$\alpha = \gamma$ is a primitive $2k$-th root of unity in $\mathbb{F}_p$.
Consequences
Multiplications by powers $\gamma^j$ consist of a shift and additions in $\mathbb{F}_p$:
$$a \gamma^j = \Big(\sum_{i=0}^{n-1} a_i t^i\Big) t^j \bmod (t^n + 1) = \Big(\sum_{i=0}^{j-1} -a_{n-j+i}\, t^i\Big) + \Big(\sum_{i=j}^{n-1} a_{i-j}\, t^i\Big).$$
Multiplications by $\Omega$ and $\Omega^{-1}$ are composed only of additions in $\mathbb{F}_p$.
37 / 59
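An added example (not the authors' code) implementing the evaluation, pointwise product and interpolation steps of the preceding slides as a multiplication in $\mathbb{F}_{p^k} = \mathbb{F}_p[X]/(X^k + 1)$ with $l = k$ points and $\gamma^k = -1$. It assumes the evaluation points are the $k$ roots $\gamma^{2i+1}$ of $X^k + 1$ (the usual negacyclic DFT, which the slides do not spell out), and checks the result against schoolbook multiplication.

```python
# Added example (not the authors' code): multiplication in F_{p^k} = F_p[X]/(X^k + 1)
# by evaluation / pointwise product / interpolation with l = k points, as on the
# slides (gamma^k = -1, alpha = gamma a primitive 2k-th root of unity). Assumption:
# the k evaluation points are the roots gamma^(2i+1) of X^k + 1 (the usual
# negacyclic DFT), computed as a twist by gamma^j followed by a length-k DFT with
# omega = gamma^2. Coefficients are plain integers mod p here; in the adapted base
# of the slides every multiplication by a power of gamma below becomes a shift.


def schoolbook_mul(u, v, p):
    """Reference result: u(X) * v(X) reduced modulo X^k + 1, i.e. with X^k = -1."""
    k = len(u)
    w = [0] * k
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            if i + j < k:
                w[i + j] = (w[i + j] + ui * vj) % p
            else:                       # X^{i+j} = -X^{i+j-k}
                w[i + j - k] = (w[i + j - k] - ui * vj) % p
    return w


def dft(vec, omega, p):
    """Product by the matrix Omega = (omega^(i*j)): out_i = sum_j vec_j * omega^(i*j).
    Written as the plain O(k^2) matrix product of the slides, not a fast FFT."""
    k = len(vec)
    return [sum(vec[j] * pow(omega, i * j, p) for j in range(k)) % p for i in range(k)]


def dft_mul(u, v, p, gamma):
    """u * v in F_p[X]/(X^k + 1), k = len(u) = len(v), using k pointwise products in F_p."""
    k = len(u)
    if len(v) != k or pow(gamma, k, p) != p - 1:
        raise ValueError("need len(u) == len(v) == k and gamma^k == -1 mod p")
    omega = pow(gamma, 2, p)                       # primitive k-th root of unity
    # 1. Evaluation at gamma^(2i+1), i = 0..k-1: U_i = sum_j (u_j gamma^j) omega^(i j).
    eval_u = dft([(u[j] * pow(gamma, j, p)) % p for j in range(k)], omega, p)
    eval_v = dft([(v[j] * pow(gamma, j, p)) % p for j in range(k)], omega, p)
    # 2. Pointwise multiplication: exactly k products in F_p.
    prod = [(a * b) % p for a, b in zip(eval_u, eval_v)]
    # 3. Interpolation: product by Omega^{-1} = (1/k) (omega^{-i j}), then undo the twist.
    inv_k = pow(k, -1, p)
    inv_gamma = pow(gamma, -1, p)
    twisted_w = dft(prod, pow(omega, -1, p), p)
    return [(twisted_w[j] * inv_k * pow(inv_gamma, j, p)) % p for j in range(k)]


if __name__ == "__main__":
    # Constructed parameters: p = 257, k = 8, gamma = 2. Since 2^8 = 256 = -1 mod 257,
    # gamma is a primitive 16-th root of unity and multiplying by gamma^j is a binary shift.
    p, gamma = 257, 2
    u = [1, 2, 3, 4, 5, 6, 7, 8]
    v = [8, 7, 6, 5, 4, 3, 2, 1]
    print(dft_mul(u, v, p, gamma))
    assert dft_mul(u, v, p, gamma) == schoolbook_mul(u, v, p)
```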
Complexity of a multiplication in $\mathbb{F}_{p^k}$
Using Karatsuba and Toom-Cook: for $k = 2^i 3^j$, $M_{p^k} = 3^i 5^j M_p$.
Using DFT and adapted base: $M_{p^k} = 2k\, M_p$.
39 / 59
Results
Table: Complexities for several values of $k$ ($A_p$: additions in $\mathbb{F}_p$, $M_p$: multiplications in $\mathbb{F}_p$)

| Method | $k$ | $M_{p^k}$: # $A_p$ | $M_{p^k}$: # $M_p$ | Ratio $M_p / A_p$ |
|---|---|---|---|---|
| Karatsuba/Toom-Cook | 8 | 72 | 27 | |
| Our method $t^8 + 1$ | 8 | 192 | 16 | < 11 |
| Karatsuba/Toom-Cook | 9 | 160 | 25 | |
| Our method $t^8 + 1$ | 9 | 208 | 18 | < 7 |
| Karatsuba/Toom-Cook | 16 | 248 | 81 | |
| Our method $t^{16} + 1$ | 16 | 480 | 32 | < 5 |
| Karatsuba/Toom-Cook | 18 | 480 | 75 | |
| Our method $t^{16} + 1$ | 18 | 576 | 39 | < 3 |

40 / 59
Conclusion
[ACISP'09] with C. Negre
We introduced a multiplication in $\mathbb{F}_{p^k}$ using DFT and adapted base.
Our results are good for large values of $k$.
41 / 59
Cryptography from pairing: identity based cryptography
Identity based protocols are asymmetric protocols where
the user's public key is his identity,
a trusted authority gives him the associated private key.
Example
Alice and Bob key exchange
44 / 59
Cryptography from pairing: secure key exchange between Alice and Bob
45 / 59
Side channel attacks
During an identity based protocol, we know:
the pairing algorithm,
the number of iterations ($N = [\log_2(r)] + 1$).
The secret is one of the parameters of the pairing.
The secret does not influence the course of the algorithm.
47 / 59
Side channel attacks
Side channel attacks use the implementation of an algorithm to find information about the secret.
Fault attacks consist in disturbing the execution of an algorithm.
The first fault attack in pairing based cryptography was developed by Page and Vercauteren for the Duursma and Lee algorithm.
We study the vulnerability of Miller's algorithm toward fault attacks.
48 / 59
Description of the fault attack
We suppose that the pairing is used in an identity based protocol.
The secret is the point $P$, first parameter in the computation of $e(P, Q)$.
The second parameter $Q$ is known.
Purpose of the fault attack
The aim of the attack is to modify the number of iterations of Miller's algorithm, in order to obtain the results of two consecutive iteration counts: $\tau$ and $\tau + 1$ iterations for $\tau \in \{1, \ldots, N\}$. We denote $F_{\tau,P}(Q)$ and $F_{\tau+1,P}(Q)$ the results of these iterations.
50 / 59
Description of the fault attack
Target of the attack
The register where $N$ is stored. We modify it using lasers.
Scheme of the attack
We execute Miller's algorithm several times with the same point $Q$, modifying the register at each execution.
Counting the clock cycles afterwards tells us the number of iterations performed.
We repeat the operation until we obtain two consecutive iteration counts $\tau$ and $\tau + 1$.
51 / 59
Description of the fault attack
Probability
We want to obtain two consecutive numbers among numbers randomly taken from $1$ to $N$.
This problem is like the birthday problem. We can compute the probability of success.
Example
For $r$ an integer of size 256 bits, 15 tries are enough to obtain two consecutive numbers with probability higher than 0.5, and 26 tries for a probability higher than 0.9.
52 / 59
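An added example (not the authors' code) that computes this probability exactly, to see where the figures 15 and 26 come from: each run yields a uniformly random count in $\{1, \ldots, N\}$ and success means two counts $\tau$, $\tau + 1$. The closed form is my own derivation (the slides only liken the problem to the birthday problem), and $N = 256$ for a 256-bit $r$ follows from $N = [\log_2 r] + 1$.

```python
# Added example (not the authors' code): the probability behind the slides' figures
# "15 tries for > 0.5, 26 tries for > 0.9". Each faulted run yields a uniformly random
# iteration count in {1, ..., N}; the attack needs two runs whose counts are
# consecutive. The exact formula is my own derivation (the slides only liken the
# problem to the birthday problem):
#     P(no consecutive pair) = sum_s C(N-s+1, s) * s! * S(m, s) / N^m,
# where s is the number of distinct values drawn, C(N-s+1, s) counts the s-subsets
# of {1..N} with no two adjacent values, and s! * S(m, s) (S = Stirling numbers of
# the second kind) counts the length-m sequences whose value set has exactly s elements.
from fractions import Fraction
from math import comb, factorial


def stirling2_row(m):
    """[S(m, 0), ..., S(m, m)] via S(n, s) = s * S(n-1, s) + S(n-1, s-1)."""
    row = [1]                                   # S(0, 0) = 1
    for n in range(1, m + 1):
        new = [0] * (n + 1)
        for s in range(1, n + 1):
            new[s] = (s * row[s] if s < n else 0) + row[s - 1]
        row = new
    return row


def prob_consecutive(N, m):
    """Exact probability that m independent uniform draws from {1, ..., N}
    contain some pair of values tau and tau + 1 (returned as a Fraction)."""
    S = stirling2_row(m)
    no_pair = sum(Fraction(comb(N - s + 1, s) * factorial(s) * S[s], N ** m)
                  for s in range(0, min(m, N) + 1))
    return 1 - no_pair


def tries_needed(N, target):
    """Smallest number of runs m for which prob_consecutive(N, m) > target."""
    m = 2
    while prob_consecutive(N, m) <= target:
        m += 1
    return m


def miller_iterations(r):
    """N = [log2(r)] + 1, the number of iterations of Miller's algorithm for the order r."""
    return r.bit_length()                       # floor(log2 r) + 1 for r >= 1


if __name__ == "__main__":
    N = miller_iterations(2**256 - 1)           # any 256-bit r gives N = 256 (constructed r)
    for m in (15, 26):
        print(m, "tries:", float(prob_consecutive(N, m)))
    print("runs for p > 0.5:", tries_needed(N, 0.5), " for p > 0.9:", tries_needed(N, 0.9))
```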
The ratio $R = F_{\tau+1,P}(Q) / F_{\tau,P}(Q)^2$
We denote $F_{\tau,P}(Q)$ the result of the $\tau$-th iteration and $F_{\tau+1,P}(Q)$ the result of the $(\tau+1)$-th. The ratio
$$R = \frac{F_{\tau+1,P}(Q)}{F_{\tau,P}(Q)^2}$$
gives us information about the secret.
During the $\tau$-th step, $T = [j]P$ in Miller's algorithm.
We denote $[j]P = (X_j, Y_j, Z_j)$ the secret and $Q = (x_Q, y_Q)$ the known point in $e(P, Q)$.
Writing down the equation we find:
$$R = Z_{2j} Z_j^2 y_Q - 2Y_j^2 - (3X_j^2 - aZ_j^4)(x_Q Z_j^2 - X_j).$$
With the theoretical decomposition of $R$ and its value we can construct a system.
53 / 59
The ratio $R = \dfrac{F_{\tau+1,P}(Q)}{F_{\tau,P}(Q)^2}$

The system is:

$$Y_j Z_j^3 = \lambda_2$$
$$Z_j^2 (X_j^2 - Z_j^4) = \lambda_1$$
$$3X_j (X_j^2 - Z_j^4) + 2Y_j^2 = \lambda_0,$$

where $\lambda_0$, $\lambda_1$ and $\lambda_2$ are known in $\mathbb{F}_p$.

The resolution of this system gives $X_j$ and $Y_j$ as functions of $Z_j$. We can construct an equation admitting $Z_j$ as a solution:

$$(\lambda_0^2 - 9\lambda_1^2) Z^{12} - (4\lambda_0 \lambda_2^2 + 9\lambda_1^3) Z^6 + 4\lambda_2^4 \equiv 0 \pmod p$$

54 / 59
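As an added example that is not part of the slides, the system above carried through in Python over a toy prime: the three λ's are computed from a constructed Jacobian point, Z_j is checked to be a root of the degree-12 polynomial, and X_j, Y_j are recovered from it. The prime p = 1009 and the point coordinates are constructed values, not from the talk.

```python
# Added example (not from the slides): the slide's system, with the constants
# lambda_0, lambda_1, lambda_2 computed from a constructed point (X_j, Y_j, Z_j).
# It verifies that Z_j is a root of the degree-12 polynomial and that X_j, Y_j
# follow from Z_j, i.e. that these three field elements determine the secret
# point up to at most 12 candidates for Z_j.

P_MOD = 1009  # constructed small prime standing in for the field characteristic p


def lambdas(X, Y, Z, p=P_MOD):
    """The three known values of the slide's system, as functions of the secret point."""
    l2 = Y * pow(Z, 3, p) % p                              # Y Z^3
    l1 = pow(Z, 2, p) * (X * X - pow(Z, 4, p)) % p         # Z^2 (X^2 - Z^4)
    l0 = (3 * X * (X * X - pow(Z, 4, p)) + 2 * Y * Y) % p  # 3X (X^2 - Z^4) + 2Y^2
    return l0, l1, l2


def z_polynomial(l0, l1, l2, Z, p=P_MOD):
    """(l0^2 - 9 l1^2) Z^12 - (4 l0 l2^2 + 9 l1^3) Z^6 + 4 l2^4 mod p.

    The constant term 4 l2^4 is what eliminating X and Y from the system gives:
    X = (l0 Z^6 - 2 l2^2) / (3 l1 Z^4) substituted into X^2 = l1 / Z^2 + Z^4."""
    z6 = pow(Z, 6, p)
    z12 = z6 * z6 % p
    return ((l0 * l0 - 9 * l1 * l1) * z12
            - (4 * l0 * l2 * l2 + 9 * l1 ** 3) * z6
            + 4 * l2 ** 4) % p


def candidate_z(l0, l1, l2, p=P_MOD):
    """All nonzero Z in F_p that satisfy the polynomial (at most 12 of them).
    Exhaustive search is only viable because p is a toy prime here."""
    return [z for z in range(1, p) if z_polynomial(l0, l1, l2, z, p) == 0]


def recover_xy(l0, l1, l2, Z, p=P_MOD):
    """Solve the system for X_j and Y_j once Z_j is known (needs l1 != 0)."""
    Y = l2 * pow(pow(Z, 3, p), -1, p) % p                 # from Y Z^3 = l2
    # from 3X (X^2 - Z^4) + 2Y^2 = l0 and Z^2 (X^2 - Z^4) = l1: 3X l1 / Z^2 = l0 - 2Y^2
    X = (l0 - 2 * Y * Y) * pow(Z, 2, p) * pow(3 * l1, -1, p) % p
    return X, Y


if __name__ == "__main__":
    Xj, Yj, Zj = 123, 456, 7                # constructed secret point in Jacobian coordinates
    l0, l1, l2 = lambdas(Xj, Yj, Zj)
    print("Z_j is a root:", z_polynomial(l0, l1, l2, Zj) == 0)
    print("candidates for Z_j:", candidate_z(l0, l1, l2))
    print("recovered (X_j, Y_j):", recover_xy(l0, l1, l2, Zj))
```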
Conclusion

[ISA'09]

Miller's algorithm is vulnerable to a fault attack.

Vulnerability of pairings based on Miller's algorithm

The Weil pairing is directly sensitive to this attack.

The Tate, Ate and Twisted Ate pairings are constructed in the same way: $e_T(P,Q) = (f_{r,P}(Q))^{\frac{p^k-1}{r}}$. This exponentiation is for the moment a countermeasure to this attack, but...

55 / 59
Conclusion

We now know two aspects of pairing based cryptography:

performance of the arithmetic,

security of pairing based cryptography.

57 / 59
Perspectives
Arithmetic of pairings
Implementation of pairings:
Using original representation.
For particular families of elliptic curves.
Find pairing friendly elliptic curves.
Security of pairings
Realize the fault attack.
Implementation of countermeasures to side channel attacks.
58 / 59
Thank you for your attention
59 / 59