Cryptography and Communications, Volume 7, Issue 1, pp 185–205

A survey of fault attacks in pairing based cryptography

  • Nadia El Mrabet
  • Jacques J. A. Fournier
  • Louis Goubin
  • Ronan Lashermes


The latest implementations of pairings allow efficient schemes for Pairing Based Cryptography. These make the use of pairings suitable for small and constrained devices (smart phones, smart cards…) in addition to more powerful platforms. As for any cryptographic algorithm which may be deployed in insecure locations, these implementations must be secure against physical attacks, and in particular fault attacks. In this paper, we present the state-of-the-art of fault attacks against pairing algorithms, more precisely fault attacks against the Miller algorithm and the final exponentiation which are the two parts of a pairing calculation.


Keywords

Pairing based cryptography; Miller’s algorithm; Fault attacks

Mathematics Subject Classifications (2010)

14G50 68P25 



Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  • Nadia El Mrabet (1)
  • Jacques J. A. Fournier (2)
  • Louis Goubin (3)
  • Ronan Lashermes (2, 3)

  1. LIASD - Université Paris 8, Saint-Denis, France
  2. CEA-TechReg, Gardanne, France
  3. UVSQ-PRiSM, Versailles, France
