Implementation of a leakageresilient ElGamal key encapsulation mechanism
 1.2k Downloads
 3 Citations
Abstract
Leakageresilient cryptography aims to extend the rigorous guarantees achieved through the provable security paradigm to physical implementations. The constructions designed on basis of this new approach inevitably suffer from an Achilles heel: a bounded leakage assumption is needed. Currently, a huge gap exists between the theory of such designs and their implementation to confirm the leakage resilience in practice. The present work tries to narrow this gap for the leakageresilient bilinear ElGamal key encapsulation mechanism (BEGKEM) proposed by Kiltz and Pietrzak in 2010. Our first contribution is a variant of the bounded leakage and the onlycomputationleaks model that is closer to practice. We weaken the restriction on the image size of the leakage functions in these models and only insist that the inputs to the leakage functions have sufficient minentropy left, in spite of the leakage, with no limitation on the quantity of this leakage. We provide a novel security reduction for BEGKEM in this relaxed leakage model using the generic bilinear group axiom. Secondly, we show that a naive implementation of the exponentiation in BEGKEM makes it impossible to meet the leakage bound. Instead of trying to find an exponentiation algorithm that meets the leakage axiom (which is a nontrivial problem in practice), we propose an advanced scheme, BEGKEM+, that avoids exponentiation by a secret value, but rather uses an encoding into the base group due to Fouque and Tibouchi. Thirdly, we present a software implementation of BEGKEM+ based on the Miracl library and provide detailed experimental results. We also assess its (theoretical) resistance against power analysis attacks from a practical perspective, taking into account the stateoftheart in sidechannel cryptanalysis.
Keywords
Secure implementation Sidechannel cryptanalysis Leakageresilient cryptography Security proof Publickey encryption Pairings1 Introduction
How to secure cryptographic algorithms embedded in devices that can eventually “fall in the hands” of an adversary? Answering this question is probably the holy grail in cryptography nowadays. Two paths are taken to explore the possible solutions, a destructive one and a constructive one. In the first path, we find the rich contributions of the practice and theory of sidechannel attacks. In the second path, we find the no less precious body of countermeasures against the attacks unveiled in the first path. Lately, a novel approach called leakageresilient cryptography is being studied, which aims at extending the guarantees delivered by the provable security paradigm to the physical world. Despite the clever discoveries and constructions provided by this new approach, it persistently presents an Achilles heel: a bounded leakage assumption is needed. Ensuring this is unfortunately a challenging endeavor on its own and, admittedly, the leakageresilient cryptography body of work has not significantly helped to argue why this could be a reasonable assumption.
In this work, we consider the only computation leaks information (OCL) leakage model by Micali and Reyzin [22]. In this model only actual computations are supposed to leak sensitive information. This captures the usual situation in sidechannel attacks, where leakage data only depend on the current state of the target device and some independent randomness [32]. The internal data of the device are divided into two parts, an active and a passive part, the active part being the input data used in the current computation. Therefore, at a given time frame, only the active data is leaking. The main noninvasive attacks against embedded devices, like the attacks based on power consumption [21], electromagnetic radiations [15] or runningtime [20] measurements, belong to this category.
It is currently agreed upon that not only the OCL model but also the bounded retrieval/memory leakage models [1, 2] or the auxiliary input model [8], rely on a strange combination of both strong and weak assumptions. On the one side, the information leakage is supposed to be bounded in a somewhat artificial manner; on the other side, the leakage considered is overly general, for instance it might come from any polynomial time function. However, these assumptions are actually far from the reality that practitioners experience in their daily work in a sidechannel analysis lab.
Several contemporary works [4, 27, 32] have put forward ways to redefine the above models and bring them closer to practice, for symmetric cryptography primitives. This comes at the cost of algorithmiclevel specialization, providing models that are indeed more realistic, but which apply to a more restrained class of primitives (i.e., pseudorandom generators, block ciphers).
We aim at contributing to the challenge of bringing leakageresilient cryptography closer to the practice. In this work, we do so by analyzing, modifying, implementing and evaluating a previous leakageresilient key encapsulation mechanism proposed by Kiltz and Pietrzak [18]. This is one of the very few schemes admitting continual leakage (maybe the only one?) that one could dare to implement in an embedded processor, for instance in a smartphone. It is a pairingbased stateful variant of the ElGamal encryption scheme (called BEGKEM), where the secret key is an element of the pairing base group (essentially a point in the group of points of an elliptic curve). The secret key is divided into two shares, which are reshared at each new decryption call using multiplicative blinding. To decrypt, one takes the first half of the secret key, refreshes it, and uses it as the input to a pairing calculation. In the second step, the second half of the secret key is updated with the blinding used for refreshing; it is then used as the input to a new pairing calculation; and finally the two pairing values are multiplied to obtain a decapsulated symmetric key (for the details see Sect. 2).
The result proven in [18], which holds under a variant of the generic group model tailored to pairing groups uses a bounded leakage assumption. Roughly speaking, it is required that the data leaked against sidechannel attacks that satisfy the OCL axiom, shall be significantly smaller than \(\kappa \) for a single measurement, where \(\kappa \) is the security parameter (e.g., \(\kappa =128\)). These leakages are modeled as an oracle that answers values \(f(\cdot )\) for adaptively chosen arbitrary (but efficiently computable) functions f on input the secret data being used in the calculation. This kind of requirement that may look reasonable for a theoretician used to study cryptographic primitives in the socalled blackbox model might seem completely unrealistic to the practitioner. As an example, let us recall the figure gathered in [32], where it is pointed out that the leaking of a block cipher recently reported in [24], consisted of 200,000 traces leading to more than 1.5 Gb of data storage.
We start our investigation by proposing and testing a relaxation on the requirement of ‘bounded leakage size’ in the OCL model. We weaken the restriction on the image size of the leakage functions in these models to asking that the random variables used to refresh the secret key shall have enough minentropy left given the leakage, with no limitation on the ‘size’ of this leakage. This is an altogether more reasonable leakage bound assumption, which could eventually be met by clever implementations (in fact we provide an implementation candidate). We give a new security reduction using the generic bilinear group axiom for BEGKEM in this relaxed leakage model, which turns out to be tighter than the original reduction in [18] in the OCL model. Due to space limitations, we only include here a short description of the proof. The complete proof can be found in the full version [11].
Secondly, we observe that the blinding mechanism originally proposed is susceptible to invalidate the leakage bound assumption. This is because to perform blinding, one computes an exponentiation \(G^{r_i}\) for a random integer \(r_i\), which if implemented in a naive way, can almost completely leak \(r_i\), even with a simple power analysis attack (i.e., with a single power trace), as we discuss in Sect. 5. The authors in [18] did not discuss how exponentiation shall be implemented to meet the leakage bound, nor we can currently find a exponentiation algorithm with these guarantees. Thus, their positive result risks to be void.
This is why we propose an advanced BEGKEM+, where we avoid blinding by an exponentiation \(G^{r_i}\) for a random integer \(r_i\). Our modification is based on the observation that knowledge of the exponent \(r_i\) is not needed to perform a successful decryption, but it suffices to build a random element in a suitable pairing base group. We propose instead to use a random encoding into asymmetric pairing groups by Fouque and Tibouchi [10]. It turns out that this encoding produces a random element in the base group, and can naturally be implemented in such a way that the leakage expected against a single measurement is arguably minimal (see Sect. 5).
Fourthly, we stress that the idea of leakageresilient cryptography—like any other theoretical concept—can only be brought into practice by actual implementation. For this reason, we implemented BEGKEM+ in ANSI C on an ARMbased microcontroller. BEGKEM+ is, to our knowledge, the first implementation and evaluation of a publickey scheme from the leakageresilient literature.
2 Stateful bilinear ElGamal KEM
In this section we present the stateful bilinear ElGamal key encapsulation mechanism (BEGKEM) from [18]. First, we recall the basics of the notion of minentropy. Then we introduce the concept of stateful KEM and security under nonadaptive chosenciphertext attacks in the presence of continual minentropy leakage (CCmLA1). We note again that the class of leakage functions allowed in our model (based on lowering minentropy) is broader than the bounded length model (CCLA1) used in [18].^{1}
2.1 Minentropy
Lemma 1
[9] Let \(f:X\rightarrow \{0,1\}^{\lambda '}\) be a function on X. Then \(\tilde{\mathbf {H}}_{\infty }(X\,\, f(X))\) \(\ge \) \(\mathbf {H}_{\infty }(X)\lambda '\).
The following result is a variant of the Schwartz–Zippel Lemma [13, 28, 38].
Lemma 2
(Schwartz–Zippel; minentropy version) Let \(\mathsf {F}\in \mathbb {Z}_{q}[\mathsf {X}_{1},\ldots ,\mathsf {X}_{n}]\) be a nonzero polynomial of (total) degree at most d. Let \(P_{i}\) \((i=1,\ldots ,n)\) be probability distributions on \(\mathbb {Z}_{q}\) such that \(\mathbf {H}_{\infty }(P_{i})\ge \log q\lambda '\), where \(0\le \lambda '\le \log q\). If \(x_{i}\overset{P_{i}}{\leftarrow }\mathbb {Z}_{q}\) \((i=1,\ldots ,n)\) are independent, then \(\text {Pr}[\mathsf {F}(x_{1},\ldots ,x_{n})=0]\le {\displaystyle 2^{\lambda '}\frac{d}{q}}\).
Corollary 1
If \(\lambda '<\log q\omega \left( \log \log q\right) \) in Lemma 2, then \(\text {Pr}[\mathsf {F}(x_{1},\ldots ,x_{n})=0]\) is negligible (in \(\log q\)).
2.2 Stateful key encapsulation mechanism
CCmLA1 security experiment for KEM
KEMCCmLA1\(_{\mathsf {KEM}}(\mathcal {A},\kappa ,\lambda )\)  KEMLeakOracle \(O^{\text {CCmLA1}}(C,f_{i},h_{i})\) 

\((pk,(\sigma _{0},\sigma '_{0}))\leftarrow \mathsf {KG}\left( \kappa ,\lambda \right) \)  
\( i:=1\), \(w\leftarrow \mathcal {A}^{O^{\text {CCmLA1}}(\cdot )}\left( pk\right) \)  \((\sigma _{i},w_{i})\overset{r_{i}}{\leftarrow }\mathsf {Dec1}(\sigma _{i\text {1}},C)\) 
\(b\overset{\$}{\leftarrow }\left\{ 0,1\right\} \)  \( (\sigma '_{i},K)\overset{r'_{i}}{\leftarrow }\mathsf {Dec2}(\sigma '_{i\text {1}},w_{i})\) 
\(\left( C,K_{0}\right) \leftarrow \mathsf {Enc}\left( pk\right) \)  \(\Lambda _{i}:=f_{i}(\sigma _{i1},r_{i})\) 
\( K_{1}\overset{\$}{\leftarrow }\mathcal {K}\)  \( \Lambda '_{i}:=h_{i}(\sigma '_{i1},r'_{i},w_{i})\) 
\(b'\leftarrow \mathcal {A}\left( w,CK_{b}\right) \)  \(i:=i+1\) 
Return \((K,\Lambda _{i},\Lambda '_{i})\) 
Definition 1
(CCmLA1 security for KEM) A key encapsulation mechanism \(\mathsf {KEM}\) is secure under nonadaptive chosenciphertext attacks in the presence of continual splitstate leakage (CCmLA1), with minentropy leakage bound \(\lambda \), if \(\Pr \,[b'=b]\) is at most negligibly greater than \(\frac{1}{2}\) in the Experiment \(\mathrm {KEM}\)\(\mathrm {CCmLA1}_{\mathsf {KEM}}(\mathcal {A},\kappa ,\lambda )\) for any efficient adversary \(\mathcal {A}\).
Note that if in the above definition we would force the leakage functions to have output length of at most \(\lambda \) bits, then we would obtain the CCLA1 security for KEM as defined in [18]. From Lemma 1, we have that the conditional minentropy of a random variable, given the leakage output of at most \(\lambda \) bits, cannot decrease by more than \(\lambda \) bits. Hence, if a KEM is CCLA1 secure, then it is also CCmLA1 secure.
2.2.1 Bilinear groups
 1.
\(\mathbb {G}=\langle g\rangle \) and \(\mathbb {G}_{T}\) are (multiplicatively written) cyclic groups of prime order q with binary operations \(\cdot \) and \(\star ,\) respectively. The size of q is \(\kappa \) bits.
 2.\(e':\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}\) is a map that is:
 (a)
bilinear: \(\forall u,v\in \mathbb {G}\) and \(\forall a,b\in \mathbb {Z}\), \(e'(u^{a},v^{b})\) \(=\) \(e'(u,v)^{ab}\).
 (b)
nondegenerate: \(e'(g,g)\ne 1\).
 (a)
2.2.2 Generic bilinear group model

\(\mathcal {O}(\xi (a),\xi (b)):=\xi (a+b\,\text {mod}\, q)\)

\(\mathcal {O}_{T}(\xi _{T}(a),\xi _{T}(b)):=\xi _{T}(a+b\,\text {mod}\, q)\)

\(\mathcal {O}_{e}(\xi (a),\xi (b)):=\xi _{T}(ab\,\text {mod}\, q)\)
We further assume that \(\varXi \cap \varXi _{T}=\phi \), \(\varXi =\varXi _{T}=q\), and that the elements of \(\varXi \) and \(\varXi _{T}\) are efficiently recognizable. For instance, the encodings in \(\varXi \) can comprise of the binary representation of the set \(\{0,1,\ldots ,q1\}\), where every string begins with ‘0’ and all are of uniform length. The encodings in \(\varXi _{T}\) are similarly defined but instead begin with ‘1’. Since the encodings are efficiently recognizable, the queries to a group oracle with an invalid encoding can be detected and an error can be raised. For simplicity, we assume that the users’ queries to the oracles are all valid.
2.3 Bilinear ElGamal KEM
 1.\(\mathsf {KG}_{\mathsf {BEG}}(\kappa )\): Compute \(\mathbb {PP}{=}\left( \mathbb {G},\mathbb {G}_{T},e',q,g\right) \leftarrow \mathsf {BGen'}(\kappa ,\lambda )\) and randomly choose \(x,t_{0}\overset{\$}{\leftarrow }\mathbb {F}_{q}\). Set \(X=g^{x}\), \(\sigma _{0}=g^{t_{0}}\), \(\sigma '_{0}=g^{xt_{0}}\), and \(X_{T}=e'\left( g,g\right) ^{x}\). Return \(\left( pk,sk_{0}\right) \), where
 (a)
the public key is \(pk{=}\left( \mathbb {PP},X_{T}\right) \).
 (b)
the secret state is \(sk_{0}=\left( \sigma _{0},\sigma '_{0}\right) \in \mathbb {G\times G}\).
 (a)
 2.
\(\mathsf {Enc}_{\mathsf {BEG}}(pk)\): Choose a random \(r\overset{\$}{\leftarrow }\mathbb {F}_{q}\). Compute the ciphertext \(C=g^{r}\), and the derived key \(K=X_{T}^{r}\). Return (C, K).
 3.
\(\mathsf {Dec}1_{\mathsf {BEG}}(\sigma _{i1},C)\): Choose a random \(t_{i}\overset{\$}{\leftarrow }\mathbb {F}_{q}\), set \(\sigma _{i}=\sigma _{i1}\cdot g^{t_{i}}\), \(Y_{i}=e'\left( \sigma _{i},C\right) \). Return \(\left( t_{i},Y_{i}\right) \).
 4.
\(\mathsf {Dec}2_{\mathsf {BEG}}(\sigma '_{i1},\left( t_{i},Y_{i}\right) ,C)\): Set \(\sigma '_{i}=\sigma '_{i1}\cdot g^{t_{i}}\), and \(Y'_{i} = e'\left( \sigma '_{i},C\right) \). Compute the derived key \(K=Y_{i}\cdot Y'_{i}\in \mathbb {G}_{T}\). Return K.
Theorem 1
[18, Theorem 1] The scheme \(\mathsf {BEG}\) (also called BEGKEM) is CCLA1 secure in the generic bilinear group model. The advantage of an squery adversary who gets at most \(\lambda \) bits of leakage per each invocation of \(\mathsf {Dec}1_{\mathsf {BEG}}\) or \(\mathsf {Dec}2_{\mathsf {BEG}}\) is at most \(\frac{s^{3}}{q}2^{2\lambda +1}\).
3 A CCmLA1 security reduction in the generic bilinear group Model
We show that BEGKEM is also leakage resilient in the minentropy leakage model introduced above, where leakage functions are not necessarily size bounded. The only restriction is that the inputs to the leakage functions shall have enough minentropy left, as a function of a leakage parameter \(\lambda \), given the corresponding outputs. Interestingly, using a different proof technique than [19], we obtain a tighter bound on the adversarial CCLmA1 advantage than the bound claimed in [18] for the adversarial CCLA1 advantage, w.r.t. the number of oracle queries s. In other words, with respect to the previous work, we provide here a new security reduction under a more realistic leakage model, and surprisingly we achieve better tightness.
Theorem 2
The scheme BEGKEM is CCmLA1 secure in the GBG model. The advantage of an squery adversary with minentropy leakage bound \(\lambda \) is \(\left( \frac{9s^{2}+3s}{q}\right) 2^{2\lambda }\).
At a high level, the proof of this theorem proceeds in two steps as in [12, 13]. First we show in Theorem 3 that the scheme is secure if there is no leakage, i.e., CCA1 security. Note that the adversary is transparent to the internal details of secret state updates. Then, we complete the proof of CCmLA1 security by analyzing the effect of leakage on the CCA1 security.
The main idea to prove the CCA1 security is that the adversary will not be able to compute the derived symmetric key \(K_{0}\) even after seeing the challenge ciphertext. To show this we just need to prove that \(K_{0}\) cannot be written as a “linear combination” of the elements of \(\mathbb {G}_{T}\) that it has got as input or can compute itself using the pairing oracle along with the input elements of \(\mathbb {G}\). Hence, in the GBG model it will not be able to distinguish the actual derived key or a randomly chosen key in \(\mathbb {G}_{T}.\) The challenger simulates the security game \(\mathcal {G}\) to the adversary in the naive way. In addition, the challenger simulates the generic bilinear group oracles in the usual way by maintaining lists of pairs of encodings and polynomials that represent the relation amongst group elements.
We then argue that the proof for the nonleakage setting (i.e. proof of Theorem 3) and that for the leakage setting would be the same conditioned on the fact that the adversary is unable to derive useful relation amongst the elements it has seen or guessed, and that it will not be able to compute and hence leak the full secret key X through the leakage functions, if \(\lambda \) is sufficiently small. Finally, we show that the probability of this event is increased by a factor of at most \(2^{2\lambda }\) compared to the nonleakage setting. The formal proof of the next theorem can be found in [11].
Theorem 3
The scheme \(\mathsf {BEG}\) is CCA1 secure in the generic bilinear group model, i.e., it is secure against nonadaptive chosenciphertext attacks if there is no leakage of the secret states. The advantage of an squery adversary is at most \(\frac{1}{2}+\frac{9s^{2}}{q}\).
3.1 Leakage setting: completing proof of Theorem 2
Let us first briefly sketch the main ideas of the proof. Working on the lines of the proof of the previous theorem, the advantage of \(\mathcal {A}\) is bounded by its success probabilities conditioned on the event whether or not a collision has occurred in the lists consisting of elements of \(\mathbb {G}\) and \(\mathbb {G}_{T}\). It is important to note that the proof for the nonleakage setting (i.e., proof of Theorem 3) and the leakage setting would be the same conditioned on the fact that a collision has not occurred, and that the leakage functions will not be able to compute the “polynomial \(\mathsf {X}\)” corresponding to the secret key nor guess the correct representations of the group elements for which it only partially obtains information through the leakage functions. The reason is that in the event of no collision, the adversary gets to see only distinct group elements and hence it will not have enough information on the relation amongst the group elements it can compute. The fact that the leakage functions cannot compute the full secret key shows that the adversary will never be able to continually leak the whole of the secret key. Hence, leakage on the secret state will not be useful in this case. Hence, the success probability of \(\mathcal {A}\) is the same in the event of no collision (that includes the event of guessing the representations of group elements using partial information about them).
However, the probability that a collision occurs in the leakage setting is increased by a factor of at most \(2^{2\lambda }\). This is because when \(\mathcal {A}\) has access to leakage output \(f{}_{i}(\sigma _{i1},t_{i})\) and \(h{}_{i}(\sigma '_{i1},(t_{i},Y_{i}))\) during \(i\mathrm{{th}}\) decryption query, then in adversary’s view the parameters \(t_{i}\) \((i\ge 1)\) are no longer uniformly distributed even though they are still independent. Hence, \(\mathcal {A}\) can now cause collisions among polynomials with increased probability. Since \(t_{i}\) appears in both \(f{}_{i}()\) and \(h{}_{i}()\), its (average conditional) minentropy will be reduced by at most \(2\lambda \) bits.
The only useful information that the leakage functions can provide to \(\mathcal {A}\) is about the secret key X. This is because the values \(t_{i}\) are independent of the derived shared secret key. However, \(\mathcal {A}\) can use the leakages of \(t_{i}\) to eventually leak X. If \(\mathcal {A}\) is able to compute X, then it can trivially compute the symmetric key corresponding to the challenge ciphertext. The event of no collision, and the fact that X is not a “linear combination” of the inputs to the leakage functions, guarantees that \(\mathcal {A}\) is unable to compute X. Note that because the representations of group elements in the GBG model are randomized, the probability of guessing the complete representations of each of \(\sigma _{i1}\), \(\sigma '_{i1}\) and \(Y_{i}\), given the leakages, is increased by a factor of at most \(2^{2\lambda }\). For a formal proof see [11].
4 BEGKEM+: a leakageresilient KEM closer to practice
Our choice of BEGKEM for this investigation is entirely motivated by the fact that a similar leakage resilience result as that proven in [18] cannot be expected for a pairingless group, as shown in [14]. This motivates using pairing groups to implement ElGamal.
On the other hand, while Theorem ensures a protection against sidechannel attacks that combine traces of different computations (e.g., differential power analysis attacks), we still need protection against single trace attacks, i.e. Simple Power Analysis (SPA). The use of pairing groups can help on this respect, as pointed out by Scott in [29]:
“[...] it is of interest to consider the resistance of pairingbased protocols to socalled SPA attacks [...] one might with reasonable confidence expect that the power consumption profile of (and execution time for) such protocols will be constant and independent of any secret values.”
We continue by proposing a tweak to BEGKEM with the aim to make the most, from a minimizing leakage perspective, out of our choice of using pairing groups to realize leakageresilient publickey cryptographic primitives.
4.1 An advanced BEGKEM+ more resistant to sidechannel attacks
Let us first make the observation that \(\mathsf {Dec}1_{\mathsf {BEG}}^{*}\) is picking a random point in the pairingbased group \(\mathbb {G}\) by computing an exponentiation \(g^r\) for a random r. As is well known, a naïve implementation of exponentiation can leak the entire exponent r, which would, of course, invalidate the required bound of maximum leakage in our new (as well as in the old) model. This leads us to the question whether it is possible, given the large body of sidechannelresistant exponentiation techniques, to find an algorithm that would likely meet the leakage bound for single measurements. In other words, we have to answer the question of whether the exponentiation can be made resistant against SPA attacks.
Exponentiation in a multiplicative group (or scalar multiplication in an elliptic curve group) of large order involves hundreds or even thousands of lowlevel arithmetic operations such as modular multiplication. Unfortunately, all these lowlevel operations are (either directly or indirectly) controlled by the secret exponent, which means that each of them can potentially leak sensitive information (see e.g., [33, 35, 36] for further details). Consequently, we need both an SPAresistant exponentiation algorithm and an SPAresistant implementation of the underlying multipleprecision operations. The latter is difficult to achieve in software due to sidechannel leakage induced by certain microarchitectural features such as the earlytermination mechanism of integer multipliers in ARM processors [16]. For example, it was shown in [16] that highly regular exponentiation (resp. scalar multiplication) techniques, which are (in theory) perfectly SPAresistant, succumb to an SPA attack when exploiting the earlytermination mechanism. Therefore, we avoid exponentiation with a secret exponent in our modified scheme.^{2}
A careful analysis of BEGKEM reveals that \(\mathsf {Dec}1_{\mathsf {BEG}}^{*}\) only needs to sample uniformly at random an element u of \(\mathbb {G}\), and that knowledge of \(\log _g u\) is not necessary. It suffices then to use a method that computes a random point in the base group.
One possibility is to use a variant of the socalled tryandincrement approach [7, 34], where a random coordinate x for an elliptic curve point is chosen; next if a point in the curve exists with that xcoordinate, its ycoordinate is computed and the procedure is stopped. Otherwise, the procedure is iterated until a point in the curve is found. We have chosen not to follow this approach, in particular because its running time depends on the consecutive seeds \(x_1,x_2,\ldots \) used, which could eventually lead to timing leakages or attacks. It should be noted that the original tryandincrement approach has been found to be vulnerable to timing attacks in some contexts (when used to build a Password Authenticated KeyExchange protocol, see [34, Section 3.2] for details). We prefer to use instead a method that will run in (almost) constant time, which is a common approach when thwarting timing attacks.
For this reason, we decided to build a random element in the pairing base group using a socalled encoding to the base group [10, 17, 30]. Roughly speaking, an encoding is a deterministic function mapping an arbitrary string to a point in an elliptic curve. Recently, Fouque and Tibouchi [10] proposed a modification of the Shallue and van de Woestijne encoding into arbitrary elliptic curves [30] that maps arbitrary strings to BarretoNaehrig asymmetric pairing groups [3]. Let \(f : \mathbb {F}_p^* \rightarrow E(\mathbb {F}_p)\) be the FouqueTibouchi encoding. Then, \((t_1,t_2) \mapsto u=u_1\cdot _E u_2\) builds a point \(u\in E(\mathbb {F}_p)\) distributed uniformly at random if \(t_1,t_2 \mathop {\leftarrow }\limits ^{\$}\mathbb {F}_p^* \), where \(\cdot _E\) is the addition operation in \(E(\mathbb {F}_p)\). Additionally, [10] points out that f can be naturally implemented so that its computation is completely independent of the inputs, which clearly helps us towards meeting our desired minentropy leakage bound.
4.2 BEGKEM+
Let \(\mathsf {ABGen}\) be an asymmetric bilinear group generator that outputs \((\mathbb {G}_{1},\mathbb {G}_{2},\mathbb {G}_{T},e,\) \(q,g_{1},g_{2})\) with \(\left \mathbb {G}_{1}\right =\left \mathbb {G}_{2}\right =\left \mathbb {G}_{T}\right =q\), where q is a prime, \(\kappa \) be the security parameter, and \(\lambda \) be the leakage parameter. We will again use the multiplicative notation for group operations in \(\mathbb {G}_{1}\), \(\mathbb {G}_{2}\), and \(\mathbb {G}_{T}\). Let \(e:\mathbb {G}_{1}\times \mathbb {G}_{2}\rightarrow \mathbb {G}_{T}\) be a type 3 pairing map, i.e., e is a nondegenerate bilinear map with no known efficiently computable isomorphism \(\psi :\mathbb {G}_{2}\rightarrow \mathbb {G}_{1}\). These groups are instantiated using the BN curves, denoted \(E(\mathbb {F}_p)\), of the form \(y^2 = x^3 + b\), where \(b \in \mathbb {F}_p\) [3]. In addition, let \(G_{1}\) and \(G_{2}\) be generators of \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\), respectively, and \(f:\mathbb {F}_{p}^{*}\rightarrow \mathbb {G}_{1}\) be the Fouque–Tibouchi encoding of the elements of \(\mathbb {G}_{1}\).
The advanced \(\mathsf {BEGKEM+}\) \(=\) \(\bigl (\mathsf {KG}_{\mathsf {BEG}}^{+}\), \(\mathsf {Enc}_{\mathsf {BEG}}^{+}\),
 1.\(\mathsf {KG}_{\mathsf {BEG}}^{+}(\kappa )\): Compute \(\mathbb {PP}=\left( \mathbb {G}_{1},\mathbb {G}_{2},\mathbb {G}_{T},e,q,G_{1},G_{2}\right) \leftarrow \mathsf {ABGen}(\kappa )\) and randomly choose \(x,t_{0}\overset{\$}{\leftarrow }\mathbb {F}_{q}\). Set \(X= G_{1}^{x}\), \(\sigma _{0}= G_{1}^{t_{0}}\), \(\sigma '_{0}= G_{1}^{\left( xt_{0}\right) }\), and \(X_{T}=e\left( G_{1},G_{2}\right) ^{x}\). Return \(\left( pk,sk_{0}\right) \), where
 (a)
the public key is \(pk=\left( \mathbb {PP},X_{T}\right) \).
 (b)
the secret state is \(sk_{0}=\left( \sigma _{0},\sigma '_{0}\right) \).
 (a)
 2.
\(\mathsf {Enc}_{\mathsf {BEG}}^{+}(pk)\): Choose a random \(r\overset{\$}{\leftarrow }\mathbb {F}_{p}\). Compute the ciphertext \(C=G_{2}^r\), and the derived key \(K=X_{T}^{r}\). Return (C, K).
 3.
\(\mathsf {Dec}1_{\mathsf {BEG}}^{+}(\sigma _{i1},C)\): Choose random \(t_{i},z_{i}\overset{\$}{\leftarrow }\mathbb {F}_{p}^{*}\), set \(u_{i}=f\left( t_{i}\right) \cdot f\left( z_{i}\right) \), and compute \(\sigma _{i}=\sigma _{i1}\cdot u_{i}\), \(Y_{i}=e\left( \sigma _{i},C\right) \). Return \(\left( u_{i},Y_{i}\right) \).
 4.
\(\mathsf {Dec}2_{\mathsf {BEG}}^{+}(\sigma '_{i1},\left( u_{i},Y_{i}\right) ,C)\): Set \(\sigma '_{i}=\sigma '_{i1} \cdot (u_{i})^{1}\), and \(Y'_{i}\) \(=e\left( \sigma '_{i},C\right) \). Compute the derived key \(K=Y_{i}\cdot Y'_{i}\in \mathbb {G}_{T}\). Return K.
Algorithm 1 describes the constanttime hashing function to BN curves from [10]. As described in the original paper, implementing this algorithm against timing and simple power analysis (SPA) attacks is not difficult to be achieved. In step 6 and 7, instead of computing the values \(\chi _q(x_1^3+b)\) and \(\chi _q(x_2^3+b)\) in a straightforward way, which can leak secret data, the authors suggested to use blinding. Namely, to get \(\alpha \) and \(\beta \), we actually evaluate \(\chi _q(r_1^2 \cdot (x_1^3+b))\) and \(\chi _q(r_2^2 \cdot (x_2^3+b))\), where \(r_1\) and \(r_2\) are random field elements generated in Step 5. On the other hand, to prevent the leakage while computing the index i, they employ a specific algebraic function \(\phi (\alpha , \beta ) = [(\alpha 1)\cdot \beta \hbox { mod }3]+1\), which runs in constant time.
5 Secure implementation and performance analysis
In this section, we first describe a software implementation of BEGKEM+ (along with the instantiation of the underlying pairing groups) and present the execution times we measured on an ARM Cortex M3 processor. The second part of this section is devoted to a “practical” security evaluation of BEGKEM+ by analyzing potential sources of information leakage in the underlying arithmetic operations that could be exploited to mount a sidechannel attack.
5.1 Implementation details and performance analysis
We implemented both BEGKEM and BEGKEM+ in Magma and ANSI C, whereby the former implementation served as a reference for the latter. The C implementation is based on the MIRACL library to ensure an efficient execution of the pairing evaluation and all other arithmetic operations in the diverse groups and fields. We instantiated both BEGKEM and our improved scheme using the Ate pairing over a 254bit Barreto–Naehrig (BN) curve. More specifically, our implementations adopts the curve BN254 from [26], which provides a security level roughly comparable to that of 128bit AES. BN curves are defined by a Weierstrass equation of the form \(y^2 = x^3 + b\) over a prime field \(\mathbb {F}_q\), whereby q can be written as polynomial \(p(u) = 36u^4 + 36u^3 + 24u^2 + 6u + 1\) for some parameter u [3]. In our case, \(u = (2^{62} + 2^{55} + 1) = \text {0x4080000000000001}\) and, hence, q has a length of 254 bits. The curve BN254 is given by the equation \(y^2 = x^3 + 2\) (i.e. \(b=2\)) and has prime order with embedding degree \(k=12\).
Running times for field exponentiation, square root, inversion, group exponentiation and pairing operations (in \(10^6\) clock cycles)
Operation  Running time 

Square root \(\mathbb {F}_q\)  0.7 
Inversion \(\mathbb {F}_q\)  0.087 
Encoding to \(\mathbb {G}_2\)  3.7 
Exponentiation \(\mathbb {G}_1\)  4.5 
Exponentiation \(\mathbb {G}_2\)  10.0 
Exponentiation \(\mathbb {G}_T\)  27.1 
Pairing  65.0 
Comparison of running times for key generation, encapsulation and decapsulation for BEGKEM and BEGKEM+ (in \(10^6\) clock cycles)
Operation  BEGKEM  BEGKEM+ 

KeyGen  108  108 
Encryption  34  34 
Decryption  131  140 
The execution times for key generation, encapsulation as well as decapsulation for both BEGKEM and BEGKEM+ are given in Table 3. Our results show that an encapsulation can be carried out in 34 million clock cycles, while the decapsulation takes about 140 million cycles. We observe that our modified decapsulation algorithm is roughly 6 % slower than the original one.
5.2 Sidechannel resistance from a practical point of view
One of the fundamental principles of leakageresilient cryptography is to use a critical secret only once (or a few times), which ensures that an attacker is not able to retrieve the secret key if the perinvocation leakage is in some way “limited” or “bounded.” In every invocation of the scheme or function, the secret is either “refreshed” or a completely new secret is generated randomly. The original BEGKEM scheme from [18], and also our variant BEGKEM+, follow this principle. As a consequence, all forms of sidechannel attack that require several executions of a cryptographic function with one and the same secret key, e.g., differential power analysis (DPA), are obviously not applicable to BEGKEM+ (and in fact the latter is guaranteed by Theorem 2). However, attacks that aim to recover the secret key from information leaked from a single invocation of a cryptographic function (i.e. SPA attacks) may succeed under certain conditions. The group exponentiation computed in the BEGKEM scheme to derive a random group element \(\sigma _{0}=g^{t_0}\) serves as a good example. If this exponentiation is implemented in completely straightforward way (e.g., using the squareandmultiply method) an attacker can obtain \(t_0\) if he is able to distinguish group squarings from group products in the power consumption profile. Such SPA attacks on unprotected or insufficiently protected ECC implementations are fairly easy and have been reported extensively in the literature, see, e.g., [5, Chapter IV] and the references therein. Therefore, we advocated to replace the aforementioned group exponentiation by a deterministic encoding into an elliptic curve group [10].
5.2.1 SPA resistance of pairing evaluation
Section 4.1 quotes a statement of Scott [29, Section 3.1] saying that one can expect the power consumption profile of a pairingbased protocol to be independent of any secret values. An intuitive explanation why pairings are fairly “robust” against SPA leakage is also given in [29]: the target of the attack is a secret point, which is generally much harder to reveal than, e.g., a secret scalar or a secret exponent. As mentioned before, our implementation uses the Ate pairing instantiated on a BN curve over a 254bit prime field \(\mathbb {F}_{p}\). Consequently, the secret is the x and y coordinate of an elliptic curve point, which are in our case simply elements of \(\mathbb {F}_{p}\). The only way in which an attacker can hope to gain information about x and y is by inspecting the power consumption and execution time of the \(\mathbb {F}_{p}\)arithmetic operations (e.g., addition, multiplication) performed on them. However, the operandrelated SPA leakage from fieldarithmetic operations is generally very small. To explain this in detail, let us use the addition in \(\mathbb {F}_{p}\) as example, which is nothing else than a modular addition \(r = a + b \hbox { mod }{p}\). We assume that a is a secret value and that b is known to the attacker. A modular addition consists of an ordinary addition \(s = a+b\), followed by a subtraction if the sum s is equal to or bigger than p. Conventional wisdom from the sidechannel community says that such a conditional subtraction causes differences in the power consumption profile (and also execution time), which is observable by an attacker. However, the information content is very small; in fact, when the subtraction is executed the attacker just knows that \(a + b \ge p\), i.e. he has learned that \(a \ge pb\).
5.2.2 SPA resistance of encoding function
The encoding function shown in Algorithm 1 consists of a number of basic arithmetic operations (e.g., addition, multiplication) in the field \(\mathbb {F}_{p}\). Furthermore, two inversions are executed, one in step 1 and the other in step 4. The straightforward approach to invert an element of a finite field is the Extended Euclidean Algorithm (EEA). Conventional wisdom from the sidechannel community says that the EEA is a highly irregular algorithm, executing many conditional operations, which is likely to leak SPArelevant information about the operand to be inverted. To prevent an SPA attack on the inversion operation, we apply a simple multiplicative masking; that is, instead of inverting a field element v directly, we first multiply it by a random number r, which yields the product \(t = v \cdot r\). Then, we invert this product using the EEA to obtain \(1/t = 1/(v \cdot r)\), which we finally multiply again by r to get 1 / v as result.
The function \(\chi \) in step 6 and 7 of Algorithm 1 is essentially an evaluation of the Legendre Symbol, which, in turn, consists of an exponentiation using a constant public exponent (i.e., \((p+1)/4\)). The input to the \(\chi \) function is “blinded” by the random value \(r_1^2\) and \(r_2^2\), which means the underlying exponentiation cannot leak any SPArelevant information. As mentioned in Sect. 4.1, a constanttime algebraic function is adopted for the calculation of the index i in step 8, which also cannot leak.
6 Conclusion
In this paper, we aimed to bring the concept of leakageresilient cryptography closer to practice. Most of the leakageresilient publickey cryptography schemes proposed until now are too inefficient for realworld applications. Even though they provide provable security against a large class of sidechannel attacks, they do so under certain leakage models and leakage bound requirements that are far from what we can ensure in practice. On the other hand, the sidechannel countermeasures are often ad hoc and do not provide enough security guarantees. We addressed this problem by bringing best practices from both worlds together. First, we argued that a naive implementation of the pairing group exponentiation in the leakageresilient ElGamal key encapsulation mechanism proposed by Kiltz and Pietrzak makes it impossible to reach the required leakage bound. To overcome this problem, we have made two additional contributions. On the one hand, we have proposed a relaxed leakage model, that we call minentropy leakage, that lifts the restriction on the image size of leakage functions, and proposes instead to require that the inputs to the leakage functions have sufficient minentropy left, in spite of the leakage. On the other hand, we adopted a different mechanism for finding a random point in an elliptic curve group, namely the encoding of Fouque and Tibouchi. We assessed the security of our implementation from both a theoretical and a practical perspective and argued that it is indeed secure in both the worlds. BEGKEM+ is, to our knowledge, the first leakageresilient publickey scheme that has been successfully implemented and evaluated on an embedded 32bit processor.
Footnotes
 1.
 2.
As mentioned previously, the secret exponent controls a large number of multipleprecision arithmetic operations, which execute an even larger number of mul instructions. Each of these mul instructions can potentially trigger the earlytermination mechanism and, hence, leak information about the secret exponent. In our modified scheme, the secret value is only used as input of a multipleprecision operation and does not control any other operations.
References
 1.Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC, LNCS, vol. 5444, pp. 474–495. Springer (2009)Google Scholar
 2.Alwen, J., Dodis, Y., Wichs, D.: Leakageresilient publickey cryptography in the boundedretrieval model. In: CRYPTO, pp. 36–54 (2009)Google Scholar
 3.Barreto, P.S.L.M., Naehrig, M.: Pairingfriendly elliptic curves of prime order. In: Preneel, B., Tavares, S.E. (eds.) Selected Areas in Cryptography, LNCS, vol. 3897, pp. 319–331. Springer (2005)Google Scholar
 4.Belaïd, S., Grosso, V., Standaert, F.X.: Masking and leakageresilient primitives: one, the other(s) or both? Cryptology ePrint archive, report 2014/053 (2014)Google Scholar
 5.Blake, I.F., Seroussi, G., Smart, N.P.: Advances in Elliptic Curve Cryptography, London Mathematical Society Lecture Notes Series, vol. 317. Cambridge University Press, Cambridge (2005)CrossRefGoogle Scholar
 6.Boneh, D., Boyen, X., Goh, E.J.: Hierarchical Identity Based Encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT, LNCS, vol. 3494, pp. 440–456. Springer (2005)Google Scholar
 7.Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. In: Boyd, C. (ed.) Advances in Cryptology—ASIACRYPT 2001, 7th International Conference on the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, 9–13 December 2001, Proceedings, Lecture Notes in Computer Science, vol. 2248, pp. 514–532. Springer (2001). doi: 10.1007/3540456821_30
 8.Dodis, Y., Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Publickey encryption schemes with auxiliary inputs. In: Micciancio, D. (ed.) TCC, LNCS, vol. 5978, pp. 361–381. Springer (2010)Google Scholar
 9.Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
 10.Fouque, P.A., Tibouchi, M.: Indifferentiable hashing to Barreto–Naehrig curves. In: LATINCRYPT, pp. 1–17 (2012)Google Scholar
 11.Galindo, D., Großschädl, J., Liu, Z., Vadnala, P.K., Vivek, S.: Implementation and evaluation of a leakageresilient elgamal key encapsulation mechanism. Cryptology ePrint archive, report 2014/835 (2014)Google Scholar
 12.Galindo, D., Vivek, S.: A leakageresilient pairingbased variant of the Schnorr signature scheme. In: Stam, M. (ed.) IMA International Conference, LNCS, vol. 8308, pp. 173–192. Springer (2013)Google Scholar
 13.Galindo, D., Vivek, S.: A practical leakageresilient signature scheme in the generic group model. In: SAC 2012, LNCS, vol. 7707, pp. 50–65. Springer (2013)Google Scholar
 14.Galindo, D., Vivek, S.: Limits of a conjecture on a leakageresilient cryptosystem. Inf. Process. Lett. 114(4), 192–196 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
 15.Gandolfi, K., Mourtel, C., Olivier, F.: Electromagnetic analysis: Concrete results. In: Çetin Kaya Koç, D. Naccache, C. Paar (eds.) CHES, LNCS, vol. 2162, pp. 251–261. Springer (2001)Google Scholar
 16.Großschädl, J., Oswald, E., Page, D., Tunstall, M.: Sidechannel analysis of cryptographic software via earlyterminating multiplications. In: Lee, D., Hong, S. (eds.) Information Security and Cryptology—ICISC 2009, LNCS, vol. 5984, pp. 176–192. Springer (2010)Google Scholar
 17.Icart, T.: How to hash into elliptic curves. In: CRYPTO, pp. 303–316 (2009)Google Scholar
 18.Kiltz, E., Pietrzak, K.: Leakage resilient ElGamal encryption. In: Abe, M. (ed.) ASIACRYPT, LNCS, vol. 6477, pp. 595–612. Springer (2010)Google Scholar
 19.Kiltz, E., Pietrzak, K.: Leakage resilient ElGamal encryption. Full version of [18]. http://homepage.ruhrunibochum.de/Eike.Kiltz/papers/elgamal_leak.pdf. Accessed 4 June 2014 (2010)
 20.Kocher, P.C.: Timing attacks on implementations of DiffieHellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO, LNCS, vol. 1109, pp. 104–113. Springer (1996)Google Scholar
 21.Kocher, P.C., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M.J. (ed.) CRYPTO, LNCS, vol. 1666, pp. 388–397. Springer (1999)Google Scholar
 22.Micali, S., Reyzin, L.: Physically observable cryptography (extended abstract). In: Naor, M. (ed.) TCC, LNCS, vol. 2951, pp. 278–296. Springer (2004)Google Scholar
 23.Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44(170), 519–521 (1985)MathSciNetCrossRefzbMATHGoogle Scholar
 24.Moradi, A.: Statistical tools flavor sidechannel collision attacks. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT, LNCS, vol. 7237, pp. 428–445. Springer (2012)Google Scholar
 25.Page, D., Vercauteren, F.: Fault and sidechannel attacks on pairing based cryptography. IACR Cryptol. ePrint Arch. 2004, 283 (2004)Google Scholar
 26.Pereira, G.C., Simplício, M.A., Naehrig, M., Barreto, P.S.: A family of implementationfriendly BN elliptic curves. J. Syst. Softw. 84(8), 1319–1326 (2011)CrossRefGoogle Scholar
 27.Prouff, E., Rivain, M.: Masking against sidechannel attacks: a formal security proof. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT, LNCS, vol. 7881, pp. 142–159. Springer (2013)Google Scholar
 28.Schwartz, J.T.: Fast probabilistic algorithms for verification of polynomial identities. J. ACM 27(4), 701–717 (1980)MathSciNetCrossRefzbMATHGoogle Scholar
 29.Scott, M.: Computing the tate pairing. In: Menezes, A. (ed.) CTRSA, LNCS, vol. 3376, pp. 293–304. Springer (2005)Google Scholar
 30.Shallue, A., van de Woestijne, C.: Construction of rational points on elliptic curves over finite fields. In: Hess, F., Pauli, S., Pohst, M.E. (eds.) ANTS, LNCS, vol. 4076, pp. 510–524. Springer (2006)Google Scholar
 31.Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT, LNCS, vol. 1233, pp. 256–266. Springer (1997)Google Scholar
 32.Standaert, F.X., Pereira, O., Yu, Y.: Leakageresilient symmetric cryptography under empirically verifiable assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO (1), LNCS, vol. 8042, pp. 335–352. Springer (2013)Google Scholar
 33.Stebila, D., Thériault, N.: Unified point addition formulæ and sidechannel attacks. In: Goubin, L., Matsui, M. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2006, LNCS, vol. 4249, pp. 354–368. Springer (2006)Google Scholar
 34.Tibouchi, M.: A note on hashing to bn curves. In: 29th Japanese Symposium on Cryptography and Information Security—SCIS 2012. http://www.normalesup.org/~tibouchi/papers/bnhashscis.pdf (2012). Accessed 27 Feb 2016
 35.Walter, C.D.: Simple power analysis of unified code for ECC double and add. In: Joye, M., Quisquater, J.J. (eds.) Cryptographic Hardware and Embedded Systems—CHES 2004, LNCS, vol. 3156, pp. 191–204. Springer (2004)Google Scholar
 36.Walter, C.D., Thompson, S.: Distinguishing exponent digits by observing modular subtractions. In: Naccache, D. (ed.) Topics in Cryptology—CTRSA 2001, LNCS, vol. 2020, pp. 192–207. Springer (2001)Google Scholar
 37.Whelan, C., Scott, M.: Side channel analysis of practical pairing implementations: Which path is more secure? In: Nguyen, P.Q. (ed.) VIETCRYPT, LNCS, vol. 4341, pp. 99–114. Springer (2006)Google Scholar
 38.Zippel, R.: Probabilistic algorithms for sparse polynomials. In: Ng, E.W. (ed.) EUROSAM, LNCS, vol. 72, pp. 216–226. Springer (1979)Google Scholar
Copyright information
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.