Resistance of the Point Randomisation Countermeasure for Pairings Against Side-Channel Attack

  • Damien Jauvart
  • Nadia El Mrabet
  • Jacques J. A. Fournier
  • Louis Goubin
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 990)


Pairing-based cryptography (PBC) has been studied extensively over the last decade, both for computational performance and for building security and privacy protocols. PBC implementations on embedded devices are exposed to physical attacks such as side-channel attacks. Such attacks, which are able to recover the secret input used in some PBC-based schemes, are the main focus of this paper. Various countermeasures have consequently been proposed in the literature. The present paper provides an updated review of state-of-the-art countermeasures against side-channel attacks on PBC implementations. We especially focus on a technique based on point blinding using randomization. Furthermore, we propose a collision-based side-channel attack against an implementation embedding the point randomization countermeasure. This raises questions about the validation of countermeasures for complex cryptographic schemes such as PBC. We also discuss ways of defeating our attack. This article is in part an extension of the paper [20] published at SECRYPT 2017.


Keywords: Pairing-based cryptography, Miller’s algorithm, Side-channel attack, Collision side-channel attack, Countermeasures



This work was supported in part by the EUREKA Catrene programme under contract CAT208 MobiTrust and by a French DGA-MRIS scholarship.


  1. Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011)
  2. Bajard, J.C., El Mrabet, N.: Pairing in cryptography: an arithmetic point of view. In: Proceedings of SPIE: ASPAAI (2007)
  3. Barbulescu, R., Gaudry, P., Guillevic, A., Morain, F.: Improving NFS for the discrete logarithm problem in non-prime finite fields. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 129–155. Springer, Heidelberg (2015)
  4. Barbulescu, R., Gaudry, P., Kleinjung, T.: The tower number field sieve. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part II. LNCS, vol. 9453, pp. 31–55. Springer, Heidelberg (2015)
  5. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)
  6. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–369. Springer, Heidelberg (2002)
  7. Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal collision correlation attack on elliptic curves. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 553–570. Springer, Heidelberg (2014)
  8. Beuchat, J.-L., González-Díaz, J.E., Mitsunari, S., Okamoto, E., Rodríguez-Henríquez, F., Teruya, T.: High-speed software implementation of the optimal ate pairing over Barreto–Naehrig curves. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 21–39. Springer, Heidelberg (2010)
  9. Blömer, J., Günther, P., Liske, G.: Improved side channel attacks on pairing based cryptography. In: Prouff, E. (ed.) COSADE 2013. LNCS, vol. 7864, pp. 154–168. Springer, Heidelberg (2013)
  10. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
  11. Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999)
  12. Duursma, I., Lee, H.-S.: Tate pairing implementation for hyperelliptic curves y^2 = x^p − x + d. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 111–123. Springer, Heidelberg (2003)
  13. Eisenträger, K., Lauter, K., Montgomery, P.L.: Improved Weil and Tate pairings for elliptic and hyperelliptic curves. In: Buell, D. (ed.) ANTS 2004. LNCS, vol. 3076, pp. 169–183. Springer, Heidelberg (2004)
  14. El Mrabet, N., Di Natale, G., Flottes, M.L.: A practical differential power analysis attack against the Miller algorithm. In: PRIME, pp. 308–311, July 2009
  15. Fouque, P.-A., Valette, F.: The doubling attack – why upwards is better than downwards. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 269–280. Springer, Heidelberg (2003)
  16. Galbraith, S.D., Harrison, K., Soldera, D.: Implementing the Tate pairing. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, pp. 324–337. Springer, Heidelberg (2002)
  17. Ghosh, S., Roychowdhury, D.: Security of prime field pairing cryptoprocessor against differential power attack. In: Joye, M., Mukhopadhyay, D., Tunstall, M. (eds.) InfoSecHiComNet 2011. LNCS, vol. 7011, pp. 16–29. Springer, Heidelberg (2011)
  18. Hutter, M., Medwed, M., Hein, D., Wolkerstorfer, J.: Attacking ECDSA-enabled RFID devices. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 519–534. Springer, Heidelberg (2009)
  19. Jauvart, D.: Sécurisation des algorithmes de couplages contre les attaques physiques. Ph.D. thesis, Université Paris-Saclay (2017)
  20. Jauvart, D., Fournier, J.J.A., Goubin, L.: First practical side-channel attack to defeat point randomization in secure implementations of pairing-based cryptography. In: Proceedings of the 14th International Joint Conference on e-Business and Telecommunications, Volume 6: SECRYPT (ICETE 2017), pp. 104–115. INSTICC, SciTePress (2017)
  21. Jauvart, D., Fournier, J.J.A., El-Mrabet, N., Goubin, L.: Improving side-channel attacks against pairing-based cryptography. In: Cuppens, F., Cuppens, N., Lanet, J.-L., Legay, A. (eds.) CRiSIS 2016. LNCS, vol. 10158, pp. 199–213. Springer, Cham (2017)
  22. Joux, A.: A one round protocol for tripartite Diffie-Hellman. J. Cryptol. 17, 263–276 (2004)
  23. Joux, A., Odlyzko, A., Pierrot, C.: The past, evolving present, and future of the discrete logarithm. In: Koç, Ç.K. (ed.) Open Problems in Mathematics and Computational Science, pp. 5–36. Springer, Cham (2014)
  24. Joye, M., Neven, G. (eds.): Identity-Based Cryptography. IOS Press (2008)
  25. Kim, T.H., Takagi, T., Han, D.-G., Kim, H.W., Lim, J.: Side channel attacks and countermeasures on pairing based cryptosystems over binary fields. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) CANS 2006. LNCS, vol. 4301, pp. 168–181. Springer, Heidelberg (2006)
  26. Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. Cryptology ePrint Archive (2015)
  27. Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005)
  28. Koç, Ç.K., Acar, T., Kaliski, B.S.: Analyzing and comparing Montgomery multiplication algorithms. IEEE Micro 16(3), 26–33 (1996)
  29. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)
  30. Kusaka, T., et al.: Solving 114-bit ECDLP for a Barreto–Naehrig curve. In: Kim, H., Kim, D.-C. (eds.) ICISC 2017. LNCS, vol. 10779, pp. 231–244. Springer, Cham (2018)
  31. Menezes, A., Sarkar, P., Singh, S.: Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography. Cryptology ePrint Archive (2016)
  32. Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986)
  33. Montgomery, P.L.: Modular multiplication without trial division. Math. Comput. 44, 519–519 (1985)
  34. Moradi, A., Mischke, O., Eisenbarth, T.: Correlation-enhanced power analysis collision attack. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 125–139. Springer, Heidelberg (2010)
  35. Naehrig, M., Niederhagen, R., Schwabe, P.: New software speed records for cryptographic pairings. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 109–123. Springer, Heidelberg (2010)
  36. Page, D., Vercauteren, F.: Fault and side-channel attacks on pairing based cryptography. IEEE Trans. Comput. (2004)
  37. Pan, W., Marnane, W.P.: A correlation power analysis attack against Tate pairing on FPGA. In: Koch, A., Krishnamurthy, R., McAllister, J., Woods, R., El-Ghazawi, T. (eds.) ARC 2011. LNCS, vol. 6578, pp. 340–349. Springer, Heidelberg (2011)
  38. Schramm, K., Wollinger, T., Paar, C.: A new class of collision attacks and its application to DES. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 206–222. Springer, Heidelberg (2003)
  39. Scott, M.: Computing the Tate pairing. In: CT-RSA 2005, pp. 293–304 (2005)
  40. Silverman, J.H.: The Arithmetic of Elliptic Curves. GTM, vol. 106. Springer, New York (2009)
  41. Unterluggauer, T., Wenger, E.: Practical attack on bilinear pairings to disclose the secrets of embedded devices. In: ARES, pp. 69–77 (2014)
  42. Varchola, M., Drutarovsky, M., Repka, M., Zajac, P.: Side channel attack on multiprecision multiplier used in protected ECDSA implementation. In: ReConFig, pp. 1–6, December 2015
  43. Whelan, C., Scott, M.: Side channel analysis of practical pairing implementations: which path is more secure? In: Nguyen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 99–114. Springer, Heidelberg (2006)

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Damien Jauvart, Aix-Marseille Université, Marseille, France
  • Nadia El Mrabet, Mines Saint-Étienne, Gardanne Cedex, France
  • Jacques J. A. Fournier, CEA LETI, Grenoble Cedex 9, France
  • Louis Goubin, Laboratoire de Mathématiques de Versailles, UVSQ, CNRS, Université Paris-Saclay, Versailles, France
