Failure of the Point Blinding Countermeasure Against Fault Attack in Pairing-Based Cryptography

  • Nadia El Mrabet
  • Emmanuel Fouotsa
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9084)


Pairings are mathematical tools that have proven to be very useful in the construction of many cryptographic protocols. Some of these protocols are suitable for implementation on power-constrained devices such as smart cards or smartphones, which are subject to side channel attacks. In this paper, we analyse the efficiency of the point blinding countermeasure in pairing-based cryptography against side channel attacks. In particular, we show that this countermeasure does not protect Miller’s algorithm for pairing computation against fault attacks. We then give recommendations for a secure implementation of a pairing-based protocol using the Miller algorithm.


Keywords: Miller’s algorithm, Identity Based Cryptography, Side Channel Attacks, Fault Attacks, Countermeasure





Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. LIASD, Université Paris 8, Saint-Denis, France
  2. SAS - CMP Gardanne, Saint-Étienne, France
  3. Department of Mathematics, Higher Teacher’s Training College, University of Bamenda, Bamenda, Cameroon
  4. LMNO, Université de Caen, Caen, France
