Improving Side-Channel Attacks Against Pairing-Based Cryptography

  • Damien JauvartEmail author
  • Jacques J. A. Fournier
  • Nadia El-Mrabet
  • Louis Goubin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10158)


Although the vulnerability of pairing-based algorithms to side-channel attacks has been demonstrated—pairing implementations were targeted on three different devices in a recent paper [41]—it nevertheless remains difficult to choose an adapted leakage model and detect points of interest. Our proposed approach evaluates the parameters of the attack and validates the data processing workflow. We describe weaknesses in the implementation of cryptographic pairings, and we show how information leakage can be fully exploited. Different leakage models, point-of-interest detection methods, and parameter dependencies are compared. In addition, practical results were obtained with a software implementation of twisted Ate pairing on Barreto–Naehrig curves with an ARM Cortex-M3 processor running at 50 MHz. We discuss countermeasures aimed at reducing side-channel leakage and review the available literature.


Pairing-based cryptography Twisted Ate pairing Miller’s algorithm Side-channel attack Points of interest Countermeasures 



This work was supported in part by the EUREKA Catrene programme under contract CAT208 MobiTrust and by a French DGA-MRIS scholarship.


  1. 1.
    Bajard, J., Mrabet, N.: Pairing in cryptography: an arithmetic point of view. In: Architectures, and Implementations, Advanced Signal Processing Algorithms (2007)Google Scholar
  2. 2.
    Bajard, J.-C., Imbert, L., Liardet, P.-Y., Teglia, Y.: Leak resistant arithmetic. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 62–75. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-28632-5_5 CrossRefGoogle Scholar
  3. 3.
    Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). doi: 10.1007/11693383_22 CrossRefGoogle Scholar
  4. 4.
    Bauer, A., Jaulmes, E., Prouff, E., Wild, J.: Horizontal and vertical side-channel attacks against secure RSA implementations. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 1–17. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-36095-4_1 CrossRefGoogle Scholar
  5. 5.
    Blömer, J., Günther, P., Liske, G.: Improved side channel attacks on pairing based cryptography. In: Prouff, E. (ed.) COSADE 2013. LNCS, vol. 7864, pp. 154–168. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40026-1_10 CrossRefGoogle Scholar
  6. 6.
    Boneh, D., Franklin, M.: Identity-Based Encryption from the Weil Pairing, vol. 32. Springer, Heidelberg (2001)zbMATHGoogle Scholar
  7. 7.
    Booth, A.D.: A signed binary multiplication technique. Q. J. Mech. Appl. Math. 4(2), 236–240 (1951)Google Scholar
  8. 8.
    Brickell, E.F.: A fast modular multiplication algorithm with application to two key cryptography. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 51–60. Springer, New York (1983)Google Scholar
  9. 9.
    Clavier, C., Feix, B., Gagnerot, G., Giraud, C., Roussellet, M., Verneuil, V.: ROSETTA for single trace analysis. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 140–155. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34931-7_9 CrossRefGoogle Scholar
  10. 10.
    Clavier, C., Feix, B., Gagnerot, G., Roussellet, M., Verneuil, V.: Horizontal correlation analysis on exponentiation. In: Soriano, M., Qing, S., López, J. (eds.) ICICS 2010. LNCS, vol. 6476, pp. 46–61. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-17650-0_5 CrossRefGoogle Scholar
  11. 11.
    Cook, S.: On the minimum computation time of functions. Trans. Am. Math. Soc. 142(23), 291–291 (1969)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Coron, J.-S.: Resistance against differential power analysis for elliptic curve cryptosystems. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 292–302. Springer, Heidelberg (1999). doi: 10.1007/3-540-48059-5_25 CrossRefGoogle Scholar
  13. 13.
    Coron, J.-S., Kocher, P., Naccache, D.: Statistics and secret leakage. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 157–173. Springer, Heidelberg (2001). doi: 10.1007/3-540-45472-1_12 CrossRefGoogle Scholar
  14. 14.
    Devegili, A.J., Scott, M., Dahab, R.: Implementing cryptographic pairings over Barreto-Naehrig curves. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 197–207. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-73489-5_10 CrossRefGoogle Scholar
  15. 15.
    Dhem, J.-F., Joye, M., Quisquater, J.-J.: Normalisation in diminished-radix modulus transformation. Electron. Lett. 33(23), 1931 (1997)CrossRefGoogle Scholar
  16. 16.
    Duursma, I., Lee, H.-S.: Tate pairing implementation for hyperelliptic curves \(y^{2}=x^{p}-x+d\). In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 111–123. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-40061-5_7 CrossRefGoogle Scholar
  17. 17.
    El Mrabet, N., Di Natale, G., Flottes, M.L.: A practical differential power analysis attack against the miller algorithm. In: PRIME, pp. 308–311 (2009)Google Scholar
  18. 18.
    Ghosh, S., Roychowdhury, D.: Security of prime field pairing cryptoprocessor against differential power attack. In: Joye, M., Mukhopadhyay, D., Tunstall, M. (eds.) InfoSecHiComNet 2011. LNCS, vol. 7011, pp. 16–29. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-24586-2_4 CrossRefGoogle Scholar
  19. 19.
    Gierlichs, B., Lemke-Rust, K., Paar, C.: Templates vs. stochastic methods. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 15–29. Springer, Heidelberg (2006). doi: 10.1007/11894063_2 CrossRefGoogle Scholar
  20. 20.
    Hess, F., Smart, N.P., Vercauteren, F.: The Eta pairing revisited. IEEE Trans. Inf. Theor. 52, 4595–4602 (2006)Google Scholar
  21. 21.
    Hutter, M., Medwed, M., Hein, D., Wolkerstorfer, J.: Attacking ECDSA-enabled RFID devices. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 519–534. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-01957-9_32 CrossRefGoogle Scholar
  22. 22.
    Joye, M.: Elliptic curves and side-channel analysis. ST J. Syst. Res. 4(1), 17–21 (2003)Google Scholar
  23. 23.
    Karatsuba, A., Ofman, Y.: Multiplication of multidigit numbers on automata. In: Soviet Physics Doklady, vol. 7, p. 595 (1963)Google Scholar
  24. 24.
    Kim, T.H., Takagi, T., Han, D.-G., Kim, H.W., Lim, J.: Side channel attacks and countermeasures on pairing based cryptosystems over binary fields. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) CANS 2006. LNCS, vol. 4301, pp. 168–181. Springer, Heidelberg (2006). doi: 10.1007/11935070_11 CrossRefGoogle Scholar
  25. 25.
    Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005). doi: 10.1007/11586821_2 CrossRefGoogle Scholar
  26. 26.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Advances in Cryptology - CRYPTO 1999, pp. 1–10 (1999)Google Scholar
  27. 27.
    Mayer-Sommer, R.: Smartly analyzing the simplicity and the power of simple power analysis on smartcards. In: Koç, Ç.K., Paar, C. (eds.) CHES 2000. LNCS, vol. 1965, pp. 78–92. Springer, Heidelberg (2000). doi: 10.1007/3-540-44499-8_6 CrossRefGoogle Scholar
  28. 28.
    Miller, V.S.: Use of elliptic curves in cryptography. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 417–426. Springer, Heidelberg (1986). doi: 10.1007/3-540-39799-X_31 CrossRefGoogle Scholar
  29. 29.
    Montgomery, P.L.: Modular multiplication without trial division (1985)Google Scholar
  30. 30.
    Oswald, E.: On side-channel attacks and the application of algorithmic countermeasures. na (2003)Google Scholar
  31. 31.
    Page, D., Vercauteren, F.: Fault and Side-Channel Attacks on Pairing Based Cryptography (2004)Google Scholar
  32. 32.
    Pan, W., Marnane, W.P.: A correlation power analysis attack against tate pairing on FPGA. In: Koch, A., Krishnamurthy, R., McAllister, J., Woods, R., El-Ghazawi, T. (eds.) ARC 2011. LNCS, vol. 6578, pp. 340–349. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19475-7_36 CrossRefGoogle Scholar
  33. 33.
    Perin, G., Imbert, L., Maurine, P., Torres, L.: Vertical and horizontal correlation attacks on RNS-based exponentiations. J. Cryptographic Eng. 5(3), 1–15 (2015)Google Scholar
  34. 34.
    Perin, G., Imbert, L., Torres, L., Maurine, P.: Attacking randomized exponentiations using unsupervised learning. In: Prouff, E. (ed.) COSADE 2014. LNCS, vol. 8622, pp. 144–160. Springer, Cham (2014). doi: 10.1007/978-3-319-10175-0_11 Google Scholar
  35. 35.
    Quisquater, J.-J.: Presentation at the rump session of Eurocrypt 90 (1990)Google Scholar
  36. 36.
    Sato, H., Schepers, D., Takagi, T.: Exact analysis of montgomery multiplication. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 290–304. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30556-9_23 CrossRefGoogle Scholar
  37. 37.
    Scott, M.: Computing the tate pairing. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 293–304. Springer, Heidelberg (2005). doi: 10.1007/978-3-540-30574-3_20 CrossRefGoogle Scholar
  38. 38.
    Scott, M.: On the efficient implementation of pairing-based protocols. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 296–308. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25516-8_18 CrossRefGoogle Scholar
  39. 39.
    Silverman, J.H.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106, 2nd edn. Springer, New York (2009)CrossRefzbMATHGoogle Scholar
  40. 40.
    Toom, A.L.: The complexity of a scheme of functional elements realizing the multiplication of integers. Sov. Math. Dokl. 3, 714–716 (1963)zbMATHGoogle Scholar
  41. 41.
    Unterluggauer, T., Wenger, E.: practical attack on bilinear pairings to disclose the secrets of embedded devices. In: ARES, pp. 69–77 (2014)Google Scholar
  42. 42.
    Whelan, C., Scott, M.: Side channel analysis of practical pairing implementations: which path is more secure? In: Nguyen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 99–114. Springer, Heidelberg (2006). doi: 10.1007/11958239_7 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Damien Jauvart
    • 1
    • 2
    Email author
  • Jacques J. A. Fournier
    • 1
  • Nadia El-Mrabet
    • 3
  • Louis Goubin
    • 2
  1. 1.CEA-Tech PACAGardanneFrance
  2. 2.UVSQ-PRiSMVersaillesFrance
  3. 3.EMSEGardanneFrance

Personalised recommendations