Inverting the Final Exponentiation of Tate Pairings on Ordinary Elliptic Curves Using Faults

  • Ronan Lashermes
  • Jacques Fournier
  • Louis Goubin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8086)


The calculation of the Tate pairing on ordinary curves involves two major steps: the Miller Loop (ML) followed by the Final Exponentiation (FE). The first step for achieving a full pairing inversion would be to invert this FE, which in itself is a mathematically difficult problem. To our best knowledge, most fault attack schemes proposed against pairing algorithms have mainly focussed on the ML. They solved, if at all, the inversion of the FE in some special ‘easy’ cases or even showed that the complexity of the FE is an intrinsic countermeasure against a successful full fault attack on the Tate pairing. In this paper, we present a fault attack on the FE whereby the inversion of the final exponentiation becomes feasible using 3 independent faults.


Tate pairing Ate pairing final exponentiation fault attacks 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Boneh, D., Franklin, M.: Identity-Based Encryption from the Weil pairing. SIAM J. of Computing 32(3), 586–615 (2003)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Dutta, R., Barua, R., Sarkar, P.: Pairing-Based Cryptographic Protocols: A Survey. Cryptology ePrint Archive, Report 2004/064 (2004),
  3. 3.
    El Mrabet, N., Di Natale, G., Flottes, M.L., Rouzeyre, B., Bajard, J.C.: Differential Power Analysis against the Miller Algorithm. Technical report, Published in Prime 2009, IEEE Xplore (August 2008)Google Scholar
  4. 4.
    Whelan, C., Scott, M.: Side channel analysis of practical pairing implementations: Which path is more secure? In: Nguyên, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 99–114. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Page, D., Vercauteren, F.: A Fault Attack on Pairing-Based Cryptography. IEEE Transactions on Computers 55(9), 1075–1080 (2006)CrossRefGoogle Scholar
  6. 6.
    Whelan, C., Scott, M.: The Importance of the Final Exponentiation in Pairings when considering Fault Attacks. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 225–246. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    El Mrabet, N.: What about Vulnerability to a Fault Attack of the Miller’s algorithm During an Identity Based Protocol? In: Park, J.H., Chen, H.-H., Atiquzzaman, M., Lee, C., Kim, T.-h., Yeo, S.-S. (eds.) ISA 2009. LNCS, vol. 5576, pp. 122–134. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  8. 8.
    Vercauteren, F.: The Hidden Root Problem. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 89–99. Springer, Heidelberg (2008)Google Scholar
  9. 9.
    Beuchat, J.-L., González-Díaz, J.E., Mitsunari, S., Okamoto, E., Rodríguez-Henríquez, F., Teruya, T.: High-Speed Software Implementation of the Optimal Ate Pairing over Barreto–Naehrig Curves. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 21–39. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  10. 10.
    Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: On the Final Exponentiation for Calculating Pairings on Ordinary Elliptic Curves. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 78–88. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–369. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Hess, F., Smart, N., Vercauteren, F.: The Eta Pairing Revisited. IEEE Transactions on Information Theory 52(10), 4595–4602 (2006)MathSciNetCrossRefGoogle Scholar
  13. 13.
    Vercauteren, F.: Optimal Pairings. IEEE Transactions on Information Theory 56(1), 455–461 (2010)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Kim, S., Cheon, J.H.: Fixed Argument Pairing Inversion on Elliptic Curves. Cryptology ePrint Archive, Report 2012/657 (2012),
  15. 15.
    Kanayama, N., Okamoto, E.: Approach to Pairing Inversions Without Solving Miller Inversion. IEEE Transactions on Information Theory 58(2), 1248–1253 (2012)MathSciNetCrossRefGoogle Scholar
  16. 16.
    Galbraith, S., Hess, F., Vercauteren, F.: Aspects of Pairing Inversion. IEEE Transactions on Information Theory 54(12), 5719–5728 (2008)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Satoh, T.: On Pairing Inversion Problems. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 317–328. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  18. 18.
    Bar-El, H., Choukri, H., Naccache, D., Tunstall, M., Whelan, C.: The Sorcerer’s Apprentice Guide to Fault Attacks. Proceedings of the IEEE 94(2), 370–382 (2006)CrossRefGoogle Scholar
  19. 19.
    Dehbaoui, A., Dutertre, J.M., Robisson, B., Tria, A.: Electromagnetic Transient Faults Injection on a Hardware and a Software Implementations of AES. In: FDTC, pp. 7–15. IEEE (2012)Google Scholar
  20. 20.
    Stein, W., et al.: Sage Mathematics Software (Version 5.5). The Sage Development Team (2012),
  21. 21.
    Ozturk, E., Gaubatz, G., Sunar, B.: Tate Pairing with Strong Fault Resiliency. In: Proceedings of FDTC 2007, pp. 103–111. IEEE Computer Society (2007)Google Scholar
  22. 22.
    Ghosh, S., Mukhopadhyay, D., Chowdhury, D.: Fault Attack and Countermeasures on Pairing Based Cryptography. International Journal Network Security 12, 21–28 (2011)Google Scholar
  23. 23.
    Certivox: Miracl library, v 5.6.1 (2012),
  24. 24.
    Naehrig, M., Barreto, P.S.L.M., Schwabe, P.: On compressible pairings and their computation. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 371–388. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  25. 25.
    Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  26. 26.
    Van Woudenberg, J., Witteman, M., Menarini, F.: Practical Optical Fault Injection on Secure Microcontrollers. In: 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 91–99 (September 2011)Google Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Ronan Lashermes
    • 1
    • 2
  • Jacques Fournier
    • 1
  • Louis Goubin
    • 2
  1. 1.CEA-TechRegGardanneFrance
  2. 2.UVSQ-PRiSMVersaillesFrance

Personalised recommendations