automotive and building access control [130]. Such attacks are often categorized as
follows:
1. a side-channel attack passively monitors execution, and recovers information
through analysis of collected profiles, and
2. a fault attack actively influences execution and hopes to recover information as a
result of unintended behavior.
Typically the goal is to recover security-critical information embedded in the
device; this might mean recovery of key material that subsequently allows the attacker
to construct a clone device, for example.
Although the field of side-channel analysis now includes remote methods for execution monitoring (e.g., network-based attacks on SSL [74]), fault attacks require physical access to the device under attack. On the one hand, with such access (potentially after the device is depackaged) fault induction methods are numerous [21]. For example, one might try to “glitch” the clock signal to alter execution control flow, or alter memory content by exposing it to intense light or a laser beam; in either case, the fault that results may be permanent or transient. On the other hand, the same requirement limits the class of devices that fault attacks can target. Typically, this class is limited to embedded and mobile devices, the quintessential example being smart cards that are carried into, and used within, an adversarial environment.
Pairing-Based Cryptography
First mooted by Shamir [371] in 1984, identity-based cryptographic schemes represent a conceptually ideal partner for smart cards since the latter are often used as identity-aware tokens. The seminal Identity Based Encryption (IBE) scheme of Boneh and Franklin [57] functions by making constructive use of bilinear maps, or “pairings”; this approach is now popular within a wider context.
We expand on the details later, but at a high level a pairing
$$e : G_1 \times G_2 \longrightarrow G_T$$
simply maps inputs from the additive groups $G_1$ and $G_2$ onto a result in the multiplicative group $G_T$. A crucial feature of said mapping is the bilinear property that ensures
$$e(a \cdot A, b \cdot B) = e(A, B)^{a \cdot b}.$$
Efficient realizations parametrize $G_1$ and $G_2$ using an elliptic curve, and $G_T$ using a finite field; note that parametrization should ensure intractable Discrete Logarithm Problems (DLPs) in all groups, in part meaning that inversion of the pairing [150] is also intractable.
Given two inputs, the evaluation of a pairing is typically performed via an algorithm derived from the so-called “Miller loop” [286]; for an overview of related optimizations, see the description of Scott [364]. Two features are pertinent:
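The bilinear property stated above and the Miller-loop evaluation mentioned here can be seen together in a small worked example. The following code is an added illustration, not taken from the book or from any library it cites: it computes a reduced Tate pairing on the supersingular curve $y^2 = x^3 + 1$ over $\mathbb{F}_p$ with $p \equiv 2 \pmod 3$ (embedding degree 2, so $G_T \subset \mathbb{F}_{p^2}^*$), using Miller's algorithm with explicit line and vertical-line functions and a final exponentiation by $(p^2-1)/r$. The prime $p = 1019$, the subgroup order $r = 17$, the distortion map $\phi(x,y) = (\zeta x, y)$ used to obtain the second argument, and all function names are choices made for this example; the parameters are toy-sized and meant only to exhibit $e(a \cdot A, b \cdot B) = e(A,B)^{a \cdot b}$, not to be secure.

```python
# Toy reduced Tate pairing on E: y^2 = x^3 + 1 over F_p, p = 2 (mod 3), via Miller's
# algorithm. Constructed parameters for illustration only; far too small to be secure.

P_MOD = 1019                               # constructed prime: p = 2 (mod 3), p = 3 (mod 4)
R = 17                                     # prime subgroup order; divides #E(F_p) = p + 1 = 1020
FINAL_EXP = (P_MOD * P_MOD - 1) // R       # exponent of the reduced Tate pairing

# F_{p^2} = F_p[i]/(i^2 + 1); an element (a, b) denotes a + b*i.
def fp2_add(x, y): return ((x[0] + y[0]) % P_MOD, (x[1] + y[1]) % P_MOD)
def fp2_sub(x, y): return ((x[0] - y[0]) % P_MOD, (x[1] - y[1]) % P_MOD)
def fp2_mul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % P_MOD, (x[0]*y[1] + x[1]*y[0]) % P_MOD)

def fp2_inv(x):
    n = pow((x[0]*x[0] + x[1]*x[1]) % P_MOD, P_MOD - 2, P_MOD)   # 1 / norm(x)
    return ((x[0] * n) % P_MOD, (-x[1] * n) % P_MOD)

def fp2_pow(x, e):
    acc = (1, 0)
    while e:
        if e & 1: acc = fp2_mul(acc, x)
        x = fp2_mul(x, x); e >>= 1
    return acc

# E(F_{p^2}) in affine coordinates; None is the point at infinity O.
def _slope(x1, y1, x2, y2):
    """Chord slope through two distinct points, or tangent slope 3x^2 / 2y (a = 0)."""
    if x1 == x2:
        return fp2_mul(fp2_mul((3, 0), fp2_mul(x1, x1)), fp2_inv(fp2_mul((2, 0), y1)))
    return fp2_mul(fp2_sub(y2, y1), fp2_inv(fp2_sub(x2, x1)))

def ec_add(P, Q):
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and fp2_add(y1, y2) == (0, 0):
        return None                                      # Q = -P
    lam = _slope(x1, y1, x2, y2)
    x3 = fp2_sub(fp2_sub(fp2_mul(lam, lam), x1), x2)
    return (x3, fp2_sub(fp2_mul(lam, fp2_sub(x1, x3)), y1))

def ec_mul(k, P):
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, P)
        P = ec_add(P, P); k >>= 1
    return acc

def miller_line(T, P, Q):
    """Return (l_{T,P}(Q), v_{T+P}(Q)): the line through T and P (tangent if T == P)
    and the vertical line through T + P, both evaluated at Q."""
    (x1, y1), (x2, y2), (xq, yq) = T, P, Q
    if x1 == x2 and fp2_add(y1, y2) == (0, 0):
        return fp2_sub(xq, x1), (1, 0)                   # T + P = O: vertical line only
    lam = _slope(x1, y1, x2, y2)
    line = fp2_sub(fp2_sub(yq, y1), fp2_mul(lam, fp2_sub(xq, x1)))
    x3 = fp2_sub(fp2_sub(fp2_mul(lam, lam), x1), x2)
    return line, fp2_sub(xq, x3)

def tate_pairing(P, Q):
    """Reduced Tate pairing e(P, Q) = f_{r,P}(Q)^((p^2 - 1)/r) via the Miller loop."""
    f, T = (1, 0), P
    for bit in bin(R)[3:]:                               # bits of r after the leading 1
        l, v = miller_line(T, T, Q)                      # doubling step
        f = fp2_mul(fp2_mul(f, f), fp2_mul(l, fp2_inv(v)))
        T = ec_add(T, T)
        if bit == "1":                                   # addition step
            l, v = miller_line(T, P, Q)
            f = fp2_mul(f, fp2_mul(l, fp2_inv(v)))
            T = ec_add(T, P)
    return fp2_pow(f, FINAL_EXP)

# Distortion map phi(x, y) = (zeta * x, y), zeta a primitive cube root of unity in
# F_{p^2}; it sends P in E(F_p)[r] to an r-torsion point independent of P.
_HALF = pow(2, P_MOD - 2, P_MOD)
_SQRT3 = pow(3, (P_MOD + 1) // 4, P_MOD)                 # 3 is a square mod p here
ZETA = ((-_HALF) % P_MOD, (_SQRT3 * _HALF) % P_MOD)      # (-1 + sqrt(-3)) / 2

def distort(P): return (fp2_mul(ZETA, P[0]), P[1])

def find_point_of_order_r():
    """First F_p-rational point whose cofactor multiple has exact order r."""
    cofactor = (P_MOD + 1) // R
    for x in range(1, P_MOD):
        rhs = (x ** 3 + 1) % P_MOD
        if pow(rhs, (P_MOD - 1) // 2, P_MOD) != 1:
            continue                                     # x^3 + 1 is not a square
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)            # square root, p = 3 (mod 4)
        P = ec_mul(cofactor, ((x, 0), (y, 0)))
        if P is not None:
            return P

def bilinearity_holds(a, b):
    """Check e(aP, bQ) == e(P, Q)^(ab) with Q = phi(P), plus non-degeneracy and order r."""
    P = find_point_of_order_r()
    Q = distort(P)
    g = tate_pairing(P, Q)
    lhs = tate_pairing(ec_mul(a, P), ec_mul(b, Q))
    return g != (1, 0) and fp2_pow(g, R) == (1, 0) and lhs == fp2_pow(g, a * b)

if __name__ == "__main__":
    print("e(aP, bQ) == e(P, Q)^(ab) for a=5, b=7:", bilinearity_holds(5, 7))
```

Because the second argument is obtained through the distortion map, its $x$-coordinate lies outside $\mathbb{F}_p$, so the vertical-line denominators never vanish and must be kept in the loop; the final exponentiation then maps the Miller value into the order-$r$ subgroup of $\mathbb{F}_{p^2}^*$, which is the concrete form $G_T$ takes here.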