\[
g = g_0 + g_1\rho + g_2\rho^2 , \qquad c_1\, g = 1 + (\ldots
\]
Let $d = g/\ldots \in \mathbb{F}_{q^3}$; then $d$ clearly is of the form $d = d_0 + d_1\rho + \rho^2$. To determine $d_0, d_1 \in \mathbb{F}_q$, we use the fact that the terms $\rho\sigma$ and $\rho^2\sigma$ do not appear in $g$. This finally gives the following linear system of equations:
\[
\begin{pmatrix} g_1 & g_0 + g_2 \\ g_2 & g_1 \end{pmatrix}
\begin{pmatrix} d_0 \\ d_1 \end{pmatrix}
=
\begin{pmatrix} g_1 + g_2 \\ g_0 + g_2 \end{pmatrix}.
\]
13.3.1.3 Extensions of the Attack Technique
El Mrabet [131] extends the idea of using a fault attack on the Miller loop bound to
a wider (and arguably more useful) class of pairings. The disadvantage of the paper
is the fault model: it focuses on recovery of points assuming that the final
powering will be removed using a secondary fault attack or leakage via the scan chain
[350] (i.e., the pre-powering result is given to the attacker, rather than the attacker
being forced to recover it cryptanalytically from the post-powering result).
However, assuming this is possible, the main contribution is the development of
various explicit attacks against variants of Miller's algorithm, i.e., Algorithm 13.1.
For example, the paper shows that it is possible to attack a pairing that employs Jacobian
projective coordinates more or less as easily as one using affine coordinates once the
final powering is eliminated.
13.3.2 Attack 2
Conceptually, Whelan and Scott [420] again adopt an approach similar to that of
Page and Vercauteren [318]: for two fixed inputs, they compute two results (one valid
and one faulty). However, their attack differs significantly: the fault model assumes
that the Miller variable $f$, or the line function used to update it, has a random fault induced.
Various pairings with different final powerings are analysed; the conclusion is that
pairings with no final powering (e.g., the $\eta_G$ pairing) are easier to attack than those with
a complex final powering (e.g., the Tate pairing).
We adopt the same notation as in the original paper, writing elements of $\mathbb{F}_{q^k}$ as
“cells” throughout. That is,
\[
z = \sum_{i=0}^{k-1} z_i X^i \in \mathbb{F}_{q^k} \;\longrightarrow\; [z_0][z_1]\cdots[z_{k-1}],
\]
where the right-hand side should be interpreted as a vector of elements in the base
field, so each $z_i \in \mathbb{F}_q$. The main assumption is that a fault can target any of the cells
in memory.
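The cell representation and the single-cell fault model described above, as an added illustration; this is not code from Whelan and Scott [420] or from this chapter. It assumes a toy field $\mathbb{F}_{13^3} = \mathbb{F}_{13}[X]/(X^3 - 2)$ and constructed line-function values (there is no real pairing here), injects a fault into one cell of the Miller variable just before the last multiplication, and, for the no-final-powering case, shows why the quotient of the faulty and valid outputs is so informative: it isolates the faulted variable up to the unknown base-field error $\delta$.

```python
# Added example (not code from Whelan and Scott [420] or from this chapter):
# a toy model of the "cell" representation of F_{q^k} and of a random fault
# hitting one cell of the Miller variable f.  All parameters are ASSUMED for
# illustration: q = 13, k = 3, F_{q^k} = F_q[X]/(X^3 - 2), and the line
# function values below are constructed numbers, not a real pairing.

Q = 13          # assumed base field F_q
K = 3           # assumed extension degree k
NONRES = 2      # X^3 - 2 is irreducible over F_13 (2 is not a cube mod 13)
ONE = [1] + [0] * (K - 1)

# Constructed line-function values g_1 .. g_5, one per Miller iteration.
GS = [[3, 1, 0], [2, 5, 7], [1, 1, 1], [0, 4, 9], [6, 2, 3]]


def cells(z):
    """Render z in the chapter's cell notation [z_0][z_1]...[z_{k-1}]."""
    return "".join(f"[{c}]" for c in z)


def sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def scalar(c, a):
    return [(c * x) % Q for x in a]


def mul(a, b):
    """Multiply two cell vectors modulo X^K - NONRES."""
    prod = [0] * (2 * K - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % Q
    for i in range(2 * K - 2, K - 1, -1):      # fold X^i, i >= K, back down
        prod[i - K] = (prod[i - K] + NONRES * prod[i]) % Q
    return prod[:K]


def inv(a):
    """a^(q^k - 2) = a^(-1) for nonzero a in F_{q^k}."""
    result, base, e = ONE[:], a, Q ** K - 2
    while e:
        if e & 1:
            result = mul(result, base)
        base = mul(base, base)
        e >>= 1
    return result


def miller_product(gs, fault=None):
    """f <- f * g_i over the constructed g_i.  With fault=(cell, delta), add
    delta to that one cell of f immediately before the last multiplication:
    the random single-cell fault of the model, with no final powering."""
    f = ONE[:]
    for idx, g in enumerate(gs):
        if fault is not None and idx == len(gs) - 1:
            cell, delta = fault
            f = f[:]
            f[cell] = (f[cell] + delta) % Q
        f = mul(f, g)
    return f


def recover_f_from_quotient(valid, faulty, cell):
    """faulty / valid = (f' + delta*X^cell) g / (f' g) = 1 + delta*X^cell / f',
    so f' = delta * X^cell * (faulty/valid - 1)^(-1).  Returns the candidate
    for delta = 1; the true f' is that candidate times the (unknown) delta."""
    ratio = mul(faulty, inv(valid))
    x_pow = [0] * K
    x_pow[cell] = 1
    return mul(x_pow, inv(sub(ratio, ONE)))


def attack_recovers(cell, delta):
    """True if the valid/faulty pair reveals f' up to the scalar delta."""
    valid = miller_product(GS)
    faulty = miller_product(GS, fault=(cell, delta))
    f_before_last = miller_product(GS[:-1])         # ground truth
    candidate = recover_f_from_quotient(valid, faulty, cell)
    return scalar(delta, candidate) == f_before_last


if __name__ == "__main__":
    valid = miller_product(GS)
    faulty = miller_product(GS, fault=(1, 5))
    print("valid  ", cells(valid))
    print("faulty ", cells(faulty))
    print("recovered f' up to delta:", attack_recovers(1, 5))
```

Because every fault position and every nonzero $\delta$ gives the same kind of quotient, the attacker needs only to know which cell was hit; a final powering would map the quotient through a further exponentiation and destroy this direct relationship, which is the reason the passage above treats pairings without a final powering as the easier targets.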