a normal pairing is retained by a faulty pairing. For the attack of Page and Vercauteren
[318] in particular, they assume
$$e_\Delta(a \cdot A, b \cdot B) = e_\Delta(A, B)^{a \cdot b},$$
which is not true unless $\Delta = m$, i.e., there is no fault.
13.5 Conclusion
The field of pairing-based cryptography is moving fast; in under ten years it has grown
from an interesting aside into an industrially supported and soon to be standardized
endeavour. On the one hand, study of physical security, fault attacks specifically,
has not yet caught up with the vast range of parametrizations, algorithms and use
cases. On the other hand, selected attacks using reasonable fault models have already
been demonstrated; it seems likely that as implementations mature and proliferate,
practical study of what faults can reasonably be induced will yield further attacks.
Even so, the range of approaches is far smaller than in the context of block
ciphers. In part this is due to the mathematical complexity of pairings. This fact
suggests future attack opportunities might just as likely result from permanent faults
in software (e.g., through errors in implementation) as from more hardware-oriented
fault induction. In the case of ECC, this is already an issue¹; it is interesting that
pairing-based cryptography seems to exacerbate the underlying problem.
¹ See http://www.mail-archive.com/openssl-dev@openssl.org/msg23208.html.
 