Cryptology ePrint Archive: Report 2015/152

Inverting the Final exponentiation of Tate pairings on ordinary elliptic curves using faults

Ronan Lashermes and Jacques Fournier and Louis Goubin

Abstract: The calculation of the Tate pairing on ordinary curves involves two major steps: the Miller Loop (ML) followed by the Final Exponentiation (FE). The first step for achieving a full pairing inversion would be to invert this FE, which in itself is a mathematically difficult problem. To our best knowledge, most fault attack schemes proposed against pairing algorithms have mainly focussed on the ML. They solved, if at all, the inversion of the FE in some special `easy' cases or even showed that the complexity of the FE is an intrinsic countermeasure against a successful full fault attack on the Tate pairing. In this paper, we present a fault attack on the FE whereby the inversion of the final exponentiation becomes feasible using $3$ independent faults.

Category / Keywords: public-key cryptography / Tate pairing, Ate pairing, final exponentiation, fault attacks

Original Publication (in the same form): IACR-CHES-2013

Date: received 23 Feb 2015, last revised 27 Feb 2015

Contact author: ronan lashermes at wanadoo fr

Available format(s): PDF | BibTeX Citation

Version: 20150227:225457 (All versions of this report)

Short URL: ia.cr/2015/152

Discussion forum: Show discussion | Start new discussion