Paper 2014/543

A Practical Second-Order Fault Attack against a Real-World Pairing Implementation

Johannes Blömer, Ricardo Gomes da Silva, Peter Günther, Juliane Krämer, and Jean-Pierre Seifert

Abstract

Several fault attacks against pairing-based cryptography have been described theoretically in recent years. Interestingly, none of these have been practically evaluated. We accomplished this task and prove that fault attacks against pairing-based cryptography are indeed possible and are even practical — thus posing a serious threat. Moreover, we successfully conducted a second-order fault attack against an open source implementation of the eta pairing on an AVR XMEGA A1. We injected the first fault into the computation of the Miller Algorithm and applied the second fault to skip the final exponentiation completely. We introduce a low-cost setup that allowed us to generate multiple independent faults in one computation. The setup implements these faults by clock glitches which induce instruction skips. With this setup we conducted the first practical fault attack against a complete pairing computation.

Metadata

Available format(s): PDF
Category: Implementation
Publication info: Published elsewhere. Proceedings of FDTC 2014
Keywords: Pairing-Based Cryptography, Fault Attacks, eta Pairing
Contact author(s): peter guenther @ uni-paderborn de
History:
2015-10-06: last of 2 revisions
2014-07-18: received
Short URL: https://ia.cr/2014/543
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2014/543,
      author = {Johannes Blömer and Ricardo Gomes da Silva and Peter Günther and Juliane Krämer and Jean-Pierre Seifert},
      title = {A Practical Second-Order Fault Attack against a Real-World Pairing Implementation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/543},
      year = {2014},
      url = {https://eprint.iacr.org/2014/543}
}