DocumentCode
177282
Title
A Practical Second-Order Fault Attack against a Real-World Pairing Implementation
Author
Blomer, Johannes ; Gomes Da Silva, Ricardo ; Gunther, Peter ; Kramer, Juliane ; Seifert, Jean-Pierre
Author_Institution
Univ. of Paderborn, Paderborn, Germany
fYear
2014
fDate
23-23 Sept. 2014
Firstpage
123
Lastpage
136
Abstract
Several fault attacks against pairing-based cryptography have been described theoretically in recent years. Interestingly, none of these has been practically evaluated. We accomplish this task and prove that fault attacks against pairing-based cryptography are indeed possible and even practical - thus posing a serious threat. Moreover, we successfully conduct a second-order fault attack against an open source implementation of the eta pairing on an AVR XMEGA A1. We inject the first fault into the computation of the Miller Algorithm and apply the second fault to completely skip the final exponentiation. We introduce a low-cost setup that allows us to generate multiple independent faults in one computation. The setup implements these faults by clock glitches which induce instruction skips. With this setup we conducted the first practical fault attack against a complete pairing computation.
Keywords
public key cryptography; AVR XMEGA A1; Miller algorithm; clock glitches; eta pairing; instruction skips; pairing-based cryptography; public-key cryptography; real-world pairing implementation; second-order fault attack; Circuit faults; Clocks; Elliptic curve cryptography; Elliptic curves; Field programmable gate arrays; Synchronization; Fault Attacks; Pairing-Based Cryptography; eta Pairing;
fLanguage
English
Publisher
IEEE
Conference_Titel
Fault Diagnosis and Tolerance in Cryptography (FDTC), 2014 Workshop on
Conference_Location
Busan
Type
conf
DOI
10.1109/FDTC.2014.22
Filename
6976638