Title :
Practical Attack on Bilinear Pairings to Disclose the Secrets of Embedded Devices
Author :
Unterluggauer, Thomas ; Wenger, Erich
Author_Institution :
Inst. for Appl. Inf. Process. & Commun., Graz Univ. of Technol., Graz, Austria
Abstract :
Identity-based encryption constitutes a promising alternative to traditional cryptography that works without symmetric keys or public key infrastructures. Such schemes generally depend on the computation of bilinear pairings. The latest developments in efficient pairing algorithms have made identity-based encryption available to embedded devices as well. However, those devices are inherently exposed to side-channel attacks. In this paper, we present a correlation power analysis attack to extract the private key in the popular identity-based encryption scheme by Boneh and Boyen. On an ARM Cortex-M0 we exploit the leakage of a finite field multiplication within the highly practical optimal-Ate pairing defined over the elliptic curves by Barreto and Naehrig. As a secondary contribution, we practically verified the feasibility of our attack on an FPGA, on an ASIC, and using power simulations. Looking ahead, our research intends to raise awareness of the importance of the randomization countermeasure in pairing computations.
Keywords :
computer crime; embedded systems; private key cryptography; ARM Cortex-M0; ASIC; FPGA; bilinear pairings; correlation power analysis attack; cryptography; elliptic curves; embedded devices; finite field multiplication; identity-based encryption; optimal-Ate pairing; pairing algorithms; pairing computations; power simulations; practical attack; private key; randomization countermeasure; secrets disclose; side-channel attacks; Computational modeling; Correlation; Elliptic curves; Identity-based encryption; Power measurement; ASIC; BN Curves; CPA; FPGA; Optimal-Ate Pairing; Power Simulation; Side-Channel Attack;
Conference_Titel :
Availability, Reliability and Security (ARES), 2014 Ninth International Conference on
Conference_Location :
Fribourg
DOI :
10.1109/ARES.2014.16