FAULT ATTACK


FAULT ATTACK AND COUNTERMEASURES ON PAIRING BASED CRYPTOGRAPHY: 

Submitted by NAJASHA T.C S7 IT NO:14092040

OVERVIEW: 

- INTRODUCTION
- PAIRING BASED CRYPTOGRAPHY
- TATE PAIRING
- FAULT ATTACKS
- ANALYSIS OF EXISTING COUNTERMEASURES
- PROPOSED COUNTERMEASURE
- PAIRING IN EDWARDS COORDINATES
- COUNTERMEASURES
- CONCLUSION

INTRODUCTION: 

- New and increasingly popular way of constructing cryptographic protocols.
- Provides new instantiations of identity-based encryption.
- Wealth of new "hard problems" and proof techniques.
- Used in identity-aware and ubiquitous devices.
- Resilience to side-channel and fault attacks.

PAIRING BASED CRYPTOGRAPHY: 

A pairing is just a map between groups: $e : G_1 \times G_1 \to G_2$, where $G_1 = E(F_q)$ and $G_2 = F_{q^k}$.

Properties of the map:
- Bilinearity: $e(a \cdot P, b \cdot Q) = e(P,Q)^{a \cdot b}$, which means we can play about with the exponents at will.
- Non-degenerate: i.e. not all $e(P,Q) = 1$.
- Computable: i.e. we can evaluate $e(P,Q)$ easily.

In real applications we generally use the Tate or Weil pairing.

TATE PAIRING: 

- The Tate pairing of order l is a map $e_l : E(F_q)[l] \times E(F_{q^k})[l] \to F_{q^k}^* / (F_{q^k}^*)^l$, where l → large odd prime, k → secret multiplier, $E(F_q)$ → curve groups.
- It satisfies the properties of a pairing.
- The reduced Tate pairing is $E_l(P,Q) = e_l(P,Q)^{(q^k - 1)/l}$.

TATE PAIRING (CONTD):

- Efficiently computed if k is small.
- Uses Miller's algorithm for pairing.

Miller's Algorithm:
- performs doubling for every bit value of l.
- performs addition if the corresponding bit value is 1.
- finally returns the Tate pairing.

FAULT ATTACKS: 

- Try to exploit erroneous results that the device produces in the presence of a fault at the loop bound m.
- Provoke an error in the memory where m is stored.
- The attacker can measure the change from timing or power analysis.

ANALYSIS OF EXISTING COUNTERMEASURES: 

There are two existing countermeasures.

New Point Blinding Technique:
- Randomization of input points.
- Points P & Q are blinded by computing xP & yQ, since $e(P,Q) = e(P,Q)^{xy}$.
- The final result remains unchanged.
- The fault attack exploits the final result.
- The attacker alters the value of m and collects two pairing results R1, R2.
- Can solve for the x, y coordinates of secret point P.
- This method is not sufficient.

ALTERING TRADITIONAL POINT BLINDING:

- The fault attack described earlier exploits the public point Q.
- Randomize the public point Q using a random point X: $e(P,Q) = e(P,Q+X) \cdot e(P,X)^{-1}$.
- It wraps only the input.
- The attacker can easily alter the value of m.
- Collects the values of R1 & R2.
- Behaves the same under the fault attack as the new point blinding technique.
- The secret point can be easily obtained.
- The method is not sufficient.

PROPOSED COUNTERMEASURE : 

Blinding Loop Boundary:
- Blinds the loop boundary m.
- It modifies the Duursma-Lee algorithm.
- The modified algorithm runs for a random number of iterations.
- The intermediate result is restored at the m-th iteration only.

Security Against Fault Attack:
- The adversary injects a fault into the loop boundary.
- But the faulty loop boundary value is not known.
- Inject fault at m′.
- Inject fault at m.

Modified Duursma-Lee Algorithm: 


PAIRING IN EDWARDS COORDINATES: 

- The Edwards curve is $x^2 + y^2 = c^2(1 + x^2 y^2)$.
- Operations can be performed efficiently.
- Uses complex iterative operations.
- Fault injection has a very low probability.
- A fault is injected by changing register l.
- The attacker succeeds at least once after 512 trials.

COUNTERMEASURE:

- Uses a modified Miller's algorithm.
- Automatically aborts if l is even.
- The attacker alters the value of l, which is an odd prime.
- The proposed algorithm does not execute with a fault.
- It simply returns zero.
- The proposed countermeasure is secure.
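An added example, not taken from the presentation: a reduced Tate pairing computed with Miller's double-and-add loop, with the parity check on l described above and the Q-randomization identity $e(P,Q) = e(P,Q+X) \cdot e(P,X)^{-1}$ from the point blinding slide. Everything concrete in it is an assumption made for illustration: the toy curve y^2 = x^3 + x over F_43 in Weierstrass (not Edwards) form, l = 11, the point (31, 18), the distortion map, and all function names.

```python
# Constructed toy parameters: E: y^2 = x^3 + x over F_p with p = 3 (mod 4), so #E = p + 1.
P_MOD, L = 43, 11          # L: odd prime dividing p + 1 = 44 (a real l is large)
G = (31, 18)               # constructed point of order L on E

def slope(A, B):           # tangent slope if A == B, chord slope otherwise
    if A == B:
        return (3 * A[0] ** 2 + 1) * pow(2 * A[1], -1, P_MOD) % P_MOD
    return (B[1] - A[1]) * pow((B[0] - A[0]) % P_MOD, -1, P_MOD) % P_MOD

def add(A, B):             # affine point addition; None is the point at infinity
    if A is None or B is None:
        return B if A is None else A
    if A[0] == B[0] and (A[1] + B[1]) % P_MOD == 0:
        return None
    s = slope(A, B)
    x3 = (s * s - A[0] - B[0]) % P_MOD
    return (x3, (s * (A[0] - x3) - A[1]) % P_MOD)

def smul(n, A):            # n * A by repeated addition (fine at toy size)
    return None if n == 0 else add(smul(n - 1, A), A)

def fmul(a, b):            # product in F_{p^2} = F_p[i], i^2 = -1
    return ((a[0]*b[0] - a[1]*b[1]) % P_MOD, (a[0]*b[1] + a[1]*b[0]) % P_MOD)

def fpow(a, n):            # square-and-multiply in F_{p^2}
    return (1, 0) if n == 0 else fmul(fpow(fmul(a, a), n // 2), a if n % 2 else (1, 0))

def line(T, R, Q):         # line through T and R, evaluated at the distorted point (-xQ, i*yQ)
    if T[0] == R[0] and (T[1] + R[1]) % P_MOD == 0:
        return (1, 0)      # vertical line: value lies in F_p, erased by the final exponentiation
    return ((slope(T, R) * (Q[0] + T[0]) - T[1]) % P_MOD, Q[1])

def tate(P, Q, l=L):       # reduced Tate pairing via Miller's algorithm
    if l % 2 == 0:         # the slide's check: l must be an odd prime, so abort and return zero
        return (0, 0)
    f, T = (1, 0), P
    for bit in bin(l)[3:]:             # doubling step for every bit of l
        f, T = fmul(fmul(f, f), line(T, T, Q)), add(T, T)
        if bit == "1":                 # addition step when the bit is 1
            f, T = fmul(f, line(T, P, Q)), add(T, P)
    return fpow(f, (P_MOD ** 2 - 1) // L)

def blinded_tate(P, Q, X): # e(P,Q) = e(P,Q+X) * e(P,X)^-1; inverse = (L-1)th power
    return fmul(tate(P, add(Q, X)), fpow(tate(P, X), L - 1))
```

Requires Python 3.8 or later for the modular inverse via `pow(x, -1, p)`.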

CONCLUSION: 

- Existing countermeasures are not sufficient.
- The security of a pairing algorithm should be considered in the presence of faults.
- New countermeasures are proposed.
- Creative use of the bilinearity property of pairings and sensible implementation methods help to minimise such risk with low overhead.
