TY - GEN
T1 - An efficient countermeasure against side channel attacks for pairing computation
AU - Shirase, Masaaki
AU - Takagi, Tsuyoshi
AU - Okamoto, Eiji
PY - 2008
Y1 - 2008
N2 - Pairing-based cryptosystems have been widely researched, and several efficient hardware implementations of pairings have also been proposed. However, side channel attacks (SCAs) are serious attacks on hardware implementations. Whelan et al. pointed out that pairings except the η T pairing might not be vulnerable against SCAs by setting the secret point to the first parameter [25]. This paper deals with SCAs for the η T pairing over . To our knowledge, the randomized-projective-coordinate method has the smallest overhead among all countermeasures against SCAs for the η T pairing. The cost of that overhead is 3nM, where M is the cost of a multiplication in . In this paper, we propose another countermeasure based on random value additions (x p ∈+∈λ) and (y p ∈+∈λ), where P∈=∈(x p ,y p ) is the input point, and λ is a random value in . The countermeasure using the random value addition was relatively slow in the case of the scalar multiplication of elliptic curve cryptosystems. However, in the case of the η T pairing, we can construct an efficient countermeasure due to the form of the function for a point P∈=∈(x p ,y p ). The overhead of our proposed scheme is just 0.5nM, which is a reduction of more than 75% compared with the randomized-projective-coordinate method.
AB - Pairing-based cryptosystems have been widely researched, and several efficient hardware implementations of pairings have also been proposed. However, side channel attacks (SCAs) are serious attacks on hardware implementations. Whelan et al. pointed out that pairings except the η T pairing might not be vulnerable against SCAs by setting the secret point to the first parameter [25]. This paper deals with SCAs for the η T pairing over . To our knowledge, the randomized-projective-coordinate method has the smallest overhead among all countermeasures against SCAs for the η T pairing. The cost of that overhead is 3nM, where M is the cost of a multiplication in . In this paper, we propose another countermeasure based on random value additions (x p ∈+∈λ) and (y p ∈+∈λ), where P∈=∈(x p ,y p ) is the input point, and λ is a random value in . The countermeasure using the random value addition was relatively slow in the case of the scalar multiplication of elliptic curve cryptosystems. However, in the case of the η T pairing, we can construct an efficient countermeasure due to the form of the function for a point P∈=∈(x p ,y p ). The overhead of our proposed scheme is just 0.5nM, which is a reduction of more than 75% compared with the randomized-projective-coordinate method.
UR - http://www.scopus.com/inward/record.url?scp=41549128969&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=41549128969&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-79104-1_21
DO - 10.1007/978-3-540-79104-1_21
M3 - Conference contribution
AN - SCOPUS:41549128969
SN - 3540791035
SN - 9783540791034
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 290
EP - 303
BT - Information Security Practice and Experience - 4th International Conference, ISPEC 2008, Proceedings
T2 - 4th Information Security Practice and Experience Conference, ISPEC 2008
Y2 - 21 April 2008 through 23 April 2008
ER -