Lattice attacks on pairing-based signatures

Abstract

ABSTRACTPractical implementations of cryptosystems often suffer from critical information leakage through side-channels (such as their power consumption or their electromagnetic emanations). For public-key cryptography on embedded systems, the core operation is usually group exponentiation – or scalar multiplication on elliptic curves – which is a sequence of group operations derived from the private-key that may reveal secret bits to an attacker (on an unprotected implementation). We present lattice-based polynomial-time (heuristic) algorithms that recover the signer’s secret in popular pairing-based signatures when used to sign several messages under the assumption that blocks of consecutive bits of the corresponding exponents are known by the attacker. Our techniques rely upon Coppersmith's method and apply to many signatures in the so-called exponent-inversion framework in the standard security model (i.e. Boneh-Boyen, Gentry and Pontcheval-Sanders signatures) as well as in the random oracle model (i.e. Sakai-Kasahara signatures).KEYWORDS: Coppersmith’s methodCryptanalysisLattice attacksMSC 68P25, 94A60Pairing-based signaturesSide-channel attacks Disclosure statementNo potential conflict of interest was reported by the authors.Notes1. For the ease of exposition, we consider so-called Type-1 bilinear maps (Galbraith et al. Citation2008), but our results apply to all possible instantiations of the considered signature schemes (i.e. using Type-1, Type-2, or Type-3 bilinear maps).2. It is well known that the computational complexity of Gröbner basis algorithm may be exponential or even doubly exponential. In our setting, the number of variables and the total total degree of the input polynomials are fixed and the theoretical complexity is polynomial in the field size (and thus in the security parameter).3. We recall that a combinatorial class is a finite or countable set on which a size function is defined, satisfying the following conditions: (i) the size of an element is a non-negative integer and (ii) the number of elements of any given size is finite.4. In order to reach this asymptotic bound, the constructed matrix is of huge dimension and the resulting polynomial system has a very large number of variables and the computation which is theoretically polynomial-time becomes in practice prohibitive.5. Pointcheval-Sanders signature scheme can be instantiated with Type-3 bilinear maps but for consistency and the ease of exposition, we present it using Type-1 bilinear maps.