Several fault attacks against pairing-based
cryptography have been described theoretically in recent
years. Interestingly, none of these have been practically
evaluated. We accomplished this task and prove that fault
attacks against pairing-based cryptography are indeed
possible and are even practical -- thus posing a serious
threat. Moreover, we successfully conducted a second-order fault attack against an open source implementation
of the eta pairing on an AVR XMEGA A1. We injected
the first fault into the computation of the Miller Algorithm
and applied the second fault to skip the final exponentiation completely. We introduce a low-cost setup that
allowed us to generate multiple independent faults in one
computation. The setup implements these faults by clock
glitches which induce instruction skips. With this setup we
conducted the first practical fault attack against a complete
pairing computation.
↧