Lattice attacks on pairing-based signatures

Abstract

ABSTRACT Practical implementations of cryptosystems often suffer from critical information leakage through side-channels (such as their power consumption or their electromagnetic emanations). For public-key cryptography on embedded systems, the core operation is usually group exponentiation – or scalar multiplication on elliptic curves – which is a sequence of group operations derived from the private-key that may reveal secret bits to an attacker (on an unprotected implementation). We present lattice-based polynomial-time (heuristic) algorithms that recover the signer’s secret in popular pairing-based signatures when used to sign several messages under the assumption that blocks of consecutive bits of the corresponding exponents are known by the attacker. Our techniques rely upon Coppersmith's method and apply to many signatures in the so-called exponent-inversion framework in the standard security model (i.e. Boneh-Boyen, Gentry and Pontcheval-Sanders signatures) as well as in the random oracle model (i.e. Sakai-Kasahara signatures).