Instruction Fault Attack on the Miller Algorithm in a Pairing-Based Cryptosystem

Some fault attacks such as counter and data corruption have been proposed for pairing-based cryptosystems. However, a fault model that can skip the if instruction in traditional schemes such as RSA and ECC(elliptic curve cryptography) does not appear in the literature in terms of pairing-based cryptography. This paper investigated the vulnerability of skipping the if instruction in the last iteration of the Miller algorithm and describes how to extract the secret information. Indeed, the proposed method of attack is more efficient than previous counter fault attacks against the Miller algorithm. As evidence, a fault attack in Affine and Jacobian coordinate systems that finds the secret information using one faulty output is described. The feasibility of our fault model was verified by a practical laser fault injection experiment.