Objectives. McBits: fast constant-time code-based cryptography. Set new speed records for public-key cryptography. (to appear at CHES 2013)
|
|
- Nigel Stanley
- 5 years ago
- Views:
Transcription
1 McBits: fast constant-time code-based cryptography (to appear at CHES 2013) Objectives Set new speed records for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter Schwabe Radboud University Nijmegen
2 McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Objectives Set new speed records for public-key cryptography. : : : at a high security level. Joint work with: Tung Chou Technische Universiteit Eindhoven Peter Schwabe Radboud University Nijmegen
3 McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Objectives Set new speed records for public-key cryptography. : : : at a high security level. : : : including protection against quantum computers. Joint work with: Tung Chou Technische Universiteit Eindhoven Peter Schwabe Radboud University Nijmegen
4 McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Objectives Set new speed records for public-key cryptography. : : : at a high security level. : : : including protection against quantum computers. : : : including full protection against cache-timing attacks, branch-prediction attacks, etc. Peter Schwabe Radboud University Nijmegen
5 McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter Schwabe Radboud University Nijmegen Objectives Set new speed records for public-key cryptography. : : : at a high security level. : : : including protection against quantum computers. : : : including full protection against cache-timing attacks, branch-prediction attacks, etc. : : : using code-based crypto with a solid track record.
6 McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter Schwabe Radboud University Nijmegen Objectives Set new speed records for public-key cryptography. : : : at a high security level. : : : including protection against quantum computers. : : : including full protection against cache-timing attacks, branch-prediction attacks, etc. : : : using code-based crypto with a solid track record. : : : all of the above at once.
7 tant-time ed cryptography ar at CHES 2013) rnstein y of Illinois at Chicago & he Universiteit Eindhoven rk with: ou he Universiteit Eindhoven hwabe University Nijmegen Objectives Set new speed records for public-key cryptography. : : : at a high security level. : : : including protection against quantum computers. : : : including full protection against cache-timing attacks, branch-prediction attacks, etc. : : : using code-based crypto with a solid track record. : : : all of the above at once. The com bench.c CPU cyc (Intel Co to encryp mceliec (n; t) = from Bis See pape
8 raphy S 2013) is at Chicago & iteit Eindhoven iteit Eindhoven y Nijmegen Objectives Set new speed records for public-key cryptography. : : : at a high security level. : : : including protection against quantum computers. : : : including full protection against cache-timing attacks, branch-prediction attacks, etc. : : : using code-based crypto with a solid track record. : : : all of the above at once. The competition bench.cr.yp.to: CPU cycles on h9i (Intel Core i to encrypt 59 byte ronald mceliece ronald ntruees7 mceliece: (n; t) = (2048; 32) from Biswas and S See paper at PQC
9 go & hoven hoven n Objectives Set new speed records for public-key cryptography. : : : at a high security level. : : : including protection against quantum computers. : : : including full protection against cache-timing attacks, branch-prediction attacks, etc. : : : using code-based crypto with a solid track record. : : : all of the above at once. The competition bench.cr.yp.to: CPU cycles on h9ivy (Intel Core i5-3210m, Ivy Br to encrypt 59 bytes: ronald1024 (RSA mceliece ronald ntruees787ep1 mceliece: (n; t) = (2048; 32) software from Biswas and Sendrier. See paper at PQCrypto 2008
10 Objectives Set new speed records for public-key cryptography. : : : at a high security level. : : : including protection against quantum computers. : : : including full protection against cache-timing attacks, branch-prediction attacks, etc. : : : using code-based crypto with a solid track record. : : : all of the above at once. The competition bench.cr.yp.to: CPU cycles on h9ivy (Intel Core i5-3210m, Ivy Bridge) to encrypt 59 bytes: ronald1024 (RSA-1024) mceliece ronald ntruees787ep1 mceliece: (n; t) = (2048; 32) software from Biswas and Sendrier. See paper at PQCrypto 2008.
11 es speed records c-key cryptography. high security level. ding protection uantum computers. ding full protection ache-timing attacks, rediction attacks, etc. code-based crypto lid track record. f the above at once. The competition bench.cr.yp.to: CPU cycles on h9ivy (Intel Core i5-3210m, Ivy Bridge) to encrypt 59 bytes: ronald1024 (RSA-1024) mceliece ronald ntruees787ep1 mceliece: (n; t) = (2048; 32) software from Biswas and Sendrier. See paper at PQCrypto Sounds r What s t
12 rds tography. ity level. ction omputers. rotection ng attacks, ttacks, etc. ed crypto record. e at once. The competition bench.cr.yp.to: CPU cycles on h9ivy (Intel Core i5-3210m, Ivy Bridge) to encrypt 59 bytes: ronald1024 (RSA-1024) mceliece ronald ntruees787ep1 mceliece: (n; t) = (2048; 32) software from Biswas and Sendrier. See paper at PQCrypto Sounds reasonably What s the problem
13 The competition bench.cr.yp.to: Sounds reasonably fast. What s the problem? CPU cycles on h9ivy (Intel Core i5-3210m, Ivy Bridge) to encrypt 59 bytes: ronald1024 (RSA-1024) mceliece, c ronald ntruees787ep1 mceliece: (n; t) = (2048; 32) software from Biswas and Sendrier. See paper at PQCrypto 2008.
14 The competition bench.cr.yp.to: Sounds reasonably fast. What s the problem? CPU cycles on h9ivy (Intel Core i5-3210m, Ivy Bridge) to encrypt 59 bytes: ronald1024 (RSA-1024) mceliece ronald ntruees787ep1 mceliece: (n; t) = (2048; 32) software from Biswas and Sendrier. See paper at PQCrypto 2008.
15 The competition bench.cr.yp.to: CPU cycles on h9ivy (Intel Core i5-3210m, Ivy Bridge) to encrypt 59 bytes: ronald1024 (RSA-1024) mceliece ronald ntruees787ep1 Sounds reasonably fast. What s the problem? Decryption is much slower: ntruees787ep mceliece ronald ronald2048 mceliece: (n; t) = (2048; 32) software from Biswas and Sendrier. See paper at PQCrypto 2008.
16 The competition bench.cr.yp.to: CPU cycles on h9ivy (Intel Core i5-3210m, Ivy Bridge) to encrypt 59 bytes: ronald1024 (RSA-1024) mceliece ronald ntruees787ep1 mceliece: (n; t) = (2048; 32) software from Biswas and Sendrier. See paper at PQCrypto Sounds reasonably fast. What s the problem? Decryption is much slower: ntruees787ep mceliece ronald ronald2048 But Biswas and Sendrier say they re faster now, even beating NTRU. What s the problem?
17 petition r.yp.to: les on h9ivy re i5-3210m, Ivy Bridge) t 59 bytes: ronald1024 (RSA-1024) mceliece ronald2048 ntruees787ep1 e: (2048; 32) software was and Sendrier. r at PQCrypto Sounds reasonably fast. What s the problem? Decryption is much slower: ntruees787ep mceliece ronald ronald2048 But Biswas and Sendrier say they re faster now, even beating NTRU. What s the problem? The serio Some Di bench.c (binary e (hyperell (conserv Use DH Decrypti Encrypti + key-ge
18 vy M, Ivy Bridge) s: 24 (RSA-1024) 48 87ep1 software endrier. rypto Sounds reasonably fast. What s the problem? Decryption is much slower: ntruees787ep mceliece ronald ronald2048 But Biswas and Sendrier say they re faster now, even beating NTRU. What s the problem? The serious compe Some Diffie Hellm bench.cr.yp.to: gls254 (binary elliptic cur kumfp127 (hyperelliptic; Euro curve255 (conservative ellipt Use DH for public- Decryption time Encryption time + key-generation t
19 idge) 024). Sounds reasonably fast. What s the problem? Decryption is much slower: ntruees787ep mceliece ronald ronald2048 But Biswas and Sendrier say they re faster now, even beating NTRU. What s the problem? The serious competition Some Diffie Hellman speeds bench.cr.yp.to: gls254 (binary elliptic curve; CHES kumfp127g (hyperelliptic; Eurocrypt curve25519 (conservative elliptic curve) Use DH for public-key encry Decryption time DH time Encryption time DH time + key-generation time.
20 Sounds reasonably fast. What s the problem? Decryption is much slower: ntruees787ep mceliece ronald ronald2048 But Biswas and Sendrier say they re faster now, even beating NTRU. What s the problem? The serious competition Some Diffie Hellman speeds from bench.cr.yp.to: gls254 (binary elliptic curve; CHES 2013) kumfp127g (hyperelliptic; Eurocrypt 2013) curve25519 (conservative elliptic curve) Use DH for public-key encryption. Decryption time DH time. Encryption time DH time + key-generation time.
21 easonably fast. he problem? on is much slower: ntruees787ep1 mceliece ronald1024 ronald2048 as and Sendrier re faster now, ting NTRU. he problem? The serious competition Some Diffie Hellman speeds from bench.cr.yp.to: gls254 (binary elliptic curve; CHES 2013) kumfp127g (hyperelliptic; Eurocrypt 2013) curve25519 (conservative elliptic curve) Use DH for public-key encryption. Decryption time DH time. Encryption time DH time + key-generation time. Elliptic/h fast encr (Also sig key exch let s focu Also sho let s focu kumfp12 protect a branch-p Broken b but high for the s
22 fast.? h slower: 787ep1 e ndrier ow, U.? The serious competition Some Diffie Hellman speeds from bench.cr.yp.to: gls254 (binary elliptic curve; CHES 2013) kumfp127g (hyperelliptic; Eurocrypt 2013) curve25519 (conservative elliptic curve) Use DH for public-key encryption. Decryption time DH time. Encryption time DH time + key-generation time. Elliptic/hyperellipt fast encryption and (Also signatures, n key exchange, mor let s focus on encr Also short keys etc let s focus on spee kumfp127g and cu protect against tim branch-prediction a Broken by quantum but high security le for the short term.
23 The serious competition Some Diffie Hellman speeds from bench.cr.yp.to: gls254 (binary elliptic curve; CHES 2013) kumfp127g (hyperelliptic; Eurocrypt 2013) curve25519 (conservative elliptic curve) Use DH for public-key encryption. Decryption time DH time. Encryption time DH time + key-generation time. Elliptic/hyperelliptic curves o fast encryption and decrypti (Also signatures, non-interac key exchange, more; but let s focus on encrypt/decryp Also short keys etc.; but let s focus on speed.) kumfp127g and curve25519 protect against timing attack branch-prediction attacks, et Broken by quantum compute but high security level for the short term.
24 The serious competition Some Diffie Hellman speeds from bench.cr.yp.to: gls254 (binary elliptic curve; CHES 2013) kumfp127g (hyperelliptic; Eurocrypt 2013) curve25519 (conservative elliptic curve) Use DH for public-key encryption. Decryption time DH time. Encryption time DH time + key-generation time. Elliptic/hyperelliptic curves offer fast encryption and decryption. (Also signatures, non-interactive key exchange, more; but let s focus on encrypt/decrypt. Also short keys etc.; but let s focus on speed.) kumfp127g and curve25519 protect against timing attacks, branch-prediction attacks, etc. Broken by quantum computers, but high security level for the short term.
25 us competition ffie Hellman speeds from r.yp.to: gls254 lliptic curve; CHES 2013) kumfp127g iptic; Eurocrypt 2013) curve25519 ative elliptic curve) for public-key encryption. on time DH time. on time DH time neration time. Elliptic/hyperelliptic curves offer fast encryption and decryption. (Also signatures, non-interactive key exchange, more; but let s focus on encrypt/decrypt. Also short keys etc.; but let s focus on speed.) kumfp127g and curve25519 protect against timing attacks, branch-prediction attacks, etc. Broken by quantum computers, but high security level for the short term. New dec (n; t) = (
26 tition an speeds from ve; CHES 2013) g crypt 2013) 19 ic curve) key encryption. DH time. DH time ime. Elliptic/hyperelliptic curves offer fast encryption and decryption. (Also signatures, non-interactive key exchange, more; but let s focus on encrypt/decrypt. Also short keys etc.; but let s focus on speed.) kumfp127g and curve25519 protect against timing attacks, branch-prediction attacks, etc. Broken by quantum computers, but high security level for the short term. New decoding spe (n; t) = (4096; 41);
27 from 2013) 3) ption.. Elliptic/hyperelliptic curves offer fast encryption and decryption. (Also signatures, non-interactive key exchange, more; but let s focus on encrypt/decrypt. Also short keys etc.; but let s focus on speed.) kumfp127g and curve25519 protect against timing attacks, branch-prediction attacks, etc. Broken by quantum computers, but high security level for the short term. New decoding speeds (n; t) = (4096; 41); secu
28 Elliptic/hyperelliptic curves offer fast encryption and decryption. (Also signatures, non-interactive key exchange, more; but let s focus on encrypt/decrypt. Also short keys etc.; but let s focus on speed.) New decoding speeds (n; t) = (4096; 41); security: kumfp127g and curve25519 protect against timing attacks, branch-prediction attacks, etc. Broken by quantum computers, but high security level for the short term.
29 Elliptic/hyperelliptic curves offer fast encryption and decryption. (Also signatures, non-interactive key exchange, more; but let s focus on encrypt/decrypt. Also short keys etc.; but let s focus on speed.) New decoding speeds (n; t) = (4096; 41); security: Ivy Bridge cycles. Talk will focus on this case. (Decryption is slightly slower: includes hash, cipher, MAC.) kumfp127g and curve25519 protect against timing attacks, branch-prediction attacks, etc. Broken by quantum computers, but high security level for the short term.
30 Elliptic/hyperelliptic curves offer fast encryption and decryption. (Also signatures, non-interactive key exchange, more; but let s focus on encrypt/decrypt. Also short keys etc.; but let s focus on speed.) kumfp127g and curve25519 protect against timing attacks, branch-prediction attacks, etc. New decoding speeds (n; t) = (4096; 41); security: Ivy Bridge cycles. Talk will focus on this case. (Decryption is slightly slower: includes hash, cipher, MAC.) (n; t) = (2048; 32); 2 80 security: Ivy Bridge cycles. Broken by quantum computers, but high security level for the short term.
31 Elliptic/hyperelliptic curves offer fast encryption and decryption. (Also signatures, non-interactive key exchange, more; but let s focus on encrypt/decrypt. Also short keys etc.; but let s focus on speed.) kumfp127g and curve25519 protect against timing attacks, branch-prediction attacks, etc. Broken by quantum computers, but high security level for the short term. New decoding speeds (n; t) = (4096; 41); security: Ivy Bridge cycles. Talk will focus on this case. (Decryption is slightly slower: includes hash, cipher, MAC.) (n; t) = (2048; 32); 2 80 security: Ivy Bridge cycles. All load/store addresses and all branch conditions are public. Eliminates cache-timing attacks etc. Similar improvements for CFS.
32 yperelliptic curves offer yption and decryption. natures, non-interactive ange, more; but s on encrypt/decrypt. rt keys etc.; but s on speed.) 7g and curve25519 gainst timing attacks, rediction attacks, etc. y quantum computers, security level hort term. New decoding speeds (n; t) = (4096; 41); security: Ivy Bridge cycles. Talk will focus on this case. (Decryption is slightly slower: includes hash, cipher, MAC.) (n; t) = (2048; 32); 2 80 security: Ivy Bridge cycles. All load/store addresses and all branch conditions are public. Eliminates cache-timing attacks etc. Similar improvements for CFS. Constant The extr to elimin Handle a using on XOR (^)
33 ic curves offer decryption. on-interactive e; but ypt/decrypt..; but d.) rve25519 ing attacks, ttacks, etc. computers, vel New decoding speeds (n; t) = (4096; 41); security: Ivy Bridge cycles. Talk will focus on this case. (Decryption is slightly slower: includes hash, cipher, MAC.) (n; t) = (2048; 32); 2 80 security: Ivy Bridge cycles. All load/store addresses and all branch conditions are public. Eliminates cache-timing attacks etc. Similar improvements for CFS. Constant-time fana The extremist s ap to eliminate timing Handle all secret d using only bit oper XOR (^), AND (&
34 ffer on. tive t. s, c. rs, New decoding speeds (n; t) = (4096; 41); security: Ivy Bridge cycles. Talk will focus on this case. (Decryption is slightly slower: includes hash, cipher, MAC.) (n; t) = (2048; 32); 2 80 security: Ivy Bridge cycles. All load/store addresses and all branch conditions are public. Eliminates cache-timing attacks etc. Similar improvements for CFS. Constant-time fanaticism The extremist s approach to eliminate timing attacks: Handle all secret data using only bit operations XOR (^), AND (&), etc.
35 New decoding speeds (n; t) = (4096; 41); security: Ivy Bridge cycles. Talk will focus on this case. (Decryption is slightly slower: includes hash, cipher, MAC.) Constant-time fanaticism The extremist s approach to eliminate timing attacks: Handle all secret data using only bit operations XOR (^), AND (&), etc. (n; t) = (2048; 32); 2 80 security: Ivy Bridge cycles. All load/store addresses and all branch conditions are public. Eliminates cache-timing attacks etc. Similar improvements for CFS.
36 New decoding speeds (n; t) = (4096; 41); security: Ivy Bridge cycles. Talk will focus on this case. (Decryption is slightly slower: includes hash, cipher, MAC.) (n; t) = (2048; 32); 2 80 security: Ivy Bridge cycles. Constant-time fanaticism The extremist s approach to eliminate timing attacks: Handle all secret data using only bit operations XOR (^), AND (&), etc. We take this approach. All load/store addresses and all branch conditions are public. Eliminates cache-timing attacks etc. Similar improvements for CFS.
37 New decoding speeds (n; t) = (4096; 41); security: Ivy Bridge cycles. Talk will focus on this case. (Decryption is slightly slower: includes hash, cipher, MAC.) (n; t) = (2048; 32); 2 80 security: Ivy Bridge cycles. All load/store addresses and all branch conditions are public. Eliminates cache-timing attacks etc. Similar improvements for CFS. Constant-time fanaticism The extremist s approach to eliminate timing attacks: Handle all secret data using only bit operations XOR (^), AND (&), etc. We take this approach. How can this be competitive in speed? Are you really simulating field multiplication with hundreds of bit operations instead of simple log tables?
38 oding speeds 4096; 41); security: y Bridge cycles. focus on this case. ion is slightly slower: hash, cipher, MAC.) 2048; 32); 2 80 security: y Bridge cycles. store addresses ranch conditions c. Eliminates ing attacks etc. mprovements for CFS. Constant-time fanaticism The extremist s approach to eliminate timing attacks: Handle all secret data using only bit operations XOR (^), AND (&), etc. We take this approach. How can this be competitive in speed? Are you really simulating field multiplication with hundreds of bit operations instead of simple log tables? Yes, we Not as s On a typ the XOR is actual operatin on vecto
39 eds security: cycles. this case. htly slower: er, MAC.) 2 80 security: cycles. esses ditions tes ks etc. nts for CFS. Constant-time fanaticism The extremist s approach to eliminate timing attacks: Handle all secret data using only bit operations XOR (^), AND (&), etc. We take this approach. How can this be competitive in speed? Are you really simulating field multiplication with hundreds of bit operations instead of simple log tables? Yes, we are. Not as slow as it s On a typical 32-bit the XOR instructio is actually 32-bit X operating in parall on vectors of 32 b
40 rity: : ity: S. Constant-time fanaticism The extremist s approach to eliminate timing attacks: Handle all secret data using only bit operations XOR (^), AND (&), etc. We take this approach. How can this be competitive in speed? Are you really simulating field multiplication with hundreds of bit operations instead of simple log tables? Yes, we are. Not as slow as it sounds! On a typical 32-bit CPU, the XOR instruction is actually 32-bit XOR, operating in parallel on vectors of 32 bits.
41 Constant-time fanaticism The extremist s approach to eliminate timing attacks: Handle all secret data using only bit operations XOR (^), AND (&), etc. We take this approach. Yes, we are. Not as slow as it sounds! On a typical 32-bit CPU, the XOR instruction is actually 32-bit XOR, operating in parallel on vectors of 32 bits. How can this be competitive in speed? Are you really simulating field multiplication with hundreds of bit operations instead of simple log tables?
42 Constant-time fanaticism The extremist s approach to eliminate timing attacks: Handle all secret data using only bit operations XOR (^), AND (&), etc. We take this approach. How can this be competitive in speed? Are you really simulating field multiplication with hundreds of bit operations instead of simple log tables? Yes, we are. Not as slow as it sounds! On a typical 32-bit CPU, the XOR instruction is actually 32-bit XOR, operating in parallel on vectors of 32 bits. Low-end smartphone CPU: 128-bit XOR every cycle. Ivy Bridge: 256-bit XOR every cycle, or three 128-bit XORs.
43 -time fanaticism emist s approach ate timing attacks: ll secret data ly bit operations, AND (&), etc. this approach. n this be ive in speed? really simulating tiplication with of bit operations f simple log tables? Yes, we are. Not as slow as it sounds! On a typical 32-bit CPU, the XOR instruction is actually 32-bit XOR, operating in parallel on vectors of 32 bits. Low-end smartphone CPU: 128-bit XOR every cycle. Ivy Bridge: 256-bit XOR every cycle, or three 128-bit XORs. Not imm that this saves tim multiplic
44 ticism proach attacks: ata ations ), etc. ach. ed? lating with erations og tables? Yes, we are. Not as slow as it sounds! On a typical 32-bit CPU, the XOR instruction is actually 32-bit XOR, operating in parallel on vectors of 32 bits. Low-end smartphone CPU: 128-bit XOR every cycle. Ivy Bridge: 256-bit XOR every cycle, or three 128-bit XORs. Not immediately o that this bitslicing saves time for, e.g multiplication in F
45 Yes, we are. Not as slow as it sounds! On a typical 32-bit CPU, the XOR instruction is actually 32-bit XOR, operating in parallel on vectors of 32 bits. Not immediately obvious that this bitslicing saves time for, e.g., multiplication in F Low-end smartphone CPU: 128-bit XOR every cycle. Ivy Bridge: 256-bit XOR every cycle, or three 128-bit XORs.
46 Yes, we are. Not as slow as it sounds! On a typical 32-bit CPU, the XOR instruction is actually 32-bit XOR, operating in parallel on vectors of 32 bits. Not immediately obvious that this bitslicing saves time for, e.g., multiplication in F Low-end smartphone CPU: 128-bit XOR every cycle. Ivy Bridge: 256-bit XOR every cycle, or three 128-bit XORs.
47 Yes, we are. Not as slow as it sounds! On a typical 32-bit CPU, the XOR instruction is actually 32-bit XOR, operating in parallel on vectors of 32 bits. Not immediately obvious that this bitslicing saves time for, e.g., multiplication in F But quite obvious that it saves time for addition in F Low-end smartphone CPU: 128-bit XOR every cycle. Ivy Bridge: 256-bit XOR every cycle, or three 128-bit XORs.
48 Yes, we are. Not as slow as it sounds! On a typical 32-bit CPU, the XOR instruction is actually 32-bit XOR, operating in parallel on vectors of 32 bits. Low-end smartphone CPU: 128-bit XOR every cycle. Ivy Bridge: 256-bit XOR every cycle, or three 128-bit XORs. Not immediately obvious that this bitslicing saves time for, e.g., multiplication in F But quite obvious that it saves time for addition in F Typical decoding algorithms have add, mult roughly balanced. Coming next: how to save many adds and most mults. Nice synergy with bitslicing.
49 are. low as it sounds! ical 32-bit CPU, instruction ly 32-bit XOR, g in parallel rs of 32 bits. smartphone CPU: OR every cycle. e: OR every cycle, 128-bit XORs. Not immediately obvious that this bitslicing saves time for, e.g., multiplication in F But quite obvious that it saves time for addition in F Typical decoding algorithms have add, mult roughly balanced. Coming next: how to save many adds and most mults. Nice synergy with bitslicing. The add Fix n = Big final is to find of f = c For each compute 41 adds,
50 ounds! CPU, n OR, el its. ne CPU: cycle. cycle, Rs. Not immediately obvious that this bitslicing saves time for, e.g., multiplication in F But quite obvious that it saves time for addition in F Typical decoding algorithms have add, mult roughly balanced. Coming next: how to save many adds and most mults. Nice synergy with bitslicing. The additive FFT Fix n = 4096 = 2 1 Big final decoding is to find all roots of f = c 41 x 41 + For each 2 F 2 12 compute f() by H 41 adds, 41 mults.
51 Not immediately obvious that this bitslicing saves time for, e.g., multiplication in F But quite obvious that it saves time for addition in F Typical decoding algorithms have add, mult roughly balanced. Coming next: how to save many adds and most mults. Nice synergy with bitslicing. The additive FFT Fix n = 4096 = 2 12, t = 41. Big final decoding step is to find all roots in F 2 12 of f = c 41 x c 0 x 0. For each 2 F 2 12, compute f() by Horner s r 41 adds, 41 mults.
52 Not immediately obvious that this bitslicing saves time for, e.g., multiplication in F But quite obvious that it saves time for addition in F Typical decoding algorithms have add, mult roughly balanced. Coming next: how to save many adds and most mults. Nice synergy with bitslicing. The additive FFT Fix n = 4096 = 2 12, t = 41. Big final decoding step is to find all roots in F 2 12 of f = c 41 x c 0 x 0. For each 2 F 2 12, compute f() by Horner s rule: 41 adds, 41 mults.
53 Not immediately obvious that this bitslicing saves time for, e.g., multiplication in F But quite obvious that it saves time for addition in F Typical decoding algorithms have add, mult roughly balanced. Coming next: how to save many adds and most mults. Nice synergy with bitslicing. The additive FFT Fix n = 4096 = 2 12, t = 41. Big final decoding step is to find all roots in F 2 12 of f = c 41 x c 0 x 0. For each 2 F 2 12, compute f() by Horner s rule: 41 adds, 41 mults. Or use Chien search: compute c i g i, c i g 2i, c i g 3i, etc. Cost per point: again 41 adds, 41 mults.
54 Not immediately obvious that this bitslicing saves time for, e.g., multiplication in F But quite obvious that it saves time for addition in F Typical decoding algorithms have add, mult roughly balanced. Coming next: how to save many adds and most mults. Nice synergy with bitslicing. The additive FFT Fix n = 4096 = 2 12, t = 41. Big final decoding step is to find all roots in F 2 12 of f = c 41 x c 0 x 0. For each 2 F 2 12, compute f() by Horner s rule: 41 adds, 41 mults. Or use Chien search: compute c i g i, c i g 2i, c i g 3i, etc. Cost per point: again 41 adds, 41 mults. Our cost: 6.01 adds, 2.09 mults.
55 ediately obvious bitslicing e for, e.g., ation in F e obvious that it e for addition in F ecoding algorithms, mult roughly balanced. next: how to save ds and most mults. ergy with bitslicing. The additive FFT Fix n = 4096 = 2 12, t = 41. Big final decoding step is to find all roots in F 2 12 of f = c 41 x c 0 x 0. For each 2 F 2 12, compute f() by Horner s rule: 41 adds, 41 mults. Or use Chien search: compute c i g i, c i g 2i, c i g 3i, etc. Cost per point: again 41 adds, 41 mults. Our cost: 6.01 adds, 2.09 mults. Asympto normally so Horne Θ(nt) =
56 bvious., that it ition in F lgorithms ghly balanced. to save st mults. bitslicing. The additive FFT Fix n = 4096 = 2 12, t = 41. Big final decoding step is to find all roots in F 2 12 of f = c 41 x c 0 x 0. For each 2 F 2 12, compute f() by Horner s rule: 41 adds, 41 mults. Or use Chien search: compute c i g i, c i g 2i, c i g 3i, etc. Cost per point: again 41 adds, 41 mults. Our cost: 6.01 adds, 2.09 mults. Asymptotics: normally t 2 Θ(n= so Horner s rule co Θ(nt) = Θ(n 2 = lg
57 12. nced. The additive FFT Fix n = 4096 = 2 12, t = 41. Big final decoding step is to find all roots in F 2 12 of f = c 41 x c 0 x 0. For each 2 F 2 12, compute f() by Horner s rule: 41 adds, 41 mults. Asymptotics: normally t 2 Θ(n= lg n), so Horner s rule costs Θ(nt) = Θ(n 2 = lg n). Or use Chien search: compute c i g i, c i g 2i, c i g 3i, etc. Cost per point: again 41 adds, 41 mults. Our cost: 6.01 adds, 2.09 mults.
58 The additive FFT Fix n = 4096 = 2 12, t = 41. Big final decoding step is to find all roots in F 2 12 of f = c 41 x c 0 x 0. Asymptotics: normally t 2 Θ(n= lg n), so Horner s rule costs Θ(nt) = Θ(n 2 = lg n). For each 2 F 2 12, compute f() by Horner s rule: 41 adds, 41 mults. Or use Chien search: compute c i g i, c i g 2i, c i g 3i, etc. Cost per point: again 41 adds, 41 mults. Our cost: 6.01 adds, 2.09 mults.
59 The additive FFT Fix n = 4096 = 2 12, t = 41. Big final decoding step is to find all roots in F 2 12 of f = c 41 x c 0 x 0. For each 2 F 2 12, compute f() by Horner s rule: 41 adds, 41 mults. Or use Chien search: compute c i g i, c i g 2i, c i g 3i, etc. Cost per point: again 41 adds, 41 mults. Asymptotics: normally t 2 Θ(n= lg n), so Horner s rule costs Θ(nt) = Θ(n 2 = lg n). Wait a minute. Didn t we learn in school that FFT evaluates an n-coeff polynomial at n points using n 1+o(1) operations? Isn t this better than n 2 = lg n? Our cost: 6.01 adds, 2.09 mults.
60 itive FFT 4096 = 2 12, t = 41. decoding step all roots in F x c 0 x 0. 2 F 2 12, f() by Horner s rule: 41 mults. hien search: compute 2i, c i g 3i, etc. Cost per ain 41 adds, 41 mults. : 6.01 adds, 2.09 mults. Asymptotics: normally t 2 Θ(n= lg n), so Horner s rule costs Θ(nt) = Θ(n 2 = lg n). Wait a minute. Didn t we learn in school that FFT evaluates an n-coeff polynomial at n points using n 1+o(1) operations? Isn t this better than n 2 = lg n? Standard Want to f = c 0 + at all the Write f Observe f() = f f( ) = f 0 has n evaluate by same Similarly
61 2, t = 41. step in F c 0 x 0., orner s rule: h: compute etc. Cost per ds, 41 mults. ds, 2.09 mults. Asymptotics: normally t 2 Θ(n= lg n), so Horner s rule costs Θ(nt) = Θ(n 2 = lg n). Wait a minute. Didn t we learn in school that FFT evaluates an n-coeff polynomial at n points using n 1+o(1) operations? Isn t this better than n 2 = lg n? Standard radix-2 F Want to evaluate f = c 0 + c 1 x + at all the nth root Write f as f 0 (x 2 ) Observe big overla f() = f 0 ( 2 ) + f( ) = f 0 ( 2 ) f 0 has n=2 coeffs; evaluate at (n=2)n by same idea recur Similarly f 1.
62 ule: te per lts. ults. Asymptotics: normally t 2 Θ(n= lg n), so Horner s rule costs Θ(nt) = Θ(n 2 = lg n). Wait a minute. Didn t we learn in school that FFT evaluates an n-coeff polynomial at n points using n 1+o(1) operations? Isn t this better than n 2 = lg n? Standard radix-2 FFT: Want to evaluate f = c 0 + c 1 x + + c n 1x n at all the nth roots of 1. Write f as f 0 (x 2 ) + xf 1 (x 2 ) Observe big overlap between f() = f 0 ( 2 ) + f 1 ( 2 ), f( ) = f 0 ( 2 ) f 1 ( 2 ). f 0 has n=2 coeffs; evaluate at (n=2)nd roots of by same idea recursively. Similarly f 1.
63 Asymptotics: normally t 2 Θ(n= lg n), so Horner s rule costs Θ(nt) = Θ(n 2 = lg n). Wait a minute. Didn t we learn in school that FFT evaluates an n-coeff polynomial at n points using n 1+o(1) operations? Isn t this better than n 2 = lg n? Standard radix-2 FFT: Want to evaluate f = c 0 + c 1 x + + c n 1x n 1 at all the nth roots of 1. Write f as f 0 (x 2 ) + xf 1 (x 2 ). Observe big overlap between f() = f 0 ( 2 ) + f 1 ( 2 ), f( ) = f 0 ( 2 ) f 1 ( 2 ). f 0 has n=2 coeffs; evaluate at (n=2)nd roots of 1 by same idea recursively. Similarly f 1.
64 tics: t 2 Θ(n= lg n), r s rule costs Θ(n 2 = lg n). inute. e learn in school evaluates ff polynomial nts +o(1) operations? better than n 2 = lg n? Standard radix-2 FFT: Want to evaluate f = c 0 + c 1 x + + c n 1x n 1 at all the nth roots of 1. Write f as f 0 (x 2 ) + xf 1 (x 2 ). Observe big overlap between f() = f 0 ( 2 ) + f 1 ( 2 ), f( ) = f 0 ( 2 ) f 1 ( 2 ). f 0 has n=2 coeffs; evaluate at (n=2)nd roots of 1 by same idea recursively. Similarly f 1. Useless i Standard FFT con 1988 Wa independ additive Still quit 1996 von some im 2010 Ga much be We use G plus som
65 lg n), sts n). school s ial ations? an n 2 = lg n? Standard radix-2 FFT: Want to evaluate f = c 0 + c 1 x + + c n 1x n 1 at all the nth roots of 1. Write f as f 0 (x 2 ) + xf 1 (x 2 ). Observe big overlap between f() = f 0 ( 2 ) + f 1 ( 2 ), f( ) = f 0 ( 2 ) f 1 ( 2 ). f 0 has n=2 coeffs; evaluate at (n=2)nd roots of 1 by same idea recursively. Similarly f 1. Useless in char 2: Standard workarou FFT considered im 1988 Wang Zhu, independently 198 additive FFT in Still quite expensiv 1996 von zur Gath some improvement 2010 Gao Mateer: much better additi We use Gao Mate plus some new imp
66 ? Standard radix-2 FFT: Want to evaluate f = c 0 + c 1 x + + c n 1x n 1 at all the nth roots of 1. Write f as f 0 (x 2 ) + xf 1 (x 2 ). Observe big overlap between f() = f 0 ( 2 ) + f 1 ( 2 ), f( ) = f 0 ( 2 ) f 1 ( 2 ). f 0 has n=2 coeffs; evaluate at (n=2)nd roots of 1 by same idea recursively. Similarly f 1. Useless in char 2: =. Standard workarounds are pa FFT considered impractical Wang Zhu, independently 1989 Cantor: additive FFT in char 2. Still quite expensive von zur Gathen Gerhar some improvements Gao Mateer: much better additive FFT. We use Gao Mateer, plus some new improvement
67 Standard radix-2 FFT: Want to evaluate f = c 0 + c 1 x + + c n 1x n 1 at all the nth roots of 1. Write f as f 0 (x 2 ) + xf 1 (x 2 ). Observe big overlap between f() = f 0 ( 2 ) + f 1 ( 2 ), f( ) = f 0 ( 2 ) f 1 ( 2 ). f 0 has n=2 coeffs; evaluate at (n=2)nd roots of 1 by same idea recursively. Similarly f 1. Useless in char 2: =. Standard workarounds are painful. FFT considered impractical Wang Zhu, independently 1989 Cantor: additive FFT in char 2. Still quite expensive von zur Gathen Gerhard: some improvements Gao Mateer: much better additive FFT. We use Gao Mateer, plus some new improvements.
68 radix-2 FFT: evaluate c 1 x + + c n 1x n 1 nth roots of 1. as f 0 (x 2 ) + xf 1 (x 2 ). big overlap between 0( 2 ) + f 1 ( 2 ), f 0 ( 2 ) f 1 ( 2 ). =2 coeffs; at (n=2)nd roots of 1 idea recursively. f 1. Useless in char 2: =. Standard workarounds are painful. FFT considered impractical Wang Zhu, independently 1989 Cantor: additive FFT in char 2. Still quite expensive von zur Gathen Gerhard: some improvements Gao Mateer: much better additive FFT. We use Gao Mateer, plus some new improvements. Gao and f = c 0 + on a size Main ide f 0 (x 2 + Big over f 0 ( 2 + and f( f 0 ( 2 + Twist Then size-(n=2 Apply sa
69 FT: + c n 1x n 1 s of 1. + xf 1 (x 2 ). p between f 1 ( 2 ), f 1 ( 2 ). d roots of 1 sively. Useless in char 2: =. Standard workarounds are painful. FFT considered impractical Wang Zhu, independently 1989 Cantor: additive FFT in char 2. Still quite expensive von zur Gathen Gerhard: some improvements Gao Mateer: much better additive FFT. We use Gao Mateer, plus some new improvements. Gao and Mateer ev f = c 0 + c 1 x + on a size-n F 2 -line Main idea: Write f f 0 (x 2 + x) + xf 1 ( Big overlap betwee f 0 ( 2 + ) + f 1 ( and f( + 1) = f 0 ( 2 + ) + ( + Twist to ensure Then 2 + is size-(n=2) F 2 -linea Apply same idea re
70 1 Useless in char 2: =. Standard workarounds are painful. FFT considered impractical. Gao and Mateer evaluate f = c 0 + c 1 x + + c n 1x n on a size-n F 2 -linear space Wang Zhu, independently 1989 Cantor: additive FFT in char 2. Still quite expensive von zur Gathen Gerhard: some improvements. Main idea: Write f as f 0 (x 2 + x) + xf 1 (x 2 + x). Big overlap between f() = f 0 ( 2 + ) + f 1 ( 2 + ) and f( + 1) = f 0 ( 2 + ) + ( + 1)f 1 ( Gao Mateer: much better additive FFT. We use Gao Mateer, plus some new improvements. Twist to ensure 1 2 space Then 2 + is a size-(n=2) F 2 -linear space. Apply same idea recursively.
71 Useless in char 2: =. Standard workarounds are painful. FFT considered impractical Wang Zhu, independently 1989 Cantor: additive FFT in char 2. Still quite expensive von zur Gathen Gerhard: some improvements Gao Mateer: much better additive FFT. We use Gao Mateer, plus some new improvements. Gao and Mateer evaluate f = c 0 + c 1 x + + c n 1x n 1 on a size-n F 2 -linear space. Main idea: Write f as f 0 (x 2 + x) + xf 1 (x 2 + x). Big overlap between f() = f 0 ( 2 + ) + f 1 ( 2 + ) and f( + 1) = f 0 ( 2 + ) + ( + 1)f 1 ( 2 + ). Twist to ensure 1 2 space. Then 2 + is a size-(n=2) F 2 -linear space. Apply same idea recursively.
72 n char 2: =. workarounds are painful. sidered impractical. ng Zhu, ently 1989 Cantor: FFT in char 2. e expensive. zur Gathen Gerhard: provements. o Mateer: tter additive FFT. ao Mateer, e new improvements. Gao and Mateer evaluate f = c 0 + c 1 x + + c n 1x n 1 on a size-n F 2 -linear space. Main idea: Write f as f 0 (x 2 + x) + xf 1 (x 2 + x). Big overlap between f() = f 0 ( 2 + ) + f 1 ( 2 + ) and f( + 1) = f 0 ( 2 + ) + ( + 1)f 1 ( 2 + ). Twist to ensure 1 2 space. Then 2 + is a size-(n=2) F 2 -linear space. Apply same idea recursively. We gene f = c 0 + for any t ) severa not all o by simpl For t = 0 For t 2 f f 1 is a c Instead o this cons multiply and com
73 =. nds are painful. practical. 9 Cantor: char 2. e. en Gerhard: s. ve FFT. er, rovements. Gao and Mateer evaluate f = c 0 + c 1 x + + c n 1x n 1 on a size-n F 2 -linear space. Main idea: Write f as f 0 (x 2 + x) + xf 1 (x 2 + x). Big overlap between f() = f 0 ( 2 + ) + f 1 ( 2 + ) and f( + 1) = f 0 ( 2 + ) + ( + 1)f 1 ( 2 + ). Twist to ensure 1 2 space. Then 2 + is a size-(n=2) F 2 -linear space. Apply same idea recursively. We generalize to f = c 0 + c 1 x + for any t < n. ) several optimiza not all of which ar by simply tracking For t = 0: copy c 0 For t 2 f1; 2g: f 1 is a constant. Instead of multiply this constant by ea multiply only by ge and compute subse
74 inful. d: s. Gao and Mateer evaluate f = c 0 + c 1 x + + c n 1x n 1 on a size-n F 2 -linear space. Main idea: Write f as f 0 (x 2 + x) + xf 1 (x 2 + x). Big overlap between f() = f 0 ( 2 + ) + f 1 ( 2 + ) and f( + 1) = f 0 ( 2 + ) + ( + 1)f 1 ( 2 + ). Twist to ensure 1 2 space. Then 2 + is a size-(n=2) F 2 -linear space. Apply same idea recursively. We generalize to f = c 0 + c 1 x + + c t x t for any t < n. ) several optimizations, not all of which are automat by simply tracking zeros. For t = 0: copy c 0. For t 2 f1; 2g: f 1 is a constant. Instead of multiplying this constant by each, multiply only by generators and compute subset sums.
75 Gao and Mateer evaluate f = c 0 + c 1 x + + c n 1x n 1 on a size-n F 2 -linear space. Main idea: Write f as f 0 (x 2 + x) + xf 1 (x 2 + x). Big overlap between f() = f 0 ( 2 + ) + f 1 ( 2 + ) and f( + 1) = f 0 ( 2 + ) + ( + 1)f 1 ( 2 + ). Twist to ensure 1 2 space. Then 2 + is a size-(n=2) F 2 -linear space. Apply same idea recursively. We generalize to f = c 0 + c 1 x + + c t x t for any t < n. ) several optimizations, not all of which are automated by simply tracking zeros. For t = 0: copy c 0. For t 2 f1; 2g: f 1 is a constant. Instead of multiplying this constant by each, multiply only by generators and compute subset sums.
76 Mateer evaluate c 1 x + + c n 1x n 1 -n F 2 -linear space. a: Write f as x) + xf 1 (x 2 + x). lap between f() = ) + f 1 ( 2 + ) + 1) = ) + ( + 1)f 1 ( 2 + ). to ensure 1 2 space. 2 + is a ) F 2 -linear space. me idea recursively. We generalize to f = c 0 + c 1 x + + c t x t for any t < n. ) several optimizations, not all of which are automated by simply tracking zeros. For t = 0: copy c 0. For t 2 f1; 2g: f 1 is a constant. Instead of multiplying this constant by each, multiply only by generators and compute subset sums. Syndrom Initial de s 0 = r 1 + s 1 = r 1 s 2 = r 1..., s t = r 1 r 1 ; r 2 ; : : scaled by Typically mapping Not as s still n 2+
77 aluate + c n 1x n 1 ar space. as x 2 + x). n f() = 2 + ) 1)f 1 ( 2 + ). 1 2 space. a r space. cursively. We generalize to f = c 0 + c 1 x + + c t x t for any t < n. ) several optimizations, not all of which are automated by simply tracking zeros. For t = 0: copy c 0. For t 2 f1; 2g: f 1 is a constant. Instead of multiplying this constant by each, multiply only by generators and compute subset sums. Syndrome comput Initial decoding ste s 0 = r 1 + r 2 + s 1 = r r 2 2 s 2 = r r , s = t r 1 t 1 + r 2 t 2 r 1 ; r 2 ; : : : ; r are r n scaled by Goppa c Typically precompu mapping bits to sy Not as slow as Chi still n 2+o(1) and h
78 1 + ).. We generalize to f = c 0 + c 1 x + + c t x t for any t < n. ) several optimizations, not all of which are automated by simply tracking zeros. For t = 0: copy c 0. For t 2 f1; 2g: f 1 is a constant. Instead of multiplying this constant by each, multiply only by generators and compute subset sums. Syndrome computation Initial decoding step: compu s 0 = r 1 + r r, n s 1 = r r r n s 2 = r r r n..., s = t r 1 t 1 + r 2 t r n r 1 ; r 2 ; : : : ; r are received bi n scaled by Goppa constants. Typically precompute matrix mapping bits to syndrome. Not as slow as Chien search still n 2+o(1) and huge secret
79 We generalize to f = c 0 + c 1 x + + c t x t for any t < n. ) several optimizations, not all of which are automated by simply tracking zeros. For t = 0: copy c 0. For t 2 f1; 2g: f 1 is a constant. Instead of multiplying this constant by each, multiply only by generators and compute subset sums. Syndrome computation Initial decoding step: compute s 0 = r 1 + r r, n s 1 = r r r n, n s 2 = r r r n 2 n,..., s = t r 1 t 1 + r 2 t r n t n. r 1 ; r 2 ; : : : ; r are received bits n scaled by Goppa constants. Typically precompute matrix mapping bits to syndrome. Not as slow as Chien search but still n 2+o(1) and huge secret key.
80 ralize to c 1 x + + c t x t < n. l optimizations, f which are automated y tracking zeros. : copy c 0. 1; 2g: onstant. f multiplying tant by each, only by generators pute subset sums. Syndrome computation Initial decoding step: compute s 0 = r 1 + r r, n s 1 = r r r n, n s 2 = r r r n 2 n,..., s = t r 1 t 1 + r 2 t r n t n. r 1 ; r 2 ; : : : ; r are received bits n scaled by Goppa constants. Typically precompute matrix mapping bits to syndrome. Not as slow as Chien search but still n 2+o(1) and huge secret key. Compare f( 1 ) = f( 2 ) =..., f( ) = n
81 + c t x t tions, e automated zeros.. ing ch, nerators t sums. Syndrome computation Initial decoding step: compute s 0 = r 1 + r r, n s 1 = r r r n, n s 2 = r r r n 2 n,..., s = t r 1 t 1 + r 2 t r n t n. r 1 ; r 2 ; : : : ; r are received bits n scaled by Goppa constants. Typically precompute matrix mapping bits to syndrome. Not as slow as Chien search but still n 2+o(1) and huge secret key. Compare to multip f( 1 ) = c 0 + c 1 1 f( 2 ) = c 0 + c , f( ) = n c 0 + c 1
82 ed Syndrome computation Initial decoding step: compute s 0 = r 1 + r r, n s 1 = r r r n, n s 2 = r r r n 2 n,..., s = t r 1 t 1 + r 2 t r n t n. r 1 ; r 2 ; : : : ; r are received bits n scaled by Goppa constants. Typically precompute matrix mapping bits to syndrome. Not as slow as Chien search but still n 2+o(1) and huge secret key. Compare to multipoint evalu f( 1 ) = c 0 + c c f( 2 ) = c 0 + c c..., f( ) = n c 0 + c n
83 Syndrome computation Initial decoding step: compute s 0 = r 1 + r r, n s 1 = r r r n, n s 2 = r r r n 2 n, Compare to multipoint evaluation: f( 1 ) = c 0 + c c t t 1, f( 2 ) = c 0 + c c t t 2,..., f( ) = n c 0 + c n c t t n...., s = t r 1 t 1 + r 2 t r n t n. r 1 ; r 2 ; : : : ; r are received bits n scaled by Goppa constants. Typically precompute matrix mapping bits to syndrome. Not as slow as Chien search but still n 2+o(1) and huge secret key.
84 Syndrome computation Initial decoding step: compute s 0 = r 1 + r r, n s 1 = r r r n, n s 2 = r r r n 2 n,..., s = t r 1 t 1 + r 2 t r n t n. r 1 ; r 2 ; : : : ; r are received bits n scaled by Goppa constants. Typically precompute matrix mapping bits to syndrome. Not as slow as Chien search but still n 2+o(1) and huge secret key. Compare to multipoint evaluation: f( 1 ) = c 0 + c c t t 1, f( 2 ) = c 0 + c c t t 2,..., f( ) = n c 0 + c n c t t n. Matrix for syndrome computation is transpose of matrix for multipoint evaluation.
85 Syndrome computation Initial decoding step: compute s 0 = r 1 + r r, n s 1 = r r r n, n s 2 = r r r n 2 n,..., s = t r 1 t 1 + r 2 t r n t n. r 1 ; r 2 ; : : : ; r are received bits n scaled by Goppa constants. Typically precompute matrix mapping bits to syndrome. Not as slow as Chien search but still n 2+o(1) and huge secret key. Compare to multipoint evaluation: f( 1 ) = c 0 + c c t t 1, f( 2 ) = c 0 + c c t t 2,..., f( ) = n c 0 + c n c t t n. Matrix for syndrome computation is transpose of matrix for multipoint evaluation. Amazing consequence: syndrome computation is as few ops as multipoint evaluation. Eliminate precomputed matrix.
86 e computation coding step: compute r r n, 1 + r r n n, r r n 2 n, t 1 + r 2 t r n t n. : ; r n are received bits Goppa constants. precompute matrix bits to syndrome. low as Chien search but o(1) and huge secret key. Compare to multipoint evaluation: f( 1 ) = c 0 + c c t t 1, f( 2 ) = c 0 + c c t t 2,..., f( ) = n c 0 + c n c t t n. Matrix for syndrome computation is transpose of matrix for multipoint evaluation. Amazing consequence: syndrome computation is as few ops as multipoint evaluation. Eliminate precomputed matrix. Transpos If a linea compute then reve exchangi compute 1956 Bo independ for Boole 1973 Fid preserves preserves number
87 ation p: compute + r, n + + r n, n + + r n 2 n, + + r n t n. eceived bits onstants. te matrix ndrome. en search but uge secret key. Compare to multipoint evaluation: f( 1 ) = c 0 + c c t t 1, f( 2 ) = c 0 + c c t t 2,..., f( ) = n c 0 + c n c t t n. Matrix for syndrome computation is transpose of matrix for multipoint evaluation. Amazing consequence: syndrome computation is as few ops as multipoint evaluation. Eliminate precomputed matrix. Transposition princ If a linear algorithm computes a matrix then reversing edg exchanging inputs/ computes the tran 1956 Bordewijk; independently 195 for Boolean matric 1973 Fiduccia ana preserves number o preserves number o number of nontrivi
88 te n, 2 n, t n. ts but key. Compare to multipoint evaluation: f( 1 ) = c 0 + c c t t 1, f( 2 ) = c 0 + c c t t 2,..., f( ) = n c 0 + c n c t t n. Matrix for syndrome computation is transpose of matrix for multipoint evaluation. Amazing consequence: syndrome computation is as few ops as multipoint evaluation. Eliminate precomputed matrix. Transposition principle: If a linear algorithm computes a matrix M then reversing edges and exchanging inputs/outputs computes the transpose of M 1956 Bordewijk; independently 1957 Lupanov for Boolean matrices Fiduccia analysis: preserves number of mults; preserves number of adds plu number of nontrivial outputs
89 Compare to multipoint evaluation: f( 1 ) = c 0 + c c t t 1, f( 2 ) = c 0 + c c t t 2,..., f( ) = n c 0 + c n c t t n. Matrix for syndrome computation is transpose of matrix for multipoint evaluation. Amazing consequence: syndrome computation is as few ops as multipoint evaluation. Eliminate precomputed matrix. Transposition principle: If a linear algorithm computes a matrix M then reversing edges and exchanging inputs/outputs computes the transpose of M Bordewijk; independently 1957 Lupanov for Boolean matrices Fiduccia analysis: preserves number of mults; preserves number of adds plus number of nontrivial outputs.
90 to multipoint evaluation: c 0 + c c t t 1, c 0 + c c t t 2, c 0 + c n c t t n. r syndrome computation ose of r multipoint evaluation. consequence: e computation is as few ultipoint evaluation. e precomputed matrix. Transposition principle: If a linear algorithm computes a matrix M then reversing edges and exchanging inputs/outputs computes the transpose of M Bordewijk; independently 1957 Lupanov for Boolean matrices Fiduccia analysis: preserves number of mults; preserves number of adds plus number of nontrivial outputs. We built producin Too man gcc ran
McBits: fast constant-time code-based cryptography. (to appear at CHES 2013)
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit
More informationObjectives. McBits: fast constant-time code-based cryptography. Set new speed records for public-key cryptography. (to appear at CHES 2013)
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) Objectives Set new speed records for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische
More informationObjectives. McBits: fast constant-time code-based cryptography. Set new speed records for public-key cryptography.
McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Objectives Set new speed records for public-key cryptography. Joint
More informationAdvanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
Advanced code-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lattice-basis reduction Define L = (0; 24)Z + (1; 17)Z = {(b; 24a + 17b) : a;
More informationMcBits: Fast code-based cryptography
McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography
More informationMcBits: fast constant-time code-based cryptography
McBits: fast constant-time code-based cryptography Daniel J. Bernstein 1,2, Tung Chou 2, and Peter Schwabe 3 1 Department of Computer Science University of Illinois at Chicago, Chicago, IL 60607 7053,
More informationSpeeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago
Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases D. J. Bernstein University of Illinois at Chicago NSF ITR 0716498 Part I. Linear maps Consider computing 0
More informationAttacking and defending the McEliece cryptosystem
Attacking and defending the McEliece cryptosystem (Joint work with Daniel J. Bernstein and Tanja Lange) Christiane Peters Technische Universiteit Eindhoven PQCrypto 2nd Workshop on Postquantum Cryptography
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationThe tangent FFT. D. J. Bernstein University of Illinois at Chicago
The tangent FFT D. J. Bernstein University of Illinois at Chicago Advertisement SPEED: Software Performance Enhancement for Encryption and Decryption A workshop on software speeds for secret-key cryptography
More informationHyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago
Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern
More informationDecoding One Out of Many
Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, équipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands Computational Syndrome Decoding Problem:
More informationClassic McEliece vs. NTS-KEM
Classic McEliece vs. NTS-KEM Classic McEliece Comparison Task Force 2018.06.29 Contents 1 Introduction 2 2 Ciphertext size: identical 3 3 Ciphertext details: Classic McEliece is better 4 4 Patent status:
More informationA brief survey of post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
A brief survey of post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption
More informationCryptographie basée sur les codes correcteurs d erreurs et arithmétique
with Cryptographie basée sur les correcteurs d erreurs et arithmétique with with Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationElliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein
Elliptic curves Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Diffie-Hellman key exchange Pick some generator. Diffie-Hellman key exchange Pick some generator. Diffie-Hellman
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationWild McEliece Incognito
Wild McEliece Incognito Christiane Peters Technische Universiteit Eindhoven joint work with Daniel J. Bernstein and Tanja Lange Seminaire de Cryptographie Rennes April 1, 2011 Bad news Quantum computers
More informationSoftware implementation of ECC
Software implementation of ECC Radboud University, Nijmegen, The Netherlands June 4, 2015 Summer school on real-world crypto and privacy Šibenik, Croatia Software implementation of (H)ECC Radboud University,
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Code-Based Cryptography Tanja Lange with some slides by Tung Chou and Christiane Peters Technische Universiteit Eindhoven ASCrypto Summer School: 18 September 2017 Error correction
More informationFPGA-based Niederreiter Cryptosystem using Binary Goppa Codes
FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes Wen Wang 1, Jakub Szefer 1, and Ruben Niederhagen 2 1. Yale University, USA 2. Fraunhofer Institute SIT, Germany April 9, 2018 PQCrypto 2018
More informationEfficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves
Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves SESSION ID: CRYP-T07 Patrick Longa Microsoft Research http://research.microsoft.com/en-us/people/plonga/
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationAdvances in code-based public-key cryptography. D. J. Bernstein University of Illinois at Chicago
Advances in code-based public-key cryptography D. J. Bernstein University of Illinois at Chicago Advertisements 1. pqcrypto.org: Post-quantum cryptography hash-based, lattice-based, code-based, multivariate
More informationFPGA-based Key Generator for the Niederreiter Cryptosystem using Binary Goppa Codes
FPGA-based Key Generator for the Niederreiter Cryptosystem using Binary Goppa Codes Wen Wang 1, Jakub Szefer 1, and Ruben Niederhagen 2 1 Yale University, New Haven, CT, USA {wen.wang.ww349, jakub.szefer}@yale.edu
More informationCode-based cryptography
Code-based graphy Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr June 4th 2013 Pierre-Louis CAYREL
More informationCode-based post-quantum cryptography. D. J. Bernstein University of Illinois at Chicago
Code-based post-quantum cryptography D. J. Bernstein University of Illinois at Chicago Once the enormous energy boost that quantum computers are expected to provide hits the street, most encryption security
More informationCurve41417: Karatsuba revisited
Curve41417: Karatsuba revisited Chitchanok Chuengsatiansup Technische Universiteit Eindhoven September 25, 2014 Joint work with Daniel J. Bernstein and Tanja Lange Chitchanok Chuengsatiansup Curve41417:
More information3. Focus on secure cryptosystems. How do we know what a quantum computer will do?
Cryptographic readiness levels, and the impact of quantum computers Daniel J. Bernstein How is crypto developed? How confident are we that crypto is secure? Many stages of research from cryptographic design
More informationDaniel J. Bernstein University of Illinois at Chicago. means an algorithm that a quantum computer can run.
Quantum algorithms 1 Daniel J. Bernstein University of Illinois at Chicago Quantum algorithm means an algorithm that a quantum computer can run. i.e. a sequence of instructions, where each instruction
More informationNewHope for ARM Cortex-M
for ARM Cortex-M Erdem Alkim 1, Philipp Jakubeit 2, Peter Schwabe 2 erdemalkim@gmail.com, phil.jakubeit@gmail.com, peter@cryptojedi.org 1 Ege University, Izmir, Turkey 2 Radboud University, Nijmegen, The
More informationA Smart Card Implementation of the McEliece PKC
A Smart Card Implementation of the McEliece PKC Falko Strenzke 1 1 FlexSecure GmbH, Germany, strenzke@flexsecure.de 2 Cryptography and Computeralgebra, Department of Computer Science, Technische Universität
More informationKummer strikes back: new DH speed records
Kummer strikes back: new D speed records Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 2, Tanja Lange 2, and Peter Schwabe 3 1 Department of Computer Science, University of Illinois at Chicago Chicago,
More informationThanks to: University of Illinois at Chicago NSF CCR Alfred P. Sloan Foundation
The Poly1305-AES message-authentication code D. J. Bernstein Thanks to: University of Illinois at Chicago NSF CCR 9983950 Alfred P. Sloan Foundation The AES function ( Rijndael 1998 Daemen Rijmen; 2001
More informationErrors, Eavesdroppers, and Enormous Matrices
Errors, Eavesdroppers, and Enormous Matrices Jessalyn Bolkema September 1, 2016 University of Nebraska - Lincoln Keep it secret, keep it safe Public Key Cryptography The idea: We want a one-way lock so,
More informationTable of C on t en t s Global Campus 21 in N umbe r s R e g ional Capac it y D e v e lopme nt in E-L e ar ning Structure a n d C o m p o n en ts R ea
G Blended L ea r ni ng P r o g r a m R eg i o na l C a p a c i t y D ev elo p m ent i n E -L ea r ni ng H R K C r o s s o r d e r u c a t i o n a n d v e l o p m e n t C o p e r a t i o n 3 0 6 0 7 0 5
More informationPost-quantum RSA. We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity
We built a great, great 1-terabyte RSA wall, and we had the university pay for the electricity Daniel J. Bernstein Joint work with: Nadia Heninger Paul Lou Luke Valenta The referees are questioning applicability...
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationPOST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW?
POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Böck https://hboeck.de 1 INTRODUCTION Hanno Böck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project, funded
More information(which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography)
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit
More informationBall-collision decoding
Ball-collision decoding Christiane Peters Technische Universiteit Eindhoven joint work with Daniel J. Bernstein and Tanja Lange Oberseminar Cryptography and Computer Algebra TU Darmstadt November 8, 200
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More information176 5 t h Fl oo r. 337 P o ly me r Ma te ri al s
A g la di ou s F. L. 462 E l ec tr on ic D ev el op me nt A i ng er A.W.S. 371 C. A. M. A l ex an de r 236 A d mi ni st ra ti on R. H. (M rs ) A n dr ew s P. V. 326 O p ti ca l Tr an sm is si on A p ps
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationPost-quantum key exchange based on Lattices
Post-quantum key exchange based on Lattices Joppe W. Bos Romanian Cryptology Days Conference Cybersecurity in a Post-quantum World September 20, 2017, Bucharest 1. NXP Semiconductors Operations in > 35
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationSPHINCS: practical stateless hash-based signatures
SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn Digital Signatures are Important!
More informationFrom NewHope to Kyber. Peter Schwabe April 7, 2017
From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used
More informationPublic-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.
Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationImproving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems
Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems Robert Niebuhr 1, Pierre-Louis Cayrel 2, and Johannes Buchmann 1,2 1 Technische Universität Darmstadt Fachbereich
More informationCRYPTANALYSE EN TEMPS POLYNOMIAL DU SCHÉMA DE MCELIECE BASÉ SUR LES CODES
POLYNOMIAL DU SCHÉMA CODES GÉOMÉTRIQUES A. COUVREUR 1 I. MÁRQUEZ-CORBELLA 1 R. PELLIKAAN 2 1 INRIA Saclay & LIX 2 Department of Mathematics and Computing Science, TU/e. Journées Codage et Cryptographie
More informationHigh-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos, Craig Costello, Huseyin Hisil, Kristin Lauter CHES 2013 Motivation - I Group DH ECDH (F p1, ) (E F p2, +)
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationMechanizing Elliptic Curve Associativity
Mechanizing Elliptic Curve Associativity Why a Formalized Mathematics Challenge is Useful for Verification of Crypto ARM Machine Code Joe Hurd Computer Laboratory University of Cambridge Galois Connections
More informationA L A BA M A L A W R E V IE W
A L A BA M A L A W R E V IE W Volume 52 Fall 2000 Number 1 B E F O R E D I S A B I L I T Y C I V I L R I G HT S : C I V I L W A R P E N S I O N S A N D TH E P O L I T I C S O F D I S A B I L I T Y I N
More informationP a g e 5 1 of R e p o r t P B 4 / 0 9
P a g e 5 1 of R e p o r t P B 4 / 0 9 J A R T a l s o c o n c l u d e d t h a t a l t h o u g h t h e i n t e n t o f N e l s o n s r e h a b i l i t a t i o n p l a n i s t o e n h a n c e c o n n e
More informationSignatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven
Signatures and DLP-I Tanja Lange Technische Universiteit Eindhoven How to compute ap Use binary representation of a to compute a(x; Y ) in blog 2 ac doublings and at most that many additions. E.g. a =
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationCHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER
177 CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER 178 12.1 Introduction The study of cryptography of gray level images [110, 112, 118] by using block ciphers has gained considerable
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationFast Lattice-Based Encryption: Stretching SPRING
Fast Lattice-Based Encryption: Stretching SPRING Charles Bouillaguet 1 Claire Delaplace 1,2 Pierre-Alain Fouque 2 Paul Kirchner 3 1 CFHP team, CRIStAL, Université de Lille, France 2 EMSEC team, IRISA,
More informationP a g e 3 6 of R e p o r t P B 4 / 0 9
P a g e 3 6 of R e p o r t P B 4 / 0 9 p r o t e c t h um a n h e a l t h a n d p r o p e r t y fr om t h e d a n g e rs i n h e r e n t i n m i n i n g o p e r a t i o n s s u c h a s a q u a r r y. J
More informationAES side channel attacks protection using random isomorphisms
Rostovtsev A.G., Shemyakina O.V., St. Petersburg State Polytechnic University AES side channel attacks protection using random isomorphisms General method of side-channel attacks protection, based on random
More informationarxiv: v2 [cs.cr] 14 Feb 2018
Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationCryptanalysis of the Original McEliece Cryptosystem
Cryptanalysis of the Original McEliece Cryptosystem Anne Canteaut and Nicolas Sendrier INRIA - projet CODES BP 105 78153 Le Chesnay, France Abstract. The class of public-ey cryptosystems based on error-correcting
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More informationIntroduction to Cryptography. Susan Hohenberger
Introduction to Cryptography Susan Hohenberger 1 Cryptography -- from art to science -- more than just encryption -- essential today for non-military applications 2 Symmetric Crypto Shared secret K =>
More informationImpossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128
Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com
More informationNoisy Diffie-Hellman protocols
Noisy Diffie-Hellman protocols Carlos Aguilar 1, Philippe Gaborit 1, Patrick Lacharme 1, Julien Schrek 1 and Gilles Zémor 2 1 University of Limoges, France, 2 University of Bordeaux, France. Classical
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationCoset Decomposition Method for Decoding Linear Codes
International Journal of Algebra, Vol. 5, 2011, no. 28, 1395-1404 Coset Decomposition Method for Decoding Linear Codes Mohamed Sayed Faculty of Computer Studies Arab Open University P.O. Box: 830 Ardeya
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationSignatures and DLP. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein
Signatures and DLP Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein ECDSA Users can sign messages using Edwards curves. Take a point P on an Edwards curve modulo a
More informationT h e C S E T I P r o j e c t
T h e P r o j e c t T H E P R O J E C T T A B L E O F C O N T E N T S A r t i c l e P a g e C o m p r e h e n s i v e A s s es s m e n t o f t h e U F O / E T I P h e n o m e n o n M a y 1 9 9 1 1 E T
More informationTi Secured communications
Ti5318800 Secured communications Pekka Jäppinen September 20, 2007 Pekka Jäppinen, Lappeenranta University of Technology: September 20, 2007 Relies on use of two keys: Public and private Sometimes called
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationThis is the new speed record for high-security Diffie-Hellman. Thanks to: University of Illinois at Chicago NSF CCR Alfred P.
New speed records for point multiplication D. J. Bernstein 640838 Pentium M cycles to compute a 32-byte secret shared by Dan and Tanja, given Dan s 32-byte secret key and Tanja s 32-byte public key. All
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein & Christine van Vredendaal University of Illinois at Chicago Technische Universiteit Eindhoven 19 January 2017
More informationReview. CS311H: Discrete Mathematics. Number Theory. Computing GCDs. Insight Behind Euclid s Algorithm. Using this Theorem. Euclidian Algorithm
Review CS311H: Discrete Mathematics Number Theory Instructor: Işıl Dillig What does it mean for two ints a, b to be congruent mod m? What is the Division theorem? If a b and a c, does it mean b c? What
More informationPolynomial Interpolation in the Elliptic Curve Cryptosystem
Journal of Mathematics and Statistics 7 (4): 326-331, 2011 ISSN 1549-3644 2011 Science Publications Polynomial Interpolation in the Elliptic Curve Cryptosystem Liew Khang Jie and Hailiza Kamarulhaili School
More information