qdsa: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs
|
|
- Virgil Willis
- 6 years ago
- Views:
Transcription
1 qdsa: Small and Secure Digital Signatures with Curve-based Diffie-Hellman Key Pairs Joost Renes 1 Benjamin Smith 2 1 Radboud University 2 INRIA and Laboratoire d Informatique de l École polytechnique 15 November November / 24
2 Curve-based crypto DH EdDSA 15 November / 24
3 Curve-based crypto DH EdDSA Q 1, Q 2 15 November / 24
4 Curve-based crypto DH EdDSA x 1, Q 2 15 November / 24
5 Curve-based crypto DH XEdDSA x 1, x 2 15 November / 24
6 Curve-based crypto DH qdsa x 1, x 2 15 November / 24
7 Curve-based crypto DH qdsa x 1, x 2 15 November / 24
8 Outline (1) Quotient operations (2) The qdsa scheme (3) Instantiating with the x-line (4) Instantiating with Kummer surfaces 15 November / 24
9 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q 15 November / 24
10 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 Operations G/ ± 1 G/ ± 1 15 November / 24
11 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 Operations G/ ± 1 G/ ± 1 15 November / 24
12 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 x(p) Operations G/ ± 1 G/ ± 1 15 November / 24
13 Operations on quotient groups {P, P} G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 x(p) Operations G/ ± 1 G/ ± 1 15 November / 24
14 Operations on quotient groups {P, P} G {[λ]p, [λ]p} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 x(p) Operations G/ ± 1 G/ ± 1 15 November / 24
15 Operations on quotient groups {P, P} G {[λ]p, [λ]p} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 x(p) x([λ]p) Operations G/ ± 1 G/ ± 1 15 November / 24
16 Operations on quotient groups {P, P} G {[λ]p, [λ]p} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 x(p) x([λ]p) Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) 15 November / 24
17 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 (x(p), x(q)) Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) 15 November / 24
18 Operations on quotient groups {{P, P}, {Q, Q}} G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 (x(p), x(q)) Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) 15 November / 24
19 Operations on quotient groups {{P, P}, {Q, Q}} G {±(P ± Q)} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 (x(p), x(q)) Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) 15 November / 24
20 Operations on quotient groups {{P, P}, {Q, Q}} G {±(P ± Q)} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 (x(p), x(q)) {x(p ± Q)} Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) 15 November / 24
21 Operations on quotient groups {{P, P}, {Q, Q}} G {±(P ± Q)} G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 (x(p), x(q)) {x(p ± Q)} Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) (Q2) (x(p), x(q)) {x(p + Q), x(p Q)} 15 November / 24
22 Operations on quotient groups G G Operations G G (G1) P [λ]p (G2) (P, Q) P + Q G/ ± 1 G/ ± 1 Operations G/ ± 1 G/ ± 1 (Q1) x(p) x([λ]p) (Q2) (x(p), x(q)) {x(p + Q), x(p Q)} 15 November / 24
23 Schnorr signatures Starting point: Schnorr signatures [Sch89] (1) Schnorr identification scheme (group-based) (2) Apply Fiat-Shamir to make it non-interactive (3) Include message to create a signature scheme 15 November / 24
24 Schnorr signatures Starting point: Schnorr signatures [Sch89] (1) Schnorr identification scheme (group-based) (2) Apply Fiat-Shamir to make it non-interactive (3) Include message to create a signature scheme 15 November / 24
25 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) 15 November / 24
26 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) r R Z N 15 November / 24
27 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) r R Z N R [r]p R 15 November / 24
28 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) r R Z N R [r]p R c c R Z N 15 November / 24
29 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) r R Z N R [r]p R c c R Z N s (r c α) mod N s 15 November / 24
30 Schnorr identification on the quotient (qid) Prover(P, Q, α) Comm. Verifier(P, Q) r R Z N R [r]p R c c R Z N s (r c α) mod N s R? = [s]p + [c]q 15 November / 24
31 Schnorr identification on the quotient (qid) Prover(x(P), x(q), α) Comm. Verifier(x(P), x(q)) r R Z N R [r]p R c c R Z N s (r c α) mod N s R? = [s]p + [c]q 15 November / 24
32 Schnorr identification on the quotient (qid) Prover(x(P), x(q), α) Comm. Verifier(x(P), x(q)) r R Z N x(r) x([r]p) x(r) c c R Z N s (r c α) mod N s R? = [s]p + [c]q 15 November / 24
33 Schnorr identification on the quotient (qid) Prover(x(P), x(q), α) Comm. Verifier(x(P), x(q)) r R Z N x(r) x([r]p) x(r) c c R Z N s (r c α) mod N s R? = [s]p + [c]q 15 November / 24
34 Schnorr identification on the quotient (qid) Prover(x(P), x(q), α) Comm. Verifier(x(P), x(q)) r R Z N x(r) x([r]p) x(r) c c R Z N s (r c α) mod N s x(r)? {x([s]p ± [c]q)} Need {x([s]p + [c]q), x([s]p [c]q)}.. possible on G / ±1! 15 November / 24
35 Schnorr identification on the quotient (qid) Prover(x(P), x(q), α) Comm. Verifier(x(P), x(q)) r R Z N x(r) x([r]p) x(r) c c R Z + N s (r c α) mod N s x(r)? {x([s]p ± [c]q)} Need {x([s]p + [c]q), x([s]p [c]q)}.. possible on G / ±1! 15 November / 24
36 qsig and qdsa qid (Schn. ID) Fiat-Shamir = qsig (Schn. sig.) 15 November / 24
37 qsig and qdsa (1) Include the public key in the challenge (2) Generate ephemeral secret r pseudo-randomly qid (Schn. ID) Fiat-Shamir = qsig (Schn. sig.) = qdsa (EdDSA) 15 November / 24
38 qsig and qdsa (1) Include the public key in the challenge (2) Generate ephemeral secret r pseudo-randomly qid (Schn. ID) Fiat-Shamir = qsig (Schn. sig.) = qdsa (EdDSA) Add countermeasures against side-channel attacks 15 November / 24
39 qsig and qdsa (1) Include the public key in the challenge (2) Generate ephemeral secret r pseudo-randomly qid (Schn. ID) Fiat-Shamir = qsig (Schn. sig.) = qdsa (EdDSA) Add countermeasures against side-channel attacks (3) Fault attacks on ephemeral scalar multiplication Add randomness into hash for nonce generation 15 November / 24
40 qsig and qdsa (1) Include the public key in the challenge (2) Generate ephemeral secret r pseudo-randomly qid (Schn. ID) Fiat-Shamir = qsig (Schn. sig.) = qdsa (EdDSA) Add countermeasures against side-channel attacks (3) Fault attacks on ephemeral scalar multiplication Add randomness into hash for nonce generation (4) Fault attacks on base point (Mehdi s talk on Monday) Clamp, or add a small cofactor into the computation Verify correctness of base point 15 November / 24
41 Additional remarks (1) Security reduction. Similar to original Schnorr ID scheme (2) Unified keys. Identical key pairs for DH and qdsa (3) Key and signatures sizes. 32-byte keys, 64-byte signatures (requires work in genus 2!) (4) Verification. Two-dimensional scalar multiplication algorithms not available & no batching 15 November / 24
42 Back to curves Here, G the Jacobian group of a hyperelliptic curve of genus g Elliptic curves for g = 1, have J / ±1 = P 1 Hyperelliptic curves with g = 2, have J / ±1 = K For g 3 does not scale well (index calculus) 15 November / 24
43 Back to curves Here, G the Jacobian group of a hyperelliptic curve of genus g Elliptic curves for g = 1, have J / ±1 = P 1 Hyperelliptic curves with g = 2, have J / ±1 = K For g 3 does not scale well (index calculus) Need to define (1) x(p) x([λ]p) (usual way via Montgomery ladder) (2) {x(p), x(q)} {x(p + Q), x(p Q)} (3) For any x(p), a 32-byte representation of x(p) 15 November / 24
44 On the choice of model (g = 1) For elliptic curves common choice of Montgomery model E/F p : By 2 = x 3 + Ax 2 + x We obtain Curve25519 by defining p = , A = , B = 1 15 November / 24
45 Arithmetic on P 1 If x(p) = (X 1 : Z 1 ), x(p + Q) = (X 3 : Z 3 ), x(q) = (X 2 : Z 2 ), x(p Q) = (X 4 : Z 4 ), then xadd : X 3 X 4 = λ (X 1 X 2 Z 1 Z 2 ) 2, Z 3 Z 4 = λ (X 1 Z 2 X 2 Z 1 ) 2, 15 November / 24
46 Arithmetic on P 1 If x(p) = (X 1 : Z 1 ), x(p + Q) = (X 3 : Z 3 ), x(q) = (X 2 : Z 2 ), x(p Q) = (X 4 : Z 4 ), then xadd : xdbl : X 3 X 4 = λ (X 1 X 2 Z 1 Z 2 ) 2, Z 3 Z 4 = λ (X 1 Z 2 X 2 Z 1 ) 2, X 3 = µ (X 2 Z 2) 2, Z 3 = µ 4XZ ( X 2 + AXZ + Z 2) 15 November / 24
47 Biquadratic forms on P 1 In fact, have X 3 X 4 = B 00, B 00 = ν (X 1 X 2 Z 1 Z 2 ) 2, Z 3 Z 4 = B 11, B 11 = ν (X 1 Z 2 X 2 Z 1 ) 2, X 3 Z 4 + X 4 Z 3 = B 10, B 10 = ν [ (X 1 Z 2 X 2 Z 1 ) (X 1 Z 2 + X 2 Z 1 ) ] + 2AX 1 X 2 Z 1 Z 2, 15 November / 24
48 Biquadratic forms on P 1 In fact, have X 3 X 4 = B 00, B 00 = ν (X 1 X 2 Z 1 Z 2 ) 2, Z 3 Z 4 = B 11, B 11 = ν (X 1 Z 2 X 2 Z 1 ) 2, X 3 Z 4 + X 4 Z 3 = B 10, B 10 = ν [ (X 1 Z 2 X 2 Z 1 ) (X 1 Z 2 + X 2 Z 1 ) ie. ( X 3 X 4 ) X 3 Z 4 + X 4 Z 3 Z 3 Z 4 + 2AX 1 X 2 Z 1 Z 2 ], ( ) B00 = ν. B 10 B November / 24
49 Biquadratic forms on P 1 In fact, have X 3 X 4 = B 00, B 00 = ν (X 1 X 2 Z 1 Z 2 ) 2, Z 3 Z 4 = B 11, B 11 = ν (X 1 Z 2 X 2 Z 1 ) 2, X 3 Z 4 + X 4 Z 3 = B 10, B 10 = ν [ (X 1 Z 2 X 2 Z 1 ) (X 1 Z 2 + X 2 Z 1 ) ie. ( X 3 X 4 ) X 3 Z 4 + X 4 Z 3 Z 3 Z 4 + 2AX 1 X 2 Z 1 Z 2 ], ( ) B00 = ν. B 10 B 11 Thus (X 3 : Z 3 ) and (X 4 : Z 4 ) are the unique solutions to B 11 X 2 2 B 10 XZ + B 00 Z 2 = 0 15 November / 24
50 Summarizing verification on P 1 Given a signature (x(r) s) on M w.r.t. x(q) (1) c H(x(R) M) (2) x(t 0 ) x([s]p) (3) x(t 1 ) x([c]q) (4) Compute all B 00, B 10, B 11 for x(t 0 ) and x(t 1 ) (5) Check that x(r) vanishes on B 11 X 2 2 B 10 XZ + B 00 Z 2 (ie. x(r) {x(t 0 + T 1 ), x(t 0 T 1 )}) 15 November / 24
51 On the choice of model (g = 2) Gaudry-Schost curve [GS12] E/F :y 2 = x x x x x and its squared Kummer surface [CC86] ( K : 4E 2 x xyzt = 2 + y 2 + z 2 + t 2 F (xt + yz) G(xz + yt) H(xy + zt) ) 15 November / 24
52 Arithmetic on K If x(p) = (x 1 : y 1 : z 1 : t 1 ), x(p + Q) = (x 3 : y 3 : z 3 : t 3 ), x(q) = (x 2 : y 2 : z 2 : t 2 ), x(p Q) = (x 4 : y 4 : z 4 : t 4 ), then [Gau07; Ber+14] x 3 x 4 = ν ε 1 (x + y + z + t ) 2, y 3 y 4 = ν ε 2 (x + y z t ) 2, z 3 z 4 = ν ε 3 (x y + z t ) 2, t 3 t 4 = ν ε 4 (x y z + t ) 2, where xadd : x = ε 1 (x 1 + y 1 + z 1 + t 1 ) (x 2 + y 2 + z 2 + t 2 ) y = ε 2 (x 1 + y 1 z 1 t 1 ) (x 2 + y 2 z 2 t 2 ) z = ε 3 (x 1 y 1 + z 1 t 1 ) (x 2 y 2 + z 2 t 2 ) t = ε 4 (x 1 y 1 z 1 + t 1 ) (x 2 y 2 z 2 + t 2 ) 15 November / 24
53 Quadratic identities on K These formulas give rise to an identity [Cos11] 2x 3 x 4 B 00 2y 3 y 4 2z 3 z 4 = ν B 11 B 22 2t 3 t 4 B November / 24
54 Quadratic identities on K These formulas give rise to an identity [Cos11] 2x 3 x 4 B 00 σ(x, y) 2y 3 y 4 σ(x, z) σ(y, z) 2z 3 z 4 = ν B 10 B 11 B 20 B 21 B 22 σ(x, t) σ(y, t) σ(z, t) 2t 3 t 4 B 30 B 31 B 32 B 33 where σ(a, b) = a 3 b 4 + a 4 b November / 24
55 Quadratic identities on K These formulas give rise to an identity [Cos11] 2x 3 x 4 B 00 σ(x, y) 2y 3 y 4 σ(x, z) σ(y, z) 2z 3 z 4 = ν B 10 B 11 B 20 B 21 B 22 σ(x, t) σ(y, t) σ(z, t) 2t 3 t 4 B 30 B 31 B 32 B 33 where σ(a, b) = a 3 b 4 + a 4 b 3. are the unique solutions to Thus (x 3 : y 3 : z 3 : t 3 ), (x 4 : y 4 : z 4 : t 4 ) B 11 x 2 2 B 10 xy + B 00 y 2 = 0, B 22 x 2 2 B 20 xz + B 00 z 2 = 0, B 33 x 2 2 B 30 xt + B 00 t 2 = 0, B 22 y 2 2 B 21 yz + B 11 z 2 = 0, B 33 y 2 2 B 31 yt + B 11 t 2 = 0, B 33 z 2 2 B 32 zt + B 22 t 2 = 0 15 November / 24
56 Summarizing verification on K Given a signature (x(r) s) on M w.r.t. x(q) (1) c H(x(R) M) (2) x(t 0 ) x([s]p) (3) x(t 1 ) x([c]q) (4) Compute all B IJ for x(t 0 ) and x(t 1 ) (5) Check 6 quadratic polynomial equations in x(r) 15 November / 24
57 Efficiency of the B IJ Computing the B IJ on K does not look great. 15 November / 24
58 Efficiency of the B IJ Computing the B IJ on K does not look great. We have [CC86] K H K Int Ĉ [Gau07] K Gau 15 November / 24
59 Efficiency of the B IJ Computing the B IJ on K does not look great. We have [CC86] K H K Int Ĉ [Gau07] K Gau The forms B Gau IJ on K Gau are nice, but need extra constants Pulling back all the way via H Ĉ destroys nice symmetry 15 November / 24
60 Efficiency of the B IJ Computing the B IJ on K does not look great. We have [CC86] K H K Int Ĉ [Gau07] K Gau The forms B Gau IJ on K Gau are nice, but need extra constants Pulling back all the way via H Ĉ destroys nice symmetry Solution: Pull back B Gau IJ via Ĉ, evaluate at H(x(P)) 15 November / 24
61 Cost of computing biquadratic forms g Func. M S C 1 2 Check Ladder Check Ladder Table: Cost of B IJ 15 November / 24
62 Point compression Signatures (x(r) s) Have K P 3, so x(r) = (x : y : z : t) = ( x t : y t : z t : 1) (if t 0) At first sight need 48 bytes to represent x(r) Compressing further seems to require solving a quartic 15 November / 24
63 Point compression Signatures (x(r) s) Have K P 3, so x(r) = (x : y : z : t) = ( x t : y t : z t : 1) (if t 0) At first sight need 48 bytes to represent x(r) Compressing further seems to require solving a quartic But have a projection π : K P 2 as a double cover 15 November / 24
64 Point compression Take the four nodes N 0,..., N 3 and an isomorphism N 0 (0 : 0 : 0 : 1), N 1 (0 : 0 : 1 : 0), N 2 (0 : 1 : 0 : 0), N 3 (1 : 0 : 0 : 0). 15 November / 24
65 Point compression Take the four nodes N 0,..., N 3 and an isomorphism N 0 (0 : 0 : 0 : 1), N 1 (0 : 0 : 1 : 0), N 2 (0 : 1 : 0 : 0), N 3 (1 : 0 : 0 : 0). Then K : 4C xyzt = r1 2(xy + zt)2 + r2 2(xz + yt)2 + r3 2 (xt + yz)2 2r 1 s 1 ((x 2 + y 2 )zt + xy(z 2 + t 2 )) 2r 2 s 2 ((x 2 + z 2 )yt + xz(y 2 + t 2 )) 2r 3 s 3 ((x 2 + t 2 )yz + xt(y 2 + z 2 )) 15 November / 24
66 Point compression Take the four nodes N 0,..., N 3 and an isomorphism N 0 (0 : 0 : 0 : 1), N 1 (0 : 0 : 1 : 0), N 2 (0 : 1 : 0 : 0), N 3 (1 : 0 : 0 : 0). Then K : 4C xyzt = r1 2(xy + zt)2 + r2 2(xz + yt)2 + r3 2 (xt + yz)2 2r 1 s 1 ((x 2 + y 2 )zt + xy(z 2 + t 2 )) 2r 2 s 2 ((x 2 + z 2 )yt + xz(y 2 + t 2 )) 2r 3 s 3 ((x 2 + t 2 )yz + xt(y 2 + z 2 )) Quadratic in all its variables! Projection away from N 0 is π : (x : y : z : t) (x : y : z) which we can represent in 32 bytes. 15 November / 24
67 Point compression Take the four nodes N 0,..., N 3 and an isomorphism N 0 (0 : 0 : 0 : 1), N 1 (0 : 0 : 1 : 0), N 2 (0 : 1 : 0 : 0), N 3 (1 : 0 : 0 : 0). Then K : 4C xyzt = r1 2(xy + zt)2 + r2 2(xz + yt)2 + r3 2 (xt + yz)2 2r 1 s 1 ((x 2 + y 2 )zt + xy(z 2 + t 2 )) 2r 2 s 2 ((x 2 + z 2 )yt + xz(y 2 + t 2 )) 2r 3 s 3 ((x 2 + t 2 )yz + xt(y 2 + z 2 )) Quadratic in all its variables! Projection away from N 0 is π : (x : y : z : t) (x : y : z) which we can represent in 32 bytes. Recovery is solving a quadratic, ie. computing a square root 15 November / 24
68 Implementing the scheme g. Ref. Object. Function. CC. Stack. 1 This Curve25519 sign 14 M 512 B [NLD15] Ed25519 sign 19 M B [Liu+17] FourQ sign 5 M B Table: AVR ATmega comparison (rounded) 15 November / 24
69 Implementing the scheme g. Ref. Object. Function. CC. Stack. 1 This Curve25519 verify 25 M 644 B [NLD15] Ed25519 verify 31 M B [Liu+17] FourQ verify 11 M B Table: AVR ATmega comparison (rounded) 15 November / 24
70 Implementing the scheme g. Ref. Object. Function. CC. Stack. 2 This GS sign 10 M 417 B [Ren+16] GS sign 10 M 926 B Table: AVR ATmega comparison (rounded) 15 November / 24
71 Implementing the scheme g. Ref. Object. Function. CC. Stack. 2 This GS verify 20 M 609 B [Ren+16] GS verify 16 M 992 B Table: AVR ATmega comparison (rounded) 15 November / 24
72 Thanks! Questions? 15 November / 24
73 References I [Ber+14] [CC86] [Cos11] [Gau07] Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange and Peter Schwabe. Kummer Strikes Back: New DH Speed Records. In: Advances in Cryptology ASIACRYPT Ed. by Palash Sarkar and Tetsu Iwata. Vol LNCS. SV, 2014, pp David V. Chudnovsky and Gregory V. Chudnovsky. Sequences of numbers generated by addition in formal groups and new primality and factorization tests. In: Adv. in Appl. Math. 7 (1986), pp Romain Cosset. Applications des fonctions theta à la cryptographie sur les courbes hyperelliptiques. https: //tel.archives-ouvertes.fr/tel /file/main.pdf. PhD thesis. Université Henri Poincaré - Nancy I, Pierrick Gaudry. Fast genus 2 arithmetic based on Theta functions. In: J. Mathematical Cryptology 1.3 (2007). pp November / 24
74 References II [GS12] [Liu+17] [NLD15] Pierrick Gaudry and Eric Schost. Genus 2 point counting over prime fields. In: J. Symb. Comput (2012), pp doi: /j.jsc url: Zhe Liu, Patrick Longa, Geovandro Pereira, Oscar Reparaz and Hwajeong Seo. FourQ on embedded devices with strong countermeasures against side-channel attacks. Cryptology eprint Archive, Report 2017/ Erick Nascimento, Julio López and Ricardo Dahab. Efficient and Secure Elliptic Curve Cryptography for 8-bit AVR Microcontrollers. In: Security, Privacy, and Applied Cryptography Engineering. Ed. by Rajat Subhra Chakraborty, Peter Schwabe and Jon Solworth. Vol LNCS. Springer, 2015, pp November / 24
75 References III [Ren+16] [Sch89] Joost Renes, Peter Schwabe, Benjamin Smith and Lejla Batina. µkummer: Efficient Hyperelliptic Signatures and Key Exchange on Microcontrollers. In: Cryptographic Hardware and Embedded Systems - CHES th International Conference, Santa Barbara, CA, USA, August 17-19, 2016, Proceedings. 2016, pp doi: / _15. url: Claus-Peter Schnorr. Efficient Identification and Signatures for Smart Cards. In: Advances in Cryptology - CRYPTO 89. Ed. by Gilles Brassard. Vol LNCS. Springer, 1989, pp November / 24
µkummer: efficient hyperelliptic signatures and key exchange on microcontrollers
µkummer: efficient hyperelliptic signatures and key exchange on microcontrollers Joost Renes 1 Peter Schwabe 1 Benjamin Smith 2 Lejla Batina 1 1 Digital Security Group, Radboud University, The Netherlands
More informationAdvanced Constructions in Curve-based Cryptography
Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire d Informatique de l École polytechnique (LIX) Summer school on real-world crypto and privacy Sibenik,
More informationSoftware implementation of ECC
Software implementation of ECC Radboud University, Nijmegen, The Netherlands June 4, 2015 Summer school on real-world crypto and privacy Šibenik, Croatia Software implementation of (H)ECC Radboud University,
More informationFast Cryptography in Genus 2
Fast Cryptography in Genus 2 Joppe W. Bos, Craig Costello, Huseyin Hisil and Kristin Lauter EUROCRYPT 2013 Athens, Greece May 27, 2013 Fast Cryptography in Genus 2 Recall that curves are much better than
More informationHyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago
Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern
More informationFast FPGA implementations of Diffie-Hellman on the Kummer surface of a genus-2 curve
Fast FPGA implementations of Diffie-Hellman on the Kummer surface of a genus-2 curve Philipp Koppermann 1, Fabrizio De Santis 2, Johann Heyszl 1 and Georg Sigl 1,3 1 Fraunhofer Research Institution AISEC,
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationSide-channel attacks on PKC and countermeasures with contributions from PhD students
basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud
More information(which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography)
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit
More informationA gentle introduction to elliptic curve cryptography
A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 5, 2017 Šibenik, Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic
More informationHyperelliptic Curve Cryptography
Hyperelliptic Curve Cryptography A SHORT INTRODUCTION Definition (HEC over K): Curve with equation y 2 + h x y = f x with h, f K X Genus g deg h(x) g, deg f x = 2g + 1 f monic Nonsingular 2 Nonsingularity
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationCo-Z Addition Formulæ and Binary Ladders on Elliptic Curves. Raveen Goundar Marc Joye Atsuko Miyaji
Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves Raveen Goundar Marc Joye Atsuko Miyaji Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves Raveen Goundar Marc Joye Atsuko Miyaji Elliptic
More informationEdwards coordinates for elliptic curves, part 1
Edwards coordinates for elliptic curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 19.10.2007 Tanja Lange http://www.hyperelliptic.org/tanja/newelliptic/
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationSide-channel attacks and countermeasures for curve based cryptography
Side-channel attacks and countermeasures for curve based cryptography Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org 28.05.2007 Tanja Lange SCA on curves p. 1 Overview Elliptic curves
More informationSide-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman
Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman Presenter: Reza Azarderakhsh CEECS Department and I-Sense, Florida Atlantic University razarderakhsh@fau.edu Paper by: Brian
More informationResistance of Randomized Projective Coordinates Against Power Analysis
Resistance of Randomized Projective Coordinates Against Power Analysis William Dupuy and Sébastien Kunz-Jacques DCSSI Crypto Lab 51, bd de Latour-Maubourg, 75700 PARIS 07 SP william.dupuy@laposte.net,
More informationA gentle introduction to elliptic curve cryptography
A gentle introduction to elliptic curve cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Diffie-Hellman key exchange Part 2: Elliptic Curves Part
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationMontgomery curves and their arithmetic
Montgomery curves and their arithmetic The case of large characteristic fields Craig Costello Benjamin Smith A survey in tribute to Peter L. Montgomery Abstract Three decades ago, Montgomery introduced
More informationFast Point Multiplication on Elliptic Curves Without Precomputation
Published in J. von zur Gathen, J.L. Imaña, and Ç.K. Koç, Eds, Arithmetic of Finite Fields (WAIFI 2008), vol. 5130 of Lecture Notes in Computer Science, pp. 36 46, Springer, 2008. Fast Point Multiplication
More informationOn hybrid SIDH schemes using Edwards and Montgomery curve arithmetic
On hybrid SIDH schemes using Edwards and Montgomery curve arithmetic Michael Meyer 1,2, Steffen Reith 1, and Fabio Campos 1 1 Department of Computer Science, University of Applied Sciences Wiesbaden 2
More informationSelecting Elliptic Curves for Cryptography Real World Issues
Selecting Elliptic Curves for Cryptography Real World Issues Michael Naehrig Cryptography Research Group Microsoft Research UW Number Theory Seminar Seattle, 28 April 2015 Elliptic Curve Cryptography 1985:
More informationEdwards Curves and the ECM Factorisation Method
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationFast Cryptography in Genus 2
Fast Cryptography in Genus 2 Joppe W. Bos 1, Craig Costello 1, Huseyin Hisil 2, and Kristin Lauter 1 1 Microsoft Research, Redmond, USA 2 Yasar University, Izmir, Turkey Abstract. In this paper we highlight
More informationModular Multiplication in GF (p k ) using Lagrange Representation
Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier
More informationTwisted Edwards Curves Revisited
A version of this paper appears in Advances in Cryptology - ASIACRYPT 2008, LNCS Vol. 5350, pp. 326 343. J. Pieprzyk ed., Springer-Verlag, 2008. Twisted Edwards Curves Revisited Huseyin Hisil, Kenneth
More informationFourQ on embedded devices with strong countermeasures against side-channel attacks
FourQ on embedded devices with strong countermeasures against side-channel attacks Zhe Liu 1, Patrick Longa 2, Geovandro Pereira 1, Oscar Reparaz 3, and Hwajeong Seo 4 1 University of Waterloo, Canada
More informationArithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products
1 Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products David Kohel Institut de Mathématiques de Luminy International Workshop on Codes and Cryptography 2011 Qingdao, 2 June
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationCo-Z Addition Formulæ and Binary Lad Elliptic Curves. Goundar, Raveen Ravinesh; Joye, Marc Author(s) Atsuko
JAIST Reposi https://dspace.j Title Co-Z Addition Formulæ and Binary Lad Elliptic Curves Goundar, Raveen Ravinesh; Joye, Marc Author(s) Atsuko Citation Lecture Notes in Computer Science, 6 79 Issue Date
More informationFaster Group Operations on Elliptic Curves
Faster Group Operations on Elliptic Curves Huseyin Hisil 1 Kenneth Koon-Ho Wong 1 Gary Carter 1 Ed Dawson 1 1 Information Security Institute, Queensland University of Technology, Brisbane, QLD, Australia,
More informationThe Jacobi Model of an Elliptic Curve and Side-Channel Analysis
The Jacobi Model of an Elliptic Curve and Side-Channel Analysis [Published in M. Fossorier, T. Høholdt, and A. Poli, Eds., Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, vol. 2643 of
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationEfficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields
Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields Sanjit Chatterjee, Palash Sarkar and Rana Barua Cryptology Research Group Applied Statistics Unit Indian
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationNew Variant of ElGamal Signature Scheme
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,
More informationFast Simultaneous Scalar Multiplication on Elliptic Curve with Montgomery Form
Fast Simultaneous Scalar Multiplication on Elliptic Curve with Montgomery Form Toru Akishita Sony Corporation, 6-7-35 Kitashinagawa Shinagawa-ku, Tokyo, 141-0001, Japan akishita@pal.arch.sony.co.jp Abstract.
More informationEd448-Goldilocks, a new elliptic curve
Ed448-Goldilocks, a new elliptic curve Mike Hamburg Abstract Many papers have proposed elliptic curves which are faster and easier to implement than the NIST prime-order curves. Most of these curves have
More informationSpeeding up the Scalar Multiplication on Binary Huff Curves Using the Frobenius Map
International Journal of Algebra, Vol. 8, 2014, no. 1, 9-16 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ija.2014.311117 Speeding up the Scalar Multiplication on Binary Huff Curves Using the
More informationA Refined Power-Analysis Attack on Elliptic Curve Cryptosystems
A Refined Power-Analysis Attack on Elliptic Curve Cryptosystems Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45, 78430Louveciennes Cedex, France lgoubin@slb.com Abstract.
More informationPower Analysis to ECC Using Differential Power between Multiplication and Squaring
Power Analysis to ECC Using Differential Power between Multiplication and Squaring Toru Akishita 1 and Tsuyoshi Takagi 2 1 Sony Corporation, Information Technologies Laboratories, Tokyo, Japan akishita@pal.arch.sony.co.jp
More informationDifferential Addition in generalized Edwards Coordinates
Differential Addition in generalized Edwards Coordinates Benjamin Justus and Daniel Loebenberger Bonn-Aachen International Center for Information Technology Universität Bonn 53113 Bonn Germany Abstract.
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationExplicit isogenies and the Discrete Logarithm Problem in genus three
Explicit isogenies and the Discrete Logarithm Problem in genus three Benjamin Smith INRIA Saclay Île-de-France Laboratoire d informatique de l école polytechnique (LIX) EUROCRYPT 2008 : Istanbul, April
More informationEfficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves
Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves SESSION ID: CRYP-T07 Patrick Longa Microsoft Research http://research.microsoft.com/en-us/people/plonga/
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationA New Model of Binary Elliptic Curves with Fast Arithmetic
A New Model of Binary Elliptic Curves with Fast Arithmetic Hongfeng Wu 1 Chunming Tang 2 and Rongquan Feng 2 1 College of Science North China University of technology Beijing 100144 PR China whfmath@gmailcom
More informationIsogenies in a quantum world
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal
More informationHashing into Hessian Curves
Hashing into Hessian Curves Reza Rezaeian Farashahi Department of Computing Macquarie University Sydney, NSW 109, Australia Abstract We describe a hashing function from the elements of the finite field
More informationAvailable online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:
Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR
More informationLoop-abort faults on supersingular isogeny cryptosystems
Loop-abort faults on supersingular isogeny cryptosystems Alexandre Gélin Benjamin Wesolowski Laboratoire d Informatique de Paris 6 Sorbonne Universités UPMC, France École Polytechnique Fédérale de Lausanne,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationElliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein
Elliptic curves Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Diffie-Hellman key exchange Pick some generator. Diffie-Hellman key exchange Pick some generator. Diffie-Hellman
More informationThe point decomposition problem in Jacobian varieties
The point decomposition problem in Jacobian varieties Jean-Charles Faugère2, Alexandre Wallet1,2 1 2 ENS Lyon, Laboratoire LIP, Equipe AriC UPMC Univ Paris 96, CNRS, INRIA, LIP6, Equipe PolSys 1 / 19 1
More informationConnecting Legendre with Kummer and Edwards
Connecting Legendre with Kummer and Edwards Sabyasachi Karati icis Lab Department of Computer Science University of Calgary Canada e-mail: sabyasachi.karati@ucalgary.ca Palash Sarkar Applied Statistics
More informationFast arithmetic and pairing evaluation on genus 2 curves
Fast arithmetic and pairing evaluation on genus 2 curves David Freeman University of California, Berkeley dfreeman@math.berkeley.edu November 6, 2005 Abstract We present two algorithms for fast arithmetic
More informationA message recovery signature scheme equivalent to DSA over elliptic curves
A message recovery signature scheme equivalent to DSA over elliptic curves Atsuko Miyaji Multimedia Development Center Matsushita Electric Industrial Co., LTD. E-mail : miyaji@isl.mei.co.jp Abstract. The
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationBlind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems
Applied Mathematical Sciences, Vol. 6, 202, no. 39, 6903-690 Blind Signature Protocol Based on Difficulty of Simultaneous Solving Two Difficult Problems N. H. Minh, D. V. Binh 2, N. T. Giang 3 and N. A.
More informationComparison of Elliptic Curve and Edwards Curve
CS90G - PROJECT REPORT Comparison of Elliptic Curve and Edwards Curve Shivapriya Hiremath, Stephanie Smith June 14, 013 1 INTRODUCTION In this project we have implemented the Elliptic Curve and Edwards
More informationZero-Value Point Attacks on Elliptic Curve Cryptosystem
Zero-Value Point Attacks on Elliptic Curve Cryptosystem Toru Akishita 1 and Tsuyoshi Takagi 2 1 Sony Corporation, Ubiquitous Technology Laboratories, 6-7-35 Kitashinagawa Shinagawa-ku, Tokyo, 141-0001
More informationMontgomery-Suitable Cryptosystems
Montgomery-Suitable Cryptosystems [Published in G. Cohen, S. Litsyn, A. Lobstein, and G. Zémor, Eds., Algebraic Coding, vol. 781 of Lecture Notes in Computer Science, pp. 75-81, Springer-Verlag, 1994.]
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland. CT-RSA 2014 1 / 22 Outline Introduction
More informationHidden pairings and trapdoor DDH groups. Alexander W. Dent Joint work with Steven D. Galbraith
Hidden pairings and trapdoor DDH groups Alexander W. Dent Joint work with Steven D. Galbraith 2 Pairings in cryptography Elliptic curves have become an important tool in cryptography and pairings have
More informationParallel Cube Tester Analysis of the CubeHash One-Way Hash Function
Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function Alan Kaminsky Department of Computer Science B. Thomas Golisano College of Computing and Information Sciences Rochester Institute of
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationEfficient Doubling on Genus Two Curves over. binary fields.
Efficient Doubling on Genus Two Curves over Binary Fields Tanja Lange 1, and Marc Stevens 2, 1 Institute for Information Security and Cryptology (ITSC), Ruhr-Universität Bochum Universitätsstraße 150 D-44780
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationHyperelliptic curves
1/40 Hyperelliptic curves Pierrick Gaudry Caramel LORIA CNRS, Université de Lorraine, Inria ECC Summer School 2013, Leuven 2/40 Plan What? Why? Group law: the Jacobian Cardinalities, torsion Hyperelliptic
More informationThe arithmetic of characteristic 2 Kummer surfaces
The arithmetic of characteristic 2 Kummer surfaces Pierrick Gaudry 1 and David Lubicz 2,3 1 LORIA, Campus Scientifique, BP 239, F-54506 Vandoeuvre-lès-Nancy 2 CÉLAR, BP 7419, F-35174 Bruz 3 IRMAR, Universté
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationPerformance evaluation of a new coordinate system for elliptic curves
Performance evaluation of a new coordinate system for elliptic curves Daniel J. Bernstein 1 and Tanja Lange 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationFaster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationSignatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven
Signatures and DLP-I Tanja Lange Technische Universiteit Eindhoven How to compute ap Use binary representation of a to compute a(x; Y ) in blog 2 ac doublings and at most that many additions. E.g. a =
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More informationHigh-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos, Craig Costello, Huseyin Hisil, Kristin Lauter CHES 2013 Motivation - I Group DH ECDH (F p1, ) (E F p2, +)
More informationOptimal Use of Montgomery Multiplication on Smart Cards
Optimal Use of Montgomery Multiplication on Smart Cards Arnaud Boscher and Robert Naciri Oberthur Card Systems SA, 71-73, rue des Hautes Pâtures, 92726 Nanterre Cedex, France {a.boscher, r.naciri}@oberthurcs.com
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationFast point multiplication algorithms for binary elliptic curves with and without precomputation
Fast point multiplication algorithms for binary elliptic curves with and without precomputation Thomaz Oliveira 1 Diego F. Aranha 2 Julio López 2 Francisco Rodríguez-Henríquez 1 1 CINVESTAV-IPN, Mexico
More informationA New Identification Scheme Based on the Perceptrons Problem
Advances in Cryptology Proceedings of EUROCRYPT 95 (may 21 25, 1995, Saint-Malo, France) L.C. Guillou and J.-J. Quisquater, Eds. Springer-Verlag, LNCS 921, pages 319 328. A New Identification Scheme Based
More informationFaster Compact DiffieHellman: Endomorphisms on the x-line
Faster Compact DiffieHellman: Endomorphisms on the x-line Craig Costello craigco@microsoft.com Microsoft Resesarch Redmond Seattle, USA Hüseyin Hışıl huseyin.hisil@yasar.edu.tr Computer Eng. Department
More informationCryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)
Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/
More informationModern elliptic curve cryptography
Modern elliptic curve cryptography Ivo Kubjas 1 Introduction Elliptic curve cryptography has raised attention as it allows for having shorter keys and ciphertexts. For example, to obtain similar security
More informationFACTORIZATION WITH GENUS 2 CURVES
MATHEMATICS OF COMPUTATION Volume 00, Number 0, Pages 000 000 S 005-5718(XX)0000-0 FACTORIZATION WITH GENUS CURVES ROMAIN COSSET Abstract. The elliptic curve method (ECM) is one of the best factorization
More informationSkew-Frobenius maps on hyperelliptic curves
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript h been published without reviewing and editing received from the authors: posting the manuscript to SCIS
More informationKummer strikes back: new DH speed records
Kummer strikes back: new D speed records Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 2, Tanja Lange 2, and Peter Schwabe 3 1 Department of Computer Science, University of Illinois at Chicago Chicago,
More information