Singular curve point decompression attack
|
|
- Verity Pope
- 6 years ago
- Views:
Transcription
1 Singular curve point decompression attack Peter Günther joint work with Johannes Blömer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Günther (UPB) Decompression Attack FDTC / 18
2 Elliptic curves Example: E(R) : y 2 = x 3 3x + 3 y Elliptic curve E(K) Points (x, y) K 2 that fulfill y 2 = x 3 + a 4 x + a 6 with a 4, a 6 K and discriminant x := 16(4a a 2 6) 0. Peter Günther (UPB) Decompression Attack FDTC / 18
3 Elliptic curves as additive group Example: E(R) : y 2 = x 3 3x + 3 y P T Group operation independent from a 6 : x λ = y P y T x P x T x P+T = λ 2 x P x T y P+T = λ(x P x P+T ) y P T + P Peter Günther (UPB) Decompression Attack FDTC / 18
4 Elliptic curves as additive group Example: E(R) : y 2 = x 3 3x + 3 y P T Group operation independent from a 6 : x λ = 3x T + a 4 2y T x 2T = λ 2 2x T 2T y 2T = λ(x T x 2T ) y T Peter Günther (UPB) Decompression Attack FDTC / 18
5 Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) P sp s Peter Günther (UPB) Decompression Attack FDTC / 18
6 Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) Discrete logarithm (DLOG): given P, Q = sp, compute s Assumption: complexity of DLOG problem exponential on elliptic curve high security already for small F q (e.g. 256 bit) s P sp s Peter Günther (UPB) Decompression Attack FDTC / 18
7 Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) Discrete logarithm (DLOG): given P, Q = sp, compute s Assumption: complexity of DLOG problem exponential on elliptic curve high security already for small F q (e.g. 256 bit) Important cryptographic primitive (ECDH, ECDSA,... ) s P sp s Peter Günther (UPB) Decompression Attack FDTC / 18
8 Elliptic curve scalar multiplication and DLOG Scalar multiplication: s N, P E(F q ): sp := P + P + + P (s times) Discrete logarithm (DLOG): given P, Q = sp, compute s Assumption: complexity of DLOG problem exponential on elliptic curve high security already for small F q (e.g. 256 bit) Important cryptographic primitive (ECDH, ECDSA,... ) Adversarial environment: Physical protection of s required s P sp s Peter Günther (UPB) Decompression Attack FDTC / 18
9 Invalid point attack on scalar multiplication E : y 2 = x 3 + a 4 x + a 6 Outline of invalid point attacks 1 Group law does not require a 6 2 Move P to weak curve with same a 4 3 Obtain Q = sp for secret s on weak curve 4 Compute DLOG of Q to base P on weak curve 5 Infer DLOG s on original curve Examples weak curve attacks P on curve with smooth order P in small subgroup P on singular curve Peter Günther (UPB) Decompression Attack FDTC / 18
10 Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y x x Peter Günther (UPB) Decompression Attack FDTC / 18
11 Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y P T P T x x T + P T + P Peter Günther (UPB) Decompression Attack FDTC / 18
12 Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y P T P T x 2T x 2T Peter Günther (UPB) Decompression Attack FDTC / 18
13 Singular curves with node (a 4 0) E(R) : y 2 = x 3 3x + 3 E(R) : y 2 = x 3 3x + 2, = 0 y y P T P T E NS (F q ) subgroup of F q or F q 2 DLOG problem subexponential 1 Map DLOG instance to F q or F q x 2 2 Solve DLOG in F q or F q 2 2T x 2T Peter Günther (UPB) Decompression Attack FDTC / 18
14 Singular curves with cusp (a 4 = 0) E(R) : y 2 = x E(R) : y 2 = x 3, = 0 y y x x Peter Günther (UPB) Decompression Attack FDTC / 18
15 Singular curves with cusp (a 4 = 0) E(R) : y 2 = x E(R) : y 2 = x 3, = 0 y y E NS (F q ) F + q DLOG problem trivial (by division) T 1 Map DLOG instance T to F + q 2 Solve DLOG in F + q P x P x + P T + P Peter Günther (UPB) Decompression Attack FDTC / 18
16 Singular curve attack on scalar multiplication For fixed a 4, there are at most 2 corresponding singular curves Random faults will not provide points on singular curve How do we get a point onto one of them? P Peter Günther (UPB) Decompression Attack FDTC / 18
17 Our approach: Point decompression Compression Compress : E(F q ) F q {0, 1} (x, y) (x, b) where b = LSB(y) Reduces bandwidth by 50% Defined in many standards like IEEE 1363, SEC 1, X9.62 Decompression prior to scalar multiplication Peter Günther (UPB) Decompression Attack FDTC / 18
18 Point compression Decompress Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 4 x + a 6 1: v x 3 + a 4 x v = x 3 + a 4 x 2: v v + a 6 v = x 3 + a 4 x + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 4 x + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC / 18
19 Point compression Decompress Require: E : y 2 = Similar x 3 + implementations a 4 x + a 6, (x, b) infieee q {0, 1363, 1} SEC 1, Ensure: (x, y) with X9.62, y 2 = OpenSSL x 3 + a 6 1: v x 3 Implicit (partial) point validation: v = x 3 2: v v + a 6 v = x 3 + a 6 3: if Decompress(x, b) E(F q ) v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC / 18
20 Attack on decompression Decompress Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 4 x + a 6 1: v x 3 + a 4 x v = x 3 + a 4 x 2: v v + a 6 v = x 3 + a 4 x + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 4 x + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC / 18
21 Attack on decompression Decompress with a 4 = 0 Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 v = x 3 2: v v + a 6 v = x 3 + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC / 18
22 Attack on decompression Decompress with a 4 = 0 and with fault Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 v = x 3 2: v v + a 6 v = x 3 + a 6 3: if v F q then 4: v ( 1) b v v = ( 1) b x 3 + a 6 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC / 18
23 Attack on decompression Decompress with a 4 = 0 and with fault Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 v = x 3 2: v v + a 6 v = x 3 + a 6 3: if v F q then Observation: 4: v ( 1) b x quadratic residue v v = ( 1) b x 3 + a output on singular curve 6 5: return (x, y) y 6: else 2 = x 3 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC / 18
24 Hash string to curve Decompress: building block of other algorithms MapToPoint : {0, 1} E(F q ) Require: E : y 2 = x 3 + a 4 x + a 6, H : {0, 1} F q {0, 1}, M {0, 1}, Ensure: P E(F q ) 1: i 0 2: repeat until (x, b) is valid compression 3: (x, b) H(M i) 4: P Decompress(x, b) 5: i i + 1 6: until P O 7: return P Peter Günther (UPB) Decompression Attack FDTC / 18
25 Hash string to curve Decompress: building block of other algorithms MapToPoint : {0, 1} E(F q ) Require: E : y 2 = x 3 + a 4 x + a 6, H : {0, 1} F q {0, 1}, M {0, 1}, Ensure: P E(F q ) 1: i 0 Atttack: 2: repeat until (x, b) is valid compression Choose M such that 3: (x, b) H(M i) H(M 0) = (x, b) with 4: P Decompress(x, b) quadratic residue x. 5: i i + 1 6: until P O 7: return P Peter Günther (UPB) Decompression Attack FDTC / 18
26 Properties of the attack Features of the attack Efficient, especially in the case a 4 = 0 One shot: can be applied to exponentiation with nonce Applications: Point decompression (encryption schemes) Hashing to curve (special signature schemes) Random point sampling (countermeasures) Limitations of the attack Access to Q = sp required For a 4 0: stronger control over (x, b) required Attack on plain Decompress still possible Attack on MapToPoint not possible Peter Günther (UPB) Decompression Attack FDTC / 18
27 Example application: BLS short signatures Definition (BLS Signatures) G 1, G 2 E(F q ): cyclic groups of order r with generators P 1 and P 2 G T F q cyclic group of order r pairing e : G 1 G 2 G T MapToPoint : {0, 1} E(F q ) KeyGen( ): 1 Select s uniformly at random from [0, r 1] 2 Output secret key s and public key P s = sp 2 Sign(M, s): 1 compute P = MapToPoint(M) G 1 2 compute and output σ = sp as signature for M under s Verify(M, σ, P s ): output 1 if and only if e(σ, P 2 ) = e(maptopoint(m), P s ). Peter Günther (UPB) Decompression Attack FDTC / 18
28 Example application: BLS short signatures Definition (BLS Signatures) G 1, G 2 E(F q ): cyclic groups of order r with generators P 1 and P 2 G T F q cyclic group of order r pairing e : G 1 G 2 G T MapToPoint : {0, 1} E(F q ) KeyGen( ): 1 Select s uniformly at random from [0, r 1] 2 Output secret key s and public key P s = sp 2 Sign(M, s): 1 compute P = MapToPoint(M) G 1 2 compute and output σ = sp as signature for M under s Verify(M, σ, P s ): output 1 if and only if e(σ, P 2 ) = e(maptopoint(m), P s ). Peter Günther (UPB) Decompression Attack FDTC / 18
29 Example application: BLS short signatures Definition (BLS Signatures) G 1, G 2 E(F q ): cyclic groups of order r with generators P 1 and P 2 G T F q cyclic Very group efficient of order withr Barreto-Naehrig (BN) curves: pairing e : G 1 G 2 G T E : y 2 = x 3 + a MapToPoint : {0, 1} 6 E(F q ) Note: a 4 = 0 KeyGen( ): 1 Select s uniformly at random from [0, r 1] 2 Output secret key s and public key P s = sp 2 Sign(M, s): 1 compute P = MapToPoint(M) G 1 2 compute and output σ = sp as signature for M under s Verify(M, σ, P s ): output 1 if and only if e(σ, P 2 ) = e(maptopoint(m), P s ). Peter Günther (UPB) Decompression Attack FDTC / 18
30 Attack: Proof of concept realization Target: BLS short signatures of Relic toolkit on AVR Target hardware: Atmel AVR Xmega A1 Target software: Relic toolkit Open source Prime and binary field arithmetic NIST and pairing-friendly curves including BN curves Bilinear maps and related extension fields Cryptographic protocols including BLS short signatures Attack: Second order instruction skip attack First fault: decompress to singular curve Second fault: remove point validation countermeasure Peter Günther (UPB) Decompression Attack FDTC / 18
31 Attack: Proof of concept realization Target: BLS short signatures of Relic toolkit on AVR Target hardware: Atmel AVR Xmega A1 Target software: Relic toolkit Open source Prime and binary field arithmetic NIST and pairing-friendly curves including BN curves Bilinear maps and related extension fields Cryptographic protocols including BLS short signatures Attack: Second order instruction skip attack First fault: decompress to singular curve Second fault: remove point validation countermeasure Peter Günther (UPB) Decompression Attack FDTC / 18
32 Instruction skips via clock glitching Glitcher Queue delay t1 delay t2 Timer MHz config clock reset 99 MHz Host *.log *.py IO Peter Günther (UPB) Decompression Attack FDTC / 18
33 Instruction skips via clock glitching Glitcher Queue delay t1 delay t2 Timer MHz config clock reset 99 MHz Host *.log *.py IO 99 MHz 33 MHz clock t 1 t 2 Peter Günther (UPB) Decompression Attack FDTC / 18
34 The RELIC implementation First fault: move to singular curve Decompress: Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 4 x + a 6 1: v x 3 + a 4 x P 2: v v + a 6 3: if v F q then 4: v ( 1) b v 5: return (x, y) 6: else 7: return O 8: end if Peter Günther (UPB) Decompression Attack FDTC / 18
35 The RELIC implementation First fault: move to singular curve BN-curve: E : y 2 = x , note: a 4 = 0 Decompress: Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 2: v v + a 6 3: if v F q then 4: v ( 1) b v 5: return (x, y) 6: else 7: return O 8: end if avr-gcc P.ep_rhs:... movw r30, r24 ld r20, Z movw r22, r28 subi r22, 0xEB sbci r23, 0xFF movw r24, r22 call fp_add_dig rjmp Peter Günther (UPB) Decompression Attack FDTC / 18
36 The RELIC implementation First fault: move to singular curve BN-curve: E : y 2 = x , note: a 4 = 0 Decompress: Require: E : y 2 = x 3 + a 4 x + a 6, (x, b) F q {0, 1} Ensure: (x, y) with y 2 = x 3 + a 6 1: v x 3 2: v v + a 6 3: if v F q then 4: v ( 1) b v 5: return (x, y) 6: else 7: return O 8: end if avr-gcc.ep_rhs:... movw r30, r24 ld r20, Z movw r22, r28 subi r22, 0xEB sbci r23, 0xFF movw r24, r22 call fp_add_dig rjmp Peter Günther (UPB) Decompression Attack FDTC / 18
37 References Relic toolkit: Glitcher Die Datenkrake: workshop-program/presentation/nedospasov Peter Günther (UPB) Decompression Attack FDTC / 18
Introduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationTampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014
Tampering attacks in pairing-based cryptography Johannes Blömer University of Paderborn September 22, 2014 1 / 16 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable
More informationA Practical Second-Order Fault Attack against a Real-World Pairing Implementation
A Practical Second-Order Fault Attack against a Real-World Pairing Implementation Johannes Blömer, Ricardo Gomes da Silva, Peter Günther, Juliane Krämer and Jean-Pierre Seifert Technische Universität Berlin
More informationA Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field
A Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field Taichi Sumo, Yuki Mori (Okayama University) Yasuyuki Nogami (Graduate School of Okayama University) Tomoko Matsushima
More informationPairings at High Security Levels
Pairings at High Security Levels Michael Naehrig Eindhoven University of Technology michael@cryptojedi.org DoE CRYPTODOC Darmstadt, 21 November 2011 Pairings are efficient!... even at high security levels.
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationELECTROMAGNETIC FAULT INJECTION: TOWARDS A FAULT MODEL ON A 32-BIT MICROCONTROLLER
ELECTROMAGNETIC FAULT INJECTION: TOWARDS A FAULT MODEL ON A 32-BIT MICROCONTROLLER Nicolas Moro 1,3, Amine Dehbaoui 2, Karine Heydemann 3, Bruno Robisson 1, Emmanuelle Encrenaz 3 1 CEA Commissariat à l
More informationElliptic Curve Cryptosystems in the Presence of Faults
Elliptic Curve Cryptosystems in the Presence of Faults Marc Joye Thomson Security Labs marc.joye@thomson.net Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures Concluding
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationFaster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is
More informationAsymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)
Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationOptimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves
CT-RSA 2012 February 29th, 2012 Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves Joint work with: Nicolas Estibals CARAMEL project-team, LORIA, Université de Lorraine / CNRS / INRIA,
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationEfficient Application of Countermeasures for Elliptic Curve Cryptography
Efficient Application of Countermeasures for Elliptic Curve Cryptography Vladimir Soukharev, Ph.D. Basil Hess, Ph.D. InfoSec Global Inc. May 19, 2017 Outline Introduction Brief Summary of ECC Arithmetic
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationSide-channel attacks on PKC and countermeasures with contributions from PhD students
basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Michael Naehrig Microsoft Research mnaehrig@microsoft.com joint work with Kristin Lauter and Peter Montgomery Microsoft Research Pairing 2010,
More informationWagner s Attack on a Secure CRT-RSA Algorithm Reconsidered FDTC 2006
Wagner s Attack on a Secure CRT-RSA Algorithm Reconsidered FDTC 2006 Johannes Blömer Paderborn University Institute for Computer Science Paderborn, Germany Martin Otto Siemens AG Corporate Technology CT
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationSome Efficient Algorithms for the Final Exponentiation of η T Pairing
Some Efficient Algorithms for the Final Exponentiation of η T Pairing Masaaki Shirase 1, Tsuyoshi Takagi 1, and Eiji Okamoto 2 1 Future University-Hakodate, Japan 2 University of Tsukuba, Japan Abstract.
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationAttacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)
Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP) Mrs.Santoshi Pote 1, Mrs. Jayashree Katti 2 ENC, Usha Mittal Institute of Technology, Mumbai, India 1 Information Technology,
More informationMapping an Arbitrary Message to an Elliptic Curve when Defined over GF (2 n )
International Journal of Network Security, Vol8, No2, PP169 176, Mar 2009 169 Mapping an Arbitrary Message to an Elliptic Curve when Defined over GF (2 n ) Brian King Indiana University - Purdue University
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationCOMPRESSION FOR TRACE ZERO SUBGROUPS OF ELLIPTIC CURVES
COMPRESSION FOR TRACE ZERO SUBGROUPS OF ELLIPTIC CURVES A. SILVERBERG Abstract. We give details of a compression/decompression algorithm for points in trace zero subgroups of elliptic curves over F q r,
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationElliptic Curve Cryptography
Technical Guideline BSI TR-03111 Elliptic Curve Cryptography Version 2.10 Date: 2018-06-01 History Version Date Comment 1.00 2007-02-14 Initial public version. 1.10 2009-02-03 Enhancements, corrections,
More informationArithmetic Operators for Pairing-Based Cryptography
Arithmetic Operators for Pairing-Based Cryptography J.-L. Beuchat 1 N. Brisebarre 2 J. Detrey 3 E. Okamoto 1 1 University of Tsukuba, Japan 2 École Normale Supérieure de Lyon, France 3 Cosec, b-it, Bonn,
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things l Efficient algorithms l Suitable elliptic curves We have
More informationShort Signature Scheme From Bilinear Pairings
Sedat Akleylek, Barış Bülent Kırlar, Ömer Sever, and Zaliha Yüce Institute of Applied Mathematics, Middle East Technical University, Ankara, Turkey {akleylek,kirlar}@metu.edu.tr,severomer@yahoo.com,zyuce@stm.com.tr
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationFrom NewHope to Kyber. Peter Schwabe April 7, 2017
From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationElliptic Curves and Cryptography
Elliptic Curves and Cryptography Aleksandar Jurišić Alfred J. Menezes March 23, 2005 Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is
More informationTrue & Deterministic Random Number Generators
True & Deterministic Random Number Generators Çetin Kaya Koç http://cs.ucsb.edu/~koc koc@cs.ucsb.edu 1.0 0.5 1.0 0.5 0.5 1.0 0.5 1.0 Koç (http://cs.ucsb.edu/~koc) HRL RNG April 11, 2013 1 / 47 Random Numbers
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationHardware Implementation of Elliptic Curve Point Multiplication over GF (2 m ) for ECC protocols
Hardware Implementation of Elliptic Curve Point Multiplication over GF (2 m ) for ECC protocols Moncef Amara University of Paris 8 LAGA laboratory Saint-Denis / France Amar Siad University of Paris 8 LAGA
More informationError-free protection of EC point multiplication by modular extension
Error-free protection of EC point multiplication by modular extension Martin Seysen February 21, 2017 Giesecke & Devrient GmbH, Prinzregentenstraße 159, D-81677 München, e-mail: m.seysen@gmx.de Abstract
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationModern elliptic curve cryptography
Modern elliptic curve cryptography Ivo Kubjas 1 Introduction Elliptic curve cryptography has raised attention as it allows for having shorter keys and ciphertexts. For example, to obtain similar security
More informationA DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS
A DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS FDTC2012 Ronan Lashermes, Guillaume Reymond, Jean-Max Dutertre, Jacques Fournier, Bruno Robisson and Assia Tria 9 SEPTEMBER 2012 INTRODUCTION Introduction
More informationElliptic Curve Cryptography
AIMS-VOLKSWAGEN STIFTUNG WORKSHOP ON INTRODUCTION TO COMPUTER ALGEBRA AND APPLICATIONS Douala, Cameroon, October 12, 2017 Elliptic Curve Cryptography presented by : BANSIMBA Gilda Rech BANSIMBA Gilda Rech
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More informationPairings for Cryptography
Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +),
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationAdvanced Constructions in Curve-based Cryptography
Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire d Informatique de l École polytechnique (LIX) Summer school on real-world crypto and privacy Sibenik,
More informationGLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias
GLV/GLS Decomposition, Power Analysis, and Attacks on ECDSA Signatures With Single-Bit Nonce Bias Diego F. Aranha Pierre-Alain Fouque Benoît Gerard Jean-Gabriel Kammerer Mehdi Tibouchi Jean-Christophe
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationComputational Number Theory. Adam O Neill Based on
Computational Number Theory Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Secret Key Exchange - * Is Alice Ka Public Network Ka = KB O KB 0^1 Eve should have a hard time getting information
More informationShort Signatures from the Weil Pairing
Short Signatures from the Weil Pairing Dan Boneh dabo@cs.stanford.edu Ben Lynn blynn@cs.stanford.edu Hovav Shacham hovav@cs.stanford.edu Abstract We introduce a short signature scheme based on the Computational
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationSEC X.1: Supplemental Document for Odd Characteristic Extension Fields
Standards for Efficient Cryptography SEC X.1: Supplemental Document for Odd Characteristic Extension Fields Nippon Telephone and Telegraph Corporation Contact: Kazumaro Aoki, Tetsutaro Kobayashi, and Akira
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationPairing-Friendly Elliptic Curves of Prime Order
Pairing-Friendly Elliptic Curves of Prime Order Paulo S. L. M. Barreto 1 Michael Naehrig 2 1 University of São Paulo pbarreto@larc.usp.br 2 RWTH Aachen University mnaehrig@ti.rwth-aachen.de SAC 2005 Outline
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationSubgroup security in pairing-based cryptography
Subgroup security in pairing-based cryptography Paulo S. L. M. Barreto 1, Craig Costello 2, Rafael Misoczki 1, Michael Naehrig 2, Geovandro C. C. F. Pereira 1, and Gustavo Zanon 1 1 Escola Politécnica,
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationA Pairing-Based DAA Scheme Further Reducing TPM Resources
A Pairing-Based DAA Scheme Further Reducing TPM Resources Ernie Brickell Intel Corporation ernie.brickell@intel.com Jiangtao Li Intel Labs jiangtao.li@intel.com Abstract Direct Anonymous Attestation (DAA)
More informationCSC 5930/9010 Modern Cryptography: Number Theory
CSC 5930/9010 Modern Cryptography: Number Theory Professor Henry Carter Fall 2018 Recap Hash functions map arbitrary-length strings to fixedlength outputs Cryptographic hashes should be collision-resistant
More informationThe Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms
The Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms by Michael Shantz A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master
More informationHow to Use Linear Homomorphic Signature in Network Coding
How to Use Linear Homomorphic Signature in Network Coding Li Chen lichen.xd at gmail.com Xidian University September 28, 2013 How to Use Linear Homomorphic Signature in Network Coding Outline 1 Linear
More informationSome Security Comparisons of GOST R and ECDSA Signature Schemes
Some Security Comparisons of GOST R 34.10-2012 and ECDSA Signature Schemes Trieu Quang Phong Nguyen Quoc Toan Institute of Cryptography Science and Technology Gover. Info. Security Committee, Viet Nam
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationA gentle introduction to elliptic curve cryptography
A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 5, 2017 Šibenik, Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic
More informationShort signatures from the Weil pairing
Short signatures from the Weil pairing Dan Boneh, Ben Lynn, and Hovav Shacham Computer Science Department, Stanford University {dabo,blynn,hovav}@cs.stanford.edu Abstract. We introduce a short signature
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationA point compression method for elliptic curves defined over GF (2 n )
A point compression method for elliptic curves defined over GF ( n ) Brian King Purdue School of Engineering Indiana Univ. Purdue Univ. at Indianapolis briking@iupui.edu Abstract. Here we describe new
More informationArithmetic Operators for Pairing-Based Cryptography
Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationWeek : Public Key Cryptosystem and Digital Signatures
Week 10-11 : Public Key Cryptosystem and Digital Signatures 1. Public Key Encryptions RSA, ElGamal, 2 RSA- PKC(1/3) 1st public key cryptosystem R.L.Rivest, A.Shamir, L.Adleman, A Method for Obtaining Digital
More informationSide-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman
Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman Presenter: Reza Azarderakhsh CEECS Department and I-Sense, Florida Atlantic University razarderakhsh@fau.edu Paper by: Brian
More informationReducing the Key Size of Rainbow using Non-Commutative Rings
Reducing the Key Size of Rainbow using Non-Commutative Rings Takanori Yasuda (Institute of systems, Information Technologies and Nanotechnologies (ISIT)), Kouichi Sakurai (ISIT, Kyushu university) and
More informationProperty Preserving Symmetric Encryption
Property Preserving Symmetric Encryption Omkant Pandey Microsoft, Redmond Yannis Rouselakis University of Texas at Austin Traditional Cryptography Alice Bob Eve New Goal: Computations on Encrypted Data
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More information