Square Always Exponentiation
|
|
- Patrick Freeman
- 6 years ago
- Views:
Transcription
1 Square Always Exponentiation Christophe Clavier 1 Benoit Feix 1,2 Georges Gagnerot 1,2 Mylène Roussellet 2 Vincent Verneuil 2,3 1 XLIM-Université de Limoges, France 2 INSIDE Secure, Aix-en-Provence, France 3 Univ. Bordeaux, IMB, France Indocrypt December 12, 2011 Vincent Verneuil - Square Always Exponentiation 1 / 38
2 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 2 / 38
3 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 2 / 38
4 Motivation 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 2 / 38
5 Motivation Motivation Exponentiation is the core operation of RSA, DSA, Diffie-Hellman protocols. Embedded in constrained devices (smart cards, etc.) with low resources. Targeted by side-channel attacks in this sensitive context. Vincent Verneuil - Square Always Exponentiation 3 / 38
6 Motivation Context Let consider the computation of m d mod n with d = (d k 1 d k 2...d 0 ) 2. M the cost of a modular multiplication. S the cost of a modular squaring. Two cases : fast squaring (S/M =.8) or not (S/M = 1). Vincent Verneuil - Square Always Exponentiation 4 / 38
7 Recalls 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 4 / 38
8 Recalls Basic Exponentiation Square-and-Multiply Left-to-right Right-to-left Vincent Verneuil - Square Always Exponentiation 5 / 38
9 Recalls Basic Exponentiation Square-and-Multiply Left-to-right Right-to-left ( ( m d = m d 0 m d 1... ( m d ) 2 ) ) 2 2 k 1... m d = m d k 1 2k 1 m d k 2 2k 2... m d 0 Vincent Verneuil - Square Always Exponentiation 5 / 38
10 Recalls Basic Exponentiation Square-and-Multiply Left-to-right Right-to-left ( ( m d = m d 0 m d 1... ( m d ) 2 ) ) 2 2 k 1... m d = m d k 1 2k 1 m d k 2 2k 2... m d 0 Input: m,n,d N Output: m d mod n a 1 for i = k 1 to 0 do a a 2 mod n if d i = 1 then a a m mod n return a Input: m,n,d N Output: m d mod n a 1 ; b m for i = 0 to k 1 do if d i = 1 then a a b mod n b b 2 mod n return a Vincent Verneuil - Square Always Exponentiation 5 / 38
11 Recalls Side-Channel Threats When a computation involving a secret occurs on an embedded devices, side-channels (power, EM) may be spotted to search for leakages. Kocher introduced in 1999 the simple and differential side-channel analysis. Vincent Verneuil - Square Always Exponentiation 6 / 38
12 Recalls Side-channel leakage: power, EM, etc. Simple Side-Channel Analysis on Exponentiation (SPA) The whole exponent may be recovered using a single curve. Vincent Verneuil - Square Always Exponentiation 7 / 38
13 Recalls Regular Exponentiation Montgomery ladder Square & multiply: S, M, S, S, M, S, M, S, S, M... Vincent Verneuil - Square Always Exponentiation 8 / 38
14 Recalls Regular Exponentiation Montgomery ladder Square & multiply: S, M, S, S, M, S, M, S, S, M... Square & multiply always: S, M, S, M,S, M,S, M,S, M, S, M... Vincent Verneuil - Square Always Exponentiation 8 / 38
15 Recalls Regular Exponentiation Montgomery ladder Square & multiply: S, M, S, S, M, S, M, S, S, M... Square & multiply always: S, M, S, M,S, M,S, M,S, M, S, M... Vincent Verneuil - Square Always Exponentiation 8 / 38
16 Recalls Regular Exponentiation Montgomery ladder Square & multiply: S, M, S, S, M, S, M, S, S, M... Square & multiply always: S, M, S, M,S, M,S, M,S, M, S, M... Montgomery ladder: S, M, S, M,S, M,S, M,S, M, S, M... Vincent Verneuil - Square Always Exponentiation 8 / 38
17 Recalls Regular Exponentiation Montgomery ladder Square & multiply: S, M, S, S, M, S, M, S, S, M... Square & multiply always: S, M, S, M,S, M,S, M,S, M, S, M... Montgomery ladder: S, M, S, M,S, M,S, M,S, M, S, M... Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: for i = k 1 to 0 do 4: R 1 di R 0 R 1 mod n 5: R di R di 2 mod n 6: return R 0 Vincent Verneuil - Square Always Exponentiation 8 / 38
18 Recalls Regular Exponentiation Atomic Exponentiation Multiply Always Square & multiply: S, M, S, S, M, S, M, S, S, M... Vincent Verneuil - Square Always Exponentiation 9 / 38
19 Recalls Regular Exponentiation Atomic Exponentiation Multiply Always Square & multiply: S, M, S, S, M, S, M, S, S, M... Multiply always: M,M, M,M,M, M,M, M,M,M... Vincent Verneuil - Square Always Exponentiation 9 / 38
20 Recalls Regular Exponentiation Atomic Exponentiation Multiply Always Square & multiply: S, M, S, S, M, S, M, S, S, M... Multiply always: M,M, M,M,M, M,M, M,M,M... Input: m,n,d N Output: m d mod n 1: R 0 1 2: R 1 m 3: i k 1 4: t 0 5: while i 0 do 6: R 0 R 0 R t mod n 7: t t d i [ is bitwise XOR] 8: i i 1 + t 9: return R 0 Vincent Verneuil - Square Always Exponentiation 9 / 38
21 Recalls Squaring-Multiplication Discrimination Attack In [Distinguishing Multiplications from Squaring Operations, SAC 2008], Amiel et al. observed that E x,y (HW(x y)) has a different value whether: x = y uniformly distributed in [0,2 k 1], x and y independent and uniformly distributed in [0,2 k 1]. Vincent Verneuil - Square Always Exponentiation 10 / 38
22 Recalls Squaring-Multiplication Discrimination Attack Attack: subtract two (averaged) power traces of consecutive atomic multiplications. Countermeasure: exponent blinding d d + rψ(n). Vincent Verneuil - Square Always Exponentiation 11 / 38
23 Recalls Cost Summary Algorithm Cost / bit S/M = 1 S/M =.8 # reg Square & multiply 1,2,3.5M + 1S 1.5M 1.3M 2 Multiply always 2,3 1.5M 1.5M 1.5M 2 Montgomery ladder 1M + 1S 2M 1.8M 2 1 algorithm unprotected towards the SPA 2 algorithm sensitive to S M discrimination 3 possible sliding window optimization Vincent Verneuil - Square Always Exponentiation 12 / 38
24 Contribution 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 12 / 38
25 Contribution Our Contribution Atomic exponentiation algorithms immune to the S M discrimination Better efficiency than ladder algorithms Study of algorithms for parallelized (co)processors and space/time trade-offs Vincent Verneuil - Square Always Exponentiation 13 / 38
26 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 13 / 38
27 Principle 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 13 / 38
28 Principle Replacing Multiplications by Squarings x y = (x + y)2 x 2 y 2 (1) 2 ( ) x + y 2 ( ) x y 2 x y = (2) 2 2 Vincent Verneuil - Square Always Exponentiation 14 / 38
29 Principle Replacing Multiplications by Squarings x y = (x + y)2 x 2 y 2 (1) 2 ( ) x + y 2 ( ) x y 2 x y = (2) 2 2 Vincent Verneuil - Square Always Exponentiation 14 / 38
30 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 14 / 38
31 Left-to-Right Algorithm Using (1) Input: m,n,d N Output: m d mod n a 1 for i = k 1 to 0 do a a 2 mod n if d i = 1 then a (a+m)2 a 2 return a 2 m2 2 mod n Vincent Verneuil - Square Always Exponentiation 15 / 38
32 Input: m,n,d N Output: m d mod n 1: R 0 1 ; R 1 m ; R 2 1 2: R 3 m 2 /2 mod n 3: j 0 ; i k 1 4: while i 0 do 5: R Mj,0 R Mj,1 + R Mj,2 mod n Atomic Left-to-Right Algorithm 0 bit j = 0 1 bit j = 1 0 bit 1 bit 6: R Mj,3 R 2 Mj,3 mod n 7: R Mj,4 R Mj,5 /2 mod n 8: R Mj,6 R Mj,7 R Mj,8 mod n j = 3 9: j d i (1 + (j mod 3)) 10: i i M j,9 11: return R M = j = 2 Vincent Verneuil - Square Always Exponentiation 16 / 38
33 j = 0 (d i = 0 or 1) R 1 R 1 + R 1 mod n R 0 R 2 0 mod n R 2 R 1 /2 mod n R 1 R 1 R 2 mod n j d i [ if d i = 0] i i (1 d i ) [ if d i = 1] Atomic Left-to-Right Algorithm j = 2 (d i = 1) R 1 R 1 + R 3 mod n R 0 R 2 0 mod n R 0 R 0 /2 mod n R 0 R 2 R 0 mod n j 3 i i 1 Atomic Patterns j = 1 (d i = 1) R 2 R 0 + R 1 mod n R 2 R 2 2 mod n R 2 R 2 /2 mod n R 2 R 2 R 3 mod n j 2 i i j = 3 (d i = 0 or 1) R 3 R 3 + R 3 mod n R 0 R 2 0 mod n R 3 R 3 /2 mod n R 1 R 1 R 3 mod n j d i i i (1 d i ) [ if d i = 1] Vincent Verneuil - Square Always Exponentiation 17 / 38
34 Right-to-Left Algorithm Using (2) Input: m,n,d N Output: m d mod n a 1 ; b m for i = 0 to k 1 do if d i = 1 then a ( a+b 2 b b 2 mod n return a ) 2 ( a b 2 ) 2 mod n Vincent Verneuil - Square Always Exponentiation 18 / 38
35 Input: m,n,d N Output: m d mod n 1: R 0 m ; R 1 1 ; R 2 1 2: i 0 ; j 0 3: while i k 1 do 4: j d i (1 + (j mod 3)) 5: R Mj,0 R Mj,1 + R 0 mod n 6: R Mj,2 R Mj,3 /2 mod n 7: R Mj,4 R Mj,5 R Mj,6 mod n Atomic Right-to-Left Algorithm 0 bit 8: R Mj,3 R 2 Mj,3 mod n j = 3 9: i i + M j,7 10: return R M = j = 0 1 bit j = 1 0 bit 1 bit j = 2 Vincent Verneuil - Square Always Exponentiation 19 / 38
36 j = 0 (d i = 0) j 0 [ if j was 0] R 0 R 0 + R 0 mod n R 2 R 0 /2 mod n R 0 R 0 R 2 mod n R 0 R 2 0 mod n i i + 1 j = 1 (d i = 1) j 1 R 2 R 1 + R 0 mod n R 2 R 2 /2 mod n R 1 R 0 R 1 mod n R 2 R 2 2 mod n i i Atomic Right-to-Left Algorithm j = 2 (d i = 1) j 2 R 0 R 2 + R 0 mod n R 1 R 1 /2 mod n R 0 R 0 R 2 mod n R 1 R 2 1 mod n i i j = 3 (d i = 1) j 3 R 0 R 0 + R 0 mod n R 0 R 0 /2 mod n R 1 R 2 R 1 mod n R 0 R 2 0 mod n i i + 1 Vincent Verneuil - Square Always Exponentiation 20 / 38 Atomic Patterns
37 Cost Comparison Algorithm Cost / bit S/M = 1 S/M =.8 # reg Square & multiply 1,2,3.5M + 1S 1.5M 1.3M 2 Multiply always 2,3 1.5M 1.5M 1.5M 2 Montgomery ladder 1M + 1S 2M 1.8M 2 L.-to-r. square always 3 2S 2M 1.6M 4 R.-to-l. square always 3 2S 2M 1.6M 3 11 % speed-up over Montgomery ladder 1 algorithm unprotected towards the SPA 2 algorithm sensitive to S M discrimination 3 possible sliding window optimization Vincent Verneuil - Square Always Exponentiation 21 / 38
38 Implementation AT90SC 30MHz with AdvX arithmetic coprocessor: Algorithm Key len. (b) Code (B) RAM (B) Timing (ms) Mont. ladder Square Always % practical speed-up obtained in practice Vincent Verneuil - Square Always Exponentiation 22 / 38
39 Security Considerations Immune to any S M discrimination Compatible with classical DPA/FA countermeasures Right-to-left is more robust than left-to-right Despite DPA countermeasures prevent safe-errors, we provide algorithms immune to C safe-errors Vincent Verneuil - Square Always Exponentiation 23 / 38
40 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 23 / 38
41 Generalities 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 23 / 38
42 Generalities Motivation Trendy topic Parallelized Montgomery ladder : 1M / bit Squarings are independent in eq. (1) and (2) What can we do if two parallel squarings are available? Vincent Verneuil - Square Always Exponentiation 24 / 38
43 Generalities Basic Parallelization Core 1 Core 2 0 bit S S 1 bit S S S S Many wasted squaring slots :-( Vincent Verneuil - Square Always Exponentiation 25 / 38
44 Generalities Scanning Direction Left-to-right: m d = m d 0 ( m d 1 ( ( ) ) ) m d k 1... Right-to-left: m d = m d k 12 k 1 m d k 22 k 2... m d 0 Right-to-left is more flexible Vincent Verneuil - Square Always Exponentiation 26 / 38
45 Generalities Better Parallelization Strategy: use the wasted 1 bit squaring slot to compute 1 squaring in advance. if(d i = 1) a ((a + b)/2) 2 ((a b)/2) 2 mod n b b 2 mod n Core 1 Core 2 S S S S Remark: requires 1 additional memory register to store the precomputed squaring. Vincent Verneuil - Square Always Exponentiation 27 / 38
46 Generalities Better Parallelization Strategy: use the wasted 1 bit squaring slot to compute 1 squaring in advance. if(d i = 1) a ((a + b)/2) 2 ((a b)/2) 2 mod n b b 2 mod n if(d i+1 = 1) a ((a + b)/2) 2 ((a b)/2) 2 mod n b b 2 mod n Core 1 Core 2 S S S S Remark: requires 1 additional memory register to store the precomputed squaring. Vincent Verneuil - Square Always Exponentiation 27 / 38
47 Generalities Better Parallelization Strategy: use the wasted 1 bit squaring slot to compute 1 squaring in advance. if(d i = 1) a ((a + b)/2) 2 ((a b)/2) 2 mod n b b 2 mod n if(d i+1 = 1) a ((a + b)/2) 2 ((a b)/2) 2 mod n b b 2 mod n Core 1 Core 2 S S S S Remark: requires 1 additional memory register to store the precomputed squaring. Vincent Verneuil - Square Always Exponentiation 27 / 38
48 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 27 / 38
49 Right-to-Left Parallelized Algorithm Input: m,n N, m < n, d = (d k 1...d 0 ) 2, require 5 k-bit registers a, b, R 0, R 1, R 2 Output: m d mod n 1: a 1 ; b m ; extra 0 2: for i = 0 to k 1 do 3: if d i = 1 then 4: if extra = 0 then 5: R 0 (a b) 2 mod n R 1 b 2 mod n 6: a (a + b) 2 mod n R 2 R 2 1 mod n 7: a (a R 0 )/4 mod n ; b R 1 ; R 1 R 2 8: extra 1 9: else 10: R 0 (a b) 2 mod n a (a + b) 2 mod n 11: a (a R 0 )/4 mod n ; b R 1 12: extra 0 13: else 14: if extra = 0 then 15: b b 2 mod n <nothing> 16: else 17: b R 1 18: extra 0 19: return a Vincent Verneuil - Square Always Exponentiation 28 / 38
50 Atomic Parallelized Algorithm Input: m,n N, m < n, d = (d k 1 d k 2...d 0 ) 2, require 7 k-bit registers R 0 to R 6 Output: m d mod n 1: R 0 1 ; R 1 m ; v (0,0,0) ; u 1 2: while v 0 k 1 do 3: j d v0 (v 1 + u + 1) 4: R 5 (R 0 R 1 )/2 mod n 5: R 6 (R 0 + R 1 )/2 mod n 6: R Mj,0 R 2 Mj,1 mod n R Mj,2 R 2 Mj,3 mod n 7: R Mj,4 R 0 R 2 mod n 8: R Mj,5 R 3 9: R Mj,6 R 4 10: v 1 M j,7 11: u M j,8 12: t 1 v 1 (1 d v0 +1) 13: R Nt,0 R 3 14: v Nt,1 0 15: v Nt,2 v Nt, : v 0 v 0 + u 17: return R 0 Vincent Verneuil - Square Always Exponentiation 29 / 38
51 Atomic Parallelized Algorithm Matrices M = N = ( 1 1 ) Vincent Verneuil - Square Always Exponentiation 30 / 38
52 Even Better Parallelization Strategy: use the wasted 1 bit squaring slots to compute several squarings in advance. The variable extra, 0 extra extramax, stores the number of precomputed squarings. Remark: requires extramax additional memory registers to store the precomputed squarings. Vincent Verneuil - Square Always Exponentiation 31 / 38
53 Even Better Parallelization Example : d = ( ) 2, extramax = 1 extramax = cost: 1S 2S 1S 1S 1S Cost: 6S Vincent Verneuil - Square Always Exponentiation 32 / 38
54 Even Better Parallelization Example : d = ( ) 2, extramax 2 extramax cost: 1S 2S 2S 0S 0S Cost: 5S Vincent Verneuil - Square Always Exponentiation 33 / 38
55 Generalized Parallel Square Always Input: m,n N, m < n, d = (d k 1 d k 2...d 0 ) 2, extramax N, require extramax+4 k-bit registers a, R 0, R 1,... R extramax+2 Output: m d mod n 1: a 1 ; R 1 m ; extra 0 2: for i = 0 to k 1 do 3: if d i = 1 then 4: if extra < extramax then 5: R 0 (a R 1 ) 2 mod n R extra+2 R 2 extra+1 mod n 6: a (a + R 1 ) 2 mod n R extra+3 R 2 extra+2 mod n 7: a (a R 0 )/4 mod n 8: (R 1,R 2,...R extramax+1 ) (R 2,R 3,...R extramax+2 ) 9: extra extra+1 10: else 11: R 0 (a R 1 ) 2 mod n a (a + R 1 ) 2 mod n 12: a (a R 0 )/4 mod n 13: (R 1,R 2,...R extramax+1 ) (R 2,R 3,...R extramax+2 ) 14: extra extra 1 15: else 16: if extra = 0 then 17: R 1 R 2 1 mod n 18: else 19: (R 1,R 2,...R extramax+1 ) (R 2,R 3,...R extramax+2 ) 20: extra extra 1 21: return a Vincent Verneuil - Square Always Exponentiation 34 / 38
56 Cost Comparison We demonstrate that the cost of the parallelized algorithms tends to: ( ) S 4 extramax +2 Algorithm General cost S/M = 1 S/M = 0.8 Parallel Montgomery ladder 1M 1M 1M Parallel Sq. Al. extramax = 1 7S/6 1.17M 0.93M Parallel Sq. Al. extramax = 2 11S/ M 0.88M Parallel Sq. Al. extramax = 3 15S/ M 0.86M.... Parallel Sq. Al. extramax 1S 1M 0.8M Vincent Verneuil - Square Always Exponentiation 35 / 38
57 1 Introduction Motivation Recalls Contribution 2 Square Always Principle 3 Parallelization Generalities 4 Conclusion Outline Vincent Verneuil - Square Always Exponentiation 35 / 38
58 Conclusion Square Always is an alternative countermeasure to S M discrimination It provides better efficiency than the Montgomery ladder Parallelization brings best exponentiation performances to our knowledge Two parallel squaring blocks yields faster exponentiation than two parallel multiplication blocks! Vincent Verneuil - Square Always Exponentiation 36 / 38
59 Thank you for your attention! Vincent Verneuil - Square Always Exponentiation 37 / 38
60 Turning Squarings into Multiplications r, r 1, r 2 being random integers < n x x = (x + r) x x r = (x + r) (x r) + r 2 = (x + r 1 ) (x + r 2 ) x (r 1 + r 2 ) r 1 r 2 Vincent Verneuil - Square Always Exponentiation 38 / 38
Elliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationSquare Always Exponentiation
Square Always Exponentiation Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent Verneuil To cite this version: Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet,
More informationBlinded Fault Resistant Exponentiation FDTC 06
Previous Work Our Algorithm Guillaume Fumaroli 1 David Vigilant 2 1 Thales Communications guillaume.fumaroli@fr.thalesgroup.com 2 Gemalto david.vigilant@gemalto.com FDTC 06 Outline Previous Work Our Algorithm
More informationSide-Channel Analysis on Blinded Regular Scalar Multiplications
Side-Channel Analysis on Blinded Regular Scalar Multiplications Extended Version Benoit Feix 1 and Mylène Roussellet 2 and Alexandre Venelli 3 1 UL Security Transactions, UK Security Lab benoit.feix@ul.com
More informationSide-channel attacks on PKC and countermeasures with contributions from PhD students
basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud
More informationEfficient randomized regular modular exponentiation using combined Montgomery and Barrett multiplications
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2016 Efficient randomized regular modular exponentiation
More informationHorizontal and Vertical Side-Channel Attacks against Secure RSA Implementations
Introduction Clavier et al s Paper This Paper Horizontal and Vertical Side-Channel Attacks against Secure RSA Implementations Aurélie Bauer Éliane Jaulmes Emmanuel Prouff Justine Wild ANSSI Session ID:
More informationRemote Timing Attacks are Practical
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel
More informationImproved Collision-Correlation Power Analysis on First Order Protected AES
Improved Collision-Correlation Power Analysis on First Order Protected AES Christophe Clavier, Benoit Feix, Georges Gagnerot, Mylène Roussellet, Vincent Verneuil To cite this version: Christophe Clavier,
More informationFast and Regular Algorithms for Scalar Multiplication over Elliptic Curves
Fast and Regular Algorithms for Scalar Multiplication over Elliptic Curves Matthieu Rivain CryptoExperts matthieu.rivain@cryptoexperts.com Abstract. Elliptic curve cryptosystems are more and more widespread
More informationAlgorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis
Algorithm for RSA and Hyperelliptic Curve Cryptosystems Resistant to Simple Power Analysis Christophe Negre ici joined work with T. Plantard (U. of Wollongong, Australia) Journees Nationales GDR IM January
More informationLazy Leak Resistant Exponentiation in RNS
Lazy Leak Resistant Exponentiation in RNS Andrea Lesavourey, Christophe Negre, Thomas Plantard To cite this version: Andrea Lesavourey, Christophe Negre, Thomas Plantard. Lazy Leak Resistant Exponentiation
More informationEfficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand
Efficient Modular Exponentiation Based on Multiple Multiplications by a Common Operand Christophe Negre, Thomas Plantard, Jean-Marc Robert Team DALI (UPVD) and LIRMM (UM2, CNRS), France CCISR, SCIT, (University
More informationA DPA attack on RSA in CRT mode
A DPA attack on RSA in CRT mode Marc Witteman Riscure, The Netherlands 1 Introduction RSA is the dominant public key cryptographic algorithm, and used in an increasing number of smart card applications.
More informationEfficient Leak Resistant Modular Exponentiation in RNS
Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1), Christophe Negre (1) and Thomas Plantard (2) (1) DALI (UPVD) and LIRMM (Univ. of Montpellier, CNRS), Perpignan, France (2)
More informationSide-Channel Analysis on Blinded Regular Scalar Multiplications
Side-Channel Analysis on Blinded Regular Scalar Multiplications Benoit Feix 1 and Mylène Roussellet 2 and Alexandre Venelli 3 1 UL Security Transactions, UK Security Lab benoit.feix@ul.com 2 Gemalto, La
More informationPower Analysis to ECC Using Differential Power between Multiplication and Squaring
Power Analysis to ECC Using Differential Power between Multiplication and Squaring Toru Akishita 1 and Tsuyoshi Takagi 2 1 Sony Corporation, Information Technologies Laboratories, Tokyo, Japan akishita@pal.arch.sony.co.jp
More informationMulti-Exponentiation Algorithm
Multi-Exponentiation Algorithm Chien-Ning Chen Email: chienning@ntu.edu.sg Feb 15, 2012 Coding and Cryptography Research Group Outline Review of multi-exponentiation algorithms Double/Multi-exponentiation
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationRandomized Signed-Scalar Multiplication of ECC to Resist Power Attacks
Randomized Signed-Scalar Multiplication of ECC to Resist Power Attacks Jae Cheol Ha 1 and Sang Jae Moon 2 1 Division of Information Science, Korea Nazarene Univ., Cheonan, Choongnam, 330-718, Korea jcha@kornu.ac.kr
More informationDynamic Runtime Methods to Enhance Private Key Blinding
Dynamic Runtime Methods to Enhance Private Key Blinding Karine Gandolfi-Villegas and Nabil Hamzi Gemalto Security Labs {nabil.hamzi,karine.villegas}@gemalto.com Abstract. In this paper we propose new methods
More informationEfficient regular modular exponentiation using multiplicative half-size splitting
J Cryptogr Eng (17) 7:45 53 DOI 1.17/s13389-16-134-5 SHORT COMMUNICATION Efficient regular modular exponentiation using multiplicative half-size splitting Christophe Negre 1, Thomas Plantard 3,4 Received:
More informationInvestigations of Power Analysis Attacks on Smartcards *
Investigations of Power Analysis Attacks on Smartcards * Thomas S. Messerges Ezzy A. Dabbish Robert H. Sloan 1 Dept. of EE and Computer Science Motorola Motorola University of Illinois at Chicago tomas@ccrl.mot.com
More informationHardware Architectures for Public Key Algorithms Requirements and Solutions for Today and Tomorrow
Hardware Architectures for Public Key Algorithms Requirements and Solutions for Today and Tomorrow Cees J.A. Jansen Pijnenburg Securealink B.V. Vught, The Netherlands ISSE Conference, London 27 September,
More informationLow-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity
Low-Cost Solutions for Preventing Simple Side-Channel Analysis: Side-Channel Atomicity [Published in IEEE Transactions on Computers 53(6):760-768, 00.] Benoît Chevallier-Mames 1, Mathieu Ciet, and Marc
More informationRandom Delay Insertion: Effective Countermeasure against DPA on FPGAs
Random Delay Insertion: Effective Countermeasure against DPA on FPGAs Lu, Yingxi Dr. Máire O Neill Prof. John McCanny Overview September 2004 PRESENTATION OUTLINE DPA and countermeasures Random Delay Insertion
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationPower Consumption Analysis. Arithmetic Level Countermeasures for ECC Coprocessor. Arithmetic Operators for Cryptography.
Power Consumption Analysis General principle: measure the current I in the circuit Arithmetic Level Countermeasures for ECC Coprocessor Arnaud Tisserand, Thomas Chabrier, Danuta Pamula I V DD circuit traces
More informationOn the BRIP Algorithms Security for RSA
On the BRIP Algorithms Security for RSA Frédéric Amiel 1 and Benoit Feix 2 1 AMESYS, 1030, Avenue Guillibert de la Lauzire, 13794 Aix-en-Provence, Cedex 3, France f.amiel@amesys.fr 2 INSIDE CONTACTLESS
More informationCo-Z Addition Formulæ and Binary Ladders on Elliptic Curves. Raveen Goundar Marc Joye Atsuko Miyaji
Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves Raveen Goundar Marc Joye Atsuko Miyaji Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves Raveen Goundar Marc Joye Atsuko Miyaji Elliptic
More informationFast Point Multiplication on Elliptic Curves Without Precomputation
Published in J. von zur Gathen, J.L. Imaña, and Ç.K. Koç, Eds, Arithmetic of Finite Fields (WAIFI 2008), vol. 5130 of Lecture Notes in Computer Science, pp. 36 46, Springer, 2008. Fast Point Multiplication
More informationS XMP LIBRARY INTERNALS. Niall Emmart University of Massachusetts. Follow on to S6151 XMP: An NVIDIA CUDA Accelerated Big Integer Library
S6349 - XMP LIBRARY INTERNALS Niall Emmart University of Massachusetts Follow on to S6151 XMP: An NVIDIA CUDA Accelerated Big Integer Library High Performance Modular Exponentiation A^K mod P Where A,
More informationBranch Prediction based attacks using Hardware performance Counters IIT Kharagpur
Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur March 19, 2018 Modular Exponentiation Public key Cryptography March 19, 2018 Branch Prediction Attacks 2 / 54 Modular Exponentiation
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationNumbers. Çetin Kaya Koç Winter / 18
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 18 Number Systems and Sets We represent the set of integers as Z = {..., 3, 2, 1,0,1,2,3,...} We denote the set of positive integers modulo n as
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More informationResistance of Randomized Projective Coordinates Against Power Analysis
Resistance of Randomized Projective Coordinates Against Power Analysis William Dupuy and Sébastien Kunz-Jacques DCSSI Crypto Lab 51, bd de Latour-Maubourg, 75700 PARIS 07 SP william.dupuy@laposte.net,
More informationExponent Blinding Does not Always Lift (Partial) SPA Resistance to Higher-Level Security
Exponent Blinding Does not Always Lift (Partial) SPA Resistance to Higher-Level Security Werner Schindler (Bundesamt für Sicherheit in der Informationstechnik (BSI)) and Kouichi Itoh (Fujitsu Laboratories
More informationAffine Precomputation with Sole Inversion in Elliptic Curve Cryptography
Affine Precomputation with Sole Inversion in Elliptic Curve Cryptography Erik Dahmen, 1 Katsuyuki Okeya, 2 and Daniel Schepers 1 1 Technische Universität Darmstadt, Fachbereich Informatik, Hochschulstr.10,
More informationFPGA IMPLEMENTATION FOR ELLIPTIC CURVE CRYPTOGRAPHY OVER BINARY EXTENSION FIELD
University of Windsor Scholarship at UWindsor Electronic Theses and Dissertations 10-5-2017 FPGA IMPLEMENTATION FOR ELLIPTIC CURVE CRYPTOGRAPHY OVER BINARY EXTENSION FIELD Che Chen University of Windsor
More informationAPPLICATION OF ELLIPTIC CURVES IN CRYPTOGRAPHY-A REVIEW
APPLICATION OF ELLIPTIC CURVES IN CRYPTOGRAPHY-A REVIEW Savkirat Kaur Department of Mathematics, Dev Samaj College for Women, Ferozepur (India) ABSTRACT Earlier, the role of cryptography was confined to
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationPower Analysis for Secret Recovering and Reverse Engineering of Public Key Algorithms
Power Analysis for Secret Recovering and Reverse Engineering of Public Key Algorithms Frederic Amiel 1,, Benoit Feix 2,, and Karine Villegas 1 1 GEMALTO, Security Labs, La Vigie, Avenue du Jujubier, ZI
More informationIntroduction to Side Channel Analysis. Elisabeth Oswald University of Bristol
Introduction to Side Channel Analysis Elisabeth Oswald University of Bristol Outline Part 1: SCA overview & leakage Part 2: SCA attacks & exploiting leakage and very briefly Part 3: Countermeasures Part
More informationArithmetic Operators for Pairing-Based Cryptography
Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationElliptic Curve Discrete Logarithm Problem
Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October
More informationHardware implementations of ECC
Hardware implementations of ECC The University of Electro- Communications Introduction Public- key Cryptography (PKC) The most famous PKC is RSA and ECC Used for key agreement (Diffie- Hellman), digital
More informationCryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1
Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1 Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings:
More informationFast Algorithm in ECC for Wireless Sensor Network
Fast Algorithm in ECC for Wireless Sensor Network Xu Huang, Pritam Shah, and Dharmendra Sharma Abstract Elliptic curve cryptography (ECC) has been attractive to the people who are working in the field
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationrecover the secret key [14]. More recently, the resistance of smart-card implementations of the AES candidates against monitoring power consumption wa
Resistance against Dierential Power Analysis for Elliptic Curve Cryptosystems Jean-Sebastien Coron Ecole Normale Superieure Gemplus Card International 45 rue d'ulm 34 rue Guynemer Paris, F-75230, France
More informationThe Montgomery Powering Ladder
The Montgomery Powering Ladder [Published in B.S. Kaliski Jr., Ç.K. Koç, and C. Paar, Eds., Cryptographic Hardware and Embedded Systems CHES 2002, vol. 2523 of Lecture Notes in Computer Science, pp. 291
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationLinear Regression Side Channel Attack Applied on Constant XOR
Linear Regression Side Channel Attack Applied on Constant XOR Shan Fu ab, Zongyue Wang c, Fanxing Wei b, Guoai Xu a, An Wang d a National Engineering Laboratory of Mobile Internet Security, Beijing University
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationA variant of the F4 algorithm
A variant of the F4 algorithm Vanessa VITSE - Antoine JOUX Université de Versailles Saint-Quentin, Laboratoire PRISM CT-RSA, February 18, 2011 Motivation Motivation An example of algebraic cryptanalysis
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More informationSecurity Analysis of XTR Exponentiation Algorithms Against Simple Power Analysis Attack
Security Analysis of XTR Exponentiation Algorithms Against Simple Power Analysis Attack Jaewook Chung and Anwar Hasan j4chung@uwaterloo.ca ahasan@secure.uwaterloo.ca Center for Applied Cryptographic Research
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationHigh-Order Conversion From Boolean to Arithmetic Masking
High-Order Conversion From Boolean to Arithmetic Masking Jean-Sébastien Coron University of Luxembourg jean-sebastien.coron@uni.lu Abstract. Masking with random values is an effective countermeasure against
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationPower Analysis Attacks and Algorithmic Approaches to their Countermeasures for Koblitz Curve Cryptosystems
Power Analysis Attacks and Algorithmic Approaches to their Countermeasures for Koblitz Curve Cryptosystems M. Anwar Hasan Department of Electrical and Computer Engineering University of Waterloo, Waterloo,
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationIntroduction to Cryptology. Lecture 20
Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationExponentiation and Point Multiplication. Çetin Kaya Koç Spring / 70
Exponentiation and Point Multiplication 1 2 3 4 5 6 8 7 10 9 12 16 14 11 13 15 20 http://koclab.org Çetin Kaya Koç Spring 2018 1 / 70 Contents Exponentiation and Point Multiplication Exponentiation and
More informationTiming Attacks on Software Implementation of RSA
Timing Attacks on Software Implementation of RSA Project Report Harshman Singh School of Electrical Engineering and Computer Science Oregon State University Major Professor: Dr. Çetin Kaya Koç 2 Acknowledgements
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationA Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations
A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations James A. Muir School of Computer Science Carleton University, Ottawa, Canada http://www.scs.carleton.ca/ jamuir 23 October
More informationComplexity Analysis of a Fast Modular Multiexponentiation Algorithm
Complexity Analysis of a Fast Modular Multiexponentiation Algorithm Haimin Jin 1,, Duncan S. Wong, Yinlong Xu 1 1 Department of Computer Science University of Science and Technology of China China jhm113@mail.ustc.edu.cn,
More informationImproved High-Order Conversion From Boolean to Arithmetic Masking
Improved High-Order Conversion From Boolean to Arithmetic Masking Luk Bettale 1, Jean-Sébastien Coron 2, and Rina Zeitoun 1 1 IDEMIA, France luk.bettale@idemia.com, rina.zeitoun@idemia.com 2 University
More informationSymbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS Inès Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz Sorbonne Universités, UPMC Univ Paris
More informationKnown Plaintext Only Attack on RSA CRT with Montgomery Multiplication
Known Plaintext Only Attack on RSA CRT with Montgomery Multiplication Martin Hlaváč hlavm1am@artax.karlin.mff.cuni.cz Department of Algebra, Charles University in Prague, Sokolovská 83, 186 75 Prague 8,
More informationSliding right into disaster - Left-to-right sliding windows leak
Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
More informationTiming Attack against protected RSA-CRT implementation used in PolarSSL
Timing Attack against protected RSA-CRT implementation used in PolarSSL Cyril Arnaud 1 and Pierre-Alain Fouque 1 École de l Air, cy.arnaud@orange.fr Université Rennes 1 pierre-alain.fouque@ens.fr Abstract.
More informationSide-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman
Side-Channel Attacks on Quantum-Resistant Supersingular Isogeny Diffie-Hellman Presenter: Reza Azarderakhsh CEECS Department and I-Sense, Florida Atlantic University razarderakhsh@fau.edu Paper by: Brian
More informationZero-Value Point Attacks on Elliptic Curve Cryptosystem
Zero-Value Point Attacks on Elliptic Curve Cryptosystem Toru Akishita 1 and Tsuyoshi Takagi 2 1 Sony Corporation, Ubiquitous Technology Laboratories, 6-7-35 Kitashinagawa Shinagawa-ku, Tokyo, 141-0001
More informationA Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m )
A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m ) Stefan Tillich, Johann Großschädl Institute for Applied Information Processing and
More informationA DPA Attack against the Modular Reduction within a CRT Implementation of RSA
A DPA Attack against the Modular Reduction within a CRT Implementation of RSA Bert den Boer, Kerstin Lemke, and Guntram Wicke T-Systems ISS GmbH Rabinstr. 8, D-53111 Bonn, Germany BdenBoer@tpd.tno.nl,
More informationLow-Resource and Fast Elliptic Curve Implementations over Binary Edwards Curves
Rochester Institute of Technology RIT Scholar Works Theses Thesis/Dissertation Collections 5-2016 Low-Resource and Fast Elliptic Curve Implementations over Binary Edwards Curves Brian Koziel bck6520@rit.edu
More informationRevisiting Atomic Patterns for Scalar Multiplications on Elliptic Curves
Revisiting Atomic Patterns for Scalar Multiplications on Elliptic Curves Franck Rondepierre Oberthur Technologies, Crypto Group 420, rue Estienne d Orves, 92 700 Colombes, France f.rondepierre@oberthur.com
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationRSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis. Daniel Genkin, Adi Shamir, Eran Tromer
RSA Key Extraction via Low- Bandwidth Acoustic Cryptanalysis Daniel Genkin, Adi Shamir, Eran Tromer Mathematical Attacks Input Crypto Algorithm Key Output Goal: recover the key given access to the inputs
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationXMX: A Firmware-oriented Block Cipher Based on Modular Multiplications
XMX: A Firmware-oriented Block Cipher Based on Modular Multiplications [Published in E. Biham, Ed., Fast Software Encrytion, vol. 1267 of Lecture Notes in Computer Science, pp. 166 171, Springer-Verlag,
More informationMontgomery-Suitable Cryptosystems
Montgomery-Suitable Cryptosystems [Published in G. Cohen, S. Litsyn, A. Lobstein, and G. Zémor, Eds., Algebraic Coding, vol. 781 of Lecture Notes in Computer Science, pp. 75-81, Springer-Verlag, 1994.]
More informationFast Simultaneous Scalar Multiplication on Elliptic Curve with Montgomery Form
Fast Simultaneous Scalar Multiplication on Elliptic Curve with Montgomery Form Toru Akishita Sony Corporation, 6-7-35 Kitashinagawa Shinagawa-ku, Tokyo, 141-0001, Japan akishita@pal.arch.sony.co.jp Abstract.
More informationOn Double Exponentiation for Securing RSA against Fault Analysis
On Double Exponentiation for Securing RSA against Fault Analysis Duc-Phong Le 1, Matthieu Rivain 2, and Chik How Tan 1 1 Temasek Laboratories, National University of Singapore {tslld,tsltch}@nus.edu.sg
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationMoTE-ECC: Energy-Scalable Elliptic Curve Cryptography for Wireless Sensor Networks
MoTE-ECC: Energy-Scalable Elliptic Curve Cryptography for Wireless Sensor Networks Zhe Liu 1, Erich Wenger 2, and Johann Großschädl 1 1 University of Luxembourg, Laboratory of Algorithmics, Cryptology
More informationLecture 14. Outline. 1. Finish Polynomials and Secrets. 2. Finite Fields: Abstract Algebra 3. Erasure Coding
Lecture 14. Outline. 1. Finish Polynomials and Secrets. 2. Finite Fields: Abstract Algebra 3. Erasure Coding Modular Arithmetic Fact and Secrets Modular Arithmetic Fact: There is exactly 1 polynomial of
More informationA Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. XX, NO. X, MONTH 2007 1 A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations James A. Muir Abstract We present a simple algorithm
More informationA New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis
A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis Jean Sébastien Coron 1, David Lefranc 2 and Guillaume Poupard 3 1 Université du Luxembourg Luxembourg coron@clipper.ens.fr 2
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationFast SPA-Resistant Exponentiation Through Simultaneous Processing of Half-Exponents
Fast SPA-Resistant Exponentiation Through Simultaneous Processing of Half-Exponents Carlos Moreno and M. Anwar Hasan Department of Electrical and Computer Engineering University of Waterloo, Canada cmoreno@uwaterloo.ca,
More information