Curve41417: Karatsuba revisited
Size: px
Start display at page:

Download "Curve41417: Karatsuba revisited"

Transcription

1 Curve41417: Karatsuba revisited Chitchanok Chuengsatiansup Technische Universiteit Eindhoven September 25, 2014 Joint work with Daniel J. Bernstein and Tanja Lange Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 1

2 Real-World Application Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 2

3 Performance budget This talk focuses on: n, P np ARM Cortex-A8 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 3

4 Performance budget This talk focuses on: n, P np ARM Cortex-A8 OpenSSL secp160-r1 (security level only 2 80 ) least secure option supported by OpenSSL 2.1 million cycles on FreeScale i.mx million cycles on TI Sitara Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 3

5 Performance budget This talk focuses on: n, P np ARM Cortex-A8 OpenSSL secp160-r1 (security level only 2 80 ) least secure option supported by OpenSSL 2.1 million cycles on FreeScale i.mx million cycles on TI Sitara Curve41417 (security level above ) 1.6 million cycles on FreeScale i.mx million cycles on TI Sitara Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 3

6 Design of Curve41417 High-security elliptic curve (security level above ) Defined over prime field F p where p = In Edwards curve form x 2 + y 2 = x 2 y 2 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 4

7 Design of Curve41417 High-security elliptic curve (security level above ) Defined over prime field F p where p = In Edwards curve form x 2 + y 2 = x 2 y 2 Large prime-order subgroup (cofactor 8) IEEE P1363 criteria (large embedding degree, etc.) Twist secure, i.e., twist of Curve41417 also secure Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 4

8 Side-Channel Attack Prevent software side-channel attack: constant-time no input-dependent branch no input-dependent array index Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 5

9 Side-Channel Attack Prevent software side-channel attack: constant-time no input-dependent branch no input-dependent array index Constant-time table-lookup: read entire table select via arithmetic if c is 1, select tbl[i] if c is 0, ignore tbl[i] t = (t (1 c)) + (tbl[i] (c) ) t = (t and (c 1)) xor (tbl[i] and ( c)) Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 5

10 ECC Arithmetic Mix coordinate systems: doubling: projective X, Y, Z addition: extended X, Y, Z, T (See Scalar multiplication: signed fixed windows of width w = 5 precompute 0P, 1P, 2P,..., 16P also multiply d = 3617 to T coordinate special first doubling compute T only before addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 6

11 ARM Cortex-A8 Vector Unit 128-bit vector Arithmetic and load/store unit can perform in parallel Operate in parallel on vectors of four 32-bit integers or two 64-bit integers Each cycle produces: four 32-bit integer additions: a 0 +b 0, a 1 +b 1, a 2 +b 2, a 3 +b 3 or two 64-bit integer additions: c 0 +d 0, c 1 +d 1 or one multiply-add instruction: a 0 b 0 + c 0 where a i, b i are 32- and c i, d i are 64-bit integers Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 7

12 Redundant Representation Use non-integer radix 2 414/16 = Decompose integer f modulo into 16 integer pieces Write f as f f f f f f f f f f f f f f f f 15 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 8

13 Carries Goal: Bring each limb down to 26 or 25 bits Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

14 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

15 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

16 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 8 m 9 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

17 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 8 m 9 m 10 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

18 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

19 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

20 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: m 0 m 1 m 8 m 9 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

21 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: m 0 m 1 m 8 m 9 m 4 m 5 m 12 m 13 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

22 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: m 0 m 1 m 2 m 8 m 9 m 10 m 4 m 5 m 12 m 13 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

23 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: m 0 m 1 m 2 m 8 m 9 m 10 m 4 m 5 m 6 m 12 m 13 m 14 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

24 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: m 0 m 1 m 2 m 3 m 4 m 5 m 8 m 9 m 10 m 11 m 12 m 13 m 4 m 5 m 6 m 7 m 8 m 9 m 12 m 13 m 14 m 15 m 0 m 1 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9

25 Level of Karatsuba Karatsuba splits 1 (2n 2n) into 3 (n n) Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 10

26 Level of Karatsuba Karatsuba splits 1 (2n 2n) into 3 (n n) Zero-level Karatsuba (Schoolbook) e.g. for 16 limbs: = 256 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 10

27 Level of Karatsuba Karatsuba splits 1 (2n 2n) into 3 (n n) Zero-level Karatsuba (Schoolbook) e.g. for 16 limbs: = 256 One-level Karatsuba e.g.: (8 8) + some additions = some additions Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 10

28 Level of Karatsuba Karatsuba splits 1 (2n 2n) into 3 (n n) Zero-level Karatsuba (Schoolbook) e.g. for 16 limbs: = 256 One-level Karatsuba e.g.: (8 8) + some additions = some additions Two-level Karatsuba e.g.: 3 (8 8) 3 (3 (4 4)) + even more additions = even more additions Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 10

29 Level of Karatsuba Karatsuba splits 1 (2n 2n) into 3 (n n) Zero-level Karatsuba (Schoolbook) e.g. for 16 limbs: = 256 One-level Karatsuba e.g.: (8 8) + some additions = some additions Two-level Karatsuba e.g.: 3 (8 8) 3 (3 (4 4)) + even more additions = even more additions What is the zero-level/one-level cutoff for number of limbs? Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 10

30 GMP s cutoffs for Karatsuba cycles/byte bits Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 11

31 GMP s cutoffs for Karatsuba cycles/byte bits GMP 6.0.0a library chooses 1248 bits on ARM Cortex-A8 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 11

32 GMP s cutoffs for Karatsuba cycles/byte bits GMP 6.0.0a library chooses 1248 bits on ARM Cortex-A8 We reduce cutoff via improvements to Karatsuba Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 11

33 GMP s cutoffs for Karatsuba cycles/byte bits GMP 6.0.0a library chooses 1248 bits on ARM Cortex-A8 We reduce cutoff via improvements to Karatsuba We reduce cutoff via redundant representation Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 11

34 Polynomial Multiplication Goal: Compute P = AB given A = a 0 + a 1 t n and B = b 0 + b 1 t n Method 1: schoolbook P = a 0 b 0 + (a 0 b 1 + a 1 b 0 )t n + a 1 b 1 t 2n Method 2: Karatsuba (8n 4 additions) P = a 0 b 0 +((a 0 +a 1 )(b 0 +b 1 ) a 0 b 0 a 1 b 1 )t n +a 1 b 1 t 2n Method 3: refined Karatsuba (7n 3 additions) P = (a 0 b 0 a 1 b 1 t n )(1 t n ) + (a 0 + a 1 )(b 0 + b 1 )t n Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 12

35 Polynomial Multiplication modq Goal: Compute P = AB modq given A = a 0 + a 1 t n and B = b 0 + b 1 t n Method 1: schoolbook P = a 0 b 0 + (a 0 b 1 + a 1 b 0 )t n + a 1 b 1 t 2n modq Method 2: Karatsuba (8n 4 additions) P = a 0 b 0 +((a 0 +a 1 )(b 0 +b 1 ) a 0 b 0 a 1 b 1 )t n +a 1 b 1 t 2n modq Method 3: refined Karatsuba (7n 3 additions) P = (a 0 b 0 a 1 b 1 t n )(1 t n ) + (a 0 + a 1 )(b 0 + b 1 )t n modq Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 12

36 Polynomial Multiplication modq Goal: Compute P = AB modq given A = a 0 + a 1 t n and B = b 0 + b 1 t n Method 1: schoolbook P = a 0 b 0 + (a 0 b 1 + a 1 b 0 )t n + a 1 b 1 t 2n modq Method 2: Karatsuba (8n 4 additions) P = a 0 b 0 +((a 0 +a 1 )(b 0 +b 1 ) a 0 b 0 a 1 b 1 )t n +a 1 b 1 t 2n modq Method 3: refined Karatsuba (7n 3 additions) P = (a 0 b 0 a 1 b 1 t n )(1 t n ) + (a 0 + a 1 )(b 0 + b 1 )t n modq Method 4: reduced refined Karatsuba (6n 2 additions) (new) P=(a 0 b 0 a 1 b 1 t n modq)(1 t n )+(a 0 +a 1 )(b 0 +b 1 )t n modq Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 12

37 Reduced Refined Karatsuba a 0 b 0 a 1 b 1 subtract reduce a 0 b 0 t n a 1 b 1 a 0 b 0 t n a 1 b 1 subtract (1 t n )(a 0 b 0 t n a 1 b 1 ) (a 0 + a 1 )(b 0 + b 1 ) subtract reduce Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 13

38 Cost Comparison (Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 223 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 14

39 Cost Comparison (Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 223 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 14

40 Cost Comparison (refined Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 210 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 15

41 Cost Comparison (refined Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 210 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 15

42 Cost Comparison (reduced refined Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 207 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 16

43 Cost Comparison (reduced refined Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 207 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 16

44 Performance Comparison OpenSSL curve # cycle on i.mx515 # cycle on Sitara secp160r1 2.1 million 2.1 million nistp million 2.8 million nistp million 3.9 million nistp million 3.9 million nistp million 13.2 million nistp million 29.7 million Curve41417 (security level above ) 1.6 million cycles on FreeScale i.mx million cycles on TI Sitara Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 17

45 Performance Comparison OpenSSL curve # cycle on i.mx515 # cycle on Sitara secp160r1 2.1 million 2.1 million nistp million 2.8 million nistp million 3.9 million nistp million 3.9 million nistp million 13.2 million nistp million 29.7 million Curve41417 (security level above ) 1.6 million cycles on FreeScale i.mx million cycles on TI Sitara Coming soon: Intel Haswell implementation with Sebastian Verschoor Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 17

Similar documents

A new algorithm for residue multiplication modulo

A new algorithm for residue multiplication modulo A new algorithm for residue multiplication modulo 2 521 1 Shoukat Ali and Murat Cenk Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey shoukat.1983@gmail.com mcenk@metu.edu.tr

More information

Software implementation of ECC

Software implementation of ECC Software implementation of ECC Radboud University, Nijmegen, The Netherlands June 4, 2015 Summer school on real-world crypto and privacy Šibenik, Croatia Software implementation of (H)ECC Radboud University,

More information

Kummer strikes back: new DH speed records

Kummer strikes back: new DH speed records Kummer strikes back: new D speed records Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 2, Tanja Lange 2, and Peter Schwabe 3 1 Department of Computer Science, University of Illinois at Chicago Chicago,

More information

Double-base scalar multiplication revisited

Double-base scalar multiplication revisited Double-base scalar multiplication revisited Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 1, and Tanja Lange 1 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O.

More information

McBits: Fast code-based cryptography

McBits: Fast code-based cryptography McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography

More information

Faster ECC over F 2. School of Computer and Communication Sciences EPFL, Switzerland 2 CertiVox Labs.

Faster ECC over F 2. School of Computer and Communication Sciences EPFL, Switzerland 2 CertiVox Labs. Faster ECC over F 2 521 1 Robert Granger 1 and Michael Scott 2 1 Laboratory for Cryptologic Algorithms School of Computer and Communication Sciences EPFL, Switzerland robbiegranger@gmail.com 2 CertiVox

More information

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves SESSION ID: CRYP-T07 Patrick Longa Microsoft Research http://research.microsoft.com/en-us/people/plonga/

More information

Software implementation of Koblitz curves over quadratic fields

Software implementation of Koblitz curves over quadratic fields Software implementation of Koblitz curves over quadratic fields Thomaz Oliveira 1, Julio López 2 and Francisco Rodríguez-Henríquez 1 1 Computer Science Department, Cinvestav-IPN 2 Institute of Computing,

More information

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago

Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases D. J. Bernstein University of Illinois at Chicago NSF ITR 0716498 Part I. Linear maps Consider computing 0

More information

Four-Dimensional GLV Scalar Multiplication

Four-Dimensional GLV Scalar Multiplication Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic

More information

Ed448-Goldilocks, a new elliptic curve

Ed448-Goldilocks, a new elliptic curve Ed448-Goldilocks, a new elliptic curve Mike Hamburg Abstract Many papers have proposed elliptic curves which are faster and easier to implement than the NIST prime-order curves. Most of these curves have

More information

CRYPTOGRAPHIC COMPUTING

CRYPTOGRAPHIC COMPUTING CRYPTOGRAPHIC COMPUTING ON GPU Chen Mou Cheng Dept. Electrical Engineering g National Taiwan University January 16, 2009 COLLABORATORS Daniel Bernstein, UIC, USA Tien Ren Chen, Army Tanja Lange, TU Eindhoven,

More information

Edwards Curves and the ECM Factorisation Method

Edwards Curves and the ECM Factorisation Method Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and

More information

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos, Craig Costello, Huseyin Hisil, Kristin Lauter CHES 2013 Motivation - I Group DH ECDH (F p1, ) (E F p2, +)

More information

ECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA

ECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA ECM at Work Joppe W. Bos 1 and Thorsten Kleinjung 2 1 Microsoft Research, Redmond, USA 2 Laboratory for Cryptologic Algorithms, EPFL, Lausanne, Switzerland 1 / 18 Security assessment of public-key cryptography

More information

Elliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein

Elliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein Elliptic curves Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Diffie-Hellman key exchange Pick some generator. Diffie-Hellman key exchange Pick some generator. Diffie-Hellman

More information

Message Authentication Codes (MACs)

Message Authentication Codes (MACs) Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.

More information

Post-Snowden Elliptic Curve Cryptography. Patrick Longa Microsoft Research

Post-Snowden Elliptic Curve Cryptography. Patrick Longa Microsoft Research Post-Snowden Elliptic Curve Cryptography Patrick Longa Microsoft Research Joppe Bos Craig Costello Michael Naehrig NXP Semiconductors Microsoft Research Microsoft Research June 2013 the Snowden leaks the

More information

Side-channel attacks and countermeasures for curve based cryptography

Side-channel attacks and countermeasures for curve based cryptography Side-channel attacks and countermeasures for curve based cryptography Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org 28.05.2007 Tanja Lange SCA on curves p. 1 Overview Elliptic curves

More information

On the correct use of the negation map in the Pollard rho method

On the correct use of the negation map in the Pollard rho method On the correct use of the negation map in the Pollard rho method Daniel J. Bernstein 1, Tanja Lange 2, and Peter Schwabe 2 1 Department of Computer Science University of Illinois at Chicago, Chicago, IL

More information

A new class of irreducible pentanomials for polynomial based multipliers in binary fields

A new class of irreducible pentanomials for polynomial based multipliers in binary fields Noname manuscript No. (will be inserted by the editor) A new class of irreducible pentanomials for polynomial based multipliers in binary fields Gustavo Banegas Ricardo Custódio Daniel Panario the date

More information

A new class of irreducible pentanomials for polynomial based multipliers in binary fields

A new class of irreducible pentanomials for polynomial based multipliers in binary fields Noname manuscript No. (will be inserted by the editor) A new class of irreducible pentanomials for polynomial based multipliers in binary fields Gustavo Banegas Ricardo Custódio Daniel Panario the date

More information

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves. Elliptic Curves I 1.0 Introduction The first three sections introduce and explain the properties of elliptic curves. A background understanding of abstract algebra is required, much of which can be found

More information

The tangent FFT. D. J. Bernstein University of Illinois at Chicago

The tangent FFT. D. J. Bernstein University of Illinois at Chicago The tangent FFT D. J. Bernstein University of Illinois at Chicago Advertisement SPEED: Software Performance Enhancement for Encryption and Decryption A workshop on software speeds for secret-key cryptography

More information

ECM at Work. Joppe W. Bos and Thorsten Kleinjung. Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14

ECM at Work. Joppe W. Bos and Thorsten Kleinjung. Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14 ECM at Work Joppe W. Bos and Thorsten Kleinjung Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14 Motivation The elliptic curve method for integer factorization

More information

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven Signatures and DLP-I Tanja Lange Technische Universiteit Eindhoven How to compute ap Use binary representation of a to compute a(x; Y ) in blog 2 ac doublings and at most that many additions. E.g. a =

More information

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook

More information

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

Advanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Advanced code-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lattice-basis reduction Define L = (0; 24)Z + (1; 17)Z = {(b; 24a + 17b) : a;

More information

Hybrid Binary-Ternary Joint Sparse Form and its Application in Elliptic Curve Cryptography

Hybrid Binary-Ternary Joint Sparse Form and its Application in Elliptic Curve Cryptography Hybrid Binary-Ternary Joint Sparse Form and its Application in Elliptic Curve Cryptography Jithra Adikari, Student Member, IEEE, Vassil Dimitrov, and Laurent Imbert Abstract Multi-exponentiation is a common

More information

Pairings at High Security Levels

Pairings at High Security Levels Pairings at High Security Levels Michael Naehrig Eindhoven University of Technology michael@cryptojedi.org DoE CRYPTODOC Darmstadt, 21 November 2011 Pairings are efficient!... even at high security levels.

More information

Edwards coordinates for elliptic curves, part 1

Edwards coordinates for elliptic curves, part 1 Edwards coordinates for elliptic curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 19.10.2007 Tanja Lange http://www.hyperelliptic.org/tanja/newelliptic/

More information

(which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography)

(which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit

More information

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern

More information

45nm 1GHz Samsung Exynos more than 15 million sold.

45nm 1GHz Samsung Exynos more than 15 million sold. Smartphone/tablet CPUs 1 Apple A4 also appeared 2 ipad 1 (2010) was the in iphone 4 (2010). first popular tablet: 45nm 1GHz Samsung Exynos more than 15 million sold. 3110 in Samsung Galaxy S (2010) ipad

More information

Twisted Hessian curves

Twisted Hessian curves Twisted Hessian curves Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 1, David Kohel 3, and Tanja Lange 1 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O. Box

More information

Elliptic Curve Cryptography and Security of Embedded Devices

Elliptic Curve Cryptography and Security of Embedded Devices Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography

More information

Low-Weight Polynomial Form Integers for Efficient Modular Multiplication

Low-Weight Polynomial Form Integers for Efficient Modular Multiplication 1 Low-Weight Polynomial Form Integers for Efficient Modular Multiplication Jaewook Chung and M. Anwar Hasan February 9, 2006 Abstract In 1999, Jerome Solinas introduced families of moduli called the generalized

More information

Explicit Complex Multiplication

Explicit Complex Multiplication Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven,

More information

Inverted Edwards coordinates

Inverted Edwards coordinates Inverted Edwards coordinates Daniel J. Bernstein 1 and Tanja Lange 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at Chicago, Chicago, IL 60607 7045, USA

More information

Modular Multiplication in GF (p k ) using Lagrange Representation

Modular Multiplication in GF (p k ) using Lagrange Representation Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier

More information

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos 1, Craig Costello 1, Huseyin Hisil 2, and Kristin Lauter 1 1 Microsoft Research, Redmond, USA 2 Yasar University,

More information

Faster arithmetic for number-theoretic transforms

Faster arithmetic for number-theoretic transforms University of New South Wales 7th October 2011, Macquarie University Plan for talk 1. Review number-theoretic transform (NTT) 2. Discuss typical butterfly algorithm 3. Improvements to butterfly algorithm

More information

Fast Cryptography in Genus 2

Fast Cryptography in Genus 2 Fast Cryptography in Genus 2 Joppe W. Bos, Craig Costello, Huseyin Hisil and Kristin Lauter EUROCRYPT 2013 Athens, Greece May 27, 2013 Fast Cryptography in Genus 2 Recall that curves are much better than

More information

A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m )

A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m ) A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m ) Stefan Tillich, Johann Großschädl Institute for Applied Information Processing and

More information

µkummer: efficient hyperelliptic signatures and key exchange on microcontrollers

µkummer: efficient hyperelliptic signatures and key exchange on microcontrollers µkummer: efficient hyperelliptic signatures and key exchange on microcontrollers Joost Renes 1 Peter Schwabe 1 Benjamin Smith 2 Lejla Batina 1 1 Digital Security Group, Radboud University, The Netherlands

More information

Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products

Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products 1 Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products David Kohel Institut de Mathématiques de Luminy International Workshop on Codes and Cryptography 2011 Qingdao, 2 June

More information

Short Division of Long Integers. (joint work with David Harvey)

Short Division of Long Integers. (joint work with David Harvey) Short Division of Long Integers (joint work with David Harvey) Paul Zimmermann October 6, 2011 The problem to be solved Divide efficiently a p-bit floating-point number by another p-bit f-p number in the

More information

Side-channel attacks on PKC and countermeasures with contributions from PhD students

Side-channel attacks on PKC and countermeasures with contributions from PhD students basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud

More information

Efficient Application of Countermeasures for Elliptic Curve Cryptography

Efficient Application of Countermeasures for Elliptic Curve Cryptography Efficient Application of Countermeasures for Elliptic Curve Cryptography Vladimir Soukharev, Ph.D. Basil Hess, Ph.D. InfoSec Global Inc. May 19, 2017 Outline Introduction Brief Summary of ECC Arithmetic

More information

ECM using Edwards curves

ECM using Edwards curves ECM using Edwards curves Daniel J. Bernstein 1, Peter Birkner 2, Tanja Lange 2, and Christiane Peters 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at

More information

Arithmétique et Cryptographie Asymétrique

Arithmétique et Cryptographie Asymétrique Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians

More information

Chapter 4 Mathematics of Cryptography

Chapter 4 Mathematics of Cryptography Chapter 4 Mathematics of Cryptography Part II: Algebraic Structures Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 4.1 Chapter 4 Objectives To review the concept

More information

McBits: fast constant-time code-based cryptography. (to appear at CHES 2013)

McBits: fast constant-time code-based cryptography. (to appear at CHES 2013) McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit

More information

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch & Daniel J. Bernstein & Henry de

More information

Représentation RNS des nombres et calcul de couplages

Représentation RNS des nombres et calcul de couplages Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29

More information

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is

More information

An Analysis of Affine Coordinates for Pairing Computation

An Analysis of Affine Coordinates for Pairing Computation An Analysis of Affine Coordinates for Pairing Computation Michael Naehrig Microsoft Research mnaehrig@microsoft.com joint work with Kristin Lauter and Peter Montgomery Microsoft Research Pairing 2010,

More information

REDUNDANT TRINOMIALS FOR FINITE FIELDS OF CHARACTERISTIC 2

REDUNDANT TRINOMIALS FOR FINITE FIELDS OF CHARACTERISTIC 2 REDUNDANT TRINOMIALS FOR FINITE FIELDS OF CHARACTERISTIC 2 CHRISTOPHE DOCHE Abstract. In this paper we introduce so-called redundant trinomials to represent elements of nite elds of characteristic 2. The

More information

Performance evaluation of a new coordinate system for elliptic curves

Performance evaluation of a new coordinate system for elliptic curves Performance evaluation of a new coordinate system for elliptic curves Daniel J. Bernstein 1 and Tanja Lange 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois

More information

Pairings for Cryptography

Pairings for Cryptography Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +),

More information

You could have invented Supersingular Isogeny Diffie-Hellman

You could have invented Supersingular Isogeny Diffie-Hellman You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks

More information

FourQNEON: Faster Elliptic Curve Scalar Multiplications on ARM Processors

FourQNEON: Faster Elliptic Curve Scalar Multiplications on ARM Processors FourQNEON: Faster Elliptic Curve Scalar Multiplications on ARM Processors Patrick Longa Microsoft Research, USA plonga@microsoft.com Abstract. We present a high-speed, high-security implementation of the

More information

Models of Elliptic Curves

Models of Elliptic Curves Models of Elliptic Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 26.03.2009 D. J. Bernstein & T. Lange

More information

Efficient Subquadratic Space Complexity Binary Polynomial Multipliers Based On Block Recombination

Efficient Subquadratic Space Complexity Binary Polynomial Multipliers Based On Block Recombination Efficient Subquadratic Space Complexity Binary Polynomial Multipliers Based On Block Recombination Murat Cenk, Anwar Hasan, Christophe Negre To cite this version: Murat Cenk, Anwar Hasan, Christophe Negre.

More information

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition

High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos 1, Craig Costello 1, Huseyin Hisil 2, and Kristin Lauter 1 1 Microsoft Research, Redmond, USA 2 Yasar University,

More information

The Elliptic Curve in https

The Elliptic Curve in https The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol

More information

Frequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography

Frequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography Frequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography Selçuk Baktır, Berk Sunar {selcuk,sunar}@wpi.edu Department of Electrical & Computer Engineering Worcester Polytechnic Institute

More information

Computer Architecture 10. Residue Number Systems

Computer Architecture 10. Residue Number Systems Computer Architecture 10 Residue Number Systems Ma d e wi t h Op e n Of f i c e. o r g 1 A Puzzle What number has the reminders 2, 3 and 2 when divided by the numbers 7, 5 and 3? x mod 7 = 2 x mod 5 =

More information

Signatures and DLP. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein

Signatures and DLP. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein Signatures and DLP Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein ECDSA Users can sign messages using Edwards curves. Take a point P on an Edwards curve modulo a

More information

New Strategy for Doubling-Free Short Addition-Subtraction Chain

New Strategy for Doubling-Free Short Addition-Subtraction Chain Applied Mathematics & Information Sciences 2(2) (2008), 123 133 An International Journal c 2008 Dixie W Publishing Corporation, U. S. A. New Strategy for Doubling-Free Short Addition-Subtraction Chain

More information

On the complexity of computing discrete logarithms in the field F

On the complexity of computing discrete logarithms in the field F On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of

More information

Power Consumption Analysis. Arithmetic Level Countermeasures for ECC Coprocessor. Arithmetic Operators for Cryptography.

Power Consumption Analysis. Arithmetic Level Countermeasures for ECC Coprocessor. Arithmetic Operators for Cryptography. Power Consumption Analysis General principle: measure the current I in the circuit Arithmetic Level Countermeasures for ECC Coprocessor Arnaud Tisserand, Thomas Chabrier, Danuta Pamula I V DD circuit traces

More information

Subquadratic Computational Complexity Schemes for Extended Binary Field Multiplication Using Optimal Normal Bases

Subquadratic Computational Complexity Schemes for Extended Binary Field Multiplication Using Optimal Normal Bases 1 Subquadratic Computational Complexity Schemes for Extended Binary Field Multiplication Using Optimal Normal Bases H. Fan and M. A. Hasan March 31, 2007 Abstract Based on a recently proposed Toeplitz

More information

CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions

CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions Author: Markku-Juhani O. Saarinen Presented by: Jean-Philippe Aumasson CT-RSA '14, San Francisco, USA 26 February 2014 1 / 19 Sponge

More information

Attacking and defending the McEliece cryptosystem

Attacking and defending the McEliece cryptosystem Attacking and defending the McEliece cryptosystem (Joint work with Daniel J. Bernstein and Tanja Lange) Christiane Peters Technische Universiteit Eindhoven PQCrypto 2nd Workshop on Postquantum Cryptography

More information

Efficient Implementation of Elliptic Curve Point Operations Using Binary Edwards Curves

Efficient Implementation of Elliptic Curve Point Operations Using Binary Edwards Curves Efficient Implementation of Elliptic Curve Point Operations Using Binary Edwards Curves Richard Moloney, School of Mathematical Sciences, University College Dublin, Ireland richard.moloney@ucd.ie Pierre

More information

Finite Fields. SOLUTIONS Network Coding - Prof. Frank H.P. Fitzek

Finite Fields. SOLUTIONS Network Coding - Prof. Frank H.P. Fitzek Finite Fields In practice most finite field applications e.g. cryptography and error correcting codes utilizes a specific type of finite fields, namely the binary extension fields. The following exercises

More information

High-speed key encapsulation from NTRU

High-speed key encapsulation from NTRU High-speed key encapsulation from NTRU Andreas Hülsing 1, Joost Rijneveld 2, John Schanck 3,4, Peter Schwabe 2 1 Eindhoven University of Technology, The Netherlands 2 Radboud University, Nijmegen, The

More information

The Fundamental Theorem of Arithmetic

The Fundamental Theorem of Arithmetic Chapter 1 The Fundamental Theorem of Arithmetic 1.1 Primes Definition 1.1. We say that p N is prime if it has just two factors in N, 1 and p itself. Number theory might be described as the study of the

More information

Cyclic Groups in Cryptography

Cyclic Groups in Cryptography Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic

More information

Faster ECC over F 2. (feat. PMULL)

Faster ECC over F 2. (feat. PMULL) Faster ECC over F 2 571 (feat. PMULL) Hwajeong Seo 1 Institute for Infocomm Research (I2R), Singapore hwajeong84@gmail.com Abstract. In this paper, we show efficient elliptic curve cryptography implementations

More information

Comparison of Elliptic Curve and Edwards Curve

Comparison of Elliptic Curve and Edwards Curve CS90G - PROJECT REPORT Comparison of Elliptic Curve and Edwards Curve Shivapriya Hiremath, Stephanie Smith June 14, 013 1 INTRODUCTION In this project we have implemented the Elliptic Curve and Edwards

More information

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography International Workshop on Information Security & Hiding (ISH '05) Institute for Applied Information Processing and Communications

More information

Modern elliptic curve cryptography

Modern elliptic curve cryptography Modern elliptic curve cryptography Ivo Kubjas 1 Introduction Elliptic curve cryptography has raised attention as it allows for having shorter keys and ciphertexts. For example, to obtain similar security

More information

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC) 6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC) 6.0 Introduction Elliptic curve cryptography (ECC) is the application of elliptic curve in the field of cryptography.basically a form of PKC which applies over the

More information

Non-generic attacks on elliptic curve DLPs

Non-generic attacks on elliptic curve DLPs Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith

More information

Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map

Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map Jung Hee Cheon, Sungmo Park, Sangwoo Park, and Daeho Kim Electronics and Telecommunications Research Institute, 161 Kajong-Dong,Yusong-Gu,

More information

Sliding right into disaster - Left-to-right sliding windows leak

Sliding right into disaster - Left-to-right sliding windows leak Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and

More information

Lecture 11. Advanced Dividers

Lecture 11. Advanced Dividers Lecture 11 Advanced Dividers Required Reading Behrooz Parhami, Computer Arithmetic: Algorithms and Hardware Design Chapter 15 Variation in Dividers 15.3, Combinational and Array Dividers Chapter 16, Division

More information

Fast, twist-secure elliptic curve cryptography from Q-curves

Fast, twist-secure elliptic curve cryptography from Q-curves Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,

More information

Hardware implementations of ECC

Hardware implementations of ECC Hardware implementations of ECC The University of Electro- Communications Introduction Public- key Cryptography (PKC) The most famous PKC is RSA and ECC Used for key agreement (Diffie- Hellman), digital

More information

Integer multiplication with generalized Fermat primes

Integer multiplication with generalized Fermat primes Integer multiplication with generalized Fermat primes CARAMEL Team, LORIA, University of Lorraine Supervised by: Emmanuel Thomé and Jérémie Detrey Journées nationales du Calcul Formel 2015 (Cluny) November

More information

9. Datapath Design. Jacob Abraham. Department of Electrical and Computer Engineering The University of Texas at Austin VLSI Design Fall 2017

9. Datapath Design. Jacob Abraham. Department of Electrical and Computer Engineering The University of Texas at Austin VLSI Design Fall 2017 9. Datapath Design Jacob Abraham Department of Electrical and Computer Engineering The University of Texas at Austin VLSI Design Fall 2017 October 2, 2017 ECE Department, University of Texas at Austin

More information

SM9 identity-based cryptographic algorithms Part 1: General

SM9 identity-based cryptographic algorithms Part 1: General SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...

More information

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers

More information

Efficient Arithmetic on Elliptic and Hyperelliptic Curves

Efficient Arithmetic on Elliptic and Hyperelliptic Curves Efficient Arithmetic on Elliptic and Hyperelliptic Curves Department of Mathematics and Computer Science Eindhoven University of Technology Tutorial on Elliptic and Hyperelliptic Curve Cryptography 4 September

More information

Advanced Constructions in Curve-based Cryptography

Advanced Constructions in Curve-based Cryptography Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire d Informatique de l École polytechnique (LIX) Summer school on real-world crypto and privacy Sibenik,

More information

Computational algebraic number theory tackles lattice-based cryptography

Computational algebraic number theory tackles lattice-based cryptography Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right

More information

AN IMPROVED LOW LATENCY SYSTOLIC STRUCTURED GALOIS FIELD MULTIPLIER

AN IMPROVED LOW LATENCY SYSTOLIC STRUCTURED GALOIS FIELD MULTIPLIER Indian Journal of Electronics and Electrical Engineering (IJEEE) Vol.2.No.1 2014pp1-6 available at: www.goniv.com Paper Received :05-03-2014 Paper Published:28-03-2014 Paper Reviewed by: 1. John Arhter

More information

CPSC 518 Introduction to Computer Algebra Schönhage and Strassen s Algorithm for Integer Multiplication

CPSC 518 Introduction to Computer Algebra Schönhage and Strassen s Algorithm for Integer Multiplication CPSC 518 Introduction to Computer Algebra Schönhage and Strassen s Algorithm for Integer Multiplication March, 2006 1 Introduction We have now seen that the Fast Fourier Transform can be applied to perform

More information
2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback