Curve41417: Karatsuba revisited
|
|
- Ralf Porter
- 5 years ago
- Views:
Transcription
1 Curve41417: Karatsuba revisited Chitchanok Chuengsatiansup Technische Universiteit Eindhoven September 25, 2014 Joint work with Daniel J. Bernstein and Tanja Lange Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 1
2 Real-World Application Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 2
3 Performance budget This talk focuses on: n, P np ARM Cortex-A8 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 3
4 Performance budget This talk focuses on: n, P np ARM Cortex-A8 OpenSSL secp160-r1 (security level only 2 80 ) least secure option supported by OpenSSL 2.1 million cycles on FreeScale i.mx million cycles on TI Sitara Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 3
5 Performance budget This talk focuses on: n, P np ARM Cortex-A8 OpenSSL secp160-r1 (security level only 2 80 ) least secure option supported by OpenSSL 2.1 million cycles on FreeScale i.mx million cycles on TI Sitara Curve41417 (security level above ) 1.6 million cycles on FreeScale i.mx million cycles on TI Sitara Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 3
6 Design of Curve41417 High-security elliptic curve (security level above ) Defined over prime field F p where p = In Edwards curve form x 2 + y 2 = x 2 y 2 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 4
7 Design of Curve41417 High-security elliptic curve (security level above ) Defined over prime field F p where p = In Edwards curve form x 2 + y 2 = x 2 y 2 Large prime-order subgroup (cofactor 8) IEEE P1363 criteria (large embedding degree, etc.) Twist secure, i.e., twist of Curve41417 also secure Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 4
8 Side-Channel Attack Prevent software side-channel attack: constant-time no input-dependent branch no input-dependent array index Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 5
9 Side-Channel Attack Prevent software side-channel attack: constant-time no input-dependent branch no input-dependent array index Constant-time table-lookup: read entire table select via arithmetic if c is 1, select tbl[i] if c is 0, ignore tbl[i] t = (t (1 c)) + (tbl[i] (c) ) t = (t and (c 1)) xor (tbl[i] and ( c)) Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 5
10 ECC Arithmetic Mix coordinate systems: doubling: projective X, Y, Z addition: extended X, Y, Z, T (See Scalar multiplication: signed fixed windows of width w = 5 precompute 0P, 1P, 2P,..., 16P also multiply d = 3617 to T coordinate special first doubling compute T only before addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 6
11 ARM Cortex-A8 Vector Unit 128-bit vector Arithmetic and load/store unit can perform in parallel Operate in parallel on vectors of four 32-bit integers or two 64-bit integers Each cycle produces: four 32-bit integer additions: a 0 +b 0, a 1 +b 1, a 2 +b 2, a 3 +b 3 or two 64-bit integer additions: c 0 +d 0, c 1 +d 1 or one multiply-add instruction: a 0 b 0 + c 0 where a i, b i are 32- and c i, d i are 64-bit integers Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 7
12 Redundant Representation Use non-integer radix 2 414/16 = Decompose integer f modulo into 16 integer pieces Write f as f f f f f f f f f f f f f f f f 15 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 8
13 Carries Goal: Bring each limb down to 26 or 25 bits Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
14 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
15 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
16 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 8 m 9 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
17 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 8 m 9 m 10 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
18 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
19 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
20 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: m 0 m 1 m 8 m 9 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
21 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: m 0 m 1 m 8 m 9 m 4 m 5 m 12 m 13 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
22 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: m 0 m 1 m 2 m 8 m 9 m 10 m 4 m 5 m 12 m 13 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
23 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: m 0 m 1 m 2 m 8 m 9 m 10 m 4 m 5 m 6 m 12 m 13 m 14 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
24 Carries Goal: Bring each limb down to 26 or 25 bits Typical carry chain: m 0 m 1 m 2 m 14 m 15 m 0 m 1 Increase throughput: m 0 m 1 m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m 8 m 9 m 10 m 11 m 12 m 13 m 14 m 15 m 0 m 1 Decrease latency: m 0 m 1 m 2 m 3 m 4 m 5 m 8 m 9 m 10 m 11 m 12 m 13 m 4 m 5 m 6 m 7 m 8 m 9 m 12 m 13 m 14 m 15 m 0 m 1 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 9
25 Level of Karatsuba Karatsuba splits 1 (2n 2n) into 3 (n n) Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 10
26 Level of Karatsuba Karatsuba splits 1 (2n 2n) into 3 (n n) Zero-level Karatsuba (Schoolbook) e.g. for 16 limbs: = 256 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 10
27 Level of Karatsuba Karatsuba splits 1 (2n 2n) into 3 (n n) Zero-level Karatsuba (Schoolbook) e.g. for 16 limbs: = 256 One-level Karatsuba e.g.: (8 8) + some additions = some additions Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 10
28 Level of Karatsuba Karatsuba splits 1 (2n 2n) into 3 (n n) Zero-level Karatsuba (Schoolbook) e.g. for 16 limbs: = 256 One-level Karatsuba e.g.: (8 8) + some additions = some additions Two-level Karatsuba e.g.: 3 (8 8) 3 (3 (4 4)) + even more additions = even more additions Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 10
29 Level of Karatsuba Karatsuba splits 1 (2n 2n) into 3 (n n) Zero-level Karatsuba (Schoolbook) e.g. for 16 limbs: = 256 One-level Karatsuba e.g.: (8 8) + some additions = some additions Two-level Karatsuba e.g.: 3 (8 8) 3 (3 (4 4)) + even more additions = even more additions What is the zero-level/one-level cutoff for number of limbs? Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 10
30 GMP s cutoffs for Karatsuba cycles/byte bits Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 11
31 GMP s cutoffs for Karatsuba cycles/byte bits GMP 6.0.0a library chooses 1248 bits on ARM Cortex-A8 Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 11
32 GMP s cutoffs for Karatsuba cycles/byte bits GMP 6.0.0a library chooses 1248 bits on ARM Cortex-A8 We reduce cutoff via improvements to Karatsuba Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 11
33 GMP s cutoffs for Karatsuba cycles/byte bits GMP 6.0.0a library chooses 1248 bits on ARM Cortex-A8 We reduce cutoff via improvements to Karatsuba We reduce cutoff via redundant representation Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 11
34 Polynomial Multiplication Goal: Compute P = AB given A = a 0 + a 1 t n and B = b 0 + b 1 t n Method 1: schoolbook P = a 0 b 0 + (a 0 b 1 + a 1 b 0 )t n + a 1 b 1 t 2n Method 2: Karatsuba (8n 4 additions) P = a 0 b 0 +((a 0 +a 1 )(b 0 +b 1 ) a 0 b 0 a 1 b 1 )t n +a 1 b 1 t 2n Method 3: refined Karatsuba (7n 3 additions) P = (a 0 b 0 a 1 b 1 t n )(1 t n ) + (a 0 + a 1 )(b 0 + b 1 )t n Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 12
35 Polynomial Multiplication modq Goal: Compute P = AB modq given A = a 0 + a 1 t n and B = b 0 + b 1 t n Method 1: schoolbook P = a 0 b 0 + (a 0 b 1 + a 1 b 0 )t n + a 1 b 1 t 2n modq Method 2: Karatsuba (8n 4 additions) P = a 0 b 0 +((a 0 +a 1 )(b 0 +b 1 ) a 0 b 0 a 1 b 1 )t n +a 1 b 1 t 2n modq Method 3: refined Karatsuba (7n 3 additions) P = (a 0 b 0 a 1 b 1 t n )(1 t n ) + (a 0 + a 1 )(b 0 + b 1 )t n modq Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 12
36 Polynomial Multiplication modq Goal: Compute P = AB modq given A = a 0 + a 1 t n and B = b 0 + b 1 t n Method 1: schoolbook P = a 0 b 0 + (a 0 b 1 + a 1 b 0 )t n + a 1 b 1 t 2n modq Method 2: Karatsuba (8n 4 additions) P = a 0 b 0 +((a 0 +a 1 )(b 0 +b 1 ) a 0 b 0 a 1 b 1 )t n +a 1 b 1 t 2n modq Method 3: refined Karatsuba (7n 3 additions) P = (a 0 b 0 a 1 b 1 t n )(1 t n ) + (a 0 + a 1 )(b 0 + b 1 )t n modq Method 4: reduced refined Karatsuba (6n 2 additions) (new) P=(a 0 b 0 a 1 b 1 t n modq)(1 t n )+(a 0 +a 1 )(b 0 +b 1 )t n modq Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 12
37 Reduced Refined Karatsuba a 0 b 0 a 1 b 1 subtract reduce a 0 b 0 t n a 1 b 1 a 0 b 0 t n a 1 b 1 subtract (1 t n )(a 0 b 0 t n a 1 b 1 ) (a 0 + a 1 )(b 0 + b 1 ) subtract reduce Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 13
38 Cost Comparison (Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 223 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 14
39 Cost Comparison (Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 223 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 14
40 Cost Comparison (refined Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 210 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 15
41 Cost Comparison (refined Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 210 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 15
42 Cost Comparison (reduced refined Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 207 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 16
43 Cost Comparison (reduced refined Karatsuba) Level Mult. 64-bit Add 32-bit Cost 0-level = level = level = level = 207 Note: use multiply-add instructions Recall: 1 cycle per multiplication 0.5 cycle per 64-bit addition 0.25 cycle per 32-bit addition Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 16
44 Performance Comparison OpenSSL curve # cycle on i.mx515 # cycle on Sitara secp160r1 2.1 million 2.1 million nistp million 2.8 million nistp million 3.9 million nistp million 3.9 million nistp million 13.2 million nistp million 29.7 million Curve41417 (security level above ) 1.6 million cycles on FreeScale i.mx million cycles on TI Sitara Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 17
45 Performance Comparison OpenSSL curve # cycle on i.mx515 # cycle on Sitara secp160r1 2.1 million 2.1 million nistp million 2.8 million nistp million 3.9 million nistp million 3.9 million nistp million 13.2 million nistp million 29.7 million Curve41417 (security level above ) 1.6 million cycles on FreeScale i.mx million cycles on TI Sitara Coming soon: Intel Haswell implementation with Sebastian Verschoor Chitchanok Chuengsatiansup Curve41417: Karatsuba revisited 17
A new algorithm for residue multiplication modulo
A new algorithm for residue multiplication modulo 2 521 1 Shoukat Ali and Murat Cenk Institute of Applied Mathematics Middle East Technical University, Ankara, Turkey shoukat.1983@gmail.com mcenk@metu.edu.tr
More informationSoftware implementation of ECC
Software implementation of ECC Radboud University, Nijmegen, The Netherlands June 4, 2015 Summer school on real-world crypto and privacy Šibenik, Croatia Software implementation of (H)ECC Radboud University,
More informationKummer strikes back: new DH speed records
Kummer strikes back: new D speed records Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 2, Tanja Lange 2, and Peter Schwabe 3 1 Department of Computer Science, University of Illinois at Chicago Chicago,
More informationDouble-base scalar multiplication revisited
Double-base scalar multiplication revisited Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 1, and Tanja Lange 1 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O.
More informationMcBits: Fast code-based cryptography
McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography
More informationFaster ECC over F 2. School of Computer and Communication Sciences EPFL, Switzerland 2 CertiVox Labs.
Faster ECC over F 2 521 1 Robert Granger 1 and Michael Scott 2 1 Laboratory for Cryptologic Algorithms School of Computer and Communication Sciences EPFL, Switzerland robbiegranger@gmail.com 2 CertiVox
More informationEfficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves
Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves SESSION ID: CRYP-T07 Patrick Longa Microsoft Research http://research.microsoft.com/en-us/people/plonga/
More informationSoftware implementation of Koblitz curves over quadratic fields
Software implementation of Koblitz curves over quadratic fields Thomaz Oliveira 1, Julio López 2 and Francisco Rodríguez-Henríquez 1 1 Computer Science Department, Cinvestav-IPN 2 Institute of Computing,
More informationSpeeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases. D. J. Bernstein University of Illinois at Chicago
Speeding up characteristic 2: I. Linear maps II. The Å(Ò) game III. Batching IV. Normal bases D. J. Bernstein University of Illinois at Chicago NSF ITR 0716498 Part I. Linear maps Consider computing 0
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationEd448-Goldilocks, a new elliptic curve
Ed448-Goldilocks, a new elliptic curve Mike Hamburg Abstract Many papers have proposed elliptic curves which are faster and easier to implement than the NIST prime-order curves. Most of these curves have
More informationCRYPTOGRAPHIC COMPUTING
CRYPTOGRAPHIC COMPUTING ON GPU Chen Mou Cheng Dept. Electrical Engineering g National Taiwan University January 16, 2009 COLLABORATORS Daniel Bernstein, UIC, USA Tien Ren Chen, Army Tanja Lange, TU Eindhoven,
More informationEdwards Curves and the ECM Factorisation Method
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and
More informationHigh-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos, Craig Costello, Huseyin Hisil, Kristin Lauter CHES 2013 Motivation - I Group DH ECDH (F p1, ) (E F p2, +)
More informationECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA
ECM at Work Joppe W. Bos 1 and Thorsten Kleinjung 2 1 Microsoft Research, Redmond, USA 2 Laboratory for Cryptologic Algorithms, EPFL, Lausanne, Switzerland 1 / 18 Security assessment of public-key cryptography
More informationElliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein
Elliptic curves Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Diffie-Hellman key exchange Pick some generator. Diffie-Hellman key exchange Pick some generator. Diffie-Hellman
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationPost-Snowden Elliptic Curve Cryptography. Patrick Longa Microsoft Research
Post-Snowden Elliptic Curve Cryptography Patrick Longa Microsoft Research Joppe Bos Craig Costello Michael Naehrig NXP Semiconductors Microsoft Research Microsoft Research June 2013 the Snowden leaks the
More informationSide-channel attacks and countermeasures for curve based cryptography
Side-channel attacks and countermeasures for curve based cryptography Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org 28.05.2007 Tanja Lange SCA on curves p. 1 Overview Elliptic curves
More informationOn the correct use of the negation map in the Pollard rho method
On the correct use of the negation map in the Pollard rho method Daniel J. Bernstein 1, Tanja Lange 2, and Peter Schwabe 2 1 Department of Computer Science University of Illinois at Chicago, Chicago, IL
More informationA new class of irreducible pentanomials for polynomial based multipliers in binary fields
Noname manuscript No. (will be inserted by the editor) A new class of irreducible pentanomials for polynomial based multipliers in binary fields Gustavo Banegas Ricardo Custódio Daniel Panario the date
More informationA new class of irreducible pentanomials for polynomial based multipliers in binary fields
Noname manuscript No. (will be inserted by the editor) A new class of irreducible pentanomials for polynomial based multipliers in binary fields Gustavo Banegas Ricardo Custódio Daniel Panario the date
More informationElliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.
Elliptic Curves I 1.0 Introduction The first three sections introduce and explain the properties of elliptic curves. A background understanding of abstract algebra is required, much of which can be found
More informationThe tangent FFT. D. J. Bernstein University of Illinois at Chicago
The tangent FFT D. J. Bernstein University of Illinois at Chicago Advertisement SPEED: Software Performance Enhancement for Encryption and Decryption A workshop on software speeds for secret-key cryptography
More informationECM at Work. Joppe W. Bos and Thorsten Kleinjung. Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14
ECM at Work Joppe W. Bos and Thorsten Kleinjung Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14 Motivation The elliptic curve method for integer factorization
More informationSignatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven
Signatures and DLP-I Tanja Lange Technische Universiteit Eindhoven How to compute ap Use binary representation of a to compute a(x; Y ) in blog 2 ac doublings and at most that many additions. E.g. a =
More informationPublic-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.
Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook
More informationAdvanced code-based cryptography. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
Advanced code-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lattice-basis reduction Define L = (0; 24)Z + (1; 17)Z = {(b; 24a + 17b) : a;
More informationHybrid Binary-Ternary Joint Sparse Form and its Application in Elliptic Curve Cryptography
Hybrid Binary-Ternary Joint Sparse Form and its Application in Elliptic Curve Cryptography Jithra Adikari, Student Member, IEEE, Vassil Dimitrov, and Laurent Imbert Abstract Multi-exponentiation is a common
More informationPairings at High Security Levels
Pairings at High Security Levels Michael Naehrig Eindhoven University of Technology michael@cryptojedi.org DoE CRYPTODOC Darmstadt, 21 November 2011 Pairings are efficient!... even at high security levels.
More informationEdwards coordinates for elliptic curves, part 1
Edwards coordinates for elliptic curves, part 1 Tanja Lange Technische Universiteit Eindhoven tanja@hyperelliptic.org joint work with Daniel J. Bernstein 19.10.2007 Tanja Lange http://www.hyperelliptic.org/tanja/newelliptic/
More information(which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography)
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit
More informationHyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago
Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern
More information45nm 1GHz Samsung Exynos more than 15 million sold.
Smartphone/tablet CPUs 1 Apple A4 also appeared 2 ipad 1 (2010) was the in iphone 4 (2010). first popular tablet: 45nm 1GHz Samsung Exynos more than 15 million sold. 3110 in Samsung Galaxy S (2010) ipad
More informationTwisted Hessian curves
Twisted Hessian curves Daniel J. Bernstein 1,2, Chitchanok Chuengsatiansup 1, David Kohel 3, and Tanja Lange 1 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven P.O. Box
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationLow-Weight Polynomial Form Integers for Efficient Modular Multiplication
1 Low-Weight Polynomial Form Integers for Efficient Modular Multiplication Jaewook Chung and M. Anwar Hasan February 9, 2006 Abstract In 1999, Jerome Solinas introduced families of moduli called the generalized
More informationExplicit Complex Multiplication
Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven,
More informationInverted Edwards coordinates
Inverted Edwards coordinates Daniel J. Bernstein 1 and Tanja Lange 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at Chicago, Chicago, IL 60607 7045, USA
More informationModular Multiplication in GF (p k ) using Lagrange Representation
Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier
More informationHigh-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos 1, Craig Costello 1, Huseyin Hisil 2, and Kristin Lauter 1 1 Microsoft Research, Redmond, USA 2 Yasar University,
More informationFaster arithmetic for number-theoretic transforms
University of New South Wales 7th October 2011, Macquarie University Plan for talk 1. Review number-theoretic transform (NTT) 2. Discuss typical butterfly algorithm 3. Improvements to butterfly algorithm
More informationFast Cryptography in Genus 2
Fast Cryptography in Genus 2 Joppe W. Bos, Craig Costello, Huseyin Hisil and Kristin Lauter EUROCRYPT 2013 Athens, Greece May 27, 2013 Fast Cryptography in Genus 2 Recall that curves are much better than
More informationA Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m )
A Simple Architectural Enhancement for Fast and Flexible Elliptic Curve Cryptography over Binary Finite Fields GF(2 m ) Stefan Tillich, Johann Großschädl Institute for Applied Information Processing and
More informationµkummer: efficient hyperelliptic signatures and key exchange on microcontrollers
µkummer: efficient hyperelliptic signatures and key exchange on microcontrollers Joost Renes 1 Peter Schwabe 1 Benjamin Smith 2 Lejla Batina 1 1 Digital Security Group, Radboud University, The Netherlands
More informationArithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products
1 Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products David Kohel Institut de Mathématiques de Luminy International Workshop on Codes and Cryptography 2011 Qingdao, 2 June
More informationShort Division of Long Integers. (joint work with David Harvey)
Short Division of Long Integers (joint work with David Harvey) Paul Zimmermann October 6, 2011 The problem to be solved Divide efficiently a p-bit floating-point number by another p-bit f-p number in the
More informationSide-channel attacks on PKC and countermeasures with contributions from PhD students
basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud
More informationEfficient Application of Countermeasures for Elliptic Curve Cryptography
Efficient Application of Countermeasures for Elliptic Curve Cryptography Vladimir Soukharev, Ph.D. Basil Hess, Ph.D. InfoSec Global Inc. May 19, 2017 Outline Introduction Brief Summary of ECC Arithmetic
More informationECM using Edwards curves
ECM using Edwards curves Daniel J. Bernstein 1, Peter Birkner 2, Tanja Lange 2, and Christiane Peters 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationChapter 4 Mathematics of Cryptography
Chapter 4 Mathematics of Cryptography Part II: Algebraic Structures Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 4.1 Chapter 4 Objectives To review the concept
More informationMcBits: fast constant-time code-based cryptography. (to appear at CHES 2013)
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Christine van Vredendaal Technische Universiteit Eindhoven 1 May 2017 Joint work with: Jens Bauch & Daniel J. Bernstein & Henry de
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationFaster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Michael Naehrig Microsoft Research mnaehrig@microsoft.com joint work with Kristin Lauter and Peter Montgomery Microsoft Research Pairing 2010,
More informationREDUNDANT TRINOMIALS FOR FINITE FIELDS OF CHARACTERISTIC 2
REDUNDANT TRINOMIALS FOR FINITE FIELDS OF CHARACTERISTIC 2 CHRISTOPHE DOCHE Abstract. In this paper we introduce so-called redundant trinomials to represent elements of nite elds of characteristic 2. The
More informationPerformance evaluation of a new coordinate system for elliptic curves
Performance evaluation of a new coordinate system for elliptic curves Daniel J. Bernstein 1 and Tanja Lange 2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois
More informationPairings for Cryptography
Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +),
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationFourQNEON: Faster Elliptic Curve Scalar Multiplications on ARM Processors
FourQNEON: Faster Elliptic Curve Scalar Multiplications on ARM Processors Patrick Longa Microsoft Research, USA plonga@microsoft.com Abstract. We present a high-speed, high-security implementation of the
More informationModels of Elliptic Curves
Models of Elliptic Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 26.03.2009 D. J. Bernstein & T. Lange
More informationEfficient Subquadratic Space Complexity Binary Polynomial Multipliers Based On Block Recombination
Efficient Subquadratic Space Complexity Binary Polynomial Multipliers Based On Block Recombination Murat Cenk, Anwar Hasan, Christophe Negre To cite this version: Murat Cenk, Anwar Hasan, Christophe Negre.
More informationHigh-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos 1, Craig Costello 1, Huseyin Hisil 2, and Kristin Lauter 1 1 Microsoft Research, Redmond, USA 2 Yasar University,
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationFrequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography
Frequency Domain Finite Field Arithmetic for Elliptic Curve Cryptography Selçuk Baktır, Berk Sunar {selcuk,sunar}@wpi.edu Department of Electrical & Computer Engineering Worcester Polytechnic Institute
More informationComputer Architecture 10. Residue Number Systems
Computer Architecture 10 Residue Number Systems Ma d e wi t h Op e n Of f i c e. o r g 1 A Puzzle What number has the reminders 2, 3 and 2 when divided by the numbers 7, 5 and 3? x mod 7 = 2 x mod 5 =
More informationSignatures and DLP. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein
Signatures and DLP Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein ECDSA Users can sign messages using Edwards curves. Take a point P on an Edwards curve modulo a
More informationNew Strategy for Doubling-Free Short Addition-Subtraction Chain
Applied Mathematics & Information Sciences 2(2) (2008), 123 133 An International Journal c 2008 Dixie W Publishing Corporation, U. S. A. New Strategy for Doubling-Free Short Addition-Subtraction Chain
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More informationPower Consumption Analysis. Arithmetic Level Countermeasures for ECC Coprocessor. Arithmetic Operators for Cryptography.
Power Consumption Analysis General principle: measure the current I in the circuit Arithmetic Level Countermeasures for ECC Coprocessor Arnaud Tisserand, Thomas Chabrier, Danuta Pamula I V DD circuit traces
More informationSubquadratic Computational Complexity Schemes for Extended Binary Field Multiplication Using Optimal Normal Bases
1 Subquadratic Computational Complexity Schemes for Extended Binary Field Multiplication Using Optimal Normal Bases H. Fan and M. A. Hasan March 31, 2007 Abstract Based on a recently proposed Toeplitz
More informationCBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions
CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions Author: Markku-Juhani O. Saarinen Presented by: Jean-Philippe Aumasson CT-RSA '14, San Francisco, USA 26 February 2014 1 / 19 Sponge
More informationAttacking and defending the McEliece cryptosystem
Attacking and defending the McEliece cryptosystem (Joint work with Daniel J. Bernstein and Tanja Lange) Christiane Peters Technische Universiteit Eindhoven PQCrypto 2nd Workshop on Postquantum Cryptography
More informationEfficient Implementation of Elliptic Curve Point Operations Using Binary Edwards Curves
Efficient Implementation of Elliptic Curve Point Operations Using Binary Edwards Curves Richard Moloney, School of Mathematical Sciences, University College Dublin, Ireland richard.moloney@ucd.ie Pierre
More informationFinite Fields. SOLUTIONS Network Coding - Prof. Frank H.P. Fitzek
Finite Fields In practice most finite field applications e.g. cryptography and error correcting codes utilizes a specific type of finite fields, namely the binary extension fields. The following exercises
More informationHigh-speed key encapsulation from NTRU
High-speed key encapsulation from NTRU Andreas Hülsing 1, Joost Rijneveld 2, John Schanck 3,4, Peter Schwabe 2 1 Eindhoven University of Technology, The Netherlands 2 Radboud University, Nijmegen, The
More informationThe Fundamental Theorem of Arithmetic
Chapter 1 The Fundamental Theorem of Arithmetic 1.1 Primes Definition 1.1. We say that p N is prime if it has just two factors in N, 1 and p itself. Number theory might be described as the study of the
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More informationFaster ECC over F 2. (feat. PMULL)
Faster ECC over F 2 571 (feat. PMULL) Hwajeong Seo 1 Institute for Infocomm Research (I2R), Singapore hwajeong84@gmail.com Abstract. In this paper, we show efficient elliptic curve cryptography implementations
More informationComparison of Elliptic Curve and Edwards Curve
CS90G - PROJECT REPORT Comparison of Elliptic Curve and Edwards Curve Shivapriya Hiremath, Stephanie Smith June 14, 013 1 INTRODUCTION In this project we have implemented the Elliptic Curve and Edwards
More informationAccelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl
Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography International Workshop on Information Security & Hiding (ISH '05) Institute for Applied Information Processing and Communications
More informationModern elliptic curve cryptography
Modern elliptic curve cryptography Ivo Kubjas 1 Introduction Elliptic curve cryptography has raised attention as it allows for having shorter keys and ciphertexts. For example, to obtain similar security
More information6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)
6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC) 6.0 Introduction Elliptic curve cryptography (ECC) is the application of elliptic curve in the field of cryptography.basically a form of PKC which applies over the
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationTwo Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map
Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map Jung Hee Cheon, Sungmo Park, Sangwoo Park, and Daeho Kim Electronics and Telecommunications Research Institute, 161 Kajong-Dong,Yusong-Gu,
More informationSliding right into disaster - Left-to-right sliding windows leak
Sliding right into disaster - Left-to-right sliding windows leak Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
More informationLecture 11. Advanced Dividers
Lecture 11 Advanced Dividers Required Reading Behrooz Parhami, Computer Arithmetic: Algorithms and Hardware Design Chapter 15 Variation in Dividers 15.3, Combinational and Array Dividers Chapter 16, Division
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationHardware implementations of ECC
Hardware implementations of ECC The University of Electro- Communications Introduction Public- key Cryptography (PKC) The most famous PKC is RSA and ECC Used for key agreement (Diffie- Hellman), digital
More informationInteger multiplication with generalized Fermat primes
Integer multiplication with generalized Fermat primes CARAMEL Team, LORIA, University of Lorraine Supervised by: Emmanuel Thomé and Jérémie Detrey Journées nationales du Calcul Formel 2015 (Cluny) November
More information9. Datapath Design. Jacob Abraham. Department of Electrical and Computer Engineering The University of Texas at Austin VLSI Design Fall 2017
9. Datapath Design Jacob Abraham Department of Electrical and Computer Engineering The University of Texas at Austin VLSI Design Fall 2017 October 2, 2017 ECE Department, University of Texas at Austin
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationHigh-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers
More informationEfficient Arithmetic on Elliptic and Hyperelliptic Curves
Efficient Arithmetic on Elliptic and Hyperelliptic Curves Department of Mathematics and Computer Science Eindhoven University of Technology Tutorial on Elliptic and Hyperelliptic Curve Cryptography 4 September
More informationAdvanced Constructions in Curve-based Cryptography
Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire d Informatique de l École polytechnique (LIX) Summer school on real-world crypto and privacy Sibenik,
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationAN IMPROVED LOW LATENCY SYSTOLIC STRUCTURED GALOIS FIELD MULTIPLIER
Indian Journal of Electronics and Electrical Engineering (IJEEE) Vol.2.No.1 2014pp1-6 available at: www.goniv.com Paper Received :05-03-2014 Paper Published:28-03-2014 Paper Reviewed by: 1. John Arhter
More informationCPSC 518 Introduction to Computer Algebra Schönhage and Strassen s Algorithm for Integer Multiplication
CPSC 518 Introduction to Computer Algebra Schönhage and Strassen s Algorithm for Integer Multiplication March, 2006 1 Introduction We have now seen that the Fast Fourier Transform can be applied to perform
More information