DOCSLIB.ORG

Secure, Fast and Verified Cryptographic Applications: a Scalable Approach

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Secure, Fast and Verified Cryptographic Applications: a Scalable Approach Secure, fast and verified cryptographic applications :a scalable approach Jean-Karim Zinzindohoué-Marsaudon To cite this version: Jean-Karim Zinzindohoué-Marsaudon. Secure, fast and verified cryptographic applications : a scalable approach. Cryptography and Security [cs.CR]. Université Paris sciences et lettres, 2018. English. NNT : 2018PSLEE052. tel-01981380v2 HAL Id: tel-01981380 https://tel.archives-ouvertes.fr/tel-01981380v2 Submitted on 10 Jan 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. THÈSE DE DOCTORAT de l’Université de recherche Paris Sciences et Lettres PSL Research University Préparée à ENS Ulm – INRIA Paris SECURE, FAST AND VERIFIED CRYPTOGRAPHIC APPLICATIONS: A SCALABLE APPROACH IMPLEMENTATIONS CRYPTOGRAPHIQUES SURES, PERFORMANTES ET VERIFIEES : UNE APPROCHE PASSANT A L’ECHELLE Ecole doctorale ED386 SCIENCES MATHEMATIQUES DE PARIS CENTRE Spécialité INFORMATIQUE COMPOSITION DU JURY : Mme. CORTIER Véronique LORIA, Rapporteur , Présidente du Jury M. FOUQUE Pierre-Alain Université Rennes 1, Rapporteur M. SCHWABE Peter Soutenue par JEAN-KARIM Radboud University, Membre du jury ZINZINDOHOUE-MARSAUDON M. FOURNET Cédric le 03 juillet 2018 Microsoft Research, Membre du jury h M. STRUB Pierre-Yves Ecole Polytechnique, Membre du jury Dirigée par KARTHIKEYAN BHARGAVAN M. BHARGAVAN Karthikeyan INRIA Paris, Membre du jury h SECURE, FAST AND VERIFIED CRYPTOGRAPHIC APPLICATIONS: A SCALABLE APPROACH Jean-Karim ZINZINDOHOUE-MARSAUDON Ph. D. Thesis President of the Jury: Ms. Véronique CORTIER July 3rd 2018 Abstract The security of Internet applications relies crucially on the secure design and robust implementations of cryptographic algorithms and protocols. This thesis presents a new, scalable and extensible approach for verifying state-of-the-art bignum algorithms, found in popular cryptographic implementations. Our code and proofs are written in F∗, a proof-oriented language which offers a very rich and expressive type system, with dependent types, refinement types, effects and customizable memory models. The natural way of writing and verifying higher-order functional code in F∗ prioritizes code sharing and proof composition, but this results in low performance for cryptographic code. We propose a new language, Low∗, a fragment of F∗ which can be seen as a shal- low embedding of C in F∗ and safely compiled to C code. Nonetheless, Low∗ retains the full expressiveness and verification power of the F∗ system, at the specification and proof level. We use Low∗ to implement cryptographic code, incorporating state-of-the-art optimizations from existing C libraries. We use F∗ to verify this code for functional correctness, memory safety and secret in- dependence. We present HACL∗, a full-fledged and fully verified cryptographic library which boasts performance on par, if not better, with the reference C code. Several algorithms from HACL∗ are now part of NSS, Mozilla’s cryp- tographic library, notably used in the Firefox web browser and the Red Hat operating system. Eventually, we apply our techniques to miTLS, a verified implementation of the Transport Layer Security protocol. We show how they extend to cryptographic proofs, state-machine implementations and message parsing verification. 3 Contents Contents 4 1 Introduction 7 1.1 Contributions . 13 1.2 Related work . 13 2 Verified Programming in F∗ 19 2.1 Raising the Level of Trust in Software Development . 19 2.2 F∗, a proof-oriented programming language . 21 2.3 Syntax . 22 2.4 Types . 25 2.5 Proofs . 27 2.6 Effects . 34 2.7 Proofs with effects . 40 2.8 Libraries . 43 2.9 A feel for the SMT encoding . 49 3 An Extensible Bignum Framework for Cryptography 53 3.1 A Dire Need for Trust in Cryptography . 53 3.2 Prime fields Arithmetic . 54 3.3 A verified generic bignum library . 58 3.4 A second approach: balancing code sharing and performance . 74 4 Low∗, a Low-Level Programming Subset of F∗ 81 4.1 Verification Approach . 81 4.2 The Low∗ language . 85 4.3 A formal translation from Low∗ to Clight . 95 4.4 The KreMLin compiler . 103 4.5 KreMLin: a Compiler from Low∗ to C . 103 5 HACL∗, a Fast and Verified Reference Cryptographic Library107 5.1 A self-contained, modern and efficient cryptographic library . 107 5.2 Methodology: Structuring the Library Between Specifications and Low-Level Code . 109 4 Contents 5.3 High-Level Specifications . 110 5.4 Low-level Low∗ code . 118 5.5 Vectorization . 126 5.6 Evaluation (LoC, verification time, benchmarks etc.) . 131 6 Going Further: Building Secure Cryptographic Applications 137 6.1 Towards Cryptographic Proofs of Protocols . 138 6.2 A Verified State Machine for OpenSSL . 150 6.3 Parsing Protocol Messages . 157 7 Conclusion 165 Bibliography 169 5 Chapter 1 Introduction The last few decades have seen a booming expansion of information technolo- gies. In less than half a century, the Internet went from a confidential military network to an indispensable communication technology that we all rely on. This incredible development was backed by dramatic improvements in compu- tational power, storage capacity and worldwide connectivity in such a way that sharing large amounts of data and computational resources across the planet is now an easy feat. New generations of children are raised in a connected world where everything is immediate and decentralized, and information tech- nologies are now pervasive. The development of new usages and features has been the main drive for this technological and societal revolution, led by young information technology (IT) companies that have grown to be richer — and maybe more powerful — than certain states. Unfortunately, other subjects of concern such as security and privacy have not received as much attention, mostly for business and marketing reasons: the hype supporting new products always originates from new, distinguishing features, while improvements on the overall quality of the products in terms of safety, security or privacy are much harder to show off and market. This is not without consequences. Current users of various communication sys- tems around the globe are mostly unaware that they inherited many legacy protocols, software designs and more generally conceptual views from their predecessors. Because of the pace at which new standards, technologies and usages ap- pear and disappear, IT companies focus on maintaining compatibility between their latest most up-to-date products and legacy items. Thus low-level li- braries, which are at the core of many of those products, tend to encompass a broad range of features, from legacy ones to the most recent or advanced, in a mix of old and recent code. These libraries are essential building blocks for software applications, for instance providing ways to access the kernel of the system, to use the graphical interfaces, to access cryptographic or networking functionalities etc. with new, non-interoperable versions of those components 7 1. Introduction every couple months or years. Hence, these libraries are regularly updated, integrating new features but retaining the old ones, which may still be useful to a number of products. This process results in always larger and more com- plex codebases, almost impossible to audit and fully review, and sometimes leads to major issues: software components are usually not completely isolated and a flaw in some remote unused part of a core library could be used by an attacker to corrupt the whole system. It raises the following questions: should we trust legacy code which is sel- dom used, might not have been developed with the current security standards and may very well be flawed in a way that would compromise the whole code- base? And on the other hand, should we trust the latest implementations which have not yet received a lot of attention and may be similarly flawed? Obviously we should be extremely cautious in both cases, and still, this is under the assumption that the code is open-source so that the community can review it and contribute. Proprietary code that almost no one gets their hands on should be considered with the utmost care. The research community is always keen on studying the security of new systems under different and often innovative angles, and thus for a long time now these evolving new technologies have been analyzed, criticized and new approaches have been proposed. Unfortunately, exchanges between academic researchers and the IT industry are limited. Although there are some ties between the two communities, in practice it is not so common for academia to consider industrial constraints or the industry the latest academic research innovations. No one is to blame, the industry has its own set of constraints which often do not apply to a research environment, while real companies are interested in improvements from the research community only as long as they can readily be integrated in their processes at a negligible cost or with a high return on investment, which does not happen so often. However, as computer science is still young and undergoing heavy changes, now may be a good time to encourage further cooperation, especially on security related aspects. The ambition of this work is to improve security in software development by bringing state-of-the-art methods from academia together with the specific needs from the industry and real world applications, and build new ways to solve the later using the former. This idea of making research more practi- cal, or making the industry more research aware is not novel. Nonetheless, as new concerns emerge from the security and privacy aspects of computer science, contributing to making communication systems more reliable, robust and trustworthy appears as a challenging topic, which will quickly produce results and significant long term impacts.
Load more

Recommended publications
  • Why Untyped Nonground Metaprogramming Is Not (Much Of) a Problem
    NORTH- HOLLAND WHY UNTYPED NONGROUND METAPROGRAMMING IS NOT (MUCH OF) A PROBLEM BERN MARTENS* and DANNY DE SCHREYE+ D We study a semantics for untyped, vanilla metaprograms, using the non- ground representation for object level variables. We introduce the notion of language independence, which generalizes range restriction. We show that the vanilla metaprogram associated with a stratified normal oljjctct program is weakly stratified. For language independent, stratified normal object programs, we prove that there is a natural one-to-one correspon- dence between atoms p(tl, . , tr) in the perfect Herbrand model of t,he object program and solve(p(tl, , tT)) atoms in the weakly perfect Her\) and model of the associated vanilla metaprogram. Thus, for this class of programs, the weakly perfect, Herbrand model provides a sensible SC mantics for the metaprogram. We show that this result generalizes to nonlanguage independent programs in the context of an extended Hcr- brand semantics, designed to closely mirror the operational behavior of logic programs. Moreover, we also consider a number of interesting exterl- sions and/or variants of the basic vanilla metainterpreter. For instance. WC demonstrate how our approach provides a sensible semantics for a limit4 form of amalgamation. a “Partly supported by the Belgian National Fund for Scientific Research, partly by ESPRlT BRA COMPULOG II, Contract 6810, and partly by GOA “Non-Standard Applications of Ab- stract Interpretation,” Belgium. TResearch Associate of the Belgian National Fund for Scientific Research Address correspondence to Bern Martens and Danny De Schreye, Department of Computer Science, Katholieke Universiteit Leuven, Celestijnenlaan 200A. B-3001 Hevrrlee Belgium E-mail- {bern, dannyd}@cs.kuleuven.ac.be.
    [Show full text]
  • Practical Reflection and Metaprogramming for Dependent
    Practical Reflection and Metaprogramming for Dependent Types David Raymond Christiansen Advisor: Peter Sestoft Submitted: November 2, 2015 i Abstract Embedded domain-specific languages are special-purpose pro- gramming languages that are implemented within existing general- purpose programming languages. Dependent type systems allow strong invariants to be encoded in representations of domain-specific languages, but it can also make it difficult to program in these em- bedded languages. Interpreters and compilers must always take these invariants into account at each stage, and authors of embedded languages must work hard to relieve users of the burden of proving these properties. Idris is a dependently typed functional programming language whose semantics are given by elaboration to a core dependent type theory through a tactic language. This dissertation introduces elabo- rator reflection, in which the core operators of the elaborator are real- ized as a type of computations that are executed during the elab- oration process of Idris itself, along with a rich API for reflection. Elaborator reflection allows domain-specific languages to be imple- mented using the same elaboration technology as Idris itself, and it gives them additional means of interacting with native Idris code. It also allows Idris to be used as its own metalanguage, making it into a programmable programming language and allowing code re-use across all three stages: elaboration, type checking, and execution. Beyond elaborator reflection, other forms of compile-time reflec- tion have proven useful for embedded languages. This dissertation also describes error reflection, in which Idris code can rewrite DSL er- ror messages before presenting domain-specific messages to users, as well as a means for integrating quasiquotation into a tactic-based elaborator so that high-level syntax can be used for low-level reflected terms.
    [Show full text]
  • Dynamic Extension of Typed Functional Languages
    Dynamic Extension of Typed Functional Languages Don Stewart PhD Dissertation School of Computer Science and Engineering University of New South Wales 2010 Supervisor: Assoc. Prof. Manuel M. T. Chakravarty Co-supervisor: Dr. Gabriele Keller Abstract We present a solution to the problem of dynamic extension in statically typed functional languages with type erasure. The presented solution re- tains the benefits of static checking, including type safety, aggressive op- timizations, and native code compilation of components, while allowing extensibility of programs at runtime. Our approach is based on a framework for dynamic extension in a stat- ically typed setting, combining dynamic linking, runtime type checking, first class modules and code hot swapping. We show that this framework is sufficient to allow a broad class of dynamic extension capabilities in any statically typed functional language with type erasure semantics. Uniquely, we employ the full compile-time type system to perform run- time type checking of dynamic components, and emphasize the use of na- tive code extension to ensure that the performance benefits of static typing are retained in a dynamic environment. We also develop the concept of fully dynamic software architectures, where the static core is minimal and all code is hot swappable. Benefits of the approach include hot swappable code and sophisticated application extension via embedded domain specific languages. We instantiate the concepts of the framework via a full implementation in the Haskell programming language: providing rich mechanisms for dy- namic linking, loading, hot swapping, and runtime type checking in Haskell for the first time. We demonstrate the feasibility of this architecture through a number of novel applications: an extensible text editor; a plugin-based network chat bot; a simulator for polymer chemistry; and xmonad, an ex- tensible window manager.
    [Show full text]
  • Metaprogramming with Julia
    Metaprogramming with Julia https://szufel.pl Programmers effort vs execution speed Octave R Python Matlab time, time, log scale - C JavaScript Java Go Julia C rozmiar kodu Sourcewego w KB Source: http://www.oceanographerschoice.com/2016/03/the-julia-language-is-the-way-of-the-future/ 2 Metaprogramming „Metaprogramming is a programming technique in which computer programs have the ability to treat other programs as their data. It means that a program can be designed to read, generate, analyze or transform other programs, and even modify itself while running.” (source: Wikipedia) julia> code = Meta.parse("x=5") :(x = 5) julia> dump(code) Expr head: Symbol = args: Array{Any}((2,)) 1: Symbol x 2: Int64 5 3 Metaprogramming (cont.) julia> code = Meta.parse("x=5") :(x = 5) julia> dump(code) Expr head: Symbol = args: Array{Any}((2,)) 1: Symbol x 2: Int64 5 julia> eval(code) 5 julia> x 5 4 Julia Compiler system not quite accurate picture... Source: https://www.researchgate.net/ publication/301876510_High- 5 level_GPU_programming_in_Julia Example 1. Select a field from an object function getValueOfA(x) return x.a end function getValueOf(x, name::String) return getproperty(x, Symbol(name)) end function getValueOf2(name::String) field = Symbol(name) code = quote (obj) -> obj.$field end return eval(code) end function getValueOf3(name::String) return eval(Meta.parse("obj -> obj.$name")) end 6 Let’s test using BenchmarkTools struct MyStruct a b end x = MyStruct(5,6) @btime getValueOfA($x) @btime getValueOf($x,"a") const getVal2 = getValueOf2("a") @btime
    [Show full text]
  • How to (Pre-)Compute a Ladder
    How to (pre-)compute a ladder Improving the performance of X25519 and X448 Thomaz Oliveira1, Julio L´opez2, H¨useyinHı¸sıl3, Armando Faz-Hern´andez2, and Francisco Rodr´ıguez-Henr´ıquez1 1 Computer Science Department, Cinvestav-IPN [email protected], [email protected] 2 Institute of Computing, University of Campinas [email protected], [email protected] 3 Yasar University [email protected] Abstract. In the RFC 7748 memorandum, the Internet Research Task Force specified a Montgomery-ladder scalar multiplication function based on two recently adopted elliptic curves, \curve25519" and \curve448". The purpose of this function is to support the Diffie-Hellman key ex- change algorithm that will be included in the forthcoming version of the Transport Layer Security cryptographic protocol. In this paper, we describe a ladder variant that permits to accelerate the fixed-point mul- tiplication function inherent to the Diffie-Hellman key pair generation phase. Our proposal combines a right-to-left version of the Montgomery ladder along with the pre-computation of constant values directly de- rived from the base-point and its multiples. To our knowledge, this is the first proposal of a Montgomery ladder procedure for prime elliptic curves that admits the extensive use of pre-computation. In exchange of very modest memory resources and a small extra programming effort, the proposed ladder obtains significant speedups for software implemen- tations. Moreover, our proposal fully complies with the RFC 7748 spec- ification. A software implementation of the X25519 and X448 functions using our pre-computable ladder yields an acceleration factor of roughly 1.20, and 1.25 when implemented on the Haswell and the Skylake micro- architectures, respectively.
    [Show full text]
  • A Foundation for Trait-Based Metaprogramming
    A foundation for trait-based metaprogramming John Reppy Aaron Turon University of Chicago {jhr, adrassi}@cs.uchicago.edu Abstract We present a calculus, based on the Fisher-Reppy polymorphic Scharli¨ et al. introduced traits as reusable units of behavior inde- trait calculus [FR03], with support for trait privacy, hiding and deep pendent of the inheritance hierarchy. Despite their relative simplic- renaming of trait methods, and a more granular trait typing. Our ity, traits offer a surprisingly rich calculus. Trait calculi typically in- calculus is more expressive (it provides new forms of conflict- clude operations for resolving conflicts when composing two traits. resolution) and more flexible (it allows after-the-fact renaming) In the existing work on traits, these operations (method exclusion than the previous work. Traits provide a useful mechanism for shar- and aliasing) are shallow, i.e., they have no effect on the body of the ing code between otherwise unrelated classes. By adding deep re- other methods in the trait. In this paper, we present a new trait sys- naming, our trait calculus supports sharing code between methods. tem, based on the Fisher-Reppy trait calculus, that adds deep oper- For example, the JAVA notion of synchronized methods can im- ations (method hiding and renaming) to support conflict resolution. plemented as a trait in our system and can be applied to multiple The proposed operations are deep in the sense that they preserve methods in the same class to produce synchronized versions. We any existing connections between the affected method and the other term this new use of traits trait-based metaprogramming.
    [Show full text]
  • Metaprogramming in .NET by Kevin Hazzard Jason Bock
    S AMPLE CHAPTER in .NET Kevin Hazzard Jason Bock FOREWORD BY Rockford Lhotka MANNING Metaprogramming in .NET by Kevin Hazzard Jason Bock Chapter 1 Copyright 2013 Manning Publications brief contents PART 1DEMYSTIFYING METAPROGRAMMING ..............................1 1 ■ Metaprogramming concepts 3 2 ■ Exploring code and metadata with reflection 41 PART 2TECHNIQUES FOR GENERATING CODE ..........................63 3 ■ The Text Template Transformation Toolkit (T4) 65 4 ■ Generating code with the CodeDOM 101 5 ■ Generating code with Reflection.Emit 139 6 ■ Generating code with expressions 171 7 ■ Generating code with IL rewriting 199 PART 3LANGUAGES AND TOOLS ............................................221 8 ■ The Dynamic Language Runtime 223 9 ■ Languages and tools 267 10 ■ Managing the .NET Compiler 287 v Metaprogramming concepts In this chapter ■ Defining metaprogramming ■ Exploring examples of metaprogramming The basic principles of object-oriented programming (OOP) are understood by most software developers these days. For example, you probably understand how encapsulation and implementation-hiding can increase the cohesion of classes. Languages like C# and Visual Basic are excellent for creating so-called coarsely grained types because they expose simple features for grouping and hiding both code and data. You can use cohesive types to raise the abstraction level across a system, which allows for loose coupling to occur. Systems that enjoy loose cou- pling at the top level are much easier to maintain because each subsystem isn’t as dependent on the others as they could be in a poor design. Those benefits are realized at the lower levels, too, typically through lowered complexity and greater reusability of classes. In figure 1.1, which of the two systems depicted would likely be easier to modify? Without knowing what the gray circles represent, most developers would pick the diagram on the right as the better one.
    [Show full text]
  • The Complete Cost of Cofactor H = 1
    The complete cost of cofactor h = 1 Peter Schwabe and Daan Sprenkels Radboud University, Digital Security Group, P.O. Box 9010, 6500 GL Nijmegen, The Netherlands [email protected], [email protected] Abstract. This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order Weierstraß curves us- ing the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different mi- croarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex- M4. We use a 255-bit elliptic curve over F2255−19 that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an under- standing of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor. Keywords: Elliptic Curve Cryptography · SIMD · Curve25519 · scalar multiplication · prime-field arithmetic · cofactor security 1 Introduction Since its invention in 1985, independently by Koblitz [34] and Miller [38], elliptic- curve cryptography (ECC) has widely been accepted as the state of the art in asymmetric cryptography. This success story is mainly due to the fact that attacks have not substantially improved: with a choice of elliptic curve that was in the 80s already considered conservative, the best attack for solving the elliptic- curve discrete-logarithm problem is still the generic Pollard-rho algorithm (with minor speedups, for example by exploiting the efficiently computable negation map in elliptic-curve groups [14]).
    [Show full text]
  • A Fast, Verified, Cross-Platform Cryptographic Provider
    EverCrypt: A Fast, Verified, Cross-Platform Cryptographic Provider Jonathan Protzenko∗, Bryan Parnoz, Aymeric Fromherzz, Chris Hawblitzel∗, Marina Polubelovay, Karthikeyan Bhargavany Benjamin Beurdouchey, Joonwon Choi∗x, Antoine Delignat-Lavaud∗,Cedric´ Fournet∗, Natalia Kulatovay, Tahina Ramananandro∗, Aseem Rastogi∗, Nikhil Swamy∗, Christoph M. Wintersteiger∗, Santiago Zanella-Beguelin∗ ∗Microsoft Research zCarnegie Mellon University yInria xMIT Abstract—We present EverCrypt: a comprehensive collection prone (due in part to Intel and AMD reporting CPU features of verified, high-performance cryptographic functionalities avail- inconsistently [78]), with various cryptographic providers able via a carefully designed API. The API provably supports invoking illegal instructions on specific platforms [74], leading agility (choosing between multiple algorithms for the same functionality) and multiplexing (choosing between multiple im- to killed processes and even crashing kernels. plementations of the same algorithm). Through abstraction and Since a cryptographic provider is the linchpin of most zero-cost generic programming, we show how agility can simplify security-sensitive applications, its correctness and security are verification without sacrificing performance, and we demonstrate crucial. However, for most applications (e.g., TLS, cryptocur- how C and assembly can be composed and verified against rencies, or disk encryption), the provider is also on the critical shared specifications. We substantiate the effectiveness of these techniques with
    [Show full text]
  • Specialising Dynamic Techniques for Implementing the Ruby Programming Language
    SPECIALISING DYNAMIC TECHNIQUES FOR IMPLEMENTING THE RUBY PROGRAMMING LANGUAGE A thesis submitted to the University of Manchester for the degree of Doctor of Philosophy in the Faculty of Engineering and Physical Sciences 2015 By Chris Seaton School of Computer Science This published copy of the thesis contains a couple of minor typographical corrections from the version deposited in the University of Manchester Library. [email protected] chrisseaton.com/phd 2 Contents List of Listings7 List of Tables9 List of Figures 11 Abstract 15 Declaration 17 Copyright 19 Acknowledgements 21 1 Introduction 23 1.1 Dynamic Programming Languages.................. 23 1.2 Idiomatic Ruby............................ 25 1.3 Research Questions.......................... 27 1.4 Implementation Work......................... 27 1.5 Contributions............................. 28 1.6 Publications.............................. 29 1.7 Thesis Structure............................ 31 2 Characteristics of Dynamic Languages 35 2.1 Ruby.................................. 35 2.2 Ruby on Rails............................. 36 2.3 Case Study: Idiomatic Ruby..................... 37 2.4 Summary............................... 49 3 3 Implementation of Dynamic Languages 51 3.1 Foundational Techniques....................... 51 3.2 Applied Techniques.......................... 59 3.3 Implementations of Ruby....................... 65 3.4 Parallelism and Concurrency..................... 72 3.5 Summary............................... 73 4 Evaluation Methodology 75 4.1 Evaluation Philosophy
    [Show full text]
  • Efficient Elliptic Curve Diffie-Hellman Computation at the 256-Bit Security
    Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level Kaushik Nath and Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B. T. Road Kolkata - 700108 India fkaushikn r,[email protected] Abstract In this paper we introduce new Montgomery and Edwards form elliptic curve targeted at the 506 510 256-bit security level. To this end, we work with three primes, namely p1 := 2 − 45, p2 = 2 − 75 521 and p3 := 2 − 1. While p3 has been considered earlier in the literature, p1 and p2 are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agree- ment protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over p1 leads to a 3%-4% slowdown and the new Montgomery curve over p2 leads to a 4:5%-5% slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over p1 and p2 provide an acceptable trade-off between security and efficiency. Keywords: Elliptic curve cryptography, Elliptic curve Diffie-Hellman key agreement, Montgomery form, Edwards form, 256-bit security.
    [Show full text]
  • Comparative Programming Languages CM20253
    We have briefly covered many aspects of language design And there are many more factors we could talk about in making choices of language The End There are many languages out there, both general purpose and specialist And there are many more factors we could talk about in making choices of language The End There are many languages out there, both general purpose and specialist We have briefly covered many aspects of language design The End There are many languages out there, both general purpose and specialist We have briefly covered many aspects of language design And there are many more factors we could talk about in making choices of language Often a single project can use several languages, each suited to its part of the project And then the interopability of languages becomes important For example, can you easily join together code written in Java and C? The End Or languages And then the interopability of languages becomes important For example, can you easily join together code written in Java and C? The End Or languages Often a single project can use several languages, each suited to its part of the project For example, can you easily join together code written in Java and C? The End Or languages Often a single project can use several languages, each suited to its part of the project And then the interopability of languages becomes important The End Or languages Often a single project can use several languages, each suited to its part of the project And then the interopability of languages becomes important For example, can you easily
    [Show full text]