DOCSLIB.ORG

Automatic Generation of High Speed Elliptic Curve Cryptography Code

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Automatic Generation of High Speed Elliptic Curve Cryptography Code View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by PORTO Publications Open Repository TOrino Politecnico di Torino Porto Institutional Repository [Doctoral thesis] Automatic generation of high speed elliptic curve cryptography code Original Citation: Canavese, Daniele (2016). Automatic generation of high speed elliptic curve cryptography code. PhD thesis Availability: This version is available at : http://porto.polito.it/2652694/ since: October 2016 Published version: DOI:10.6092/polito/porto/2652694 Terms of use: This article is made available under terms and conditions applicable to Open Access Policy Arti- cle ("Creative Commons: Attribution 3.0") , as described at http://porto.polito.it/terms_and_ conditions.html Porto, the institutional repository of the Politecnico di Torino, is provided by the University Library and the IT-Services. The aim is to enable open access to all the world. Please share with us how this access benefits you. Your story matters. (Article begins on next page) POLITECNICO DI TORINO SCUOLA DI DOTTORATO Dottorato in Ingegneria Informatica e dei Sistemi { XVII ciclo Tesi di Dottorato Automatic generation of high speed elliptic curve cryptography code Daniele Canavese Tutore Coordinatore del corso di dottorato Antonio Lioy Matteo Sonza Reorda Maggio 2016 Contents List of Figures vi List of Tables viii List of Algorithms ix Introduction x 1 High speed cryptography 1 1.1 Real world applications....................................1 1.1.1 Domain name system security............................1 1.1.2 Google encrypted search...............................3 1.1.3 Mobile phone protection...............................4 1.2 Related works..........................................6 1.2.1 Cryptography-aware DSLs and compilers.....................6 1.2.2 Elliptic curve cryptography.............................7 1.2.3 Other high speed cryptographic techniques.................... 10 2 Elliptic curve cryptography 11 2.1 Mathematical background.................................. 11 2.1.1 Groups......................................... 11 2.1.2 Fields.......................................... 12 2.1.3 Elliptic curves..................................... 13 2.1.4 Security of elliptic curve crypto-systems...................... 16 2.1.5 ECDH.......................................... 18 2.2 Algorithmic background.................................... 19 2.2.1 Binary field arithmetic................................ 20 2.2.2 Elliptic curve arithmetic............................... 25 2.2.3 ECDH.......................................... 31 2.2.4 Summary of decisions................................. 32 3 Implicit computational complexity 33 3.1 Logic background........................................ 34 3.1.1 Classical logic..................................... 34 3.1.2 Intuitionistic logic................................... 34 3.1.3 Linear logic....................................... 35 3.1.4 λ-calculus........................................ 36 3.1.5 Dual light affine logic................................. 38 3.1.6 Typeable functional assembly............................ 38 III 3.2 Multiplicative inversion in TFA............................... 38 3.2.1 Data representations................................. 38 3.2.2 Basic operations.................................... 39 3.2.3 Functional BEA.................................... 41 3.2.4 DCEA.......................................... 43 4 Architecture 45 4.1 Code compilation........................................ 46 4.1.1 Front-end stage.................................... 47 4.1.2 Middle-end stage................................... 47 4.1.3 Back-end stage..................................... 48 4.2 Performance evaluation.................................... 48 4.3 Library building........................................ 50 4.4 UI................................................. 50 5 Languages and representations 52 5.1 Domain specific languages.................................. 52 5.1.1 HRL........................................... 52 5.1.2 aXiom.......................................... 55 5.1.3 Test cases........................................ 59 5.2 HR................................................ 59 6 Optimizations 61 6.1 Analysis algorithms...................................... 62 6.1.1 Control flow graph analysis............................. 62 6.1.2 Live variable analysis................................. 63 6.1.3 DAG analysis..................................... 64 6.1.4 Operator chain analysis............................... 66 6.2 Transformation algorithms.................................. 66 6.2.1 Constant folding.................................... 68 6.2.2 Algebraic simplification................................ 68 6.2.3 Copy propagation................................... 70 6.2.4 Dead code elimination................................ 70 6.2.5 Strength reduction.................................. 71 6.2.6 Common sub-expression elimination........................ 73 6.3 Translation algorithms.................................... 75 6.3.1 Bit vector packing................................... 75 6.3.2 Loop unrolling..................................... 75 6.3.3 Use of target idioms.................................. 76 6.4 Optimization example..................................... 77 7 Experimental results 80 7.1 Impact of optimizations.................................... 81 7.2 Performance........................................... 82 7.2.1 Results on the i7 processor............................. 83 7.2.2 Results on the ARMv7 processor.......................... 84 7.3 Comparison against standard libraries........................... 84 7.4 Comparison against other curves.............................. 86 8 Conclusions and future work 88 IV A Proof rules 90 A.1 CL rules............................................. 90 A.2 IL rules.............................................. 91 A.3 LL rules............................................. 91 A.4 DLAL rules........................................... 92 A.5 TFA rules............................................ 93 B Grammars 94 B.1 HRL grammar......................................... 94 B.2 aXiom.............................................. 95 C Annotations 99 D Additional results 101 D.1 CryptoGen code performance................................ 101 D.2 Library code performance................................... 101 Notations 105 Acronyms 108 Index 112 Bibliography 115 V List of Figures 1 Suggested key lengths for 2016................................ xi 1.1 DNS security time-line.....................................2 1.2 Google encrypted search time-line..............................3 1.3 Mobile phone security time-line................................5 2.1 Plots of two elliptic curves over R.............................. 14 2.2 Point addition and doubling in E~R............................. 15 2.3 Steps of the ECDH protocol.................................. 18 2.4 Man-in-the-middle attack on the ECDH protocol..................... 19 2.5 Algorithm choices for the scalar multiplication implementation............. 32 3.1 Example of functional right shift............................... 40 3.2 BEA and DCEA in comparison................................ 43 4.1 General architecture of the framework............................ 45 4.2 Architecture of the cryptographic compiler......................... 47 4.3 Architecture of the C back-end................................ 48 4.4 A sample library configuration file.............................. 51 5.1 Two equivalent snippets, in C and HRL........................... 54 5.2 Two equivalent snippets, in C and aXiom.......................... 57 5.3 An aXiom snippet and its output HRL code........................ 58 5.4 The modular reduction algorithm in aXiom........................ 58 5.5 UML class diagram of HR................................... 60 6.1 Example of a control flow graph............................... 63 6.2 DAG representation for the (2 ⋅ x + x)~y expression.................... 65 6.3 Example of the DAG for a basic block............................ 65 6.4 Example of the DAG for some tuple instructions..................... 66 6.5 Example of an operator chain................................. 66 6.6 Constant folding example................................... 68 6.7 Algebraic simplification example............................... 69 6.8 Copy propagation example................................... 70 6.9 Dead code elimination example................................ 71 6.10 Example of hidden strength reduction possibilities.................... 72 6.11 Strength reduction example.................................. 72 6.12 Common sub-expression elimination example........................ 74 6.13 Bit vector packing example.................................. 75 6.14 Loop unrolling example..................................... 76 VI 7.1 Comparison of various scalar multiplication implementations.............. 85 7.2 Comparison of the B-233 and B-283 curve performance against similar curves.... 87 VII List of Tables 1.1 Supposed TLS 1.2 cipher-suite priorities for Google Search in 2016..........4 1.2 Protocol supports of the ECC algorithms..........................9 2.1 Elliptic curve formulas for various coordinate systems.................. 28 2.2 Elliptic curve costs for various coordinate systems..................... 29 2.3 Elliptic curve costs for various scalar multiplication algorithms............. 31 5.1 The instructions available in the HRL language.....................
Load more

Recommended publications
  • Etsi Gr Qsc 001 V1.1.1 (2016-07)
    ETSI GR QSC 001 V1.1.1 (2016-07) GROUP REPORT Quantum-Safe Cryptography (QSC); Quantum-safe algorithmic framework 2 ETSI GR QSC 001 V1.1.1 (2016-07) Reference DGR/QSC-001 Keywords algorithm, authentication, confidentiality, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
    [Show full text]
  • Algebraic Cryptanalysis of Hidden Field Equations Family
    MASARYK UNIVERSITY FACULTY OF INFORMATICS Algebraic cryptanalysis of Hidden Field Equations family BACHELOR'S THESIS Adam Janovsky Brno, Spring 2016 Declaration I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Adam Janovský Advisor: prof. RNDr. Jan Slovák, DrSc. i Abstract The goal of this thesis is to present a Grobner basis as a tool for algebraic cryptanalysis. Firtst, the thesis shortly introduces asymmetric cryptography. Next, a Grobner basis is presented and it is explained how a Grobner basis can be used to algorithmic equation solving. Further, fast algorithm for the Grobner basis computation, the F4, is presented. The thesis then introduces basic variant of Hidden field equations cryptosystem and discusses its vulnerability to algebraic attacks from Grobner basis perspective. Finally, the thesis gives an overview of recent results in algebraic cryptanalysis of Hidden Field Equations and suggests parameters that could make the algebraical attacks intractable. ii Keywords Grobner basis, cryptanalysis, Hidden Field Equations, F4 iii Contents 1 Introduction 1 1.1 Notation 2 2 Preliminaries 3 2.1 Asymmetric cryptography 3 2.1.1 Overview 3 2.1.2 RSA 5 2.2 Grobner basis 7 2.3 Equation solving 14 3 F4 algorithm for computing a Grobner basis 19 4 Hidden Field Equations 27 4.1 Overview of HFE 27 4.1.1 Parameters of HFE 27 4.2 Encryption and Decryption 29 4.2.1 Encryption 29 4.2.2 Decryption 31 4.3 Public key derivation 32 5 Algebraic attacks on HFE 35 5.1 Algebraic attack for q = 2 35 5.2 Algebraic attack for odd q 37 6 Conclusions 41 Appendices 42 A SAGE code 43 B Grobner basis for q=ll 47 A" 1 Introduction The thesis studies algebraic attacks against basic variant of Hidden Field Equations (HFE) cipher.
    [Show full text]
  • Lattice-Based Cryptography - a Comparative Description and Analysis of Proposed Schemes
    Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen Thesis submitted for the degree of Master in Informatics: programming and networks 60 credits Department of Informatics Faculty of mathematics and natural sciences UNIVERSITY OF OSLO Autumn 2017 Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen c 2017 Einar Løvhøiden Antonsen Lattice-based cryptography - A comparative description and analysis of proposed schemes http://www.duo.uio.no/ Printed: Reprosentralen, University of Oslo Acknowledgement I would like to thank my supervisor, Leif Nilsen, for all the help and guidance during my work with this thesis. I would also like to thank all my friends and family for the support. And a shoutout to Bliss and the guys there (you know who you are) for providing a place to relax during stressful times. 1 Abstract The standard public-key cryptosystems used today relies mathematical problems that require a lot of computing force to solve, so much that, with the right parameters, they are computationally unsolvable. But there are quantum algorithms that are able to solve these problems in much shorter time. These quantum algorithms have been known for many years, but have only been a problem in theory because of the lack of quantum computers. But with recent development in the building of quantum computers, the cryptographic world is looking for quantum-resistant replacements for today’s standard public-key cryptosystems. Public-key cryptosystems based on lattices are possible replacements. This thesis presents several possible candidates for new standard public-key cryptosystems, mainly NTRU and ring-LWE-based systems.
    [Show full text]
  • Building Secure Public Key Encryption Scheme from Hidden Field Equations
    Hindawi Security and Communication Networks Volume 2017, Article ID 9289410, 6 pages https://doi.org/10.1155/2017/9289410 Research Article Building Secure Public Key Encryption Scheme from Hidden Field Equations Yuan Ping,1,2 Baocang Wang,1,3 Yuehua Yang,1 and Shengli Tian1 1 School of Information Engineering, Xuchang University, Xuchang 461000, China 2Guizhou Provincial Key Laboratory of Public Big Data, Guiyang 550025, China 3State Key Laboratory of Integrated Service Networks, Xidian University, Xi’an 710071, China Correspondence should be addressed to Baocang Wang; [email protected] Received 4 April 2017; Accepted 5 June 2017; Published 10 July 2017 Academic Editor: Dengpan Ye Copyright © 2017 Yuan Ping et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Multivariate public key cryptography is a set of cryptographic schemes built from the NP-hardness of solving quadratic equations over finite fields, amongst which the hidden field equations (HFE) family of schemes remain the most famous. However, the original HFE scheme was insecure, and the follow-up modifications were shown to be still vulnerable to attacks. In this paper, we propose 2 a new variant of the HFE scheme by considering the special equation =defined over the finite field F3 when =0,1. We observe that the equation can be used to further destroy the special structure of the underlying central map of the HFE scheme. It is shown that the proposed public key encryption scheme is secure against known attacks including the MinRank attack, the algebraic attacks, and the linearization equations attacks.
    [Show full text]
  • THE END of CRYPTOGRAPHY AS WE KNOW IT ABOUT ISARA About ISARA
    THE END OF CRYPTOGRAPHY AS WE KNOW IT ABOUT ISARA About ISARA Founded in 2015, Consumers, ISARA is affiliated with governments and the rich academic and organizations should research ecosystem of benefit from the power Quantum Valley, a high- of quantum computing tech hub in Waterloo, without compromising Ontario, Canada data security. Founded Vision About ISARA We have a highly We’re building quantum experienced safe solutions, starting management team with with the launch of our backgrounds in wireless, ISARA Quantum encryption, security Resistant Toolkit. solutions, sales and standards/certification. Team Solutions 01 Threat 02 Solutions Standards 03 Quantum Computing Threat Cryptographic Challenges For A Post Quantum World Today’s security solutions rely on the complexity of the underlying mathematical problems that form the foundation for modern cryptographic systems. The massive processing capabilities found in quantum computers will challenge our current beliefs around complexity. When Does The Clock Run Out? Understanding the risks means balancing multiple factors. The answer depends on who you are, what secrets you need to keep and what the impact is if your secrets are no longer secrets. In some cases, it’s already too late. When Do You Need To Worry? Critical technologies Life of your secrets Key infrastructure Threat horizon Risk Value of your assets Assessment Ability to integrate tools Cost to defend $ Years To Quantum Y2Q: The scope of the change required is akin to Y2K. To do a risk management assessment, all protocols, clients and servers need an in-depth review. This requires coordination between vendors, OEMs and customers to catch all of the interactions.
    [Show full text]
  • On Multivariate Signature-Only Public Key Cryptosystems
    On multivariate signature-only public key cryptosystems Nicolas T. Courtois1,2 [email protected] http://www.minrank.org 1 Syst`emes Information Signal (SIS), Universit´ede Toulon et du Var BP 132, F-83957 La Garde Cedex, France 2 INRIA Rocquencourt, Projet Codes, Domaine de Voluceau BP 105, 78153 Le Chesnay, France Abstract. In a paper published at Asiacrypt 2000 a signature scheme that (apparently) cannot be abused for encryption is published. The problem is highly non-trivial and every solution should be looked upon with caution. What is especially hard to achieve is to avoid that the pub- lic key should leak some information, to be used as a possible ”shadow” secondary public key. In the present paper we argument that the problem has many natural solutions within the framework of the multivariate cryptography. First of all it seems that virtually any non-injective multivariate public key is inherently unusable for encryption. Unfortunately having a lot of leakage is inherent to multivariate cryp- tosystems. Though it may appear hopeless at the first sight, we use this very property to remove leakage. In our new scenario the Certification Authority (CA) makes extensive modifications of the public key such that the user can still use the internal trapdoor, but has no control on any publicly verifiable property of the actual public key equations published by CA. Thus we propose a very large class of multivariate non-encryption PKI schemes with many parameters q, d, h, v, r, u, f, D. The paper is also of independent interest, as it contains all variants of the HFE trapdoor public key cryptosystem.
    [Show full text]
  • Scalable Verification for Outsourced Dynamic Databases Hwee Hwa PANG Singapore Management University, [email protected]
    Singapore Management University Institutional Knowledge at Singapore Management University Research Collection School Of Information Systems School of Information Systems 8-2009 Scalable Verification for Outsourced Dynamic Databases Hwee Hwa PANG Singapore Management University, [email protected] Jilian ZHANG Singapore Management University, [email protected] Kyriakos MOURATIDIS Singapore Management University, [email protected] DOI: https://doi.org/10.14778/1687627.1687718 Follow this and additional works at: https://ink.library.smu.edu.sg/sis_research Part of the Databases and Information Systems Commons, and the Numerical Analysis and Scientific omputC ing Commons Citation PANG, Hwee Hwa; ZHANG, Jilian; and MOURATIDIS, Kyriakos. Scalable Verification for Outsourced Dynamic Databases. (2009). Proceedings of the VLDB Endowment: VLDB'09, August 24-28, Lyon, France. 2, (1), 802-813. Research Collection School Of Information Systems. Available at: https://ink.library.smu.edu.sg/sis_research/876 This Conference Proceeding Article is brought to you for free and open access by the School of Information Systems at Institutional Knowledge at Singapore Management University. It has been accepted for inclusion in Research Collection School Of Information Systems by an authorized administrator of Institutional Knowledge at Singapore Management University. For more information, please email [email protected]. Scalable Verification for Outsourced Dynamic Databases HweeHwa Pang Jilian Zhang Kyriakos Mouratidis School of Information Systems Singapore Management University fhhpang, jilian.z.2007, [email protected] ABSTRACT receive updated price quotes early could act ahead of their com- Query answers from servers operated by third parties need to be petitors, so the advantage of data freshness would justify investing verified, as the third parties may not be trusted or their servers may in the computing infrastructure.
    [Show full text]
  • On the Differential Security of the Hfev- Signature Primitive
    On the Differential Security of the − HF Ev Signature Primitive Ryann Cartor1, Ryan Gipson1, Daniel Smith-Tone1,2, and Jeremy Vates1 1Department of Mathematics, University of Louisville, Louisville, Kentucky, USA 2National Institute of Standards and Technology, Gaithersburg, Maryland, USA [email protected], [email protected], [email protected], [email protected] Abstract. Multivariate Public Key Cryptography (MPKC) is one of the most attractive post-quantum options for digital signatures in a wide array of applications. The history of multivariate signature schemes is tumultuous, however, and solid security arguments are required to in- spire faith in the schemes and to verify their security against yet undis- covered attacks. The effectiveness of “differential attacks" on various field-based systems has prompted the investigation of the resistance of schemes against differential adversaries. Due to its prominence in the area and the recent optimization of its parameters, we prove the secu- rity of HF Ev− against differential adversaries. We investigate the newly suggested parameters and conclude that the proposed scheme is secure against all known attacks and against any differential adversary. Key words: Multivariate Cryptography, HFEv-, Discrete Differential, MinRank, Q-rank 1 Introduction and Outline In the mid 1990s, Peter Shor discovered a way to efficiently implement quantum period finding algorithms on structures of exponential size and showed how the modern world as we know it will change forever once the behemoth engineering challenge of constructing a large scale quantum computing device is overcome. His polynomial time quantum Fourier transforms for smooth integers can be employed to factor integers, to compute discrete logarithms and is powerful enough to efficiently solve hidden subgroup problems for well behaved (usually Abelian) groups.
    [Show full text]
  • Multivariate Public Key Cryptography
    Multivariate Public Key Cryptography Jintai Ding1 and Bo-Yin Yang2 1 University of Cincinnati and Technische Universität Darmstadt. 2 Academia Sinica and Taiwan InfoSecurity Center, Taipei, Taiwan. Summary. A multivariate public key cryptosystem (MPKCs for short) have a set of (usually) quadratic polynomials over a finite field as its public map. Its main security assumption is backed by the NP-hardness of the problem to solve nonlinear equations over a finite field. This family is considered as one of the major families of PKCs that could resist potentially even the powerful quantum computers of the future. There has been fast and intensive development in Multivariate Public Key Cryptography in the last two decades. Some constructions are not as secure as was claimed initially, but others are still viable. The paper gives an overview of multivariate public key cryptography and discusses the current status of the research in this area. Keywords: Gröbner basis, multivariate public key cryptosystem, linear alge- bra, differential attack 1 Introduction As envisioned by Diffie and Hellman, a public key cryptosystem (hereafter PKC for short) depends on the existence of class of “trapdoor one-way func- tions”. This class and the mathematical structure behind it will determine all the essential characteristics of the PKC. So for example behind elliptic cryp- tography is the elliptic curve group, and behind NTRU stands the structure of an integral lattice. Multivariate (Public-Key) Cryptography is the study of PKCs where the trapdoor one-way function takes the form of a multivariate quadratic polyno- mial map over a finite field. Namely the public key is in general given by a set of quadratic polynomials: P =(p1(w1,...,wn),..., pm(w1,...,wn)), where each pi is a (usu.
    [Show full text]
  • NSA's MORECOWBELL
    NSA's MORECOWBELL: Knell for DNS Christian Grothoff Matthias Wachs Monika Ermert Jacob Appelbaum Inria TU Munich Heise Verlag Tor Project 1 Introduction On the net, close to everything starts with a request to the Domain Name System (DNS), a core Internet protocol to allow users to access Internet services by names, such as www.example.com, instead of using numeric IP addresses, like 2001:DB8:4145::4242. Developed in the \Internet good old times" the contemporary DNS is like a large network activity chart for the visually impaired. Consequently, it now attracts not only all sorts of commercially-motivated surveillance, but, as new documents of the NSA spy program MORECOWBELL confirm, also the National Security Agency. Given the design weaknesses of DNS, this begs the question if DNS be secured and saved, or if it has to be replaced | at least for some use cases. In the last two years, there has been a flurry of activity to address security and privacy in DNS at the Internet Engineering Task Force (IETF), the body that documents the DNS standards. The Internet Architecture Board, peer body of the IETF, just called on the engineers to use encryption everywhere, possibly including DNS. [4] A recent draft [6] by the IETF on DNS privacy starts by acknowledging that the DNS \... is one of the most important infrastructure components of the Internet and one of the most often ignored or misunderstood. Almost every activity on the Internet starts with a DNS query (and often several). Its use has many privacy implications ..." Despite seemingly quick consensus on this assessment, the IETF is not expecting that existing industry solutions will change the situation anytime soon: \It seems today that the possibility of massive encryption of DNS traffic is very remote." [5] From a surveillance perspective, DNS currently treats all information in the DNS database as public data.
    [Show full text]
  • Low-Latency Elliptic Curve Scalar Multiplication
    Noname manuscript No. (will be inserted by the editor) Low-Latency Elliptic Curve Scalar Multiplication Joppe W. Bos Received: date / Accepted: date Abstract This paper presents a low-latency algorithm designed for parallel computer architectures to compute the scalar multiplication of elliptic curve points based on approaches from cryptographic side-channel analysis. A graph- ics processing unit implementation using a standardized elliptic curve over a 224-bit prime field, complying with the new 112-bit security level, computes the scalar multiplication in 1.9 milliseconds on the NVIDIA GTX 500 archi- tecture family. The presented methods and implementation considerations can be applied to any parallel 32-bit architecture. Keywords Elliptic Curve Cryptography · Elliptic Curve Scalar Multiplica- tion · Parallel Computing · Low-Latency Algorithm 1 Introduction Elliptic curve cryptography (ECC) [30,37] is an approach to public-key cryp- tography which enjoys increasing popularity since its invention in the mid 1980s. The attractiveness of small key-sizes [32] has placed this public-key cryptosystem as the preferred alternative to the widely used RSA public-key cryptosystem [48]. This is emphasized by the current migration away from 80-bit to 128-bit security where, for instance, the United States' National Se- curity Agency restricts the use of public key cryptography in \Suite B" [40] to ECC. The National Institute of Standards and Technology (NIST) is more flexible and settles for 112-bit security at the lowest level from the year 2011 on [52]. At the same time there is a shift in architecture design towards many-core processors [47]. Following both these trends, we evaluate the performance of a Laboratory for Cryptologic Algorithms Ecole´ Polytechnique F´ed´eralede Lausanne (EPFL) Station 14, CH-1015 Lausanne, Switzerland E-mail: joppe.bos@epfl.ch 2 Joppe W.
    [Show full text]
  • Post-Quantum Key Exchange for the Internet and the Open Quantum Safe Project∗
    Post-Quantum Key Exchange for the Internet and the Open Quantum Safe Project∗ Douglas Stebila1;y and Michele Mosca2;3;4;z 1 Department of Computing and Software, McMaster University, Hamilton, Ontario, Canada [email protected] 2 Institute for Quantum Computing and Department of Combinatorics & Optimization, University of Waterloo, Waterloo, Ontario, Canada 3 Perimeter Institute for Theoretical Physics, Waterloo, Ontario, Canada 4 Canadian Institute for Advanced Research, Toronto, Ontario, Canada [email protected] July 28, 2017 Abstract Designing public key cryptosystems that resist attacks by quantum computers is an important area of current cryptographic research and standardization. To retain confidentiality of today's communications against future quantum computers, applications and protocols must begin exploring the use of quantum-resistant key exchange and encryption. In this paper, we explore post-quantum cryptography in general and key exchange specifically. We review two protocols for quantum-resistant key exchange based on lattice problems: BCNS15, based on the ring learning with errors problem, and Frodo, based on the learning with errors problem. We discuss their security and performance characteristics, both on their own and in the context of the Transport Layer Security (TLS) protocol. We introduce the Open Quantum Safe project, an open-source software project for prototyping quantum-resistant cryptography, which includes liboqs, a C library of quantum-resistant algorithms, and our integrations of liboqs into popular open-source applications and protocols, including the widely used OpenSSL library. ∗Based on the Stafford Tavares Invited Lecture at Selected Areas in Cryptography (SAC) 2016 by D. Stebila. ySupported in part by Australian Research Council (ARC) Discovery Project grant DP130104304, Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2016-05146, and an NSERC Discovery Accelerator Supplement grant.
    [Show full text]