Arithmetic Operators on GF(2M) for Cryptographic Applications: Performance - Power Consumption - Security Tradeoffs Danuta Pamula

Total Page:16

File Type:pdf, Size:1020Kb

Arithmetic Operators on GF(2M) for Cryptographic Applications: Performance - Power Consumption - Security Tradeoffs Danuta Pamula Arithmetic operators on GF(2m) for cryptographic applications: performance - power consumption - security tradeoffs Danuta Pamula To cite this version: Danuta Pamula. Arithmetic operators on GF(2m) for cryptographic applications: performance - power consumption - security tradeoffs. Computer Arithmetic. Université Rennes 1, 2012. English. tel-00767537 HAL Id: tel-00767537 https://tel.archives-ouvertes.fr/tel-00767537 Submitted on 20 Dec 2012 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. N° d’ordre : 2012REN1E011 ANNÉE 2012 THÈSE / UNIVERSITÉ DE RENNES 1 sous le sceau de l’Université Européenne de Bretagne pour le grade de DOCTEUR DE L’UNIVERSITÉ DE RENNES 1 Mention : Informatique École doctorale Matisse présentée par Danuta Pamula préparée à l’unité de recherche IRISA (UMR 6074) Institut de Recherche en Informatique et Systèmes Aléatoires Équipe CAIRN - ENSSAT et L’École Politechnique de Silésie à Gliwice Faculté d'Automatique, Électronique et Informatique, Institut d’Électronique Thèse soutenue à Gliwice, Pologne Intitulé de la thèse : le 17 Décembre 2012 Opérateurs devant le jury composé de : Aleksander NAWRAT arithmétiques sur Professeur à l'École polytechnique de Silésie / président m Liam MARNANE GF(2 ): étude de Professeur Université de Cork / rapporteur Tadeusz LUBA compromis Professeur à l'École polytechnique de Varsovie / rapporteur performances- Romuald ROCHER Maître de Conférences Université Rennes 1 - IUT Lannion / examinateur consommation- Arnaud TISSERAND Chargé de Recherche CNRS / directeur de thèse sécurité. Edward HRYNKIEWICZ Professeur à l'École polytechnique de Silésie / co- directeur de thèse Silesian University of Technology Faculty of Automatic Control, Electronics and Computer Science Institute of Electronics University of Rennes 1 IRISA A DISSERTATION Arithmetic operators on GF (2m) for cryptographic applications: performance - power consumption - security tradeoffs Author: Danuta Pamuła Supervisors: dr hab. inż. Edward Hrynkiewicz, prof. nzw. w Politechnice Śląskiej (PL) Arnaud Tisserand, CNRS researcher, HDR (FR) Submitted in total fulfillment of the requirements of the degree of Doctor of Philosophy under a Cotutelle agreement with Silesian University of Technology (PL) and University of Rennes 1 (FR). Gliwice 2012 Acknowledgements I would like to thank Professor Edward Hrynkiewicz and Arnaud Tisserand, my research su pervisors, for their patient guidance, enthusiastic encouragement and useful critiques of this research work. Contents Nomenclature viii 1. Introduction 1 1.1. Modern cryptology - basics, goals, applications and threats . 7 1.1.1. Cryptology basics . 7 1.1.2. Symmetric cryptography (SecretKey Cryptography) . 10 1.1.3. Asymmetric cryptography (PublicKey Cryptography) . 11 1.1.4. Modern cryptosystems - application, requirements, security (robustness) . 14 1.2. Dissertation overview . 16 2. Elliptic curves over finite fields - application to cryptography (overview) 19 2.1. Elliptic curves and cryptography . 19 2.1.1. Elliptic curves . 20 2.1.2. Elliptic Curve Cryptography . 23 2.2. Finite Fields . 26 2.2.1. Binary finite field extensions GF (2m) .................... 29 2.3. Problem definition . 29 2.4. Thesis formulation and research objectives . 31 3. Arithmetic operators on GF (2m) 33 3.1. Finite Field Addition . 35 3.2. Finite Field Multiplication . 36 3.2.1. Twostep algorithms . 37 3.2.2. Interleaved algorithms . 56 3.2.3. Summary, conclusions and comparison . 66 4. Physical security of ECC cryptosystems 69 4.1. Physical security of hardware GF (2m) arithmetic operators . 74 4.1.1. Security level verification, problem identification . 77 4.1.2. Proposed countermeasures, circuit modifications . 80 4.1.3. Conclusions . 89 5. Summary and Conclusions 91 iii List of Figures 1.1. Typical plain (not secured) communication model . 8 1.2. Secure communication model . 9 1.3. Secretkey cryptography communication model . 10 1.4. PKC communication model . 12 1.5. Security layer model [8, 98] . 17 1.6. ECC cryptosystem layers . 17 2.1. Elliptic curves over R. ................................. 21 2.2. Elliptic curves over Fp. ................................ 21 2.3. Addition and Doubling of a point on E(K) ..................... 23 3.1. Idea of circuit performing shiftandadd method for m = 4 . 43 3.2. Classic divideandconquer approach . 46 3.3. KaratsubaOfman approach . 46 3.4. Illustration of AL matrix partitioning for m = 233 . 59 3.5. Illustration of AH matrix partitioning for m = 233 . 60 3.6. Illustration of R partitioning matrix for m = 233 . 60 3.7. Illustration of Mastrovito matrix partitioning for m = 233 . 63 4.1. Differential power analysis principle [80] . 71 4.2. Useful (left) and parasitic (right) transitions. 75 4.3. Activity counter architecture for a 1bit signal s(t) (control not represented). 76 4.4. Useful activity measurement results for random GF (2m) multiplications with clas sical algorithm (left). Extract for a single representative multiplication (right). 78 4.5. Useful activity measurement results for random GF (2m) multiplications with Montgomery algorithm (left). Extract for a single representative multiplication (right). 79 4.6. Useful activity measurement results for random GF (2m) multiplications with Mastrovito algorithm (left). Extract for a single representative multiplication (right). 79 4.7. Useful activity measurement results for random GF (2m) multiplications with modified classical algorithm. 80 v 4.8. Useful activity measurement results for random GF (2m) multiplications with Montgomery algorithm. 81 4.9. Illustration of Mastrovito matrix partitioning for m = 233 . 82 4.10. Useful activity measurement results for random GF (2m) multiplications with 4 versions of modified Mastrovito algorithm. 83 4.11. Random start sequence generator based on 4bit LFSR. 84 4.12. Data dependency on activity variations curves for Mastrovito multiplier . 85 4.13. FFT analysis results for unprotected and protected versions of multipliers (top: classic algorithm, middle and bottom: Mastrovito algorithm for various versions). 86 4.14. Useful activity measurement results for 2P operation for unprotected (top figure) and protected (bottom figure) GF (2m) operators. 87 4.15. Comparison of activity traces and current measurements for: Mastrovito multiplier unprotected version – 5 multiplications in a row and pro tected version (uniformised) – 3 multiplications in a row . 88 vi Nomenclature [k]P scalar point multiplication Fq finite field AT efficiency factor f(x) irreducible polynomial, field generator m GF (2 ), F2m binary extension fields GF (p), Fp prime field m field size ASIC Application Specific Integrated Circuits DLP Discrete logarithm problem DPA Differential Power Analysis ECC Elliptic curve cryptography ECDLP Elliptic curve discrete logarithm problem FFT Fast Fourier Transform FFT Fast Fourier Transform FPGA Field Programmable Gate Arrays FSM finite state machine HDL Hardware Description Language LFSR Linear feedback shift register LUT lookup table MSB most significant bit NIST National Institute of Standards and Technology NPhard nondeterministic polynomialtime hard PKC Public Key Cryptography RSA RivestShamirAdleman SCA Side Channel Attack vii SECG Standards for Efficient Cryptography Group SFM Spectral Flatness Measure SPA Simple Power Analysis viii 1. Introduction Digital systems and Internet are nowadays spanning most domains of our lives. They are respon sible for communication between people, institutions, for controlling airport systems, transport systems, managing medical systems, etc. Digital systems start to appear everywhere and are responsible for more and more important and confidential processes. We are flooded with digital data, which are not always easy to authenticate, manage and secure. Generally majority of com mon users of digital systems do not care much about authentication, confidentiality, integrity and security of their data. They are still little aware of possibilities of stealing, tampering or using their digital data or what is worse their digital identity (identity fraud is a serious threat [90]). They are even less aware of consequences resulting from such abuses or negligence of security matters [90, 63]. Fortunately security awareness slowly increases mainly due to rapid development and increase of number of services performed in a digital way. People start to perceive the meaning (necessity) of securing data. Everyone wants to securely perform banking transactions, safely sign impor tant documents, protect confidential data (tax, medical, etc.) or just safely shop online. On the other hand, nobody wants to be bothered about securing data and nobody wants that the process will in any way interrupt normal work of a system. Luckily most system developers have information security awareness and tend to equip digital systems and communication channels with efficient security mechanisms, depending on application and requirements. The security of a system has to be very often verified because although users start to take precautions and new ways for securing data are developed, new ways
Recommended publications
  • Future EW Capabilities
    CRITICAL UNCLASSIFIED INFORMATION Future EW Capabilities COL Daniel Holland, ACM-EW Director [email protected] 706-791-8476 CRITICAL17 UNCLASSIFIEDAug 2021 INFORMATION Future Army EW Capabilities AISR Target identification, geo-location, and advanced non-kinetic effects delivery for the MDO fight. HELIOS (MDSS) Altitude 60k’ EW Planning and Management Tool LOS 500 kms (nadir 18 kms) HADES (MDSS) Altitude 40k+’ UAV LOS 400 kms Spectrum Analyzer MFEW Air Large MFEW Air Small Altitude 15k-25k’ Altitude 2500-8000’ LOS 250-300 kms LOS 100-150 kms C2 Counter Fire XX Radar SAM SRBM MEMSS C2 TT Radar Tech Effects CP TA Radar C2 AISR – Aerial ISR DEA – Defensive Electromagnetic Attack GSR- Ground Surveillance Radar TA Radar ERCA – Extended Range Cannon Artillery FLOT – Forward Line of Troops IFPC – Indirect Fire Protection Capability GMLS-ER – Guided Multiple Launch Rocket System Extended Rng UGS HADES – High Accuracy Detection & Exploitation System HELIOS – High altitude Extended range Long endurance Intel Observation System LOS – Line of Sight MDSS – Multi-Domain Sensor System MEMSS - Modular Electromagnetic Spectrum System TLS EAB MFEW – Multifunction Electromagnetic Warfare Ground to Air TLS BCT M-SHORAD – Mobile Short Range Air Defense Close fight TLS – Terrestrial Layer System 30km 70km 150km TT – Target Tracking 500km FLOT THREAT TA – Target Acquisition PrSM Ver 14.6 – 30 Jul 21 155mm ERCA GMLS-ER UGS – Unmanned Ground System AREA UNCLASSIFIED Electronic Warfare Planning and Management Tool (EWPMT) Electromagnetic Warfare/Spectrum
    [Show full text]
  • Electromagnetic Side Channels of an FPGA Implementation of AES
    Electromagnetic Side Channels of an FPGA Implementation of AES Vincent Carlier, Herv´e Chabanne, Emmanuelle Dottax and Herv´e Pelletier SAGEM SA Abstract. We show how to attack an FPGA implementation of AES where all bytes are processed in parallel using differential electromag- netic analysis. We first focus on exploiting local side channels to isolate the behaviour of our targeted byte. Then, generalizing the Square at- tack, we describe a new way of retrieving information, mixing algebraic properties and physical observations. Keywords: side channel attacks, DEMA, FPGA, AES hardware im- plementation, Square attack. 1 Introduction Side channel attacks first appear in [Koc96] where timing attacks are de- scribed. This kind of attack tends to retrieve information from the secret items stored inside a device by observing its behaviour during a crypto- graphical computation. In a timing attack, the adversary measures the time taken to perform the computations and deduces additionnal information about the cryptosystems. Similarly, power analysis attacks are introduced in [KJJ99] where the attacker wants to discover the secrets by analysing the power consumption. Smart cards are targets of choice as their power is sup- plied externally. Usually we distinguish Simple Power Analysis (SPA), that tries to gain information directly from the power consumption, and Differ- ential Power Analysis (DPA) where a large number of traces are acquired and statistically processed. Another side channel is the one that exploits the Electromagnetic (EM) emanations. Indeed, these emanations are correlated with the current flowing through the device. EM leakage in a PC environ- ment where eavesdroppers reconstruct video screens has been known for a 1 long time [vE85], see also [McN] for more references.
    [Show full text]
  • Conductive Concrete’ Shields Electronics from EMP Attack
    ‘Conductive concrete’ shields electronics from EMP attack November 14, 2016 Credit: Craig Chandler/University Communication/University of Nebraska-Lincoln An attack via a burst of electromagnetic energy could cripple vital electronic systems, threatening national security and critical infrastructure, such as power grids and data centers. The technology is ready for commercialization, and the University of Nebraska-Lincoln has signed an agreement to license this shielding technology to American Business Continuity Group LLC, a developer of disaster-resistant structures. Electromagnetic energy is everywhere. It travels in waves and spans a wide spectrum, from sunlight, radio waves and microwaves to X- rays and gamma rays. But a burst of electromagnetic waves caused by a high-altitude nuclear explosion or an EMP device could induce electric current and voltage surges that cause widespread electronic failures. "EMP is very lethal to electronic equipment," said Tuan, professor of civil engineering. "We found a key ingredient that dissipates wave energy. This technology oöers a lot of advantages so the construction industry is very interested." EMP-shielding concrete stemmed from Tuan and Nguyen's partnership to study concrete that conducts electricity. They ñrst developed their patented conductive concrete to melt snow and ice from surfaces, such as roadways and bridges. They also recognized and conñrmed it has another important property – the ability to block electromagnetic energy. Their technology works by both absorbing and reòecting electromagnetic waves. The team replaced some standard concrete aggregates with their key ingredient – magnetite, a mineral with magnetic properties that absorbs microwaves like a sponge. Their patented recipe includes carbon and metal components for better absorption as well as reòection.
    [Show full text]
  • Analysis of EM Emanations from Cache Side-Channel Attacks on Iot Devices
    Analysis of EM Emanations from Cache Side-Channel Attacks on IoT Devices Moumita Dey School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, USA [email protected] Abstract— As the days go by, the number of IoT devices are growing exponentially and because of their low computing capabilities, they are being targeted to perform bigger attacks that are compromising their security. With cache side channel attacks increasing on devices working on different platforms, it is important to take precautions beforehand to detect when a cache side channel attack is performed on an IoT device. In this paper, the FLUSH+RELOAD attack, a popular cache side channel attack, is first implemented and the proof of concept is demonstrated on GnuPG RSA and bitcnts benchmark of MiBench suite. The effects it has are then seen through EM emanations of the device under different conditions. There was distinctive activity observed due to FLUSH+RELOAD attack, which can be identified by profiling the applications to be monitored. INTRODUCTION Fig. 1. IoT devices demand trend [1] The Internet of Things (IoT) is the next frontier in technology, and there’s already several companies trying to capitalize it. Its a network of products that are connected to the Internet, thus they have their own IP address and can GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter, and connect to each other to automate simple tasks. As prices a number of other major websites. This piece of malicious of semiconductor fall and connectivity technology develops, code took advantage of devices running out-of-date versions more machines are going online.
    [Show full text]
  • A Casual Primer on Finite Fields
    A very brief introduction to finite fields Olivia Di Matteo December 10, 2015 1 What are they and how do I make one? Definition 1 (Finite fields). Let p be a prime number, and n ≥ 1 an integer. A finite field n n n of order p , denoted by Fpn or GF(p ), is a collection of p objects and two binary operations, addition and multiplication, such that the following properties hold: 1. The elements are closed under addition modulo p, 2. The elements are closed under multiplication modulo p, 3. For all non-zero elements, there exists a multiplicative inverse. 1.1 Prime dimensions Nothing much to see here. In prime dimension p, the finite field Fp is very simple: Fp = Zp = f0; 1; : : : ; p − 1g: (1) 1.2 Power of prime dimensions and field extensions Fields of prime-power dimension are constructed by extending a field of smaller order using a primitive polynomial. See section 2.1.2 in [1]. 1.2.1 Primitive polynomials Definition 2. Consider a polynomial n q(x) = a0 + a1x + ··· + anx ; (2) having degree n and coefficients ai 2 Fq. Such a polynomial is called monic if an = 1. Definition 3. A polynomial n q(x) = a0 + a1x + ··· + anx ; ai 2 Fq (3) is called irreducible if q(x) has positive degree, and q(x) = u(x)v(x); (4) 1 and either u(x) or v(x) a constant polynomial. In other words, the equation n q(x) = a0 + a1x + ··· + anx = 0 (5) has no solutions in the field Fq. Example 1 (Irreducible polynomial).
    [Show full text]
  • Key Update Countermeasure for Correlation-Based Side-Channel Attacks
    Key Update Countermeasure for Correlation-Based Side-Channel Attacks Yutian Gui, Suyash Mohan Tamore, Ali Shuja Siddiqui & Fareena Saqib Journal of Hardware and Systems Security ISSN 2509-3428 J Hardw Syst Secur DOI 10.1007/s41635-020-00094-x 1 23 Your article is protected by copyright and all rights are held exclusively by Springer Nature Switzerland AG. This e-offprint is for personal use only and shall not be self- archived in electronic repositories. If you wish to self-archive your article, please use the accepted manuscript version for posting on your own website. You may further deposit the accepted manuscript version in any repository, provided it is only made publicly available 12 months after official publication or later and provided acknowledgement is given to the original source of publication and a link is inserted to the published article on Springer's website. The link must be accompanied by the following text: "The final publication is available at link.springer.com”. 1 23 Author's personal copy Journal of Hardware and Systems Security https://doi.org/10.1007/s41635-020-00094-x Key Update Countermeasure for Correlation-Based Side-Channel Attacks Yutian Gui1 · Suyash Mohan Tamore1 · Ali Shuja Siddiqui1 · Fareena Saqib1 Received: 14 January 2020 / Accepted: 13 April 2020 © Springer Nature Switzerland AG 2020 Abstract Side-channel analysis is a non-invasive form of attack that reveals the secret key of the cryptographic circuit by analyzing the leaked physical information. The traditional brute-force and cryptanalysis attacks target the weakness in the encryption algorithm, whereas side-channel attacks use statistical models such as differential analysis and correlation analysis on the leaked information gained from the cryptographic device during the run-time.
    [Show full text]
  • Type-II Optimal Polynomial Bases
    Type-II Optimal Polynomial Bases Daniel J. Bernstein1 and Tanja Lange2 1 Department of Computer Science (MC 152) University of Illinois at Chicago, Chicago, IL 60607{7053, USA [email protected] 2 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB Eindhoven, Netherlands [email protected] Abstract. In the 1990s and early 2000s several papers investigated the relative merits of polynomial-basis and normal-basis computations for F2n . Even for particularly squaring-friendly applications, such as implementations of Koblitz curves, normal bases fell behind in performance unless a type-I normal basis existed for F2n . In 2007 Shokrollahi proposed a new method of multiplying in a type-II normal basis. Shokrol- lahi's method efficiently transforms the normal-basis multiplication into a single multiplication of two size-(n + 1) polynomials. This paper speeds up Shokrollahi's method in several ways. It first presents a simpler algorithm that uses only size-n polynomials. It then explains how to reduce the transformation cost by dynamically switching to a `type-II optimal polynomial basis' and by using a new reduction strategy for multiplications that produce output in type-II polynomial basis. As an illustration of its improvements, this paper explains in detail how the multiplication over- head in Shokrollahi's original method has been reduced by a factor of 1:4 in a major cryptanalytic computation, the ongoing attack on the ECC2K-130 Certicom challenge. The resulting overhead is also considerably smaller than the overhead in a traditional low-weight-polynomial-basis ap- proach. This is the first state-of-the-art binary-elliptic-curve computation in which type-II bases have been shown to outperform traditional low-weight polynomial bases.
    [Show full text]
  • Time Complexity Analysis of Cloud Data Security: Elliptical Curve and Polynomial Cryptography
    International Journal of Computer Sciences and Engineering Open Access Research Paper Vol.-7, Issue-2, Feb 2019 E-ISSN: 2347-2693 Time Complexity Analysis of Cloud Data Security: Elliptical Curve and Polynomial Cryptography D.Pharkkavi1*, D. Maruthanayagam2 1Sri Vijay Vidyalaya College of Arts & Science, Dharmapuri, Tamilnadu, India 2PG and Research Department of Computer Science, Sri Vijay Vidyalaya College of Arts & Science, Dharmapuri, Tamilnadu, India *Corresponding Author: [email protected] DOI: https://doi.org/10.26438/ijcse/v7i2.321331 | Available online at: www.ijcseonline.org Accepted: 10/Feb/2019, Published: 28/Feb/2019 Abstract- Encryption becomes a solution and different encryption techniques which roles a significant part of data security on cloud. Encryption algorithms is to ensure the security of data in cloud computing. Because of a few limitations of pre-existing algorithms, it requires for implementing more efficient techniques for public key cryptosystems. ECC (Elliptic Curve Cryptography) depends upon elliptic curves defined over a finite field. ECC has several features which distinguish it from other cryptosystems, one of that it is relatively generated a new cryptosystem. Several developments in performance have been found out during the last few years for Galois Field operations both in Normal Basis and in Polynomial Basis. On the other hand, there is still some confusion to the relative performance of these new algorithms and very little examples of practical implementations of these new algorithms. Efficient implementations of the basic arithmetic operations in finite fields GF(2m) are need for the applications of coding theory and cryptography. The elements in GF(2m) know how to be characterized in a choice of bases.
    [Show full text]
  • Method for Effectiveness Assessment of Electronic Warfare Systems In
    S S symmetry Article Method for Effectiveness Assessment of Electronic Warfare Systems in Cyberspace Seungcheol Choi 1, Oh-Jin Kwon 1,* , Haengrok Oh 2 and Dongkyoo Shin 3 1 Department of Electrical Engineering, Sejong University, 209 Neungdong-ro, Gwangjin-gu, Seoul 05006, Korea; [email protected] 2 Agency for Defense Development (ADD), Seoul 05771, Korea; [email protected] 3 Department of Computer Engineering, Sejong University, 209 Neungdong-ro, Gwangjin-gu, Seoul 05006, Korea; [email protected] * Correspondence: [email protected] Received: 27 November 2020; Accepted: 16 December 2020; Published: 18 December 2020 Abstract: Current electronic warfare (EW) systems, along with the rapid development of information and communication technology, are essential elements in the modern battlefield associated with cyberspace. In this study, an efficient evaluation framework is proposed to assess the effectiveness of various types of EW systems that operate in cyberspace, which is recognized as an indispensable factor affecting modern military operations. The proposed method classifies EW systems into primary and sub-categories according to EWs’ types and identifies items for the measurement of the effectiveness of each EW system by considering the characteristics of cyberspace for evaluating the damage caused by cyberattacks. A scenario with an integrated EW system incorporating two or more different types of EW equipment is appropriately provided to confirm the effectiveness of the proposed framework in cyber electromagnetic warfare. The scenario explicates an example of assessing the effectiveness of EW systems under cyberattacks. Finally, the proposed method is demonstrated sufficiently by assessing the effectiveness of the EW systems using the scenario.
    [Show full text]
  • Intra-Basis Multiplication of Polynomials Given in Various Polynomial Bases
    Intra-Basis Multiplication of Polynomials Given in Various Polynomial Bases S. Karamia, M. Ahmadnasabb, M. Hadizadehd, A. Amiraslanic,d aDepartment of Mathematics, Institute for Advanced Studies in Basic Sciences (IASBS), Zanjan, Iran bDepartment of Mathematics, University of Kurdistan, Sanandaj, Iran cSchool of STEM, Department of Mathematics, Capilano University, North Vancouver, BC, Canada dFaculty of Mathematics, K. N. Toosi University of Technology, Tehran, Iran Abstract Multiplication of polynomials is among key operations in computer algebra which plays important roles in developing techniques for other commonly used polynomial operations such as division, evaluation/interpolation, and factorization. In this work, we present formulas and techniques for polynomial multiplications expressed in a variety of well-known polynomial bases without any change of basis. In particular, we take into consideration degree-graded polynomial bases including, but not limited to orthogonal polynomial bases and non-degree-graded polynomial bases including the Bernstein and Lagrange bases. All of the described polynomial multiplication formulas and tech- niques in this work, which are mostly presented in matrix-vector forms, preserve the basis in which the polynomials are given. Furthermore, using the results of direct multiplication of polynomials, we devise techniques for intra-basis polynomial division in the polynomial bases. A generalization of the well-known \long division" algorithm to any degree-graded polynomial basis is also given. The proposed framework deals with matrix-vector computations which often leads to well-structured matrices. Finally, an application of the presented techniques in constructing the Galerkin repre- sentation of polynomial multiplication operators is illustrated for discretization of a linear elliptic problem with stochastic coefficients.
    [Show full text]
  • Hardware and Software Normal Basis Arithmetic for Pairing Based
    Hardware and Software Normal Basis Arithmetic for Pairing Based Cryptography in ? Characteristic Three R. Granger, D. Page and M. Stam Department of Computer Science, University of Bristol, MerchantVenturers Building, Wo o dland Road, Bristol, BS8 1UB, United Kingdom. fgranger, page, [email protected] Abstract. Although identity based cryptography o ers a number of functional advantages over conventional public key metho ds, the compu- tational costs are signi cantly greater. The dominant part of this cost is the Tate pairing which, in characteristic three, is b est computed using the algorithm of Duursma and Lee. However, in hardware and constrained environments this algorithm is unattractive since it requires online com- putation of cub e ro ots or enough storage space to pre-compute required results. We examine the use of normal basis arithmetic in characteristic three in an attempt to get the b est of b oth worlds: an ecient metho d for computing the Tate pairing that requires no pre-computation and that may also be implemented in hardware to accelerate devices such as smart-cards. Since normal basis arithmetic in characteristic three has not received much attention b efore, we also discuss the construction of suitable bases and asso ciated curve parameterisations. 1 Intro duction Since it was rst suggested in 1984 by Shamir [29], the concept of identity based cryptography has b een an attractive target for researchers b ecause of the p oten- tial for simplifying conventional approaches to public key based systems. The central idea is that the public key for a user is simply their identity and is hence implicitly known to all other users.
    [Show full text]
  • Lecture 8: Stream Ciphers - LFSR Sequences
    Lecture 8: Stream ciphers - LFSR sequences Thomas Johansson T. Johansson (Lund University) 1 / 42 Introduction Symmetric encryption algorithms are divided into two main categories, block ciphers and stream ciphers. Block ciphers tend to encrypt a block of characters of a plaintext message using a fixed encryption transformation A stream cipher encrypt individual characters of the plaintext using an encryption transformation that varies with time. A stream cipher built around LFSRs and producing one bit output on each clock = classic stream cipher design. T. Johansson (Lund University) 2 / 42 A stream cipher z , z ,... keystream 1 2 generator m , m , . .? c , c ,... 1 2 - 1 2 - m z = z1, z2,... keystream key K T. Johansson (Lund University) 3 / 42 A stream cipher Design goal is to efficiently produce random-looking sequences that are as “indistinguishable” as possible from truly random sequences. Recall the unbreakable Vernam cipher. For a synchronous stream cipher, a known-plaintext attack (or chosen-plaintext or chosen-ciphertext) is equivalent to having access to the keystream z = z1, z2, . , zN . We assume that an output sequence z of length N from the keystream generator is known to Eve. T. Johansson (Lund University) 4 / 42 Type of attacks Key recovery attack: Eve tries to recover the secret key K. Distinguishing attack: Eve tries to determine whether a given sequence z = z1, z2, . , zN is likely to have been generated from the considered stream cipher or whether it is just a truly random sequence. Distinguishing attack is a much weaker attack T. Johansson (Lund University) 5 / 42 Distinguishing attack Let D(z) be an algorithm that takes as input a length N sequence z and as output gives either “X” or “RANDOM”.
    [Show full text]