DOCSLIB.ORG

Four Dimensional Decompositions on a Q-Curve Over the Mersenne

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Four Dimensional Decompositions on a Q-Curve Over the Mersenne Four-dimensional decompositions on a -curve Joint work with Patrick Longa http://research.microsoft.com/pubs/246916/main.pdf “NIST should generate a new set of elliptic curves […] and should incorporate the latest knowledge…” [Edward Felten, VCAT document, page 9]. “NIST should generate a new set of elliptic curves […] and should incorporate the latest knowledge…” [Edward Felten, VCAT document, page 9]. Some 21st century ECC milestones 2001: CM endomorphisms [GLV01] 2007: Edwards curves [Edw07,BL07] 2008: Twisted Edwards coordinates [BBJ+08,HCWD08] 2009: Frobenius endomorphisms [GLS09] 2013: Q-curve endomorphisms [Smi13] “NIST should generate a new set of elliptic curves […] and should incorporate the latest knowledge…” [Edward Felten, VCAT document, page 9]. Some 21st century ECC milestones 2001: CM endomorphisms [GLV01] 2007: Edwards curves [Edw07,BL07] 2008: Twisted Edwards coordinates [BBJ+08,HCWD08] 2009: Frobenius endomorphisms [GLS09] 2013: Q-curve endomorphisms [Smi13] “I don't care about a performance difference unless it is at least a factor of two.” [Phillip Hallam-Baker, CFRG mailing list, 12 Mar 2015, 3 Feb 2015,…]. “I don't care about a performance difference unless it is at least a factor of two.” [Phillip Hallam-Baker, CFRG mailing list, 12 Mar 2015, 3 Feb 2015,…]. #cycles(NUMS,curve25519,etc) #cycles( ) ≫ 2.5 #cycles(NIST Curvep256) #cycles( ) ≫ 4.5 “Minimize tensions between speed, simplicity, & security.” [Daniel J. Bernstein, CFRG mailing list, 1 Aug 2014, 21 Nov 2014, …]. “Minimize tensions between speed, simplicity, & security.” [Daniel J. Bernstein, CFRG mailing list, 1 Aug 2014, 21 Nov 2014, …]. speed 3 speed 푇3 푇1 푇푖 = 0 푖=1 simplicity 푇2 security The curve 2 2 2 2 퐸/ 픽푝2: −푥 + 푦 = 1 + 푑푥 푦 , 푑 = 125317048443780598345676279555970305165 ⋅ 푖 + 4205857648805777768770 #퐸 = 392 ⋅ 푁 , where 푁 is a 246-bit prime The curve 2 2 2 2 퐸/ 픽푝2: −푥 + 푦 = 1 + 푑푥 푦 , 푑 = 125317048443780598345676279555970305165 ⋅ 푖 + 4205857648805777768770 #퐸 = 392 ⋅ 푁 , where 푁 is a 246-bit prime • Fastest (large char) ECC addition laws are complete on 퐸 • 퐸 is a degree-2 Q-curve: endomorphism 휓 • 퐸 has CM by order of 퐷 = −40: endomorphism 휙 256 • 휓 푃 = 휆휓 푃 and 휙 푃 = 휆휙 푃 for all 푃 ∈ 퐸[푁] and 푚 ∈ [0,2 ) 푚 ↦ 푎1, 푎2, 푎3, 푎4 푚 푃 = 푎1 푃 + 푎2 휙 푃 + 푎3 휓 푃 + 푎4 휓(휙(푃)) Security aspects • Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁 Security aspects • Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁 • Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙 Security aspects • Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁 • Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙 • 픽푝2 safe against index calculus/Weil descent Security aspects • Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁 • Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙 • 픽푝2 safe against index calculus/Weil descent • Large MOV degree and trace of Frobenius Security aspects • Pollard rho best attack on ECDLP: 2122.5 additions in 퐸 푁 • Unlike typical GLV and GLS endomorphisms, no speedup in rho from 휓 and 휙 • 픽푝2 safe against index calculus/Weil descent • Large MOV degree and trace of Frobenius • Yes, small discriminant (퐷 = −40), just like other standardized curves 푠푒푐푝192푘1, 푠푒푐푝224푘1, 푠푒푐푝256푘1 (Bitcoin’s curve) Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. 푚 = 64840569332679984426672436340494668739430332089137885001096300239355695153788 푎1 = 14445124749170047041 푎2 = 11638376461179115075 푎3 = 5032911711680286358 푎4 = 881092582828842431 Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. 푚 = 64840569332679984426672436340494668739430332089137885001096300239355695153788 푎1 = 14445124749170047041 푎2 = 11638376461179115075 푎3 = 5032911711680286358 푎4 = 881092582828842431 푎1 = 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1 푃 푎2 = 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1 휙(푃) 푎3 = 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0 휓(푃) 푎4 = 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0 휙 휓 푃 Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. 푚 = 64840569332679984426672436340494668739430332089137885001096300239355695153788 푎1 = 14445124749170047041 푎2 = 11638376461179115075 푎3 = 5032911711680286358 푎4 = 881092582828842431 푎1 = 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1 푃 푎2 = 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1 휙(푃) 푎3 = 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0 휓(푃) 푎4 = 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0 휙 휓 푃 do nothings can leak info! Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. 푚 = 64840569332679984426672436340494668739430332089137885001096300239355695153788 푎1 = 14445124749170047041 푎2 = 11638376461179115075 푎3 = 5032911711680286358 푎4 = 881092582828842431 푎1 = 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1 푃 푎2 = 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1 휙(푃) 푎3 = 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0 휓(푃) 푎4 = 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0 휙 휓 푃 0, 1 1, −1 Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd. 푚 = 64840569332679984426672436340494668739430332089137885001096300239355695153788 푎1 = 14445124749170047041 푎2 = 11638376461179115075 푎3 = 5032911711680286358 푎4 = 881092582828842431 푎1 = 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1,-1 푃 푎2 = 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1 휙(푃) 푎3 = 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0 휓(푃) 푎4 = 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0 휙 휓 푃 0, 1 1, −1 Optimal Scalar Decompositions 푚 ↦ 푎1, 푎2, 푎3, 푎4 256 64 Prop 5: for all 푚 ∈ [0,2 ), decomposition yields four 푎푖 ∈ [1,2 ) with 푎1 odd.
Load more

Recommended publications
  • Microsoft Opensources Its C Standard Library STL
    Microsoft Open-sources Its C Standard Library (STL) 1 / 4 2 / 4 Microsoft Open-sources Its C Standard Library (STL) 3 / 4 Microsoft Visual Studio Team just opened sourced the C++ Standard Library (aka STL) ... The STL (Standard Template Library) was developed separately, and then ... But it was not developed as part of the C++ standard, and for this ... of the C++ Standard Library (also known as the STL) as open source.. That means you'll be able to compile C++ programs against both and it'll work, but it also means reactos can just include the actual C++ standard binary and .... STL, their C++ standard library... http://www.phoronix.com/scan.php?page=news_item&px=Microsoft-STL-Open-Source.. ... our implementation of the C++ Standard Library (also known as the STL) as open source. https://github.com/microsoft/STL is our new repository, containing all of ... As it explains, we're still working on migrating to GitHub.. Microsoft has made its implementation of the Standard Library of C++ open-source on GitHub. The implementation becomes available under .... Microsoft C++ Standard Library wordt open source ... Op de Github site https://github.com/microsoft/STL staat de nieuwe repository, die een .... Last week, Microsoft open-sourced its implementation of the C++ Standard Library, also known as STL. The library is shipped along with MSVC (Microsoft Visual C++ compiler) toolset and the Visual Studio IDE. ... Users can use the C++ library repo for participating in the STL’s .... MSVC's implementation of the C++ Standard Library. ... But if you need parts of your own source code to trigger the STL bug, you need to extract that for us.
    [Show full text]
  • Downloaded from the Same Web Page
    Finding short and implementation-friendly addition chains with evolutionary algorithms The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation Picek, Stjepan et al. “Finding Short and Implementation-Friendly Addition Chains with Evolutionary Algorithms.” Journal of Heuristics 24, 3 (June 2017): 457–481 © 2017 Springer Science+Business Media, LLC As Published https://doi.org/10.1007/s10732-017-9340-2 Publisher Springer-Verlag Version Author's final manuscript Citable link http://hdl.handle.net/1721.1/115968 Terms of Use Article is made available in accordance with the publisher's policy and may be subject to US copyright law. Please refer to the publisher's site for terms of use. Journal of Heuristics manuscript No. (will be inserted by the editor) Finding Short and Implementation-friendly Addition Chains with Evolutionary Algorithms Stjepan Picek · Carlos A. Coello Coello · Domagoj Jakobovic · Nele Mentens Received: date / Accepted: date Abstract Finding the shortest addition chain for a given exponent is a sig- nificant problem in cryptography. In this work, we present a genetic algorithm with a novel encoding of solutions and new crossover and mutation opera- tors to minimize the length of the addition chains corresponding to a given exponent. We also develop a repair strategy that significantly enhances the performance of our approach. The results are compared with respect to those generated by other metaheuristics for exponents of moderate size, but we also investigate values up to 2255 − 21. For numbers of such size, we were unable to find any results produced by other metaheuristics which could be used for comparison purposes.
    [Show full text]
  • A NATIONAL STRATEGY to RESTORE COASTAL and ESTUARINE HABITAT Dear Friend
    A NATIONAL STRATEGY TO RESTORE COASTAL AND ESTUARINE HABITAT Dear Friend, The rich interplay between the land and the sea creates one of America’s most valuable natural, economic, and cultural res o u r ces—its estuaries and coasts. In this unique nexus— characterized by the dynamic blending of salt and fresh water during tidal cycles—abundant life is created and nurtu re d . Estuaries nurtu r e not only shellfish, fish, and wildlife, but also nourish the human spirit. We ar e from the sea, and we are continually lured back to its edge, rei n f o r cing the kinship we sh a r e with this place as we sail, fish, swim, and relax near a glistening bay or a rocky shore. And yet, no place on earth more directly embodies the challenge of balancing human needs and the needs of other species than estuaries. By 2025, 75 percent of our population will live within 50 miles of the coast. We must learn how to develop our own habitat while also pro- tecting and restoring the very essence of what binds us to our coasts. Re s t o r e America’s Estuaries and the National Oceanic and Atmospheric Administration are pleased to present A National Strategy to Restore Coastal and Estuarine Habitat, and we are grateful to the scores of scientists, restoration practitioners, program managers, and others who contributed their expertise and insights. This National Strategy takes a major step to w a r d reclaiming losses of the past 200 years. We look forwa r d to continued collaboration as we move forwa r d and reinvest in our coastal and estuarine habitats.
    [Show full text]
  • Fourq on ASIC: Breaking Speed Records for Elliptic Curve Scalar Multiplication
    FourQ on ASIC: Breaking Speed Records for Elliptic Curve Scalar Multiplication Hiromitsu Awano∗ and Makoto Ikeda† VLSI Design and Education Center, The University of Tokyo Hongo 7-3-1, Bunkyo-ku, Tokyo, Japan, 113–8656 Email: ∗[email protected], †[email protected] Abstract—An ASIC cryptoprocessor for scalar multiplication To reduce the key size without degrading the security level, (SM) on FourQ is proposed. By exploiting Karatsuba multi- elliptic curve digital signature algorithms (ECDSAs) have been plication and lazy reduction techniques, the arithmetic units developed. In comparison to RSA, ECDSA exploits a scalar of the proposed processor are tailored for operations over multiplication, the repetitive additions of a point along an quadratic extension field (Fp2 ). We also propose an automated instruction scheduling methodology based on a combinatorial elliptic curve, to produce a one-way function. ECDSA is optimization solver to fully exploit the available instruction- known to achieve the same security strength with only a 1/10 level parallelism. With the proposed processor fabricated by of key length used in RSA [4], e.g., a 256 bit elliptic curve using a 65 nm silicon-on-thin-box (SOTB) CMOS process, we public key should provide comparable security to a 3072 bit demonstrate that an SM can be computed in 10.1 μs when a typical operating voltage of 1.20 V is applied, which corresponds RSA public key, which drastically reduce the key storage and to 3.66× acceleration compared to the conventional P-256 curve transmission cost and is suitable for embedded applications.
    [Show full text]
  • Compact Variable-Base ECC Scalar Multiplication Using Euclidean Addition Chains
    Compact Variable-base ECC Scalar Multiplication using Euclidean Addition Chains Fabien Herbaut1, Nicolas Meloni´ 2 and Pascal Veron´ 2 1INSPE Nice-Toulon, Universite´ Coteˆ d’Azur, Institut de Mathematiques´ de Toulon, France 2Institut de Mathematiques´ de Toulon, Universite´ de Toulon, France Keywords: Elliptic Curves, Scalar Multiplication, Side-channel Protection, Memory Usage, Addition Chain. Abstract: The random generation of Euclidean addition chains fits well with a GLV context (Dosso et al., 2018) and provides a method with decent performance despite the growth of the base field required to get the same level of security. The aim of this paper is to reduce the size of the base field required. Combined with an algorithmic improvement, we obtain a reduction of 21% of the memory usage. Hence, our method appears to be one of the most compact scalar multiplication procedure and is particularly suitable for lightweight applications. 1 INTRODUCTION AND a larger curve as compared to other methods for the CONTEXT same security level. But despite the growth of the base field, it provides decent speed results and very The increasing importance of smart devices such as good memory usage performance. smart cards or sensor networks comes with growing The aim of this paper is to improve the method needs for low cost algorithms in the area of crypto- described in Section 4 of (Dosso et al., 2018). First, graphic primitives. Relevant solutions should involve we obtain an asymptotic reduction of 7.97% of the low memory usage and a compact code which does size of the base field required. Next, we modify the not sacrifice protection against physical attacks.
    [Show full text]
  • Listening in Paris: a Cultural History, by James H
    Listening in Paris STUDIES ON THE HISTbRY OF SOCIETY AND CULTURE Victoria E. Bonnell and Lynn Hunt, Editors 1. Politics, Culture, and Class in the French Revolution, by Lynn Hunt 2. The People ofParis: An Essay in Popular Culture in the Eighteenth Century, by Daniel Roche 3. Pont-St-Pierre, 1398-1789: Lordship, Community, and Capitalism in Early Modern France, by Jonathan Dewald 4. The Wedding of the Dead: Ritual, Poetics, and Popular Culture in Transylvania, by Gail Kligman 5. Students, Professors, and the State in Tsarist Russia, by Samuel D. Kass ow 6. The New Cultural History, edited by Lynn Hunt 7. Art Nouveau in Fin-de-Siecle France: Politics, Psychology, and Style, by Debora L. Silverman 8. Histories ofa Plague Year: The Social and the Imaginary in Baroque Florence, by Giulia Calvi 9. Culture ofthe Future: The Proletkult Movement in Revolutionary Russia, by Lynn Mally 10. Bread and Authority in Russia, 1914-1921, by Lars T. Lih 11. Territories ofGrace: Cultural Change in the Seventeenth-Century Diocese of Grenoble, by Keith P. Luria 12. Publishing and Cultural Politics in Revolutionary Paris, 1789-1810, by Carla Hesse 13. Limited Livelihoods: Gender and Class in Nineteenth-Century England, by Sonya 0. Rose 14. Moral Communities: The Culture of Class Relations in the Russian Printing Industry, 1867-1907, by Mark Steinberg 15. Bolshevik Festivals, 1917-1920, by James von Geldern 16. 'l&nice's Hidden Enemies: Italian Heretics in a Renaissance City, by John Martin 17. Wondrous in His Saints: Counter-Reformation Propaganda in Bavaria, by Philip M. Soergel 18. Private Lives and Public Affairs: The Causes Celebres ofPre­ Revolutionary France, by Sarah Maza 19.
    [Show full text]
  • Symbolic Verification of Cache Side-Channel Freedom
    1 Symbolic Verification of Cache Side-channel Freedom Sudipta Chattopadhyay, Abhik Roychoudhury Abstract—Cache timing attacks allow third-party observers reasoning over multiple execution traces. To this end, we pro- to retrieve sensitive information from program executions. But, pose a symbolic verification technique within our CACHEFIX is it possible to automatically check the vulnerability of a framework. Concretely, we capture the cache behaviour of a program against cache timing attacks and then, automatically shield program executions against these attacks? For a given program via symbolic constraints over program inputs. Then, program, a cache configuration and an attack model, our we leverage recent advances on satisfiability modulo theory CACHEFIX framework either verifies the cache side-channel (SMT) and constraint solving to (dis)prove the cache side- freedom of the program or synthesizes a series of patches to channel freedom of a program. ensure cache side-channel freedom during program execution. An appealing feature of our CACHEFIX approach is to At the core of our framework is a novel symbolic verification technique based on automated abstraction refinement of cache employ symbolic reasoning over the real counterexample semantics. The power of such a framework is to allow symbolic traces. To this end, we systematically explore real counterex- reasoning over counterexample traces and to combine it with ample traces and apply such symbolic reasoning to synthesize runtime monitoring for eliminating cache side channels during patches. Each synthesized patch captures a symbolic condition program execution. Our evaluation with routines from OpenSSL, ν on input variables and a sequence of actions that needs libfixedtimefixedpoint, GDK and FourQlib libraries to be applied when the program is processed with inputs reveals that our CACHEFIX approach (dis)proves cache side- channel freedom within an average of 75 seconds.
    [Show full text]
  • View Protocol for Digital TV, Is Mostly Implemented in Lua of the Entire System
    Oliveira et al. Journal of Internet Services and Applications (2018) 9:24 Journal of Internet Services https://doi.org/10.1186/s13174-018-0095-2 and Applications RESEARCH Open Access The computer for the 21st century: present security & privacy challenges Leonardo B. Oliveira1*, Fernando Magno Quintão Pereira2, Rafael Misoczki3, Diego F. Aranha4, Fábio Borges5, Michele Nogueira6, Michelle Wangham7,MinWu8 and Jie Liu9 Abstract Decades went by since Mark Weiser published his influential work on the computer of the 21st century. Over the years, some of the UbiComp features presented in that paper have been gradually adopted by industry players in the technology market. While this technological evolution resulted in many benefits to our society, it has also posed, along the way, countless challenges that we have yet to surpass. In this paper, we address major challenges from areas that most afflict the UbiComp revolution: 1. Software Protection: weakly typed languages, polyglot software, and networked embedded systems. 2. Long-term Security: recent advances in cryptanalysis and quantum attacks. 3. Cryptography Engineering: lightweight cryptosystems and their secure implementation. 4. Resilience: issues related to service availability and the paramount role of resilience. 5. Identity Management: requirements to identity management with invisibility. 6. Privacy Implications: sensitivity data identification and regulation. 7. Forensics: trustworthy evidence from the synergy of digital and physical world. We point out directions towards the solutions of those problems and claim that if we get all this right, we will turn the science fiction of UbiComp into science fact. Keywords: UbiComp, Security, Privacy, Cryptography, Forensics 1 Introduction concepts regarding pervasive and ubiquitous comput- In 1991, Mark Weiser described a vision of the Com- ing (UbiComp) [2, 3]havebeenmaterializedintowhat puter for the 21st Century [1].
    [Show full text]
  • Artificial Intelligence Is Taking Over Banking. but What Are Its Limitations — and Is the Industry Prepared for a Future Without Those Limitations?
    April 2021 | americanbanker.com Artificial intelligence is taking over banking. But what are its limitations — and is the industry prepared for a future without those limitations? BEST FINTECHS TO WORK FOR 2021 P. 20 HOW THE PANDEMIC CHANGED BANK MARKETING P. 26 0C1_ABM0421.indd 1 3/24/21 10:59 AM It’s time to hear their voices Access Denied is a revolutionary podcast featuring more than two dozen professionals providing a comprehensive examination of institutional barriers and outright racism across many sectors of fi nancial services. Sign up and listen: fi nancial-planning.com/access-denied ABM_0421.indd 2 3/24/2021 12:55:51 PM 0C4_ABM0121.indd 1 1/13/21 6:09 PM Photo: Gettyimages Photo: Table of Contents Deposits & Withdrawals: Should banks look beyond FICO? p. 4 Credit reports and credit scores are central to the way consumer credit is determined. But do those scores accurately reflect a borrower’s ability to repay? Photo: Bloomberg News Bloomberg Photo: The ghosts of AI present and future Teller’s Window: p. 10 Connection interrupted p. 6 Artificial intelligence is transforming the U.S. bank- ing industry, influencing verythinge from customer The pandemic forced many banks to rethink their on- service to credit underwriting. But what areas are out boarding and marketing strategies to serve and retain of AI’s reach, and what risks are there in adopting AI customers. A survey by Arizent finds that omes banks aggressively — or not aggressively enough? are making the change more proactively than others. Bank Marketing: Changing channels p. 26 Banks have had to switch their marketing strategy rapidly during the pandemic, eschewing TV and bill- boards and turning to online spots and virtual events.
    [Show full text]
  • Fourq: Four-Dimensional Decompositions on a Q-Curve Over the Mersenne Prime
    FourQ: four-dimensional decompositions on a Q-curve over the Mersenne prime Craig Costello and Patrick Longa Microsoft Research, USA {craigco,plonga}@microsoft.com Abstract. We introduce FourQ, a high-security, high-performance elliptic curve that targets the 128- bit security level. At the highest arithmetic level, cryptographic scalar multiplications on FourQ can use a four-dimensional Gallant-Lambert-Vanstone decomposition to minimize the total number of el- liptic curve group operations. At the group arithmetic level, FourQ admits the use of extended twisted Edwards coordinates and can therefore exploit the fastest known elliptic curve addition formulas over large prime characteristic fields. Finally, at the finite field level, arithmetic is performed modulo the extremely fast Mersenne prime p = 2127 − 1. We show that this powerful combination facilitates scalar multiplications that are significantly faster than all prior works. On Intel's Broadwell, Haswell, Ivy Bridge and Sandy Bridge architectures, our software computes a variable-base scalar multiplication in 50,000, 56,000, 69,000 cycles and 72,000 cycles, respectively; and, on the same platforms, our soft- ware computes a Diffie-Hellman shared secret in 80,000, 88,000, 104,000 cycles and 112,000 cycles, respectively. These results show that, in practice, FourQ is around four to five times faster than the original NIST P-256 curve and between two and three times faster than curves that are currently under consideration as NIST alternatives, such as Curve25519. 1 Introduction 2 2 2 2 This paper introduces a new, complete twisted Edwards [5] curve E(Fp2 ): −x + y = 1 + dx y , 127 where p is the Mersenne prime p = 2 − 1, and d is a non-square in Fp2 .
    [Show full text]
  • Verifying Constant-Time Implementations
    Verifying Constant-Time Implementations José Bacelar Almeida, HASLab/INESC TEC and University of Minho; Manuel Barbosa, HASLab/INESC TEC and DCC FCUP; Gilles Barthe and François Dupressoir, IMDEA Software Institute; Michael Emmi, Bell Labs and Nokia https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/almeida This paper is included in the Proceedings of the 25th USENIX Security Symposium August 10–12, 2016 • Austin, TX ISBN 978-1-931971-32-4 Open access to the Proceedings of the 25th USENIX Security Symposium is sponsored by USENIX Verifying Constant-Time Implementations José Bacelar Almeida Manuel Barbosa HASLab - INESC TEC & Univ. Minho HASLab - INESC TEC & DCC FCUP Gilles Barthe François Dupressoir Michael Emmi IMDEA Software Institute IMDEA Software Institute Bell Labs, Nokia Abstract in the execution platform [23] or by interacting remotely The constant-time programming discipline is an effective with the implementation through a network. Notable ex- countermeasure against timing attacks, which can lead to amples of the latter include Brumley and Boneh’s key complete breaks of otherwise secure systems. However, recovery attacks against OpenSSL’s implementation of adhering to constant-time programming is hard on its the RSA decryption operation [15]; and the Canvel et own, and extremely hard under additional efficiency and al. [16] and Lucky 13 [4] timing-based padding-oracle legacy constraints. This makes automated verification of attacks, that recover application data from SSL/TLS con- constant-time code an essential component for building nections [38]. A different class of timing attacks exploit secure software. side-effects of cache-collisions; here the attacker infers We propose a novel approach for verifying constant- memory-access patterns of the target program — which time security of real-world code.
    [Show full text]
  • Fourq on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography Over Large Prime Characteristic Fields
    FourQ on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime Characteristic Fields B Kimmo J¨arvinen1, Andrea Miele2, Reza Azarderakhsh3, and Patrick Longa4( ) 1 Department of Computer Science, Aalto University, Espoo, Finland [email protected] 2 Intel Corporation, Santa Clara, USA [email protected] 3 Department of Computer Engineering, Rochester Institute of Technology, Rochester, USA [email protected] 4 Microsoft Research, Redmond, USA [email protected] Abstract. We present fast and compact implementations of FourQ (ASIACRYPT 2015) on field-programmable gate arrays (FPGAs), and demonstrate, for the first time, the high efficiency of this new ellip- tic curve on reconfigurable hardware. By adapting FourQ’s algorithms to hardware, we design FPGA-tailored architectures that are sig- nificantly faster than any other ECC alternative over large prime characteristic fields. For example, we show that our single-core and multi-core implementations can compute at a rate of 6389 and 64730 scalar multiplications per second, respectively, on a Xilinx Zynq-7020 FPGA, which represent factor-2.5 and 2 speedups in comparison with the corresponding variants of the fastest Curve25519 implementation on the same device. These results show the potential of deploying FourQ on hardware for high-performance and embedded security applications. All the presented implementations exhibit regular, constant-time execution, protecting against timing and simple side-channel attacks. Keywords: Elliptic curves · FourQ · FPGA · Efficient hardware imple- mentation · Constant-time · Simple side-channel attacks 1 Introduction With the growing deployment of elliptic curve cryptography (ECC) [15,24]in place of traditional cryptosystems such as RSA, compact, high-performance ECC-based implementations have become crucial for embedded systems and hardware applications.
    [Show full text]