DOCSLIB.ORG

Cryptography for Next Generation TLS

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Cryptography for Next Generation TLS: Implementing the RFC 7748 Elliptic Curve448 Cryptosystem in Hardware Pascal Sasdrich Tim Güneysu Horst Görtz Institute for IT Security, University of Bremen & DFKI Ruhr-Universität Bochum [email protected] [email protected] ABSTRACT has to be implemented on various physical and embedded With RFC 7748 the two elliptic curves Curve25519 and devices. But since both curves were primarily designed for Curve448 were proposed for the next generation of TLS. software platforms (x86/x64) and without explicit evalua- Both curves were designed and optimized purely for software tion of their resistance against low-level physical such as implementation; their implementation in hardware or phys- side-channel attacks, we still need to investigate the hard- ical protection against side-channel attacks were not con- ware implementation of both curves in combination with sidered in the design phase. Recently, it has been shown suitable countermeasures. that for Curve25519 an efficient implementations in hard- ware along with side-channel protection is feasible { yet re- Contribution. In this work, we present an efficient hard- sults for the high-security Curve448 are missing. In this ware implementation of Curve448 for modern Xilinx Field- work we demonstrate that Curve448 can indeed be efficiently Programmable Gate Array (FPGA) devices. Our work fills and securely implemented in hardware. We present a novel the gap left from the previous work on Curve25519 [14, 15]. architecture for Curve448 that can compute more than 1000 Despite of the similarity of Curve448 and Curve25519, we point multiplications per second with 1580 logic slices and were faced with completely revising the design rationales 33 DSP units of a Xilinx XC7Z020 FPGA. due to specially-crafted parameters and the significantly in- creased field size of 448 bits. Interestingly, we can demon- Keywords strate that even in light of the asymptotically growing com- plexity in the field size, Curve448 still can provide similarly Curve448, RFC 7748, FPGA, high-performance, implemen- high throughput on a mid-range Xilinx XC7Z020 FPGA, tation, side-channel, countermeasure providing a performance of more than 1000 point multipli- cations per second at moderate resource costs. 1. INTRODUCTION Elliptic Curve Cryptography (ECC) has become the most Outline. This work is organized as follows: In Section 2 predominant scheme in the area of asymmetric cryptogra- we summarize and discuss previous but related work of rel- phy during the last decade. However, recent revelations on evance before we give a brief introduction into the topic of manipulations and backdoors have undermined the confi- ECC in Section 3, focusing on Curve448 in particular. Be- dence in existing schemes and led to discussion among re- fore presenting the final implementation details in Section 5, searchers and standardization bodies on the selection of new we discuss optimization strategies and justify our final de- curves and the rigidity of existing curve generation pro- sign choices in Section 4. Eventually, implementation and cesses. Within these discussions, the Internet Engineering performance results are summarized and presented in Sec- Task Force (IETF) Transport Layer Security (TLS) working tion 6 before we conclude in Section 7. group requested new recommendations on elliptic curves for the next generation of TLS on which the Internet Research 2. PREVIOUS WORK Task Force (IRTF) Crypto Forum Research Group (CFRG) ECC has been proposed independently by Neal Koblitz [7] has selected two candidates for the RFC 7748: Curve25519 and Victor Miller [10] in 1985. Since then, it has established and Curve448. Simultaneously, the IETF curdle group pro- as a viable field of research in public-key cryptography and posed both curves for application in future protocols such as has been implemented in a great number of industrial prod- DNSSEC. With further emergence of, e.g., self-driving cars, ucts. Up to date, there exists a plethora of publications on high-performance TLS (including Curve25519 and Curve448) hardware implementations that we will not cover or discuss Permission to make digital or hard copies of all or part of this work for personal or within the scope of this work. Instead we restrict ourselves classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation to briefly list the most relevant ones. However, for a de- on the first page. Copyrights for components of this work owned by others than the tailed history and list of references we would like to refer author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or the interested reader to [2]. republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. As one of the first ECC architectures implemented on a DAC ’17, June 18 - 22, 2017, Austin, TX, USA FPGA, in 2001, Orlando and Paar [12] presented a design using pre-computations and Montgomery multiplications for c 2017 Copyright held by the owner/author(s). Publication rights licensed to ACM. ISBN 978-1-4503-4927-7/17/06. $15.00 improved performance results. Their work was followed by DOI: http://dx.doi.org/10.1145/3061639.3062222 many more, including designs based on dedicated multi- pliers [13] and integrated Digital Signal Processor (DSP) Due to its golden ratio φ the Solinas prime allows fast and units embedded into modern FPGAs [4]. In 2014, Sasdrich efficient Karatsuba-based multiplication of two operands A = and Guneysu¨ [14, 15] presented an FPGA architecture for (a0 + a1φ) and B = (b0 + b1φ), such that: Curve25519, the first candidate of RFC 7748. Recently, C = A · B = (a + a φ) · (b + b φ) = J¨arvinen et al. [6] presented a high-performance architecture 0 1 0 1 for FourQ, a novel elliptic curve with about 128 bit security (a0b0 + a1b1) + ((a0 + a1) · (b0 + b1) − a0b0)φ (2) that supports highly-efficient point multiplications. Eventually, modular inversion can be tweaked compared to modular inversions based on Fermat's Little Theorem 3. BACKGROUND (FLT) using that, if p ≡ 3 mod 4, the Inverse Square Root (p−3) p1 4 In this section we will briefly cover basic aspects of ECC. (ISR) can be computed as ± x = x , which directly Note, however, that we will only focus on ECC over prime leads to: fields. Further, we give a short introduction to Curve448 −1 1 2 2 (p−3) 2 p−2 and its specification. x = x · ( p ) = x · [(x ) 4 ] = x (3) ± x2 3.1 Elliptic Curve Cryptography 3.2.2 Group Arithmetic Given an elliptic curve E over the Galois Field GF (p) According to RFC 7748, the function X448 performs a (with p > 3), defined by the Edwards equation variable scalar-point multiplication on the Montgomery curve 2 2 2 2 (Curve448) using the Montgomery ladder algorithm [11] that Ed : y + x ≡ 1 + dx y (mod p); (1) enables the computation of a point addition and a point dou- we can define tuples of affine coordinates (xi; yi) as points bling in a single combined step. Hence, given two points Pi 2 E on the elliptic curve. Considering two points Pi; Pj , Q1; Q2 2 E and their difference Q3 = Q1 − Q2, a single step we can define the basic group operations as point addition of the Montgomery ladder algorithm computes two points if i 6= j and point doubling if i = j. Moving from affine Q4; Q5 2 E such that Q4 = 2 ·Q1 = (x4; z4) is the point coordinate to projective coordinate representations, hence doubling with: defining points on E as tuples (xi; yi; zi), curve equations can 2 2 be relaxed in order to reduce the number of costly operations x4 = (x1 − z1) · (x1 + z1) (4) 2 2 (i.e., modular inversions). z4 = 4x1z1 · (x1 + dx1z1 + z1 ) (5) Applying elliptic curves for cryptographic purposes relies on the Elliptic Curve Discrete Logarithm Problem (ECDLP) and Q5 = Q1 + Q2 = (x5; z5) is the point addition with: 2 which states that, given two points P; Q 2 E, it is hard to x5 = z3((x1 − z1) · (x2 + z2) + (x1 + z1) · (x2 − z2)) (6) find a scalar k such that Q = k ·P holds, whereas the point 2 multiplication is defined as a k-fold point addition of P. z5 = x3((x1 − z1) · (x2 + z2) − (x1 + z1) · (x2 − z2)) (7) Eventually, the ECDLP is the fundamental problem that Fortunately, these equations are independent of the y- allows building cryptographic protocols and schemes based coordinate which can be omitted during the intermediate on elliptic curves. Common examples include the Elliptic computation and only has to be restored for the final result. Curve Diffie-Hellman (ECDH) key exchange, the Elliptic In total, a single step of the Montgomery ladder algorithm Curve Digital Signature Algorithm (ECDSA) and the El- involves 6 multiplications, 4 squarings, 4 additions, and 4 Gamal encryption scheme. subtractions over GF (p). 3.2 Specification of Curve448 3.2.3 Point Multiplication Ed448-Goldilocks, in RFC 7748 denoted as Curve448, was Given a public point P 2 E and a secret 448-bit scalar proposed and designed by Mike Hamburg [5] in order to pro- k, the point multiplication routine computes another point vide a high-security alternative (i.e., a field size between 384 Q = k ·P using a sequence of consecutive Montgomery lad- and 521 bits) to existing NIST [9] and Brainpool curves [8]. der steps. For this purpose, the scalar is scanned bitwise The design process of Curve448 strictly heeded the Safe- (starting from the most significant bit) and depending on Curves policies and criteria [1] which should enable simple the value of the currently processed bit, inputs to a sin- but secure implementations of an elliptic curve that meets gle step of the Montgomery ladder algorithm are swapped.
Recommended publications
  • How to (Pre-)Compute a Ladder

    How to (Pre-)Compute a Ladder

    How to (pre-)compute a ladder Improving the performance of X25519 and X448 Thomaz Oliveira1, Julio L´opez2, H¨useyinHı¸sıl3, Armando Faz-Hern´andez2, and Francisco Rodr´ıguez-Henr´ıquez1 1 Computer Science Department, Cinvestav-IPN [email protected], [email protected] 2 Institute of Computing, University of Campinas [email protected], [email protected] 3 Yasar University [email protected] Abstract. In the RFC 7748 memorandum, the Internet Research Task Force specified a Montgomery-ladder scalar multiplication function based on two recently adopted elliptic curves, \curve25519" and \curve448". The purpose of this function is to support the Diffie-Hellman key ex- change algorithm that will be included in the forthcoming version of the Transport Layer Security cryptographic protocol. In this paper, we describe a ladder variant that permits to accelerate the fixed-point mul- tiplication function inherent to the Diffie-Hellman key pair generation phase. Our proposal combines a right-to-left version of the Montgomery ladder along with the pre-computation of constant values directly de- rived from the base-point and its multiples. To our knowledge, this is the first proposal of a Montgomery ladder procedure for prime elliptic curves that admits the extensive use of pre-computation. In exchange of very modest memory resources and a small extra programming effort, the proposed ladder obtains significant speedups for software implemen- tations. Moreover, our proposal fully complies with the RFC 7748 spec- ification. A software implementation of the X25519 and X448 functions using our pre-computable ladder yields an acceleration factor of roughly 1.20, and 1.25 when implemented on the Haswell and the Skylake micro- architectures, respectively.
  • The Complete Cost of Cofactor H = 1

    The Complete Cost of Cofactor H = 1

    The complete cost of cofactor h = 1 Peter Schwabe and Daan Sprenkels Radboud University, Digital Security Group, P.O. Box 9010, 6500 GL Nijmegen, The Netherlands [email protected], [email protected] Abstract. This paper presents optimized software for constant-time variable-base scalar multiplication on prime-order Weierstraß curves us- ing the complete addition and doubling formulas presented by Renes, Costello, and Batina in 2016. Our software targets three different mi- croarchitectures: Intel Sandy Bridge, Intel Haswell, and ARM Cortex- M4. We use a 255-bit elliptic curve over F2255−19 that was proposed by Barreto in 2017. The reason for choosing this curve in our software is that it allows most meaningful comparison of our results with optimized software for Curve25519. The goal of this comparison is to get an under- standing of the cost of using cofactor-one curves with complete formulas when compared to widely used Montgomery (or twisted Edwards) curves that inherently have a non-trivial cofactor. Keywords: Elliptic Curve Cryptography · SIMD · Curve25519 · scalar multiplication · prime-field arithmetic · cofactor security 1 Introduction Since its invention in 1985, independently by Koblitz [34] and Miller [38], elliptic- curve cryptography (ECC) has widely been accepted as the state of the art in asymmetric cryptography. This success story is mainly due to the fact that attacks have not substantially improved: with a choice of elliptic curve that was in the 80s already considered conservative, the best attack for solving the elliptic- curve discrete-logarithm problem is still the generic Pollard-rho algorithm (with minor speedups, for example by exploiting the efficiently computable negation map in elliptic-curve groups [14]).
  • Twisted Edwards Curves

    Twisted Edwards Curves

    Twisted Edwards Curves Daniel J. Bernstein1, Peter Birkner2, Marc Joye3, Tanja Lange2, and Christiane Peters2 1 Department of Mathematics, Statistics, and Computer Science (M/C 249) University of Illinois at Chicago, Chicago, IL 60607–7045, USA [email protected] 2 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O. Box 513, 5600 MB Eindhoven, Netherlands [email protected], [email protected], [email protected] 3 Thomson R&D France Technology Group, Corporate Research, Security Laboratory 1 avenue de Belle Fontaine, 35576 Cesson-S´evign´eCedex, France [email protected] Abstract. This paper introduces “twisted Edwards curves,” a general- ization of the recently introduced Edwards curves; shows that twisted Edwards curves include more curves over finite fields, and in particular every elliptic curve in Montgomery form; shows how to cover even more curves via isogenies; presents fast explicit formulas for twisted Edwards curves in projective and inverted coordinates; and shows that twisted Edwards curves save time for many curves that were already expressible as Edwards curves. Keywords: Elliptic curves, Edwards curves, twisted Edwards curves, Montgomery curves, isogenies. 1 Introduction Edwards in [13], generalizing an example from Euler and Gauss, introduced an addition law for the curves x2 + y2 = c2(1 + x2y2) over a non-binary field k. Edwards showed that every elliptic curve over k can be expressed in the form x2 + y2 = c2(1 + x2y2) if k is algebraically closed. However, over a finite field, only a small fraction of elliptic curves can be expressed in this form. Bernstein and Lange in [4] presented fast explicit formulas for addition and doubling in coordinates (X : Y : Z) representing (x, y) = (X/Z, Y/Z) on an Edwards curve, and showed that these explicit formulas save time in elliptic- curve cryptography.
  • Efficient Elliptic Curve Diffie-Hellman Computation at the 256-Bit Security

    Efficient Elliptic Curve Diffie-Hellman Computation at the 256-Bit Security

    Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level Kaushik Nath and Palash Sarkar Applied Statistics Unit Indian Statistical Institute 203, B. T. Road Kolkata - 700108 India fkaushikn r,[email protected] Abstract In this paper we introduce new Montgomery and Edwards form elliptic curve targeted at the 506 510 256-bit security level. To this end, we work with three primes, namely p1 := 2 − 45, p2 = 2 − 75 521 and p3 := 2 − 1. While p3 has been considered earlier in the literature, p1 and p2 are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agree- ment protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over p1 leads to a 3%-4% slowdown and the new Montgomery curve over p2 leads to a 4:5%-5% slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over p1 and p2 provide an acceptable trade-off between security and efficiency. Keywords: Elliptic curve cryptography, Elliptic curve Diffie-Hellman key agreement, Montgomery form, Edwards form, 256-bit security.
  • BINARY EDWARDS CURVES in ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos a Dissertation Submitted to the Faculty of the University Of

    BINARY EDWARDS CURVES in ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos a Dissertation Submitted to the Faculty of the University Of

    BINARY EDWARDS CURVES IN ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos A dissertation submitted to the faculty of The University of North Carolina at Charlotte in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Applied Mathematics Charlotte 2013 Approved by: Dr. Yuliang Zheng Dr. Gabor Hetyei Dr. Thomas Lucas Dr. Evan Houston Dr. Shannon Schlueter ii ©2013 Graham Enos ALL RIGHTS RESERVED iii ABSTRACT GRAHAM ENOS. Binary edwards curves in elliptic curve cryptography. (Under the direction of DR. YULIANG ZHENG) Edwards curves are a new normal form for elliptic curves that exhibit some cryp- tographically desirable properties and advantages over the typical Weierstrass form. Because the group law on an Edwards curve (normal, twisted, or binary) is complete and unified, implementations can be safer from side channel or exceptional procedure attacks. The different types of Edwards provide a better platform for cryptographic primitives, since they have more security built into them from the mathematic foun- dation up. Of the three types of Edwards curves|original, twisted, and binary|there hasn't been as much work done on binary curves. We provide the necessary motivation and background, and then delve into the theory of binary Edwards curves. Next, we examine practical considerations that separate binary Edwards curves from other recently proposed normal forms. After that, we provide some of the theory for bi- nary curves that has been worked on for other types already: pairing computations. We next explore some applications of elliptic curve and pairing-based cryptography wherein the added security of binary Edwards curves may come in handy.
  • Two Kinds of Division Polynomials for Twisted Edwards Curves

    Two Kinds of Division Polynomials for Twisted Edwards Curves

    Two Kinds of Division Polynomials For Twisted Edwards Curves Richard Moloney and Gary McGuire∗ School of Mathematical Sciences University College Dublin Ireland Email: [email protected], [email protected] December 1, 2018 Abstract This paper presents two kinds of division polynomials for twisted Edwards curves. Their chief property is that they characterise the n-torsion points of a given twisted Edwards curve. We also present results concerning the coefficients of these polynomials, which may aid computation. 1 Introduction The famous last entry in the diary of Gauss concerns the curve with equation x2 + y2 + x2y2 = 1 (1) 2 3 and its rational points over Fp. This curve is related to the elliptic curve y = 4x − 4x. The idea of division polynomials on a curve with a group law on its points, is that we try to write down a formula for [n]P in terms of the coordinates of P , where [n]P denotes P added to itself n times under the group law. In this paper we shall give two distinct arXiv:0907.4347v1 [math.AG] 24 Jul 2009 solutions to this problem, in the general context of twisted Edwards curves, of which (1) is a special case. Edwards [5], generalising (1), introduced an addition law on the curves x2 + y2 = c2(1 + x2y2) for c ∈ k, where k is a field of characteristic not equal to 2. He showed that every elliptic curve over k is birationally equivalent (over some extension of k) to a curve of this form. ∗ Research supported by Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006, and Grant 07/RFP/MATF846, and the Irish Research Council for Science, Engineering and Technology 1 In [3], Bernstein and Lange generalised this addition law to the curves x2+y2 = 1+dx2y2 for d ∈ k \ {0, 1}.
  • Curves, Codes, and Cryptography Copyright C 2011 by Christiane Peters

    Curves, Codes, and Cryptography Copyright C 2011 by Christiane Peters

    Curves, Codes, and Cryptography Copyright c 2011 by Christiane Peters. Printed by Printservice Technische Universiteit Eindhoven. Cover: Starfish found in Bouldin Creek, Austin, Texas. Fossils originate from the late Cretaceous, about 85 million years ago. Picture taken by Laura Hitt O’Connor at the Texas Natural Science Center, Austin, Texas. Design in cooperation with Verspaget & Bruinink. CIP-DATA LIBRARY TECHNISCHE UNIVERSITEIT EINDHOVEN Peters, Christiane Curves, Codes, and Cryptography / by Christiane Peters. – Eindhoven: Technische Universiteit Eindhoven, 2011. Proefschrift. – ISBN 978-90-386-2476-1 NUR 919 Subject heading: Cryptology 2000 Mathematics Subject Classification: 94A60, 11Y16, 11T71 Curves, Codes, and Cryptography PROEFSCHRIFT ter verkrijging van de graad van doctor aan de Technische Universiteit Eindhoven, op gezag van de rector magnificus, prof.dr.ir. C.J. van Duijn, voor een commissie aangewezen door het College voor Promoties in het openbaar te verdedigen op dinsdag 10 mei 2011 om 16.00 uur door Christiane Pascale Peters geboren te Paderborn, Duitsland Dit proefschrift is goedgekeurd door de promotoren: prof.dr. T. Lange en prof.dr. D.J. Bernstein Fur¨ meine Eltern Angelika und Jurgen¨ Peters Thanks I would like to thank many people for their support and company during my Ph.D. studies. First of all, I am most grateful to my supervisors Tanja Lange and Daniel J. Bernstein. I thank Tanja for giving me the opportunity to come to Eindhoven to do research and to get to know the (crypto) world. I thank Tanja and Dan for letting me participate in great projects such as working on Edwards curves in cryptographic and number-theoretic settings, and for helping me find my way into the world of code-based cryptography.
  • Measuring and Securing Cryptographic Deployments

    Measuring and Securing Cryptographic Deployments

    University of Pennsylvania ScholarlyCommons Publicly Accessible Penn Dissertations 2019 Measuring And Securing Cryptographic Deployments Luke Taylor Valenta University of Pennsylvania, [email protected] Follow this and additional works at: https://repository.upenn.edu/edissertations Part of the Computer Sciences Commons Recommended Citation Valenta, Luke Taylor, "Measuring And Securing Cryptographic Deployments" (2019). Publicly Accessible Penn Dissertations. 3507. https://repository.upenn.edu/edissertations/3507 This paper is posted at ScholarlyCommons. https://repository.upenn.edu/edissertations/3507 For more information, please contact [email protected]. Measuring And Securing Cryptographic Deployments Abstract This dissertation examines security vulnerabilities that arise due to communication failures and incentive mismatches along the path from cryptographic algorithm design to eventual deployment. I present six case studies demonstrating vulnerabilities in real-world cryptographic deployments. I also provide a framework with which to analyze the root cause of cryptographic vulnerabilities by characterizing them as failures in four key stages of the deployment process: algorithm design and cryptanalysis, standardization, implementation, and endpoint deployment. Each stage of this process is error-prone and influenced by various external factors, the incentives of which are not always aligned with security. I validate the framework by applying it to the six presented case studies, tracing each vulnerability back to communication
  • BINARY EDWARDS CURVES in ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos a Dissertation Submitted to the Faculty of the University Of

    BINARY EDWARDS CURVES in ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos a Dissertation Submitted to the Faculty of the University Of

    BINARY EDWARDS CURVES IN ELLIPTIC CURVE CRYPTOGRAPHY by Graham Enos A dissertation submitted to the faculty of The University of North Carolina at Charlotte in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Applied Mathematics Charlotte 2013 Approved by: Dr. Yuliang Zheng Dr. Gabor Hetyei Dr. Thomas Lucas Dr. Evan Houston Dr. Shannon Schlueter ii ©2013 Graham Enos ALL RIGHTS RESERVED iii ABSTRACT GRAHAM ENOS. Binary Edwards Curves in Elliptic Curve Cryptography. (Under the direction of DR. YULIANG ZHENG) Edwards curves are a new normal form for elliptic curves that exhibit some cryp- tographically desirable properties and advantages over the typical Weierstrass form. Because the group law on an Edwards curve (normal, twisted, or binary) is complete and unified, implementations can be safer from side channel or exceptional procedure attacks. The different types of Edwards provide a better platform for cryptographic primitives, since they have more security built into them from the mathematic foun- dation up. Of the three types of Edwards curves|original, twisted, and binary|there hasn't been as much work done on binary curves. We provide the necessary motivation and background, and then delve into the theory of binary Edwards curves. Next, we examine practical considerations that separate binary Edwards curves from other recently proposed normal forms. After that, we provide some of the theory for bi- nary curves that has been worked on for other types already: pairing computations. We next explore some applications of elliptic curve and pairing-based cryptography wherein the added security of binary Edwards curves may come in handy.
  • Maire Model of an Elliptic Curve)

    Maire Model of an Elliptic Curve)

    INVERTED BINARY EDWARDS COORDINATES (MAIRE MODEL OF AN ELLIPTIC CURVE) by STEVEN M. MAIRE Submitted in partial fulfillment of the requirements for the degree of Master of Science Dissertation Advisor: Dr. David Singer Department of Mathematics CASE WESTERN RESERVE UNIVERSITY May, 2014 CASE WESTERN RESERVE UNIVERSITY SCHOOL OF GRADUATE STUDIES We hereby approve the thesis/dissertation of STEVEN M. MAIRE candidate for the Master of Science degree*. Dr. David Singer Dr. Elisabeth Werner Dr. Johnathan Duncan (date) March 25, 2014 *We also certify that written approval has been obtained for any proprietary material contained therein. Dedication To my mother, Lynda O. Maire, whose lessons to me as a child came as encrypted signals, where the only cipher, is time. i Contents Dedication i List of Tables iv List of Figures v Acknowledgements vi Abstract vii 1 Introduction 1 1.1 Elliptic Curves in Cryptography . .1 2 Weierstrass Form: Paving the Way 3 2.1 Weierstrass Addition Law . .4 2.1.1 Geometric Interpretation . .4 2.1.2 Algebraic Interpretation . .6 3 Edwards Curves: Unifying Finite Field Operations 9 3.1 The Addition Law . 10 3.1.1 Geometric Interpretation . 11 3.1.2 Algebraic Interpretation . 12 4 Binary Edwards Curves: Doubling down on Deuces 14 4.1 Building the New Shape for the Edwards' Form . 14 4.2 The First Complete Addition Law Over a Binary Field . 16 ii CONTENTS CONTENTS 5 Maire Model 18 5.1 Inverted Binary Edwards . 19 5.2 The Addition Law . 21 5.3 Operations Unification . 23 6 Elliptic Curves in Cryptography: A Revolution 25 6.1 Advantages of the Edwards' Forms .
  • Faster Cofactorization with ECM Using Mixed Representations Cyril Bouvier, Laurent Imbert

    Faster Cofactorization with ECM Using Mixed Representations Cyril Bouvier, Laurent Imbert

    Faster Cofactorization with ECM Using Mixed Representations Cyril Bouvier, Laurent Imbert To cite this version: Cyril Bouvier, Laurent Imbert. Faster Cofactorization with ECM Using Mixed Representations. IACR International Conference on Public-Key Cryptography (PKC), Jun 2020, Virtual, United King- dom. pp.483-504, 10.1007/978-3-030-45388-6_17. lirmm-02613652 HAL Id: lirmm-02613652 https://hal-lirmm.ccsd.cnrs.fr/lirmm-02613652 Submitted on 20 May 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Faster cofactorization with ECM using mixed representations Cyril Bouvier and Laurent Imbert LIRMM, CNRS, Univ. Montpellier, France Abstract. This paper introduces a novel implementation of the ellip- tic curve factoring method specifically designed for medium-size integers such as those arising by billions in the cofactorization step of the Num- ber Field Sieve. In this context, our algorithm requires fewer modular multiplications than any other publicly available implementation. The main ingredients are: the use of batches of primes, fast point tripling, optimal double-base decompositions and Lucas chains, and a good mix of Edwards and Montgomery representations. Keywords: Elliptic curve method, cofactorization, double-base representation, twisted Edwards curve, Montgomery curve, CADO-NFS 1 Introduction The Elliptic Curve Method (ECM) invented by H.
  • Fast and Compact Elliptic-Curve Cryptography

    Fast and Compact Elliptic-Curve Cryptography

    Fast and compact elliptic-curve cryptography Mike Hamburg∗ Abstract Elliptic curve cryptosystems have improved greatly in speed over the past few years. Here we outline a new elliptic curve signature and key agreement implementation which achieves record speeds while remaining relatively compact. For example, on Intel Sandy Bridge, a curve with about 2250 points produces a signature in just under 52k clock cycles, verifies in under 170k clock cycles, and computes a Diffie- Hellman shared secret in under 153k clock cycles. Our implementation has a small footprint: the library is under 60kB. Our implementation is also fast on ARM processors, verifying a signature in under 625k Tegra-2 cycles. We introduce faster field arithmetic, a new point compression al- gorithm, an improved fixed-base scalar multiplication algorithm and a new way to verify signatures without inversions or coordinate recovery. Some of these improvements should be applicable to other systems. 1 Introduction Of the many applications for digital signatures, most use some variant of the venerable RSA scheme. RSA signatures have several advan- tages, such as age, simplicity and extreme speed of verification. For ∗Cryptography Research, a division of Rambus. 1 example, NIST's recommendations [2] hold RSA-2048 and the elliptic 1 curve signature scheme ECDSA-p224 to be similarly secure , and the former verifies signatures more than 13× faster than the latter [7]. Elliptic curve signatures have many advantages, however. Current attacks against elliptic curves scale exponentially with key size. There- fore ECC key and signatures can be considerably smaller than their RSA counterparts, and key generation and signing are much faster.