Results 1  10
of
236
Faster addition and doubling on elliptic curves
 In Asiacrypt 2007 [10
, 2007
"... Abstract. Edwards recently introduced a new normal form for elliptic curves. Every elliptic curve over a nonbinary field is birationally equivalent to a curve in Edwards form over an extension of the field, and in many cases over the original field. This paper presents fast explicit formulas (and r ..."
Abstract

Cited by 85 (10 self)
 Add to MetaCart
Abstract. Edwards recently introduced a new normal form for elliptic curves. Every elliptic curve over a nonbinary field is birationally equivalent to a curve in Edwards form over an extension of the field, and in many cases over the original field. This paper presents fast explicit formulas (and register allocations) for group operations on an Edwards curve. The algorithm for doubling uses only 3M + 4S, i.e., 3 field multiplications and 4 field squarings. If curve parameters are chosen to be small then the algorithm for mixed addition uses only 9M + 1S and the algorithm for nonmixed addition uses only 10M + 1S. Arbitrary Edwards curves can be handled at the cost of just one extra multiplication by a curve parameter. For comparison, the fastest algorithms known for the popular “a4 = −3 Jacobian ” form use 3M + 5S for doubling; use 7M + 4S for mixed addition; use 11M + 5S for nonmixed addition; and use 10M + 4S for nonmixed addition when one input has been added before. The explicit formulas for nonmixed addition on an Edwards curve can be used for doublings at no extra cost, simplifying protection against sidechannel attacks. Even better, many elliptic curves (approximately 1/4 of all isomorphism classes of elliptic curves over a nonbinary finite field) are birationally equivalent — over the original field — to Edwards curves where this addition algorithm works for all pairs of curve points, including inverses, the neutral element, etc. This paper contains an extensive comparison of different forms of elliptic curves and different coordinate systems for the basic group operations (doubling, mixed addition, nonmixed addition, and unified addition) as well as higherlevel operations such as multiscalar multiplication.
A leakageresilient mode of operation
 In EUROCRYPT
, 2009
"... Abstract. A weak pseudorandom function (wPRF) is a pseudorandom functions with a relaxed security requirement, where one only requires the output to be pseudorandom when queried on random (and not adversarially chosen) inputs. We show that unlike standard PRFs, wPRFs are secure against memory attack ..."
Abstract

Cited by 77 (5 self)
 Add to MetaCart
(Show Context)
Abstract. A weak pseudorandom function (wPRF) is a pseudorandom functions with a relaxed security requirement, where one only requires the output to be pseudorandom when queried on random (and not adversarially chosen) inputs. We show that unlike standard PRFs, wPRFs are secure against memory attacks, that is they remain secure even if a bounded amount of information about the secret key is leaked to the adversary. As an application of this result we propose a simple mode of operation which – when instantiated with any wPRF – gives a leakageresilient streamcipher. Such a cipher is secure against any sidechannel attack, as long as the amount of information leaked per round is bounded, but overall can be arbitrary large. This construction is simpler than the only previous one (DziembowskiPietrzak FOCS’08) as it only uses a single primitive (a wPRF) in a straight forward manner. 1
Differential Power Analysis in the Presence of Hardware Countermeasures
, 2000
"... The silicon industry has lately been focusing on side channel attacks, that is attacks that exploit information that leaks from the physical devices. Although different countermeasures to thwart these attacks have been proposed and implemented in general, such protections do not make attacks infeasi ..."
Abstract

Cited by 70 (2 self)
 Add to MetaCart
The silicon industry has lately been focusing on side channel attacks, that is attacks that exploit information that leaks from the physical devices. Although different countermeasures to thwart these attacks have been proposed and implemented in general, such protections do not make attacks infeasible, but increase the attacker's experimental (data acquisition) and computational (data processing) workload beyond reasonable limits. This paper examines different...
Lowcost solutions for preventing simple sidechannel analysis: Sidechannel atomicity
 IEEE Transactions on Computers
, 2004
"... Abstract—This paper introduces simple methods to convert a cryptographic algorithm into an algorithm protected against simple sidechannel attacks. Contrary to previously known solutions, the proposed techniques are not at the expense of the execution time. Moreover, they are generic and apply to vi ..."
Abstract

Cited by 67 (6 self)
 Add to MetaCart
(Show Context)
Abstract—This paper introduces simple methods to convert a cryptographic algorithm into an algorithm protected against simple sidechannel attacks. Contrary to previously known solutions, the proposed techniques are not at the expense of the execution time. Moreover, they are generic and apply to virtually any algorithm. In particular, we present several novel exponentiation algorithms, namely, a protected squareandmultiply algorithm, its righttoleft counterpart, and several protected slidingwindow algorithms. We also illustrate our methodology applied to point multiplication on elliptic curves. All these algorithms share the common feature that the complexity is globally unchanged compared to the corresponding unprotected implementations. Index Terms—Cryptographic algorithms, sidechannel analysis, protected implementations, atomicity, exponentiation, elliptic curves. 1
The Montgomery Powering Ladder
, 2002
"... This paper gives a comprehensive analysis of Montgomery powering ladder. Initially developed for fast scalar multiplication on elliptic curves, we extend the scope of Montgomery ladder to any exponentiation in an abelian group. Computationally, the Montgomery ladder has the triple advantage of prese ..."
Abstract

Cited by 61 (7 self)
 Add to MetaCart
(Show Context)
This paper gives a comprehensive analysis of Montgomery powering ladder. Initially developed for fast scalar multiplication on elliptic curves, we extend the scope of Montgomery ladder to any exponentiation in an abelian group. Computationally, the Montgomery ladder has the triple advantage of presenting a Lucas chain structure, of being parallelized, and of sharing a common operand. Furthermore, contrary to the classical binary algorithms, it behaves very regularly, which makes it naturally protected against a large variety of implementation attacks.
Protections against differential analysis for elliptic curve cryptography: An algebraic approach
 Cryptographic Hardware and Embedded Systems (CHES’01), LNCS2162
"... Abstract. We propose several new methods to protect the scalar multiplication on an elliptic curve against Differential Analysis. The basic idea consists in transforming the curve through various random morphisms to provide a nondeterministic execution of the algorithm. The solutions we suggest co ..."
Abstract

Cited by 60 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We propose several new methods to protect the scalar multiplication on an elliptic curve against Differential Analysis. The basic idea consists in transforming the curve through various random morphisms to provide a nondeterministic execution of the algorithm. The solutions we suggest complement and improve the stateoftheart, but also provide a practical toolbox of efficient countermeasures. These should suit most of the needs for protecting implementations of cryptoalgorithms based on elliptic curves.
Hessian Elliptic Curves and SideChannel Attacks
 of Lecture Notes in Computer Science
, 2001
"... Sidechannel attacks are a recent class of attacks that have been revealed to be very powerful in practice. By measuring some sidechannel information (running time, power consumption, . . . ), an attacker is able to recover some secret data from a carelessly implemented cryptoalgorithm. ..."
Abstract

Cited by 59 (8 self)
 Add to MetaCart
(Show Context)
Sidechannel attacks are a recent class of attacks that have been revealed to be very powerful in practice. By measuring some sidechannel information (running time, power consumption, . . . ), an attacker is able to recover some secret data from a carelessly implemented cryptoalgorithm.
Hardware countermeasures against DPA ? A statistical analysis of their effectiveness
 Topics in Cryptology  CTRSA 2004, volume 2964 of LNCS
, 2004
"... ..."
(Show Context)
Weierstraß Elliptic Curves and SideChannel Attacks
 Public Key Cryptography – PKC 2002, volume 2274 of LNCS
, 2002
"... Recent attacks show how an unskilled implementation of elliptic curve cryptosystems may reveal the involved secrets from a single execution of the algorithm. Most attacks exploit the property that addition and doubling on elliptic curves are di#erent operations and so can be distinguished from s ..."
Abstract

Cited by 47 (6 self)
 Add to MetaCart
(Show Context)
Recent attacks show how an unskilled implementation of elliptic curve cryptosystems may reveal the involved secrets from a single execution of the algorithm. Most attacks exploit the property that addition and doubling on elliptic curves are di#erent operations and so can be distinguished from sidechannel analysis. Known countermeasures suggest to add dummy operations or to use specific parameterizations.
A Fast Parallel Elliptic Curve Multiplication Resistant against Side Channel Attacks
, 2002
"... Abstract. This paper proposes a fast elliptic curve multiplication algorithm applicable for any types of curves over finite fields Fp (p a prime), based on [Mon87], together with criteria which make our algorithm resistant against the side channel attacks (SCA). The algorithm improves both on an add ..."
Abstract

Cited by 41 (7 self)
 Add to MetaCart
Abstract. This paper proposes a fast elliptic curve multiplication algorithm applicable for any types of curves over finite fields Fp (p a prime), based on [Mon87], together with criteria which make our algorithm resistant against the side channel attacks (SCA). The algorithm improves both on an addition chain and an addition formula in the scalar multiplication. Our addition chain requires no table lookup (or a very small number of precomputed points) and a prominent property is that it can be implemented in parallel. The computing time for nbit scalar multiplication is one ECDBL + (n − 1) ECADDs in the parallel case and (n − 1) ECDBLs + (n − 1) ECADDs in the single case. We also propose faster addition formulas which only use the xcoordinates of the points. By combination of our addition chain and addition formulas, we establish a faster scalar multiplication resistant against the SCA in both single and parallel computation. The improvement of our scalar multiplications over the previous method is about 37 % for two processors and 5.7 % for a single processor. Our scalar multiplication is suitable for the implementation on smart cards. 1