Results 1  10
of
16
Selecting Elliptic Curves for Cryptography: An Efficiency and Security Analysis
"... Abstract. We select a set of elliptic curves for cryptography and analyze our selection from a performance and security perspective. This analysis complements recent curve proposals that suggest (twisted) Edwards curves by also considering the Weierstrass model. Working with both Montgomeryfriendly ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
Abstract. We select a set of elliptic curves for cryptography and analyze our selection from a performance and security perspective. This analysis complements recent curve proposals that suggest (twisted) Edwards curves by also considering the Weierstrass model. Working with both Montgomeryfriendly and pseudoMersenne primes allows us to consider more possibilities which improves the overall efficiency of base field arithmetic. Our Weierstrass curves are backwards compatible with current implementations of prime order NIST curves, while providing improved efficiency and stronger security properties. We choose algorithms and explicit formulas to demonstrate that our curves support constanttime, exceptionfree scalar multiplications, thereby offering high practical security in cryptographic applications. Our implementation shows that variablebase scalar multiplication on the new Weierstrass curves at the 128bit security level is about 1.4 times faster than the recent implementation record on the corresponding NIST curve. For practitioners who are willing to use a different curve model and sacrifice a few bits of security, we present a collection of twisted Edwards curves with particularly efficient arithmetic that are up to 1.43, 1.26 and 1.24 times faster than the new Weierstrass curves at the 128, 192 and 256bit security levels, respectively. Finally, we discuss how these curves behave in a real world protocol by considering different scalar multiplication scenarios in the transport layer security (TLS) protocol. 1
Faster Compact DiffieHellman: Endomorphisms on the xline
"... Abstract. We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie–Hellman Key Exchange at the 128bit security level. The algorithms are compact (using only xcoordinates), run in constant time with uniform execution patterns, and do not distinguish between t ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
Abstract. We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie–Hellman Key Exchange at the 128bit security level. The algorithms are compact (using only xcoordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a builtin measure of sidechannel resistance. The core of our construction is a suite of twodimensional differential addition chains driven by efficient endomorphism decompositions, built on curves selected from a family of Qcurve reductions over F p 2 with p = 2 127 −1. We include stateoftheart experimental results for twistsecure, constanttime, xcoordinateonly scalar multiplication.
A Formal Treatment of Backdoored Pseudorandom Generators
"... We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited fo ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited form and not in the context of subverting cryptographic protocols. The latter has become increasingly important due to revelations about NIST’s backdoored Dual EC PRG and new results about its practical exploitability using a trapdoor. We show that backdoored PRGs are equivalent to publickey encryption schemes with pseudorandom ciphertexts. We use this equivalence to build backdoored PRGs that avoid a well known drawback of the Dual EC PRG, namely biases in outputs that an attacker can exploit without the trapdoor. Our results also yield a number of new constructions and an explanatory framework for why there are no reported observations in the wild of backdoored PRGs using only symmetric primitives. We also investigate folklore suggestions for countermeasures to backdoored PRGs, which we call immunizers. We show that simply hashing PRG outputs is not an effective immunizer against an attacker that knows the hash function in use. Salting the hash, however, does yield a secure immunizer, a fact we prove using a surprisingly subtle proof in the random oracle model. We also give a proof in the standard model under the assumption that the hash function is a universal computational extractor (a recent notion introduced by Bellare, Tung, and Keelveedhi).
Elligator Squared Uniform Points on Elliptic Curves of Prime Order as Uniform Random Strings
"... Abstract. When represented as a bit string in a standard way, even using point compression, an elliptic curve point is easily distinguished from a random bit string. This property potentially allows an adversary to tell apart network traffic that makes use of elliptic curve cryptography from random ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
(Show Context)
Abstract. When represented as a bit string in a standard way, even using point compression, an elliptic curve point is easily distinguished from a random bit string. This property potentially allows an adversary to tell apart network traffic that makes use of elliptic curve cryptography from random traffic, and then intercept, block or otherwise tamper with such traffic. Recently, Bernstein, Hamburg, Krasnova and Lange proposed a partial solution to this problem in the form of Elligator: an algorithm for representing around half of the points on a large class of elliptic curves as close to uniform random strings. Their proposal has the advantage of being very efficient, but suffers from several limitations: – Since only a subset of all elliptic curve points can be encoded as a string, their approach only applies to cryptographic protocols transmitting points that are rerandomizable in some sense. – Supported curves all have nontrivial 2torsion, so that Elligator cannot be used with primeorder curves, ruling out standard ECC parameters and many other cryptographically interesting curves such as BN curves. – For indistinguishability to hold, transmitted points have to be uniform in the whole set of representable points; in particular, they cannot be taken from a prime order subgroup, which, in conjunction
TapDance: EndtoMiddle Anticensorship without Flow Blocking
"... In response to increasingly sophisticated statesponsored Internet censorship, recent work has proposed a new approach to censorship resistance: endtomiddle proxying. This concept, developed in systems such as Telex, Decoy Routing, and Cirripede, moves anticensorship technology into the core of th ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
In response to increasingly sophisticated statesponsored Internet censorship, recent work has proposed a new approach to censorship resistance: endtomiddle proxying. This concept, developed in systems such as Telex, Decoy Routing, and Cirripede, moves anticensorship technology into the core of the network, at large ISPs outside the censoring country. In this paper, we focus on two technical obstacles to the deployment of certain endtomiddle schemes: the need to selectively block flows and the need to observe both directions of a connection. We propose a new construction, TapDance, that removes these requirements. TapDance employs a novel TCPlevel technique that allows the anticensorship station at an ISP to function as a passive network tap, without an inline blocking component. We also apply a novel steganographic encoding to embed control messages in TLS ciphertext, allowing us to operate on HTTPS connections even under asymmetric routing. We implement and evaluate a TapDance prototype that demonstrates how the system could function with minimal impact on an ISP’s network operations. 1
Complete addition formulas for prime order elliptic curves, available at http://eprint.iacr.org/2015/1060
"... Abstract. An elliptic curve addition law is said to be complete if it correctly computes the sum of any two points in the elliptic curve group. One of the main reasons for the increased popularity of Edwards curves in the ECC community is that they can allow a complete group law that is also relativ ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. An elliptic curve addition law is said to be complete if it correctly computes the sum of any two points in the elliptic curve group. One of the main reasons for the increased popularity of Edwards curves in the ECC community is that they can allow a complete group law that is also relatively efficient (e.g., when compared to all known addition laws on Edwards curves). Such complete addition formulas can simplify the task of an ECC implementer and, at the same time, can greatly reduce the potential vulnerabilities of a cryptosystem. Unfortunately, until now, complete addition laws that are relatively efficient have only been proposed on curves of composite order and have thus been incompatible with all of the currently standardized prime order curves. In this paper we present optimized addition formulas that are complete on every prime order short Weierstrass curve defined over a field k with char(k) 6 = 2, 3. Compared to their incomplete counterparts, these formulas require a larger number of field additions, but interestingly require fewer field multiplications. We discuss how these formulas can be used to achieve secure, exceptionfree implementations on all of the prime order curves in the NIST (and many other) standards. 1
USENIX Association 23rd USENIX Security Symposium 159 TapDance: EndtoMiddle Anticensorship without Flow Blocking
, 2014
"... is sponsored by USENIX ..."
(Show Context)
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
"... AbstractOver the last decade botnets survived by adopting a sequence of increasingly sophisticated strategies to evade detection and take overs, and to monetize their infrastructure. At the same time, the success of privacy infrastructures such as Tor opened the door to illegal activities, includi ..."
Abstract
 Add to MetaCart
(Show Context)
AbstractOver the last decade botnets survived by adopting a sequence of increasingly sophisticated strategies to evade detection and take overs, and to monetize their infrastructure. At the same time, the success of privacy infrastructures such as Tor opened the door to illegal activities, including botnets, ransomware, and a marketplace for drugs and contraband. We contend that the next waves of botnets will extensively attempt to subvert privacy infrastructure and cryptographic mechanisms. In this work we propose to preemptively investigate the design and mitigation of such botnets. We first, introduce OnionBots, what we believe will be the next generation of resilient, stealthy botnets. OnionBots use privacy infrastructures for cyber attacks by completely decoupling their operation from the infected host IP address and by carrying traffic that does not leak information about its source, destination, and nature. Such bots live symbiotically within the privacy infrastructures to evade detection, measurement, scale estimation, observation, and in general all IPbased current mitigation techniques. Furthermore, we show that with an adequate selfhealing network maintenance scheme, that is simple to implement, OnionBots can achieve a low diameter and a low degree and be robust to partitioning under node deletions. We develop a mitigation technique, called SOAP, that neutralizes the nodes of the basic OnionBots. In light of the potential of such botnets, we believe that the research community should proactively develop detection and mitigation methods to thwart OnionBots, potentially making adjustments to privacy infrastructure.
ForwardSecure Distributed Encryption⋆
"... Abstract. Distributed encryption is a cryptographic primitive that implements revocable privacy. The primitive allows a recipient of a message to decrypt it only if enough senders encrypted that same message. We present a new distributed encryption scheme that is simpler than the previous solution b ..."
Abstract
 Add to MetaCart
Abstract. Distributed encryption is a cryptographic primitive that implements revocable privacy. The primitive allows a recipient of a message to decrypt it only if enough senders encrypted that same message. We present a new distributed encryption scheme that is simpler than the previous solution by Hoepman and Galindo—in particular it does not rely on pairings—and that satisfies stronger security requirements. Moreover, we show how to achieve key evolution, which is necessary to ensure scalability in many practical applications, and prove that the resulting scheme is forward secure. Finally, we present a provably secure batched distributed encryption scheme that is much more efficient for small plaintext domains, but that requires more storage. 1
Same Value Analysis on Edwards Curves
, 2015
"... Recently, several research groups in cryptography have presented new elliptic curve model based on Edwards curves. These new curves were selected for their good performance and security perspectives. Cryptosystems based on elliptic curves in embedded devices can be vulnerable to SideChannel Attacks ..."
Abstract
 Add to MetaCart
(Show Context)
Recently, several research groups in cryptography have presented new elliptic curve model based on Edwards curves. These new curves were selected for their good performance and security perspectives. Cryptosystems based on elliptic curves in embedded devices can be vulnerable to SideChannel Attacks (SCA), such as the Simple Power Analysis (SPA) or the Differential Power Analysis (DPA). In this paper, we analyze the existence of special points whose use in SCA is known as Same Value Analysis (SVA), for Edwards curves. These special points show up as internal collisions under power analysis. Our results indicate that no Edwards curve is safe from such an attacks.