On the security of 1024-bit RSA and 160-bit elliptic curve cryptography: version 2.1. Cryptology ePrint Archive, Report 2009/389, 2009
Cited by 15 (1 self)
Abstract. Meeting the requirements of NIST’s new cryptographic standards means phasing out usage of 1024-bit RSA and 160-bit elliptic curve cryptography (ECC) by the end of the year 2010. This write-up comments on the vulnerability of these systems to an open community attack effort and aims to assess the risk of their unavoidable continued usage beyond 2010 until the migration to the new standards has been completed. We conclude that for 1024-bit RSA the risk is small at least until the year 2014, and that 160-bit ECC over a prime field may safely be used for much longer – with the current state of the art in cryptanalysis we would be surprised if a public effort can make a dent in 160-bit prime field ECC by the year 2020. Our assessment is based on the latest practical data of large-scale integer factorization and elliptic curve discrete logarithm computation efforts.
Huff’s Model for Elliptic Curves
Cited by 8 (2 self)
Abstract. This paper revisits a model for elliptic curves over Q introduced by Huff in 1948 to study a diophantine problem. Huff’s model readily extends over fields of odd characteristic. Every elliptic curve over such a field and containing a copy of Z/4Z × Z/2Z is birationally equivalent to a Huff curve over the original field. This paper extends and generalizes Huff’s model. It presents fast explicit formulæ for point addition and doubling on Huff curves. It also addresses the problem of the efficient evaluation of pairings over Huff curves. Remarkably, the so-obtained formulæ feature some useful properties, including completeness and independence of the curve parameters.
Practical Cryptographic Civil GPS Signal Authentication
Cited by 8 (5 self)
Abstract. A practical technique is proposed to authenticate civil GPS signals. The technique combines cryptographic authentication of the GPS navigation message with signal timing authentication based on statistical hypothesis tests to secure civil GPS receivers against spoofing attacks. The notion of GNSS signal authentication is defined in probabilistic terms. Candidate GPS signal authentication schemes are evaluated in terms of effectiveness and practicality, leading to a proposal for incorporating digital signatures into the extensible GPS civil navigation (CNAV) message. The proposal is sufficiently detailed to facilitate near-term implementation of security-hardened civil GPS.
Another Look at Security Definitions, 2011
Cited by 6 (4 self)
Abstract. We take a critical look at security models that are often used to give “provable security” guarantees. We pay particular attention to digital signatures, symmetric-key encryption, and leakage resilience. We find that there has been a surprising amount of uncertainty about what the “right” definitions might be. Even when definitions have an appealing logical elegance and nicely reflect certain notions of security, they fail to take into account many types of attacks and do not provide a comprehensive model of adversarial behavior.
INTRACTABLE PROBLEMS IN CRYPTOGRAPHY
Cited by 4 (1 self)
Abstract. We examine several variants of the Diffie-Hellman and Discrete Log problems that are connected to the security of cryptographic protocols. We discuss the reductions that are known between them and the challenges in trying to assess the true level of difficulty of these problems, particularly if they are interactive or have complicated input.
The brave new world of bodacious assumptions in cryptography. Notices of the American Mathematical Society, 2010
Optimizing the Control Hierarchy of an ECC Coprocessor Design on an FPGA-based SoC Platform, 2009
Cited by 3 (2 self)
Abstract. Most hardware/software co-designs of Elliptic Curve Cryptography only have one central control unit, typically a 32-bit or 8-bit processor core. With the ability of integrating several soft processor cores into one FPGA fabric, we can have a hierarchy of controllers in one SoC design. Compared to the previous co-designs trying to optimize the communication overhead between the central control unit and coprocessor over bus by using different bus protocols (e.g. OPB, PLB and FSL) or advanced techniques (e.g. DMA), our approach prevents overhead in bus transactions by introducing a local 8-bit microcontroller, PicoBlaze, in the coprocessor. As a result, the performance of the ECC coprocessor can be almost independent of the selection of bus protocols. To further accelerate the Uni-PicoBlaze based ECC SoC design, a Dual-PicoBlaze based architecture is proposed, which can achieve the maximum instruction rate of 1 instruction/cycle to the ECC datapath. Using design space exploration of a large number of system configurations of different architectures discussed in this paper, our proposed Dual-PicoBlaze based design also shows the best trade-off between area and speed.
Improved Algorithm for the Isogeny Problem for Ordinary Elliptic Curves. Applicable Algebra in Engineering, Communication and Computing
Optimizing the hw/sw boundary of an ECC SoC design using control hierarchy and distributed storage. Design, Automation and Test in Europe (DATE 2009), 2009
Cited by 2 (0 self)
…tography has been extensively studied in recent years. However, most of these designs have focused on the computational aspect of the ECC hardware, and not on the system integration into a SoC architecture. We study the impact of the communication link between CPU and coprocessor hardware for a typical ECC design, and demonstrate that the SoC may become performance-limited due to coprocessor data and instruction transfers. A dual strategy is proposed to remove the bottleneck: introduction of local control as well as local storage in the coprocessor. We quantify the impact of this strategy on a prototype implementation for Field Programmable Gate Arrays (FPGA) and measure an average speedup in the resulting design of 9.4 times over the baseline ECC system, while the resulting system area increases by a factor of 1.6. The optimal area-time product improvement of our ECC coprocessor is 4.3 times compared to that of the baseline ECC coprocessor. Using design space exploration of a large number of system configurations using the latest FPGA technology and tools, we show that the optimal choice of ECC coprocessor parameters is strongly dependent on the efficiency of system-level communication.
FourQ: four-dimensional decompositions on a Q-curve over the Mersenne prime
Cited by 2 (2 self)
Abstract. We introduce FourQ, a high-security, high-performance elliptic curve that targets the 128-bit security level. At the highest arithmetic level, cryptographic scalar multiplications on FourQ can use a four-dimensional Gallant-Lambert-Vanstone decomposition to minimize the total number of elliptic curve group operations. At the group arithmetic level, FourQ admits the use of extended twisted Edwards coordinates and can therefore exploit the fastest known elliptic curve addition formulas over large prime characteristic fields. Finally, at the finite field level, arithmetic is performed modulo the extremely fast Mersenne prime p = 2^127 − 1. We show that this powerful combination facilitates scalar multiplications that are significantly faster than all prior works. On Intel’s Haswell, Ivy Bridge and Sandy Bridge architectures, our software computes a variable-base scalar multiplication in 59,000, 71,000 cycles and 74,000 cycles, respectively; and, on the same platforms, our software computes a Diffie-Hellman shared secret in 92,000, 110,000 cycles and 116,000 cycles, respectively. These results show that, in practice, FourQ is around four to five times faster than the original NIST P-256 curve and between two and three times faster than curves that are currently under consideration as NIST alternatives, such as Curve25519.