Four-dimensional Gallant-Lambert-Vanstone scalar multiplication (full version). In Cryptology ePrint Archive, Report 2011/608, 2012
Cited by 22 (4 self)
Abstract. The GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) computes any multiple kP of a point P of prime order n lying on an elliptic curve with a low-degree endomorphism Φ (called a GLV curve) over F_p as kP = k1 P + k2 Φ(P), with max{k1, k2} ≤ C1 √n, for some explicit constant C1 > 0. Recently, Galbraith, Lin and Scott (EUROCRYPT 2009) extended this method to all curves over F_{p^2} which are twists of curves defined over F_p. We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over F_{p^2}, a four-dimensional decomposition together with fast endomorphisms Φ, Ψ over F_{p^2} acting on the group generated by a point P of prime order n, resulting in a proven decomposition for any scalar k ∈ [1, n] given by kP = k1 P + k2 Φ(P) + k3 Ψ(P) + k4 ΨΦ(P) with max_i(k_i) < C2 n^{1/4}, for some explicit C2 > 0. Remarkably, taking the best C1, C2, we obtain C2/C1 < 412, independently of the curve, ensuring in theory an almost constant relative speedup. In practice, our experiments reveal that the use of the merged GLV-GLS approach supports a scalar multiplication that runs up to 50% faster than the original GLV method. We then improve this performance even further by exploiting the Twisted Edwards model and show that curves originally slower may become extremely efficient on this model. In addition, we analyze the performance of the method in a multicore setting and describe how to efficiently protect GLV-based scalar multiplication against several side-channel attacks. Our implementations improve the state-of-the-art performance of point multiplication for a variety of scenarios including side-channel protected and unprotected cases with sequential and multicore execution.
Elligator: Elliptic-curve points indistinguishable from uniform random strings
Cited by 16 (1 self)
Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship-circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deep-packet inspection. Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits. This paper introduces high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings.
Succinct non-interactive zero-knowledge for a von Neumann architecture, 2014
Cited by 13 (0 self)
We build a system that provides succinct non-interactive zero-knowledge proofs (zk-SNARKs) for program executions on a von Neumann RISC architecture. The system has two components: a cryptographic proof system for verifying satisfiability of arithmetic circuits, and a circuit generator to translate program executions to such circuits. Our design of both components improves in functionality and efficiency over prior work, as follows. Our circuit generator is the first to be universal: it does not need to know the program, but only a bound on its running time. Moreover, the size of the output circuit depends additively (rather than multiplicatively) on program size, allowing verification of larger programs. The cryptographic proof system improves proving and verification times, by leveraging new algorithms and a pairing library tailored to the protocol. We evaluated our system for programs with up to 10,000 instructions, running for up to 32,000 machine steps, each of which can arbitrarily access random-access memory; and also demonstrated it executing programs that use just-in-time compilation. Our proofs are 230 bytes long at 80 bits of security, or 288 bytes long at 128 bits of security. Typical verification time is 5 milliseconds, regardless of the original program's running time.
Software Speed Records for Lattice-Based Signatures
Cited by 9 (4 self)
Abstract. Novel public-key cryptosystems beyond RSA and ECC are urgently required to ensure long-term security in the era of quantum computing. The most critical issue in the construction of such cryptosystems is to achieve security and practicability at the same time. Recently, lattice-based constructions were proposed that combine both properties, such as the lattice-based digital signature scheme presented at CHES 2012. In this work, we present a first highly-optimized SIMD-based software implementation of that signature scheme targeting Intel's Sandy Bridge and Ivy Bridge microarchitectures. This software computes a signature in only 634988 cycles on average on an Intel Core i5-3210M (Ivy Bridge) processor. Signature verification takes only 45036 cycles. This performance is achieved with full protection against timing attacks.
Selecting Elliptic Curves for Cryptography: An Efficiency and Security Analysis
Cited by 9 (2 self)
Abstract. We select a set of elliptic curves for cryptography and analyze our selection from a performance and security perspective. This analysis complements recent curve proposals that suggest (twisted) Edwards curves by also considering the Weierstrass model. Working with both Montgomery-friendly and pseudo-Mersenne primes allows us to consider more possibilities, which improves the overall efficiency of base field arithmetic. Our Weierstrass curves are backwards compatible with current implementations of prime order NIST curves, while providing improved efficiency and stronger security properties. We choose algorithms and explicit formulas to demonstrate that our curves support constant-time, exception-free scalar multiplications, thereby offering high practical security in cryptographic applications. Our implementation shows that variable-base scalar multiplication on the new Weierstrass curves at the 128-bit security level is about 1.4 times faster than the recent implementation record on the corresponding NIST curve. For practitioners who are willing to use a different curve model and sacrifice a few bits of security, we present a collection of twisted Edwards curves with particularly efficient arithmetic that are up to 1.43, 1.26 and 1.24 times faster than the new Weierstrass curves at the 128-, 192- and 256-bit security levels, respectively. Finally, we discuss how these curves behave in a real world protocol by considering different scalar multiplication scenarios in the transport layer security (TLS) protocol.
NaCl on 8-bit AVR Microcontrollers
Cited by 8 (2 self)
Abstract. This paper presents first results of the Networking-and-Cryptography library (NaCl) on the 8-bit AVR family of microcontrollers. We show that NaCl, which has so far been optimized mainly for different desktop and server platforms, is feasible on resource-constrained devices while being very fast and memory efficient. Our implementation shows that encryption using Salsa20 requires 277 cycles/byte, authentication using Poly1305 needs 211 cycles/byte, a Curve25519 scalar multiplication needs 22954657 cycles, signing of data using Ed25519 needs 23211611 cycles, and verification can be done within 32937940 cycles. All implemented primitives provide at least 128-bit security, run in constant time, do not use secret-data-dependent branch conditions, and are open to the public domain (no usage restrictions).
ARPKI: attack resilient public-key infrastructure
 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
Cited by 6 (1 self)
We present ARPKI, a public-key infrastructure that ensures that certificate-related operations, such as certificate issuance, update, revocation, and validation, are transparent and accountable. ARPKI is the first such infrastructure that systematically takes into account requirements identified by previous research. Moreover, ARPKI is co-designed with a formal model, and we verify its core security property using the Tamarin prover. We present a proof-of-concept implementation providing all features required for deployment. ARPKI efficiently handles the certification process with low overhead and without incurring additional latency to TLS. ARPKI offers extremely strong security guarantees, where compromising n − 1 trusted signing and verifying entities is insufficient to launch an impersonation attack. Moreover, it deters misbehavior as all its operations are publicly visible.
Faster implementation of scalar multiplication on Koblitz curves
Santiago, Chile, 2012
Cited by 5 (0 self)
We design a state-of-the-art software implementation of field and elliptic curve arithmetic in standard Koblitz curves at the 128-bit security level. Field arithmetic is carefully crafted by using the best formulae and implementation strategies available, and the increasingly common native support for binary field arithmetic in modern desktop computing platforms. The i-th power of the Frobenius automorphism on Koblitz curves is exploited to obtain new and faster interleaved versions of the well-known τ-NAF scalar multiplication algorithm. The τ^⌊m/3⌋ and τ^⌊m/4⌋ maps are employed to create analogues of the 3- and 4-dimensional GLV decompositions and, in general, the ⌊m/s⌋-th power of the Frobenius automorphism is applied as an analogue of an s-dimensional GLV decomposition. The effectiveness of these techniques is illustrated by timing the scalar multiplication operation for fixed, random and multiple points. To our knowledge, our library was the first to compute a random point scalar multiplication in less than 10^5 clock cycles among all curves with or without endomorphisms defined over binary or prime fields. The results of our optimized implementation suggest a trade-off between speed, compliance with the published standards and side-channel protection. Finally, we estimate the performance of curve-based cryptographic protocols instantiated using the proposed techniques and compare our results to related work. Key words: Efficient software implementation, Koblitz elliptic curves, scalar multiplication.
Ace: An Efficient Key-Exchange Protocol for Onion Routing
Cited by 4 (4 self)
The onion routing (OR) network Tor provides privacy to Internet users by facilitating anonymous web browsing. It achieves anonymity by routing encrypted traffic across a few routers, where the required encryption keys are established using a key exchange protocol. Goldberg, Stebila and Ustaoglu recently characterized the security and privacy properties required by the key exchange protocol used in the OR network. They defined the concept of one-way authenticated key exchange (1W-AKE) and presented a provably secure 1W-AKE protocol called ntor, which is under consideration for deployment in Tor. In this paper, we present a novel 1W-AKE protocol Ace that improves on the computation costs of ntor: in numbers, the client has an efficiency improvement of 46% and the server of nearly 19%. As far as communication costs are concerned, our protocol requires a client to send one additional group element to a server, compared to the ntor protocol. However, an additional group element easily fits into the 512-byte fixed-size Tor packets (or cells) in the elliptic curve cryptography (ECC) setting. Consequently, our protocol does not produce a communication overhead in the Tor protocol. Moreover, we prove that our protocol Ace constitutes a 1W-AKE. Given that the ECC setting is under consideration for the Tor system, the improved computational efficiency and the proven security properties make our 1W-AKE an ideal candidate for use in the Tor protocol.
BackRef: Accountability in anonymous communication networks
In ACNS, 2014
Cited by 4 (1 self)
Abstract. Many anonymous communication networks (ACNs) rely on routing traffic through a sequence of proxy nodes to obfuscate the originator of the traffic. Without an accountability mechanism, exit proxy nodes may become embroiled in a criminal investigation if originators commit criminal actions through the ACN. We present BackRef, a generic mechanism for ACNs that provides practical repudiation for the proxy nodes by tracing back the selected outbound traffic to the predecessor node (but not in the forward direction) through a cryptographically verifiable chain. It also provides an option for full (or partial) traceability back to the entry node or even to the corresponding originator when all intermediate nodes are cooperating. Moreover, to maintain a good balance between anonymity and accountability, the protocol incorporates whitelist directories at exit proxy nodes. BackRef offers improved deployability over the related work, and introduces a novel concept of pseudonymous signatures that may be of independent interest. We exemplify the utility of BackRef by integrating it into the onion routing (OR) protocol, and examine its deployability by considering several system-level aspects. We also present the security definitions for the BackRef system (namely, anonymity, backward traceability, no forward traceability, and no false accusation) and conduct a formal security analysis of the OR protocol with BackRef using ProVerif, an automated cryptographic protocol verifier, establishing the aforementioned security properties against a strong adversarial model.