49 research outputs found
Faster computation of the Tate pairing
This paper proposes new explicit formulas for the doubling and addition step
in Miller's algorithm to compute the Tate pairing. For Edwards curves the
formulas come from a new way of seeing the arithmetic. We state the first
geometric interpretation of the group law on Edwards curves by presenting the
functions which arise in the addition and doubling. Computing the coefficients
of the functions and the sum or double of the points is faster than with all
previously proposed formulas for pairings on Edwards curves. They are even
competitive with all published formulas for pairing computation on Weierstrass
curves. We also speed up pairing computation on Weierstrass curves in Jacobian
coordinates. Finally, we present several examples of pairing-friendly Edwards
curves.Comment: 15 pages, 2 figures. Final version accepted for publication in
Journal of Number Theor
Security proof of the canonical form of self-synchronizing stream ciphers
International audienceThis paper studies the security level expected by the canon-ical form of the Self-Synchronizing Stream Cipher (SSSC). A SSSC can be viewed as the combination of a shift register together with a filtering function. The maximum security of such a cipher is reached when the filtering function is random. However, in practice, Pseudo Random Functions (PRF) are used as filtering functions. In this case, we show that the security against chosen ciphertext attacks (IND-CCA security) cannot be reached for the canonical form of the SSSC, but it is however secure against chosen plaintext attacks (IND-CPA secure). Then, a weaker property than pseudo-randomness is introduced in order to characterize the security of the canonical SSSC from its filtering function. A connection with the left-or-right indistinguishability (LOR-IND) is made. This property provides a necessary and sufficient condition to characterize the indistinguishablity of SSSC
Flaws in Differential Cryptanalysis of Reduced Round PRESENT
In this paper, we have presented flaws in differential cryptanalysis of reduced round variant of PRESENT given by M.Wang in [3] [4] for 80 bits key length and we have shown that it is not possible to recover 32 subkey bits by differential cryptanalysis of 16-round PRESENT as claimed in [3] [4].We have also shown that at the most 30 subkey bits can be recovered by the attack given in [4] after some modifications in the algorithm presented in [3][4]
Mean value formulas for twisted Edwards curves
R. Feng, and H. Wu recently established a certain mean-value formula
for the x-coordinates of the n-division points on an elliptic curve given in Weierstrass form (A mean value formula for elliptic curves, 2010, available at http://eprint.iacr.org/2009/586.pdf ). We prove a similar result for both the x and y-coordinates on a twisted Edwards elliptic curve
Exploiting the Order of Multiplier Operands: A Low Cost Approach for HCCA Resistance
Horizontal collision correlation analysis (HCCA) imposes a serious threat to simple power analysis resistant elliptic curve cryptosystems involving unified algorithms, for e.g. Edward curve unified formula. This attack can be mounted even in presence of differential power analysis resistant randomization schemes. In this paper we have designed an effective countermeasure for HCCA protection, where the dependency of side-channel leakage from a school-book multiplication with the underling multiplier operands is investigated. We have shown
how changing the sequence in which the operands are passed to the multiplication algorithm introduces dissimilarity in the information leakage. This disparity has been utilized in constructing a zero-cost countermeasure against HCCA. This countermeasure integrated with an effective randomization method has been shown to successfully thwart HCCA. Additionally we provide experimental validation for our proposed countermeasure technique on a SASEBO platform. To the best of our knowledge, this is the first time that asymmetry in information leakage has been utilized in designing a side channel countermeasure
Message Encryption in Robot Operating System: Collateral Effects of Hardening Mobile Robots
[EN] In human–robot interaction situations, robot sensors collect huge amounts of data from
the environment in order to characterize the situation. Some of the gathered data ought
to be treated as private, such as medical data (i.e., medication guidelines), personal, and
safety information (i.e., images of children, home habits, alarm codes, etc.). However,
most robotic software development frameworks are not designed for securely managing
this information. This paper analyzes the scenario of hardening one of the most widely
used robotic middlewares, Robot Operating System (ROS). The study investigates a
robot’s performance when ciphering the messages interchanged between ROS nodes
under the publish/subscribe paradigm. In particular, this research focuses on the nodes
that manage cameras and LIDAR sensors, which are two of the most extended sensing
solutions in mobile robotics, and analyzes the collateral effects on the robot’s achievement under different computing capabilities and encryption algorithms (3DES, AES, and
Blowfish) to robot performance. The findings present empirical evidence that simple
encryption algorithms are lightweight enough to provide cyber-security even in lowpowered robots when carefully designed and implemented. Nevertheless, these techniques come with a number of serious drawbacks regarding robot autonomy and performance if they are applied randomly. To avoid these issues, we define a taxonomy that links
the type of ROS message, computational units, and the encryption methods. As a result,
we present a model to select the optimal options for hardening a mobile robot using ROS.SIInstituto Nacional de Ciberseguridad (Adenda21)Junta de Castilla y León (LE028P17
Quantum resource estimates for computing elliptic curve discrete logarithms
We give precise quantum resource estimates for Shor's algorithm to compute
discrete logarithms on elliptic curves over prime fields. The estimates are
derived from a simulation of a Toffoli gate network for controlled elliptic
curve point addition, implemented within the framework of the quantum computing
software tool suite LIQ. We determine circuit implementations for
reversible modular arithmetic, including modular addition, multiplication and
inversion, as well as reversible elliptic curve point addition. We conclude
that elliptic curve discrete logarithms on an elliptic curve defined over an
-bit prime field can be computed on a quantum computer with at most qubits using a quantum circuit of at most Toffoli gates. We are able to classically simulate the
Toffoli networks corresponding to the controlled elliptic curve point addition
as the core piece of Shor's algorithm for the NIST standard curves P-192,
P-224, P-256, P-384 and P-521. Our approach allows gate-level comparisons to
recent resource estimates for Shor's factoring algorithm. The results also
support estimates given earlier by Proos and Zalka and indicate that, for
current parameters at comparable classical security levels, the number of
qubits required to tackle elliptic curves is less than for attacking RSA,
suggesting that indeed ECC is an easier target than RSA.Comment: 24 pages, 2 tables, 11 figures. v2: typos fixed and reference added.
ASIACRYPT 201
Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level
In this paper we introduce new Montgomery and Edwards form elliptic curve targeted at the 256-bit security level.
To this end, we work with three primes, namely , and . While has been considered earlier in the literature, and are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over all the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agreement protocol for the new Montgomery curves. Curve448 of the Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over leads to a - slowdown and the new Montgomery curve over leads to a - slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over and provide an acceptable trade-off between security and efficiency