17x bits elliptic curve scalar multiplication over GF(2M) using optimal normal basis.

Tang Ko Cheung, Simon.Thesis (M.Phil.)--Chinese University of Hong Kong, 2001.Includes bibliographical references (leaves 89-91).Abstracts in English and Chinese.Chapter 1 --- Theory of Optimal Normal Bases --- p.3Chapter 1.1 --- Introduction --- p.3Chapter 1.2 --- The minimum number of terms --- p.6Chapter 1.3 --- Constructions for optimal normal bases --- p.7Chapter 1.4 --- Existence of optimal normal bases --- p.10Chapter 2 --- Implementing Multiplication in GF(2m) --- p.13Chapter 2.1 --- Defining the Galois fields GF(2m) --- p.13Chapter 2.2 --- Adding and squaring normal basis numbers in GF(2m) --- p.14Chapter 2.3 --- Multiplication formula --- p.15Chapter 2.4 --- Construction of Lambda table for Type I ONB in GF(2m) --- p.16Chapter 2.5 --- Constructing Lambda table for Type II ONB in GF(2m) --- p.21Chapter 2.5.1 --- Equations of the Lambda matrix --- p.21Chapter 2.5.2 --- An example of Type IIa ONB --- p.23Chapter 2.5.3 --- An example of Type IIb ONB --- p.24Chapter 2.5.4 --- Creating the Lambda vectors for Type II ONB --- p.26Chapter 2.6 --- Multiplication in practice --- p.28Chapter 3 --- Inversion over optimal normal basis --- p.33Chapter 3.1 --- A straightforward method --- p.33Chapter 3.2 --- High-speed inversion for optimal normal basis --- p.34Chapter 3.2.1 --- Using the almost inverse algorithm --- p.34Chapter 3.2.2 --- "Faster inversion, preliminary subroutines" --- p.37Chapter 3.2.3 --- "Faster inversion, the code" --- p.41Chapter 4 --- Elliptic Curve Cryptography over GF(2m) --- p.49Chapter 4.1 --- Mathematics of elliptic curves --- p.49Chapter 4.2 --- Elliptic Curve Cryptography --- p.52Chapter 4.3 --- Elliptic curve discrete log problem --- p.56Chapter 4.4 --- Finding good and secure curves --- p.58Chapter 4.4.1 --- Avoiding weak curves --- p.58Chapter 4.4.2 --- Finding curves of appropriate order --- p.59Chapter 5 --- The performance of 17x bit Elliptic Curve Scalar Multiplication --- p.63Chapter 5.1 --- Choosing finite fields --- p.63Chapter 5.2 --- 17x bit test vectors for onb --- p.65Chapter 5.3 --- Testing methodology and sample runs --- p.68Chapter 5.4 --- Proposing an elliptic curve discrete log problem for an 178bit curve --- p.72Chapter 5.5 --- Results and further explorations --- p.74Chapter 6 --- On matrix RSA --- p.77Chapter 6.1 --- Introduction --- p.77Chapter 6.2 --- 2 by 2 matrix RSA scheme 1 --- p.80Chapter 6.3 --- Theorems on matrix powers --- p.80Chapter 6.4 --- 2 by 2 matrix RSA scheme 2 --- p.83Chapter 6.5 --- 2 by 2 matrix RSA scheme 3 --- p.84Chapter 6.6 --- An example and conclusion --- p.85Bibliography --- p.9

Elliptic Curve Cryptography: The Serpentine Course of a Paradigm Shift

Over a period of sixteen years elliptic curve cryptography went from being an approach that many people mistrusted or misunderstood to being a public key technology that enjoys almost unquestioned acceptance. We describe the sometimes surprising twists and turns in this paradigm shift, and compare this story with the commonly accepted Ideal Model of how research and development function in cryptography. We also discuss to what extent the ideas in the literature on social construction of technology can contribute to a better understanding of this history

On the Cryptanalysis of Public-Key Cryptography

Nowadays, the most popular public-key cryptosystems are based on either the integer factorization or the discrete logarithm problem. The feasibility of solving these mathematical problems in practice is studied and techniques are presented to speed-up the underlying arithmetic on parallel architectures. The fastest known approach to solve the discrete logarithm problem in groups of elliptic curves over finite fields is the Pollard rho method. The negation map can be used to speed up this calculation by a factor √2. It is well known that the random walks used by Pollard rho when combined with the negation map get trapped in fruitless cycles. We show that previously published approaches to deal with this problem are plagued by recurring cycles, and we propose effective alternative countermeasures. Furthermore, fast modular arithmetic is introduced which can take advantage of prime moduli of a special form using efficient "sloppy reduction." The effectiveness of these techniques is demonstrated by solving a 112-bit elliptic curve discrete logarithm problem using a cluster of PlayStation 3 game consoles: breaking a public-key standard and setting a new world record. The elliptic curve method (ECM) for integer factorization is the asymptotically fastest method to find relatively small factors of large integers. From a cryptanalytic point of view the performance of ECM gives information about secure parameter choices of some cryptographic protocols. We optimize ECM by proposing carry-free arithmetic modulo Mersenne numbers (numbers of the form 2M – 1) especially suitable for parallel architectures. Our implementation of these techniques on a cluster of PlayStation 3 game consoles set a new record by finding a 241-bit prime factor of 21181 – 1. A normal form for elliptic curves introduced by Edwards results in the fastest elliptic curve arithmetic in practice. Techniques to reduce the temporary storage and enhance the performance even further in the setting of ECM are presented. Our results enable one to run ECM efficiently on resource-constrained platforms such as graphics processing units

On the Analysis of Public-Key Cryptologic Algorithms

The RSA cryptosystem introduced in 1977 by Ron Rivest, Adi Shamir and Len Adleman is the most commonly deployed public-key cryptosystem. Elliptic curve cryptography (ECC) introduced in the mid 80's by Neal Koblitz and Victor Miller is becoming an increasingly popular alternative to RSA offering competitive performance due the use of smaller key sizes. Most recently hyperelliptic curve cryptography (HECC) has been demonstrated to have comparable and in some cases better performance than ECC. The security of RSA relies on the integer factorization problem whereas the security of (H)ECC is based on the (hyper)elliptic curve discrete logarithm problem ((H)ECDLP). In this thesis the practical performance of the best methods to solve these problems is analyzed and a method to generate secure ephemeral ECC parameters is presented. The best publicly known algorithm to solve the integer factorization problem is the number field sieve (NFS). Its most time consuming step is the relation collection step. We investigate the use of graphics processing units (GPUs) as accelerators for this step. In this context, methods to efficiently implement modular arithmetic and several factoring algorithms on GPUs are presented and their performance is analyzed in practice. In conclusion, it is shown that integrating state-of-the-art NFS software packages with our GPU software can lead to a speed-up of 50%. In the case of elliptic and hyperelliptic curves for cryptographic use, the best published method to solve the (H)ECDLP is the Pollard rho algorithm. This method can be made faster using classes of equivalence induced by curve automorphisms like the negation map. We present a practical analysis of their use to speed up Pollard rho for elliptic curves and genus 2 hyperelliptic curves defined over prime fields. As a case study, 4 curves at the 128-bit theoretical security level are analyzed in our software framework for Pollard rho to estimate their practical security level. In addition, we present a novel many-core architecture to solve the ECDLP using the Pollard rho algorithm with the negation map on FPGAs. This architecture is used to estimate the cost of solving the Certicom ECCp-131 challenge with a cluster of FPGAs. Our design achieves a speed-up factor of about 4 compared to the state-of-the-art. Finally, we present an efficient method to generate unique, secure and unpredictable ephemeral ECC parameters to be shared by a pair of authenticated users for a single communication. It provides an alternative to the customary use of fixed ECC parameters obtained from publicly available standards designed by untrusted third parties. The effectiveness of our method is demonstrated with a portable implementation for regular PCs and Android smartphones. On a Samsung Galaxy S4 smartphone our implementation generates unique 128-bit secure ECC parameters in 50 milliseconds on average

Developing an Automatic Generation Tool for Cryptographic Pairing Functions

Pairing-Based Cryptography is receiving steadily more attention from industry, mainly because of the increasing interest in Identity-Based protocols. Although there are plenty of applications, efficiently implementing the pairing functions is often difficult as it requires more knowledge than previous cryptographic primitives. The author presents a tool for automatically generating optimized code for the pairing functions which can be used in the construction of such cryptographic protocols. In the following pages I present my work done on the construction of pairing function code, its optimizations and how their construction can be automated to ease the work of the protocol implementer. Based on the user requirements and the security level, the created cryptographic compiler chooses and constructs the appropriate elliptic curve. It identifies the supported pairing function: the Tate, ate, R-ate or pairing lattice/optimal pairing, and its optimized parameters. Using artificial intelligence algorithms, it generates optimized code for the final exponentiation and for hashing a point to the required group using the parametrisation of the chosen family of curves. Support for several multi-precision libraries has been incorporated: Magma, MIRACL and RELIC are already included, but more are possible

Implementação eficiente em software de criptossistemas de curvas elipticas

Orientador: Ricardo DahabTese (doutorado) - Universidade Estadual de Campinas, Instituto de ComputaçãoResumo: A criptografia de chave-pública é, reconhecidamente, uma ferramenta muito útil para prover requisitos de segurança tais como confidencialidade, integridade, autenticidade e não-repudio, parte integrante das comunicações. A principal vantagem dos criptossistemas de curvas elípticas (CCE) em relação a outras tecnologias de chave-pública concorrentes tais como RSA e DSA, é que parâmetros significativamente menores podem ser usados nos CCE com o mesmo nível de segurança. Essa vantagem é especialmente importante em aplicações em ambientes computacionais limitados como cartões inteligentes, telefones celulares, computadores de bolso e pagers. De um ponto de vista prático, a implementação dos CCE apresenta vários desafios. Uma aplicação baseada nos CCE precisa que várias escolhas sejam feitas tais como o nível de segurança, algoritmos para implementar a aritmética no corpo finito subjacente, algoritmos para implementar a aritmética na curva elíptica, protocolos de curvas elípticas e a plataforma computacional. Essas escolhas podem ter um grande impacto no desempenho da aplicação resultante. Esta dissertação trata do desenvolvimento de algoritmos eficientes para implementação em software de criptossistemas de curvas elípticas sobre o corpo finito F2m. Neste contexto, foram desenvolvidos métodos eficientes para implementar a aritmética no corpo finito F2m, e para calcular múltiplos de um ponto elíptico, a operação fundamental da criptografia pública baseada em curvas elípticas. Nesta dissertação também foi abordado o problema da implementação eficiente em software dos algoritmos propostos, em diferentes plataformas computacionais tais como PCs, estações de trabalho, e em dispositivos limitados como o pager da RIM.Abstract: It is widely recognized that public-key cryptography is an important tool for providing security services such as confidentiality, data integrity, authentication and non-repudiation, which are requirements present in almost all communications. The main advantage of elliptic curve cryptography (ECC) over competing public-key technologies such as RSA and DSA is that significantly smaller parameters can be used in ECC, but with equivalent levels of security. This advantage is especially important for applications on constrained environments such as smart cards, cell phones, personal device assistants, and pagers. From a practical point of view, the implementation of ECC presents various challenges. An ECC-based application requires that several choices be made including the security level, algorithms for implementing the finite field arithmetic, algorithms for implementing the elliptic group operation, elliptic curve protocols, and the computer platform. These choices may have a significant impact on the performance of the resulting application. This dissertation focuses on developing efficient algorithms for software implementation of ECC over F2m. In this framework, we study different ways of efficiently implementing arithmetic in F2¿, and computing an elliptic scalar multiplication, the central operation of public-key cryptography based on elliptic curves. We also concentrate on the software implementation of these algorithms for different platforms including PCs, workstations, and constrained devices such as the RIM interactive pager. This dissertation is a collection of five papers written in English, with an introduction and conclusions written in Portuguese.DoutoradoDoutor em Ciência da Computaçã

On Fault-based Attacks and Countermeasures for Elliptic Curve Cryptosystems

For some applications, elliptic curve cryptography (ECC) is an attractive choice because it achieves the same level of security with a much smaller key size in comparison with other schemes such as those that are based on integer factorization or discrete logarithm. Unfortunately, cryptosystems including those based on elliptic curves have been subject to attacks. For example, fault-based attacks have been shown to be a real threat in today’s cryptographic implementations. In this thesis, we consider fault-based attacks and countermeasures for ECC. We propose a new fault-based attack against the Montgomery ladder elliptic curve scalar multiplication (ECSM) algorithm. For security reasons, especially to provide resistance against fault-based attacks, it is very important to verify the correctness of computations in ECC applications. We deal with protections to fault attacks against ECSM at two levels: module and algorithm. For protections at the module level, where the underlying scalar multiplication algorithm is not changed, a number of schemes and hardware structures are presented based on re-computation or parallel computation. It is shown that these structures can be used for detecting errors with a very high probability during the computation of ECSM. For protections at the algorithm level, we use the concepts of point verification (PV) and coherency check (CC). We investigate the error detection coverage of PV and CC for the Montgomery ladder ECSM algorithm. Additionally, we propose two algorithms based on the double-and-add-always method that are resistant to the safe error (SE) attack. We demonstrate that one of these algorithms also resists the sign change fault (SCF) attack

Applications of Frobenius Expansions in Elliptic Curve Cryptography

Recent developments in elliptic curve cryptography have heightened the need for fast scalar point multiplication, specially when working on environments with limited computational power. It is well known that point multiplication on elliptic curves over F_{q^m} (with m > 1) can be accelerated using Frobenius expansions. In practice, the computation is much faster than the standard double-and-add scalar multiplication. An efficient implementation of elliptic curve cryptosystems can use a Koblitz curve and convert integers into Frobenius expansions to perform fast scalar multiplications. However, this conversion of integers to Frobenius expansions would lead to extra code on the device (i.e., silicon area) and extra computational cost. According to N. Koblitz, H. Lenstra suggested that rather than choosing a random integer n and then converting to a Frobenius expansion n(\tau), in certain cryptosystems it might be more efficient to generate a random Frobenius expansion directly. The temptation then is to choose a relatively short and/or sparse value for n(\tau). If this is done then we must re-evaluate the difficulty of the discrete logarithm problem (and other computational problems). A further issue is that the existing security proofs may not directly apply. For some systems it may be necessary to develop bespoke security proofs for the Frobenius expansion case. In this thesis, we analyse the Frobenius expansion DLP and present algorithms to solve it. Furthermore, we propose a variant of a well known identification scheme designed for public key cryptography on very restricted devices. More precisely, we construct the Girault-Poupard-Stern (GPS) identification scheme for Koblitz elliptic curves using Frobenius expansions. The idea is to use Frobenius expansions throughout the protocol, so there is no need to convert between integers and Frobenius expansions. We also give a security analysis of the proposed scheme

Unified field multiplier for GF(p) and GF(2 n) with novel digit encoding

In recent years, there has been an increase in demand for unified field multipliers for Elliptic Curve Cryptography in the electronics industry because they provide flexibility for customers to choose between Prime (GF(p)) and Binary (GF(2")) Galois Fields. Also, having the ability to carry out arithmetic over both GF(p) and GF(2") in the same hardware provides the possibility of performing any cryptographic operation that requires the use of both fields. The unified field multiplier is relatively future proof compared with multipliers that only perform arithmetic over a single chosen field. The security provided by the architecture is also very important. It is known that the longer the key length, the more susceptible the system is to differential power attacks due to the increased amount of data leakage. Therefore, it is beneficial to design hardware that is scalable, so that more data can be processed per cycle. Another advantage of designing a multiplier that is capable of dealing with long word length is improvement in performance in terms of delay, because less cycles are needed. This is very important because typical elliptic curve cryptography involves key size of 160 bits. A novel unified field radix-4 multiplier using Montgomery Multiplication for the use of G(p) and GF(2") has been proposed. This design makes use of the unexploited state in number representation for operation in GF(2") where all carries are suppressed. The addition is carried out using a modified (4:2) redundant adder to accommodate the extra 1 * state. The proposed adder and the partial product generator design are capable of radix-4 operation, which reduces the number of computation cycles required. Also, the proposed adder is more scalable than existing designs.EThOS - Electronic Theses Online ServiceGBUnited Kingdo