41,048 research outputs found

    BINARY EDWARDS CURVES IN ELLIPTIC CURVE CRYPTOGRAPHY

    Edwards curves are a new normal form for elliptic curves that exhibit some cryptographically desirable properties and advantages over the typical Weierstrass form. Because the group law on an Edwards curve (normal, twisted, or binary) is complete and unified, implementations can be safer from side channel or exceptional procedure attacks. The different types of Edwards curves provide a better platform for cryptographic primitives, since they have more security built into them from the mathematical foundation up. Of the three types of Edwards curves (original, twisted, and binary), there hasn't been as much work done on binary curves. We provide the necessary motivation and background, and then delve into the theory of binary Edwards curves. Next, we examine practical considerations that separate binary Edwards curves from other recently proposed normal forms. After that, we provide some of the theory for binary curves that has been worked on for other types already: pairing computations. We next explore some applications of elliptic curve and pairing-based cryptography wherein the added security of binary Edwards curves may come in handy. Finally, we finish with a discussion of e2c2, a modern C++11 library we've developed for Edwards Elliptic Curve Cryptography.

    Halving on Binary Edwards Curves

    Edwards curves have attracted great interest for their efficient addition and doubling formulas. Furthermore, the addition formulas are strongly unified or even complete, i.e., work without change for all inputs. In this paper, we propose the first halving algorithm on binary Edwards curves, which can be used for scalar multiplication. We present a point halving algorithm on binary Edwards curves in the case d_1 ≠ d_2. The halving algorithm costs about 3I + 5M + 4S, which is slower than the doubling one. We also give a theorem to prove that the binary Edwards curves have no minimal two-torsion in the case d_1 = d_2, and we briefly explain how to achieve the point halving algorithm using an improved algorithm in this case. Finally, we apply our halving algorithm in scalar multiplication with ω-coordinates using the Montgomery ladder.

    Curves, codes, and cryptography

    This thesis deals with two topics: elliptic-curve cryptography and code-based cryptography. In 2007 elliptic-curve cryptography received a boost from the introduction of a new way of representing elliptic curves. Edwards, generalizing an example from Euler and Gauss, presented an addition law for the curves x² + y² = c²(1 + x²y²) over non-binary fields. Edwards showed that every elliptic curve can be expressed in this form as long as the underlying field is algebraically closed. Bernstein and Lange found fast explicit formulas for addition and doubling in coordinates (X : Y : Z) representing (x, y) = (X/Z, Y/Z) on these curves, and showed that these explicit formulas save time in elliptic-curve cryptography. It is easy to see that all of these curves are isomorphic to curves x² + y² = 1 + dx²y² which now are called "Edwards curves" and whose shape covers considerably more elliptic curves over a finite field than x² + y² = c²(1 + x²y²). In this thesis the Edwards addition law is generalized to cover all curves ax² + y² = 1 + dx²y² which now are called "twisted Edwards curves." The fast explicit formulas for addition and doubling presented here are almost as fast in the general case as they are for the special case a = 1. This generalization brings the speed of the Edwards addition law to every Montgomery curve. Tripling formulas for Edwards curves can be used for double-base scalar multiplication where a multiple of a point is computed using a series of additions, doublings, and triplings. The use of double-base chains for elliptic-curve scalar multiplication for elliptic curves in various shapes is investigated in this thesis. It turns out that not only are Edwards curves among the fastest curve shapes, but also that the speed of doublings on Edwards curves renders double bases obsolete for this curve shape. Elliptic curves in Edwards form and twisted Edwards form can be used to speed up the Elliptic-Curve Method for integer factorization (ECM). 
We show how to construct elliptic curves in Edwards form and twisted Edwards form with large torsion groups which are used by the EECM-MPFQ implementation of ECM. Code-based cryptography was invented by McEliece in 1978. The McEliece public-key cryptosystem uses as public key a hidden Goppa code over a finite field. Encryption in McEliece's system is remarkably fast (a matrix-vector multiplication). This system is rarely used in implementations. The main complaint is that the public key is too large. The McEliece cryptosystem recently regained attention with the advent of post-quantum cryptography, a new field in cryptography which deals with public-key systems without (known) vulnerabilities to attacks by quantum computers. The McEliece cryptosystem is one of them. In this thesis we underline the strength of the McEliece cryptosystem by improving attacks against it and by coming up with smaller-key variants. McEliece proposed to use binary Goppa codes. For these codes the most effective attacks rely on information-set decoding. In this thesis we present an attack developed together with Daniel J. Bernstein and Tanja Lange which uses and improves Stern's idea of collision decoding. This attack is faster by a factor of more than 150 than previous attacks, bringing it within reach of a moderate computer cluster. We were able to extract a plaintext from a ciphertext by decoding 50 errors in a [1024, 524] binary code. The attack should not be interpreted as destroying the McEliece cryptosystem. However, the attack demonstrates that the original parameters were chosen too small. Building on this work the collision-decoding algorithm is generalized in two directions. First, we generalize the improved collision-decoding algorithm for codes over arbitrary fields and give a precise analysis of the running time. We use the analysis to propose parameters for the McEliece cryptosystem with Goppa codes over fields such as F_31. 
Second, collision decoding is generalized to ball-collision decoding in the case of binary linear codes. Ball-collision decoding is asymptotically faster than any previous attack against the McEliece cryptosystem. Another way to strengthen the system is to use codes with a larger error-correction capability. This thesis presents "wild Goppa codes" which contain the classical binary Goppa codes as a special case. We explain how to encrypt and decrypt messages in the McEliece cryptosystem when using wild Goppa codes. The size of the public key can be reduced by using wild Goppa codes over moderate fields which is explained by evaluating the security of the "Wild McEliece" cryptosystem against our generalized collision attack for codes over finite fields. Code-based cryptography not only deals with public-key cryptography: a code-based hash function "FSB" was submitted to NIST's SHA-3 competition, a competition to establish a new standard for cryptographic hashing. Wagner's generalized birthday attack is a generic attack which can be used to find collisions in the compression function of FSB. However, applying Wagner's algorithm is a challenge in storage-restricted environments. The FSBday project showed how to successfully mount the generalized birthday attack on 8 nodes of the Coding and Cryptography Computer Cluster (CCCC) at Technische Universiteit Eindhoven to find collisions in the toy version FSB48 which is contained in the submission to NIST.

    Isomorphic to the initial form elliptic of Edwards curves over expanded fields of characteristic 2

    The Edwards form of an elliptic curve over extension fields of characteristic 2 and the corresponding group law are given. Rules of isomorphism between an Edwards curve and a non-supersingular elliptic curve over an extension field of characteristic 2 are considered. 90 curves in Edwards form over fields of even characteristic of various bit lengths are obtained, and the coordinates of a generator are computed for each curve.
    An Edwards-form elliptic curve over fields of characteristic 2 and the appropriate group law are given. Birational equivalence is considered between the Edwards curve and an ordinary elliptic curve over a binary field. 90 Edwards curves are obtained over binary fields of various bit lengths; coordinates of the base point are evaluated for every curve.

    Low-Resource and Fast Elliptic Curve Implementations over Binary Edwards Curves

    Elliptic curve cryptography (ECC) is an ideal choice for low-resource applications because it provides the same level of security with smaller key sizes than other existing public key encryption schemes. For low-resource applications, designing efficient functional units for elliptic curve computations over binary fields results in an effective platform for an embedded co-processor. This thesis investigates co-processor designs for area-constrained devices. Particularly, we discuss an implementation utilizing state-of-the-art binary Edwards curve equations over mixed point addition and doubling. The binary Edwards curve offers the security advantage that it is complete and is, therefore, immune to the exceptional points attack. In conjunction with the Montgomery ladder, such a curve is naturally immune to most types of simple power and timing attacks. Finite field operations were performed in the small and efficient Gaussian normal basis. The recently presented formulas for mixed point addition by K. Kim, C. Lee, and C. Negre at Indocrypt 2014 were found to be invalid, but were corrected such that the speed and register usage were maintained. We utilize corrected mixed point addition and doubling formulas to achieve a secure, but still fast implementation of a point multiplication on binary Edwards curves. Our synthesis results over NIST recommended fields for ECC indicate that the proposed co-processor requires about 50% fewer clock cycles for point multiplication and occupies a similar silicon area when compared to the most recent in the literature.

    Binary Kummer Line

    Gaudry and Lubicz introduced the idea of the Kummer line in 2009, and Karati and Sarkar proposed three Kummer lines over prime fields in 2017. In this work, we explore the problem of secure and efficient scalar multiplications on binary fields using Kummer lines and investigate the possibilities of speedups using Kummer lines compared to Koblitz curves, binary Edwards curves and Weierstrass curves. We propose a binary Kummer line BKL251 over the binary field F_{2^251} where the associated elliptic curve satisfies the required security conditions and offers 124.5-bit security, which is the same as that of the binary Edwards curve BEd251 and the Weierstrass curve CURVE2251. BKL251 has a small curve parameter and a small base point. We implement our software of BKL251 using the instruction PCLMULQDQ of modern Intel processors and the batch software BBK251 using the bitslicing technique. For fair comparison, we also implement the software BEd251 for the binary Edwards curve. In both implementations, scalar multiplications take constant time and use Montgomery ladders. In the case of the left-to-right Montgomery ladder, both the Kummer line and the Edwards curve have almost the same number of field operations. For right-to-left Montgomery ladder scalar multiplication, each ladder step of the binary Kummer line needs fewer field operations than the Edwards curve. Our experimental results show that left-to-right Montgomery scalar multiplications of BKL251 are 9.63% and 0.52% faster than those of BEd251 for fixed-base and variable-base, respectively. Left-to-right Montgomery scalar multiplication for variable-base of BKL251 is 39.74%, 23.25% and 32.92% faster than those of the curves CURVE2251, K-283 and B-283 respectively. 
Using the right-to-left Montgomery ladder with precomputation, BKL251 achieves a 17.84% speedup over BEd251 for fixed-base scalar multiplication. For batch computation, BBK251 has comparatively the same (slightly faster) performance as BBE251 and sect283r1. Also it is clear from our experiments that scalar multiplications on BKL251 and BEd251 are (approximately) 65% faster than one scalar multiplication (after scaling down) of the batch software BBK251 and BBE251.

    Efficient Implementation of Elliptic Curve Point Operations Using Binary Edwards Curves

    This paper presents a deterministic algorithm for converting points on an ordinary elliptic curve (defined over a field of characteristic 2) to points on a complete binary Edwards curve. This avoids the problem of choosing curve parameters at random. When implemented on a large (512-bit) hardware multiplier, computation of point multiplication using this algorithm performs significantly better, in terms of code complexity, code coverage and timing, than the standard implementation. In addition, we propose a simple modification to the birational equivalence detailed in the paper by Bernstein et al. which both reduces the number of inversions required in the affine mapping and has fewer exceptional points. Finally, we compare software implementations using this efficient point multiplication for binary Edwards curves with computations on elliptic curves in Weierstrass form.

    High-speed Hardware Implementations of Point Multiplication for Binary Edwards and Generalized Hessian Curves

    In this paper high-speed hardware architectures of point multiplication based on the Montgomery ladder algorithm for binary Edwards and generalized Hessian curves in Gaussian normal basis are presented. Computations of the point addition and point doubling in the proposed architecture are concurrently performed by pipelined digit-serial finite field multipliers. The multipliers in parallel form are scheduled for a lower number of clock cycles. The structure of the proposed digit-serial Gaussian normal basis multiplier is constructed based on regular and low-cost modules of exponentiation by powers of two and multiplication by normal elements. Therefore, the structures are area efficient and have low critical path delay. Implementation results of the proposed architectures on a Virtex-5 XC5VLX110 FPGA show that the execution times of the point multiplication for binary Edwards and generalized Hessian curves over GF(2^163) and GF(2^233) are 8.62 µs and 11.03 µs respectively. The proposed architectures have high performance and high speed compared to other works.

    Multi-Base Chains for Faster Elliptic Curve Cryptography

    This research addresses a multi-base number system (MBNS) for faster elliptic curve cryptography (ECC). The emphasis is on speeding up the main operation of ECC: scalar multiplication (tP). Mainly, it addresses the two issues of using the MBNS with ECC: deriving optimized formulas and choosing fast methods. To address the first issue, this research studies the optimized formulas (e.g., 3P, 5P) in different elliptic curve coordinate systems over prime and binary fields. For elliptic curves over prime fields, affine Weierstrass, Jacobian Weierstrass, and standard twisted Edwards coordinate systems are reviewed. For binary elliptic curves, affine, Lambda-projective, and twisted mu4-normal coordinate systems are reviewed. Additionally, whenever possible, this research derives several optimized formulas for these coordinate systems. To address the second issue, this research theoretically and experimentally studies the MBNS methods with respect to the average chain length, the average chain cost, and the average conversion cost. The reviewed MBNS methods are greedy, ternary/binary, multi-base NAF, tree-based, and rDAG-based. The emphasis is on these methods' techniques to convert the integer t to multi-base chains. Additionally, this research develops bucket methods that advance the MBNS methods. The experimental results show that the MBNS methods with the optimized formulas, in general, have good improvements on the performance of scalar multiplication, compared to the single-base number system methods.