Montgomery曲線を用いたKMOV暗号について

東京都立大

Arithmetic using compression on elliptic curves in Huff's form and its applications

In this paper for elliptic curves provided by Huff's equation $H_{a,b}: ax(y^2-1) = by(x^2-1)$ and general Huff's equation $G_{\overline{a},\overline{b}}\ :\ {\overline{x}}(\overline{a}{\overline{y}}^2-1)={\overline{y}}(\overline{b}{\overline{x}}^2-1)$ and degree 2 compression function $f(x,y) = xy$ on these curves, herein we provide formulas for doubling and differential addition after compression, which for Huff's curves are as efficient as Montgomery's formulas for Montgomery's curves $By^2 = x^3 + Ax^2 + x$. For these curves we also provided point recovery formulas after compression, which for a point $P$ on these curves allows to compute $[n]f(P)$ after compression using the Montgomery ladder algorithm, and then recover $[n]P$. Using formulas of Moody and Shumow for computing odd degree isogenies on general Huff's curves, we have also provide formulas for computing odd degree isogenies after compression for these curves.Moreover, it is shown herein how to apply obtained formulas using compression to the ECM algorithm. In the appendix, we present examples of Huff's curves convenient for the isogeny-based cryptography, where compression can be used

Fast, uniform, and compact scalar multiplication for elliptic curves and genus 2 Jacobians with applications to signature schemes

We give a general framework for uniform, constant-time one-and two-dimensional scalar multiplication algorithms for elliptic curves and Jacobians of genus 2 curves that operate by projecting to the x-line or Kummer surface, where we can exploit faster and more uniform pseudomultiplication, before recovering the proper "signed" output back on the curve or Jacobian. This extends the work of L{\'o}pez and Dahab, Okeya and Sakurai, and Brier and Joye to genus 2, and also to two-dimensional scalar multiplication. Our results show that many existing fast pseudomultiplication implementations (hitherto limited to applications in Diffie--Hellman key exchange) can be wrapped with simple and efficient pre-and post-computations to yield competitive full scalar multiplication algorithms, ready for use in more general discrete logarithm-based cryptosystems, including signature schemes. This is especially interesting for genus 2, where Kummer surfaces can outperform comparable elliptic curve systems. As an example, we construct an instance of the Schnorr signature scheme driven by Kummer surface arithmetic

Optimizations of Isogeny-based Key Exchange

Supersingular Isogeny Diffie-Hellman (SIDH) is a key exchange scheme that is believed to be quantum-resistant. It is based on the difficulty of finding a certain isogeny between given elliptic curves. Over the last nine years, optimizations have been proposed that significantly increased the performance of its implementations. Today, SIDH is a promising candidate in the US National Institute for Standards and Technology’s (NIST’s) post-quantum cryptography standardization process. This work is a self-contained introduction to the active research on SIDH from a high-level, algorithmic lens. After an introduction to elliptic curves and SIDH itself, we describe the mathematical and algorithmic building blocks of the fastest known implementations. Regarding elliptic curves, we describe which algorithms, data structures and trade-offs regard- ing elliptic curve arithmetic and isogeny computations exist and quantify their runtime cost in field operations. These findings are then tailored to the situation of SIDH. As a result, we give efficient algorithms for the performance-critical parts of the protocol

On Fault-based Attacks and Countermeasures for Elliptic Curve Cryptosystems

For some applications, elliptic curve cryptography (ECC) is an attractive choice because it achieves the same level of security with a much smaller key size in comparison with other schemes such as those that are based on integer factorization or discrete logarithm. Unfortunately, cryptosystems including those based on elliptic curves have been subject to attacks. For example, fault-based attacks have been shown to be a real threat in today’s cryptographic implementations. In this thesis, we consider fault-based attacks and countermeasures for ECC. We propose a new fault-based attack against the Montgomery ladder elliptic curve scalar multiplication (ECSM) algorithm. For security reasons, especially to provide resistance against fault-based attacks, it is very important to verify the correctness of computations in ECC applications. We deal with protections to fault attacks against ECSM at two levels: module and algorithm. For protections at the module level, where the underlying scalar multiplication algorithm is not changed, a number of schemes and hardware structures are presented based on re-computation or parallel computation. It is shown that these structures can be used for detecting errors with a very high probability during the computation of ECSM. For protections at the algorithm level, we use the concepts of point verification (PV) and coherency check (CC). We investigate the error detection coverage of PV and CC for the Montgomery ladder ECSM algorithm. Additionally, we propose two algorithms based on the double-and-add-always method that are resistant to the safe error (SE) attack. We demonstrate that one of these algorithms also resists the sign change fault (SCF) attack

Surcoût de l'authentification et du consensus dans la sécurité des réseaux sans fil véhiculaires

Les réseaux ad hoc sans fil véhiculaires (VANET) permettent les communications entre véhicules afin d'augmenter la sécurité routière et d'agrémenter l'expérience de conduite. Une catégorie d'applications ayant suscité un fort intérêt est celle liée à la sécurité du trafic routier. Un exemple prometteur est l'alerte de danger local qui permet d'accroitre la " ligne de vue " du conducteur en lui proposant un ensemble d'alertes afin d'anticiper des situations potentiellement dangereuses. En raison de leurs contraintes temporelles fortes et les conséquences critiques d'une mauvaise utilisation, il est primordial d'assurer des communications sécurisées. Mais l'ajout de services de sécurité entraîne un surcoût de calcul et réseau. C'est pourquoi l'objectif de notre travail est d'établir un cadre général (de manière analytique) du surcoût de la sécurité sur le délai de transfert d'une alerte. Parmi les mécanismes de sécurité conventionnels, le service d'authentification apparaît comme la pierre angulaire de la sécurité des VANETs. De plus, l'authentification est utilisée pour chaque message émis ou reçu. Il est donc potentiellement le service le plus consommateur. C'est pourquoi, nous nous focalisons sur ce service. Nous nous posons ainsi les questions suivantes : quel est le coût de l'authentification ? Quel est son impact sur l'application d'alerte de danger local ? La première contribution de cette thèse est l'élaboration d'une formule permettant le calcul du surcoût de la signature numérique. Mais l'authentification ne sera pas le seul mécanisme de sécurité déployé. Le consensus est notamment un des mécanismes fréquemment employés afin d'instaurer une confiance entre les véhicules. En effet, grâce à une méthode de décision et à partir d'un ensemble de messages, le consensus vise à obtenir un commun accord sur une valeur ou une action entre les véhicules. Ainsi, nous devons comprendre comment définir les paramètres de consensus afin de réduire l'impact de ce mécanisme sur le délai et la distance de freinage ? Comment s'intègre le consensus dans la formule globale de surcoût de l'authentification ? C'est notamment à ces questions que cette thèse répond. Notre deuxième contribution est une méthode de décision dynamique qui analyse l'environnement réseau courant (nombre de voisins à portée de communication), et explore le contenu des alertes. Il en résulte une réduction du nombre de paquets à examiner et donc une réaction plus rapide et plus adaptée à l'alerte.In 2007, road accidents have cost 110 deaths, 4600 injuries and €438 millions daily in the European Union. The damage is similarly devastating in the United States with 102 deaths, 7900 injuries and $630 millions daily. Therefore, industry consortia, governments, and automotive companies, have made the reduction of vehicular fatalities a top priority. To raise this challenge, a main idea is to make vehicles and roads smarter thanks to wireless communications. Indeed, wireless communications will increase the line-of-sight of the driver and make vehicles aware of their environment. Smart vehicles and roads will form a wireless vehicular network (VANET). The VSC Project details 75 applications that could be deployed on vehicular networks. Applications are divided in three categories: safety-related, traffic optimization and infotainment. Automotive safety-related applications aim to assist drivers in avoiding vehicular accidents, by providing advisories and early warnings to drivers, using broadcast vehicle-to-vehicle (V2V) communications. Vehicles typically communicate as per the Dedicated Short Range Communication standard (DSRC), and broadcast messages in response to certain notified events (emergency message) or periodically (beacon message). In this thesis, we focus on V2V communications in Local Danger Warning (LDW) application, which is considered one of the most promising active safety applications for inter-vehicle communication. Since drivers of vehicles participating in V2V communications are expected to act on messages received from other participants, it is clearly necessary that these messages be transmitted in a secure fashion. Unfortunately, security mechanisms come with overhead that impact the performance of the V2V communications, and hence that of the safety applications. The IEEE 1609.2 standard for vehicular ad hoc networks is based on the ECDSA algorithm for supporting the authentication mechanism. The main goal of this work is to define a formula, which assesses the authentication overhead in VANET. We also introduce the problem of consensus, which is an additional mechanism that impacts the total time overhead of ECDSA. Indeed, when you receive a message, you could legitimately ask: "Should I trust this message?". The consensus aims at increasing trust. But consensus mechanism comes with overheads. We investigate the network performance and propose new decision methods and techniques to reduce these overheads

Unified field multiplier for GF(p) and GF(2 n) with novel digit encoding

In recent years, there has been an increase in demand for unified field multipliers for Elliptic Curve Cryptography in the electronics industry because they provide flexibility for customers to choose between Prime (GF(p)) and Binary (GF(2')) Galois Fields. Also, having the ability to carry out arithmetic over both GF(p) and GF(2') in the same hardware provides the possibility of performing any cryptographic operation that requires the use of both fields. The unified field multiplier is relatively future proof compared with multipliers that only perform arithmetic over a single chosen field. The security provided by the architecture is also very important. It is known that the longer the key length, the more susceptible the system is to differential power attacks due to the increased amount of data leakage. Therefore, it is beneficial to design hardware that is scalable, so that more data can be processed per cycle. Another advantage of designing a multiplier that is capable of dealing with long word length is improvement in performance in terms of delay, because less cycles are needed. This is very important because typical elliptic curve cryptography involves key size of 160 bits. A novel unified field radix-4 multiplier using Montgomery Multiplication for the use of G(p) and GF(2') has been proposed. This design makes use of the unexploited state in number representation for operation in GF(2') where all carries are suppressed. The addition is carried out using a modified (4:2) redundant adder to accommodate the extra 1 * state. The proposed adder and the partial product generator design are capable of radix-4 operation, which reduces the number of computation cycles required. Also, the proposed adder is more scalable than existing designs

Unified field multiplier for GF(p) and GF(2 n) with novel digit encoding

In recent years, there has been an increase in demand for unified field multipliers for Elliptic Curve Cryptography in the electronics industry because they provide flexibility for customers to choose between Prime (GF(p)) and Binary (GF(2")) Galois Fields. Also, having the ability to carry out arithmetic over both GF(p) and GF(2") in the same hardware provides the possibility of performing any cryptographic operation that requires the use of both fields. The unified field multiplier is relatively future proof compared with multipliers that only perform arithmetic over a single chosen field. The security provided by the architecture is also very important. It is known that the longer the key length, the more susceptible the system is to differential power attacks due to the increased amount of data leakage. Therefore, it is beneficial to design hardware that is scalable, so that more data can be processed per cycle. Another advantage of designing a multiplier that is capable of dealing with long word length is improvement in performance in terms of delay, because less cycles are needed. This is very important because typical elliptic curve cryptography involves key size of 160 bits. A novel unified field radix-4 multiplier using Montgomery Multiplication for the use of G(p) and GF(2") has been proposed. This design makes use of the unexploited state in number representation for operation in GF(2") where all carries are suppressed. The addition is carried out using a modified (4:2) redundant adder to accommodate the extra 1 * state. The proposed adder and the partial product generator design are capable of radix-4 operation, which reduces the number of computation cycles required. Also, the proposed adder is more scalable than existing designs.EThOS - Electronic Theses Online ServiceGBUnited Kingdo