High-Speed Elliptic Curve and Pairing-Based Cryptography

Elliptic Curve Cryptography (ECC), independently proposed by Miller [Mil86] and Koblitz [Kob87] in mid 80’s, is finding momentum to consolidate its status as the public-key system of choice in a wide range of applications and to further expand this position to settings traditionally occupied by RSA and DL-based systems. The non-existence of known subexponential attacks on this cryptosystem directly translates to shorter keylengths for a given security level and, consequently, has led to implementations with better bandwidth usage, reduced power and memory requirements, and higher speeds. Moreover, the dramatic entry of pairing-based cryptosystems defined on elliptic curves at the beginning of the new millennium has opened the possibility of a plethora of innovative applications, solving in some cases longstanding problems in cryptography. Nevertheless, public-key cryptography (PKC) is still relatively expensive in comparison with its symmetric-key counterpart and it remains an open challenge to reduce further the computing cost of the most time-consuming PKC primitives to guarantee their adoption for secure communication in commercial and Internet-based applications. The latter is especially true for pairing computations. Thus, it is of paramount importance to research methods which permit the efficient realization of Elliptic Curve and Pairing-based Cryptography on the several new platforms and applications. This thesis deals with efficient methods and explicit formulas for computing elliptic curve scalar multiplication and pairings over fields of large prime characteristic with the objective of enabling the realization of software implementations at very high speeds. To achieve this main goal in the case of elliptic curves, we accomplish the following tasks: identify the elliptic curve settings with the fastest arithmetic; accelerate the precomputation stage in the scalar multiplication; study number representations and scalar multiplication algorithms for speeding up the evaluation stage; identify most efficient field arithmetic algorithms and optimize them; analyze the architecture of the targeted platforms for maximizing the performance of ECC operations; identify most efficient coordinate systems and optimize explicit formulas; and realize implementations on x86-64 processors with an optimal algorithmic selection among all studied cases. In the case of pairings, the following tasks are accomplished: accelerate tower and curve arithmetic; identify most efficient tower and field arithmetic algorithms and optimize them; identify the curve setting with the fastest arithmetic and optimize it; identify state-of-the-art techniques for the Miller loop and final exponentiation; and realize an implementation on x86-64 processors with optimal algorithmic selection. The most outstanding contributions that have been achieved with the methodologies above in this thesis can be summarized as follows: • Two novel precomputation schemes are introduced and shown to achieve the lowest costs in the literature for different curve forms and scalar multiplication primitives. The detailed cost formulas of the schemes are derived for most relevant scenarios. • A new methodology based on the operation cost per bit to devise highly optimized and compact multibase algorithms is proposed. Derived multibase chains using bases {2,3} and {2,3,5} are shown to achieve the lowest theoretical costs for scalar multiplication on certain curve forms and for scenarios with and without precomputations. In addition, the zero and nonzero density formulas of the original (width-w) multibase NAF method are derived by using Markov chains. The application of “fractional” windows to the multibase method is described together with the derivation of the corresponding density formulas. • Incomplete reduction and branchless arithmetic techniques are optimally combined for devising high-performance field arithmetic. Efficient algorithms for “small” modular operations using suitably chosen pseudo-Mersenne primes are carefully analyzed and optimized for incomplete reduction. • Data dependencies between contiguous field operations are discovered to be a source of performance degradation on x86-64 processors. Three techniques for reducing the number of potential pipeline stalls due to these dependencies are proposed: field arithmetic scheduling, merging of point operations and merging of field operations. • Explicit formulas for two relevant cases, namely Weierstrass and Twisted Edwards curves over and , are carefully optimized employing incomplete reduction, minimal number of operations and reduced number of data dependencies between contiguous field operations. • Best algorithms for the field, point and scalar arithmetic, studied or proposed in this thesis, are brought together to realize four high-speed implementations on x86-64 processors at the 128-bit security level. Presented results set new speed records for elliptic curve scalar multiplication and introduce up to 34% of cost reduction in comparison with the best previous results in the literature. • A generalized lazy reduction technique that enables the elimination of up to 32% of modular reductions in the pairing computation is proposed. Further, a methodology that keeps intermediate results under Montgomery reduction boundaries maximizing operations without carry checks is introduced. Optimized formulas for the popular tower are explicitly stated and a detailed operation count that permits to determine the theoretical cost improvement attainable with the proposed method is carried out for the case of an optimal ate pairing on a Barreto-Naehrig (BN) curve at the 128-bit security level. • Best algorithms for the different stages of the pairing computation, including the proposed techniques and optimizations, are brought together to realize a high-speed implementation at the 128-bit security level. Presented results on x86-64 processors set new speed records for pairings, introducing up to 34% of cost reduction in comparison with the best published result. From a general viewpoint, the proposed methods and optimized formulas have a practical impact in the performance of cryptographic protocols based on elliptic curves and pairings in a wide range of applications. In particular, the introduced implementations represent a direct and significant improvement that may be exploited in performance-dominated applications such as high-demand Web servers in which millions of secure transactions need to be generated

Degenerate Curve Attacks

Invalid curve attacks are a well-known class of attacks against implementations of elliptic curve cryptosystems, in which an adversary tricks the cryptographic device into carrying out scalar multiplication not on the expected secure curve, but on some other, weaker elliptic curve of his choosing. In their original form, however, these attacks only affect elliptic curve implementations using addition and doubling formulas that are independent of at least one of the curve parameters. This property is typically satisfied for elliptic curves in Weierstrass form but not for newer models that have gained increasing popularity in recent years, like Edwards and twisted Edwards curves. It has therefore been suggested (e.g. in the original paper on invalid curve attacks) that such alternate models could protect against those attacks. In this paper, we dispel that belief and present the first attack of this nature against (twisted) Edwards curves, Jacobi quartics, Jacobi intersections and more. Our attack differs from invalid curve attacks proper in that the cryptographic device is tricked into carrying out a computation not on another elliptic curve, but on a group isomorphic to the multiplicative group of the underlying base field. This often makes it easy to recover the secret scalar with a single invalid computation. We also show how our result can be used constructively, especially on curves over random base fields, as a fault attack countermeasure similar to Shamir\u27s trick

Fast Multibase Methods and Other Several Optimizations for Elliptic Curve Scalar Multiplication

Recently, the new Multibase Non-Adjacent Form (mbNAF) method was introduced and shown to speed up the execution of the scalar multiplication with an efficient use of multiple bases to represent the scalar. In this work, we first optimize the previous method using fractional windows, and then introduce further improvements to achieve additional cost reductions. Moreover, we present new improvements in the point operation formulae. Specifically, we reduce further the cost of composite operations such as quintupling and septupling of a point, which are relevant for the speed up of multibase methods in general. Remarkably, our tests show that, in the case of standard elliptic curves, the refined mbNAF method can be as efficient as Window-w NAF using an optimal fractional window size. Thus, this is the first published method that does not require precomputations to achieve comparable efficiency to the standard window-based NAF method using precomputations. On other highly efficient curves as Jacobi quartics and Edwards curves, our tests show that the refined mbNAF currently attains the highest performance for both scenarios using precomputations and those without precomputations

Survey for Performance & Security Problems of Passive Side-channel Attacks Countermeasures in ECC

The main objective of the Internet of Things is to interconnect everything around us to obtain information which was unavailable to us before, thus enabling us to make better decisions. This interconnection of things involves security issues for any Internet of Things key technology. Here we focus on elliptic curve cryptography (ECC) for embedded devices, which offers a high degree of security, compared to other encryption mechanisms. However, ECC also has security issues, such as Side-Channel Attacks (SCA), which are a growing threat in the implementation of cryptographic devices. This paper analyze the state-of-the-art of several proposals of algorithmic countermeasures to prevent passive SCA on ECC defined over prime fields. This work evaluates the trade-offs between security and the performance of side-channel attack countermeasures for scalar multiplication algorithms without pre-computation, i.e. for variable base point. Although a number of results are required to study the state-of-the-art of side-channel attack in elliptic curve cryptosystems, the interest of this work is to present explicit solutions that may be used for the future implementation of security mechanisms suitable for embedded devices applied to Internet of Things. In addition security problems for the countermeasures are also analyzed

Efficient Arithmetic for the Implementation of Elliptic Curve Cryptography

The technology of elliptic curve cryptography is now an important branch in public-key based crypto-system. Cryptographic mechanisms based on elliptic curves depend on the arithmetic of points on the curve. The most important arithmetic is multiplying a point on the curve by an integer. This operation is known as elliptic curve scalar (or point) multiplication operation. A cryptographic device is supposed to perform this operation efficiently and securely. The elliptic curve scalar multiplication operation is performed by combining the elliptic curve point routines that are defined in terms of the underlying finite field arithmetic operations. This thesis focuses on hardware architecture designs of elliptic curve operations. In the first part, we aim at finding new architectures to implement the finite field arithmetic multiplication operation more efficiently. In this regard, we propose novel schemes for the serial-out bit-level (SOBL) arithmetic multiplication operation in the polynomial basis over F_2^m. We show that the smallest SOBL scheme presented here can provide about 26-30\% reduction in area-complexity cost and about 22-24\% reduction in power consumptions for F_2^{163} compared to the current state-of-the-art bit-level multiplier schemes. Then, we employ the proposed SOBL schemes to present new hybrid-double multiplication architectures that perform two multiplications with latency comparable to the latency of a single multiplication. Then, in the second part of this thesis, we investigate the different algorithms for the implementation of elliptic curve scalar multiplication operation. We focus our interest in three aspects, namely, the finite field arithmetic cost, the critical path delay, and the protection strength from side-channel attacks (SCAs) based on simple power analysis. In this regard, we propose a novel scheme for the scalar multiplication operation that is based on processing three bits of the scalar in the exact same sequence of five point arithmetic operations. We analyse the security of our scheme and show that its security holds against both SCAs and safe-error fault attacks. In addition, we show how the properties of the proposed elliptic curve scalar multiplication scheme yields an efficient hardware design for the implementation of a single scalar multiplication on a prime extended twisted Edwards curve incorporating 8 parallel multiplication operations. Our comparison results show that the proposed hardware architecture for the twisted Edwards curve model implemented using the proposed scalar multiplication scheme is the fastest secure SCA protected scalar multiplication scheme over prime field reported in the literature

Cryptographic Protection of Digital Identity

Dizertační práce se zabývá kryptografickými schématy zvyšující ochranu soukromí uživatelů v systémech řízení přístupu a sběru dat. V současnosti jsou systémy fyzického řízení přístupu na bázi čipových karet využívány téměř dennodenně většinou z nás, například v zaměstnání, ve veřejné dopravě a v hotelech. Tyto systémy však stále neposkytují dostatečnou kryptografickou ochranu a tedy bezpečnost. Uživatelské identifikátory a klíče lze snadno odposlechnout a padělat. Funkce, které by zajišťovaly ochranu soukromí uživatele, téměř vždy chybí. Proto je zde reálné riziko možného sledovaní lidí, jejich pohybu a chovaní. Poskytovatelé služeb nebo případní útočníci, kteří odposlouchávají komunikaci, mohou vytvářet profily uživatelů, ví, co dělají, kde se pohybují a o co se zajímají. Za účelem zlepšení tohoto stavu jsme navrhli čtyři nová kryptografická schémata založená na efektivních důkazech s nulovou znalostí a kryptografii eliptických křivek. Konkrétně dizertační práce prezentuje tři nová autentizační schémata pro využití v systémech řízení přístupu a jedno nové schéma pro využití v systémech sběru dat. První schéma využívá distribuovaný autentizační přístup vyžadující spolupráci více RFID prvků v autentizačním procesu. Tato vlastnost je výhodná zvláště v případech řízení přístupu do nebezpečných prostor, kdy pro povolení přístupu uživatele je nezbytné, aby byl uživatel vybaven ochrannými pomůckami (se zabudovanými RFID prvky). Další dvě schémata jsou založena na atributovém způsobu ověření, tj. schémata umožňují anonymně prokázat vlastnictví atributů uživatele, jako je věk, občanství a pohlaví. Zatím co jedno schéma implementuje efektivní revokační a identifikační mechanismy, druhé schéma poskytuje nejrychlejší verifikaci držení uživatelských atributů ze všech současných řešení. Poslední, čtvrté schéma reprezentuje schéma krátkého skupinového podpisu pro scénář sběru dat. Schémata sběru dat se používají pro bezpečný a spolehlivý přenos dat ze vzdálených uzlů do řídící jednotky. S rostoucím významem chytrých měřičů v energetice, inteligentních zařízení v domácnostech a rozličných senzorových sítí, se potřeba bezpečných systémů sběru dat stává velmi naléhavou. Tato schémata musí podporovat nejen standardní bezpečnostní funkce, jako je důvěrnost a autentičnost přenášených dat, ale také funkce nové, jako je silná ochrana soukromí a identity uživatele či identifikace škodlivých uživatelů. Navržená schémata jsou prokazatelně bezpečná a nabízí celou řadu funkcí rozšiřující ochranu soukromí a identity uživatele, jmenovitě se pak jedná o zajištění anonymity, nesledovatelnosti a nespojitelnosti jednotlivých relací uživatele. Kromě úplné kryptografické specifikace a bezpečnostní analýzy navržených schémat, obsahuje tato práce také výsledky měření implementací jednotlivých schémat na v současnosti nejpoužívanějších zařízeních v oblasti řízení přístupu a sběru dat.The doctoral thesis deals with privacy-preserving cryptographic schemes in access control and data collection areas. Currently, card-based physical access control systems are used by most people on a daily basis, for example, at work, in public transportation and at hotels. However, these systems have often very poor cryptographic protection. For instance, user identifiers and keys can be easily eavesdropped and counterfeited. Furthermore, privacy-preserving features are almost missing and, therefore, user’s movement and behavior can by easily tracked. Service providers (and even eavesdroppers) can profile users, know what they do, where they go, and what they are interested in. In order to improve this state, we propose four novel cryptographic schemes based on efficient zero-knowledge proofs and elliptic curve cryptography. In particular, the thesis presents three novel privacy-friendly authentication schemes for access control and one for data collection application scenarios. The first scheme supports distributed multi-device authentication with multiple Radio-Frequency IDentification (RFID) user’s devices. This feature is particularly important in applications for controlling access to dangerous areas where the presence of protective equipment is checked during each access control session. The other two presented schemes use attribute-based approach to protect user’s privacy, i.e. these schemes allow users to anonymously prove the ownership of their attributes, such as age, citizenship, and gender. While one of our scheme brings efficient revocation and identification mechanisms, the other one provides the fastest authentication phase among the current state of the art solutions. The last (fourth) proposed scheme is a novel short group signature scheme for data collection scenarios. Data collection schemes are used for secure and reliable data transfer from multiple remote nodes to a central unit. With the increasing importance of smart meters in energy distribution, smart house installations and various sensor networks, the need for secure data collection schemes becomes very urgent. Such schemes must provide standard security features, such as confidentiality and authenticity of transferred data, as well as novel features, such as strong protection of user’s privacy and identification of malicious users. The proposed schemes are provably secure and provide the full set of privacy-enhancing features, namely anonymity, untraceability and unlinkability of users. Besides the full cryptographic specification and security analysis, we also show the results of our implementations on devices commonly used in access control and data collection applications.

Elliptic Curve Arithmetic for Cryptography

The advantages of using public key cryptography over secret key cryptography include the convenience of better key management and increased security. However, due to the complexity of the underlying number theoretic algorithms, public key cryptography is slower than conventional secret key cryptography, thus motivating the need to speed up public key cryptosystems. A mathematical object called an elliptic curve can be used in the construction of public key cryptosystems. This thesis focuses on speeding up elliptic curve cryptography which is an attractive alternative to traditional public key cryptosystems such as RSA. Speeding up elliptic curve cryptography can be done by speeding up point arithmetic algorithms and by improving scalar multiplication algorithms. This thesis provides a speed up of some point arithmetic algorithms. The study of addition chains has been shown to be useful in improving scalar multiplication algorithms, when the scalar is fixed. A special form of an addition chain called a Lucas chain or a differential addition chain is useful to compute scalar multiplication on some elliptic curves, such as Montgomery curves for which differential addition formulae are available. While single scalar multiplication may suffice in some systems, there are others where a double or a triple scalar multiplication algorithm may be desired. This thesis provides triple scalar multiplication algorithms in the context of differential addition chains. Precomputations are useful in speeding up scalar multiplication algorithms, when the elliptic curve point is fixed. This thesis focuses on both speeding up point arithmetic and improving scalar multiplication in the context of precomputations toward double scalar multiplication. Further, this thesis revisits pairing computations which use elliptic curve groups to compute pairings such as the Tate pairing. More specifically, the thesis looks at Stange's algorithm to compute pairings and also pairings on Selmer curves. The thesis also looks at some aspects of the underlying finite field arithmetic

On the Analysis of Public-Key Cryptologic Algorithms

The RSA cryptosystem introduced in 1977 by Ron Rivest, Adi Shamir and Len Adleman is the most commonly deployed public-key cryptosystem. Elliptic curve cryptography (ECC) introduced in the mid 80's by Neal Koblitz and Victor Miller is becoming an increasingly popular alternative to RSA offering competitive performance due the use of smaller key sizes. Most recently hyperelliptic curve cryptography (HECC) has been demonstrated to have comparable and in some cases better performance than ECC. The security of RSA relies on the integer factorization problem whereas the security of (H)ECC is based on the (hyper)elliptic curve discrete logarithm problem ((H)ECDLP). In this thesis the practical performance of the best methods to solve these problems is analyzed and a method to generate secure ephemeral ECC parameters is presented. The best publicly known algorithm to solve the integer factorization problem is the number field sieve (NFS). Its most time consuming step is the relation collection step. We investigate the use of graphics processing units (GPUs) as accelerators for this step. In this context, methods to efficiently implement modular arithmetic and several factoring algorithms on GPUs are presented and their performance is analyzed in practice. In conclusion, it is shown that integrating state-of-the-art NFS software packages with our GPU software can lead to a speed-up of 50%. In the case of elliptic and hyperelliptic curves for cryptographic use, the best published method to solve the (H)ECDLP is the Pollard rho algorithm. This method can be made faster using classes of equivalence induced by curve automorphisms like the negation map. We present a practical analysis of their use to speed up Pollard rho for elliptic curves and genus 2 hyperelliptic curves defined over prime fields. As a case study, 4 curves at the 128-bit theoretical security level are analyzed in our software framework for Pollard rho to estimate their practical security level. In addition, we present a novel many-core architecture to solve the ECDLP using the Pollard rho algorithm with the negation map on FPGAs. This architecture is used to estimate the cost of solving the Certicom ECCp-131 challenge with a cluster of FPGAs. Our design achieves a speed-up factor of about 4 compared to the state-of-the-art. Finally, we present an efficient method to generate unique, secure and unpredictable ephemeral ECC parameters to be shared by a pair of authenticated users for a single communication. It provides an alternative to the customary use of fixed ECC parameters obtained from publicly available standards designed by untrusted third parties. The effectiveness of our method is demonstrated with a portable implementation for regular PCs and Android smartphones. On a Samsung Galaxy S4 smartphone our implementation generates unique 128-bit secure ECC parameters in 50 milliseconds on average