568 research outputs found
Fast, uniform, and compact scalar multiplication for elliptic curves and genus 2 Jacobians with applications to signature schemes
We give a general framework for uniform, constant-time one-and
two-dimensional scalar multiplication algorithms for elliptic curves and
Jacobians of genus 2 curves that operate by projecting to the x-line or Kummer
surface, where we can exploit faster and more uniform pseudomultiplication,
before recovering the proper "signed" output back on the curve or Jacobian.
This extends the work of L{\'o}pez and Dahab, Okeya and Sakurai, and Brier and
Joye to genus 2, and also to two-dimensional scalar multiplication. Our results
show that many existing fast pseudomultiplication implementations (hitherto
limited to applications in Diffie--Hellman key exchange) can be wrapped with
simple and efficient pre-and post-computations to yield competitive full scalar
multiplication algorithms, ready for use in more general discrete
logarithm-based cryptosystems, including signature schemes. This is especially
interesting for genus 2, where Kummer surfaces can outperform comparable
elliptic curve systems. As an example, we construct an instance of the Schnorr
signature scheme driven by Kummer surface arithmetic
Point compression for the trace zero subgroup over a small degree extension field
Using Semaev's summation polynomials, we derive a new equation for the
-rational points of the trace zero variety of an elliptic curve
defined over . Using this equation, we produce an optimal-size
representation for such points. Our representation is compatible with scalar
multiplication. We give a point compression algorithm to compute the
representation and a decompression algorithm to recover the original point (up
to some small ambiguity). The algorithms are efficient for trace zero varieties
coming from small degree extension fields. We give explicit equations and
discuss in detail the practically relevant cases of cubic and quintic field
extensions.Comment: 23 pages, to appear in Designs, Codes and Cryptograph
Computational and Energy Costs of Cryptographic Algorithms on Handheld Devices
Networks are evolving toward a ubiquitous model in which heterogeneous
devices are interconnected. Cryptographic algorithms are required for developing security
solutions that protect network activity. However, the computational and energy limitations
of network devices jeopardize the actual implementation of such mechanisms. In this
paper, we perform a wide analysis on the expenses of launching symmetric and asymmetric
cryptographic algorithms, hash chain functions, elliptic curves cryptography and pairing
based cryptography on personal agendas, and compare them with the costs of basic operating
system functions. Results show that although cryptographic power costs are high and such
operations shall be restricted in time, they are not the main limiting factor of the autonomy
of a device
From Dragondoom to Dragonstar: Side-channel Attacks and Formally Verified Implementation of WPA3 Dragonfly Handshake
It is universally acknowledged that Wi-Fi communications are important to
secure. Thus, the Wi-Fi Alliance published WPA3 in 2018 with a distinctive
security feature: it leverages a Password-Authenticated Key Exchange (PAKE)
protocol to protect users' passwords from offline dictionary attacks.
Unfortunately, soon after its release, several attacks were reported against
its implementations, in response to which the protocol was updated in a
best-effort manner.
In this paper, we show that the proposed mitigations are not enough,
especially for a complex protocol to implement even for savvy developers.
Indeed, we present **Dragondoom**, a collection of side-channel vulnerabilities
of varying strength allowing attackers to recover users' passwords in widely
deployed Wi-Fi daemons, such as hostap in its default settings. Our findings
target both password conversion methods, namely the default probabilistic
hunting-and-pecking and its newly standardized deterministic alternative based
on SSWU. We successfully exploit our leakage in practice through
microarchitectural mechanisms, and overcome the limited spatial resolution of
Flush+Reload. Our attacks outperform previous works in terms of required
measurements.
Then, driven by the need to end the spiral of patch-and-hack in Dragonfly
implementations, we propose **Dragonstar**, an implementation of Dragonfly
leveraging a formally verified implementation of the underlying mathematical
operations, thereby removing all the related leakage vector. Our implementation
relies on HACL*, a formally verified crypto library guaranteeing
secret-independence. We design Dragonstar, so that its integration within
hostap requires minimal modifications to the existing project. Our experiments
show that the performance of HACL*-based hostap is comparable to OpenSSL-based,
implying that Dragonstar is both efficient and proved to be leakage-free.Comment: Accepted at 2023 IEEE 8th European Symposium on Security and Privacy
(EuroS&P
Secure Data Aggregation in Wireless Sensor Networks. Homomorphism versus Watermarking Approach
International audienceWireless sensor networks are now in widespread use to monitor regions, detect events and acquire information. Since the deployed nodes are separated, they need to cooperatively communicate sensed data to the base station. Hence, transmissions are a very energy consuming operation. To reduce the amount of sending data, an aggregation approach can be applied along the path from sensors to the sink. However, usually the carried information contains confidential data. Therefore, an end-to-end secure aggregation approach is required to ensure a healthy data reception. End-to-end encryption schemes that support operations over cypher-text have been proved important for private party sensor network implementations. These schemes offer two main advantages: end-to-end concealment of data and ability to operate on cipher text, then no more decryption is required for aggregation. Unfortunately, nowadays these methods are very complex and not suitable for sensor nodes having limited resources. In this paper, we propose a secure end-to-end encrypted-data aggregation scheme. It is based on elliptic curve cryptography that exploits a smaller key size. Additionally, it allows the use of higher number of operations on cypher-texts and prevents the distinction between two identical texts from their cryptograms. These properties permit to our approach to achieve higher security levels than existing cryptosystems in sensor networks. Our experiments show that our proposed secure aggregation method significantly reduces computation and communication overhead and can be practically implemented in on-the-shelf sensor platforms. By using homomorphic encryption on elliptic curves, we thus have realized an efficient and secure data aggregation in sensor networks. Lastly, to enlarge the aggregation functions that can be used in a secure wireless sensor network, a watermarking-based authentication scheme is finally proposed
Optimising Spatial and Tonal Data for PDE-based Inpainting
Some recent methods for lossy signal and image compression store only a few
selected pixels and fill in the missing structures by inpainting with a partial
differential equation (PDE). Suitable operators include the Laplacian, the
biharmonic operator, and edge-enhancing anisotropic diffusion (EED). The
quality of such approaches depends substantially on the selection of the data
that is kept. Optimising this data in the domain and codomain gives rise to
challenging mathematical problems that shall be addressed in our work.
In the 1D case, we prove results that provide insights into the difficulty of
this problem, and we give evidence that a splitting into spatial and tonal
(i.e. function value) optimisation does hardly deteriorate the results. In the
2D setting, we present generic algorithms that achieve a high reconstruction
quality even if the specified data is very sparse. To optimise the spatial
data, we use a probabilistic sparsification, followed by a nonlocal pixel
exchange that avoids getting trapped in bad local optima. After this spatial
optimisation we perform a tonal optimisation that modifies the function values
in order to reduce the global reconstruction error. For homogeneous diffusion
inpainting, this comes down to a least squares problem for which we prove that
it has a unique solution. We demonstrate that it can be found efficiently with
a gradient descent approach that is accelerated with fast explicit diffusion
(FED) cycles. Our framework allows to specify the desired density of the
inpainting mask a priori. Moreover, is more generic than other data
optimisation approaches for the sparse inpainting problem, since it can also be
extended to nonlinear inpainting operators such as EED. This is exploited to
achieve reconstructions with state-of-the-art quality.
We also give an extensive literature survey on PDE-based image compression
methods
Batch point compression in the context of advanced pairing-based protocols
This paper continues previous ones about compression of points on elliptic curves (with -invariant ) over a finite field of characteristic . It is shown in detail how any two (resp., three) points from can be quickly compressed to two (resp., three) elements of (apart from a few auxiliary bits) in such a way that the corresponding decompression stage requires to extract only one cubic (resp., sextic) root in . As a result, for many fields occurring in practice, the new compression-decompression methods are more efficient than the classical one with the two (resp., three) or coordinates of the points, which extracts two (resp., three) roots in . As a by-product, it is also explained how to sample uniformly at random two (resp., three) ``independent\u27\u27 -points on essentially at the cost of only one cubic (resp., sextic) root in . Finally, the cases of four and more points from are commented on as well
Key Compression for Isogeny-Based Cryptosystems
We present a method for key compression in quantum-resistant isogeny-based cryptosystems, which reduces storage and transmission costs of per-party public information by a factor of two, with no effect on the security level of the scheme.
We achieve this reduction by compressing both the representation of an elliptic curve, and torsion points on said curve.
Compression of the elliptic curve is achieved by associating each j-invariant to a canonical choice of elliptic curve, and the torsion points will be represented as linear combinations with respect to a canonical choice of basis for this subgroup.
This method of compressing public information can be applied to numerous isogeny-based protocols, such as key exchange, zero-knowledge identification, and public-key encryption.
The details of utilizing compression for each of these cryptosystems is explained.
We provide implementation results showing the computational cost of key compression and decompression at various security levels.
Our results show that isogeny-based cryptosystems achieve the smallest possible key sizes among all existing families of post-quantum cryptosystems at practical security levels
Fast and compact elliptic-curve cryptography

Elliptic curve cryptosystems have improved greatly in speed over the past few years. In this paper we outline a new elliptic curve signature and key agreement implementation which achieves record speeds while remaining relatively compact. For example, on Intel Sandy Bridge, a curve with about points produces a signature in just under 60k clock cycles, verifies in under 169k clock cycles, and computes a Diffie-Hellman shared secret in under 153k clock cycles. Our implementation has a small footprint: the library is under 55kB. We also post competitive timings on ARM processors, verifying a signature in under 626k Tegra-2 cycles. We introduce faster field arithmetic, a new point compression algorithm, an improved fixed-base scalar multiplication algorithm and a new way to verify signatures without inversions or coordinate recovery. Some of these improvements should be applicable to other systems
- âŠ