
    Generalised Mersenne Numbers Revisited

    Generalised Mersenne Numbers (GMNs) were defined by Solinas in 1999 and feature in the NIST (FIPS 186-2) and SECG standards for use in elliptic curve cryptography. Their form is such that modular reduction is extremely efficient, thus making them an attractive choice for modular multiplication implementation. However, the issue of residue multiplication efficiency seems to have been overlooked. Asymptotically, using a cyclic rather than a linear convolution, residue multiplication modulo a Mersenne number is twice as fast as integer multiplication; this property does not hold for prime GMNs, unless they are of Mersenne's form. In this work we exploit an alternative generalisation of Mersenne numbers for which an analogue of the above property --- and hence the same efficiency ratio --- holds, even at bitlengths for which schoolbook multiplication is optimal, while also maintaining very efficient reduction. Moreover, our proposed primes are abundant at any bitlength, whereas GMNs are extremely rare. Our multiplication and reduction algorithms can also be easily parallelised, making our arithmetic particularly suitable for hardware implementation. Furthermore, the field representation we propose also naturally protects against side-channel attacks, including timing attacks, simple power analysis and differential power analysis, which is essential in many cryptographic scenarios, in contrast to GMNs. Comment: 32 pages. Accepted to Mathematics of Computation.
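    The "extremely efficient reduction" the abstract refers to is worth seeing concretely. The block below is an added example, not code from the paper: it implements the word-level Solinas reduction for the NIST P-256 GMN exactly as published in FIPS 186 (the nine signed word-vector sums), next to the one-line folding reduction for a true Mersenne prime (2^127 - 1 here, chosen for illustration). It does not implement the paper's alternative family of primes; the cross-check against Python's built-in `%` is the only verification.

```python
"""Added example: fast reduction modulo a generalised Mersenne prime (NIST P-256)
and modulo a true Mersenne prime, both without any division instruction."""
import random

P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1   # FIPS 186 / SECG secp256r1 field prime
M127 = 2**127 - 1                               # a true Mersenne prime, for comparison


def reduce_mersenne(c, k=127):
    """c mod (2^k - 1) by folding: 2^k ≡ 1, so c = hi*2^k + lo ≡ hi + lo. Requires c < 2^(2k)."""
    m = (1 << k) - 1
    r = (c & m) + (c >> k)           # at most k+1 bits after the first fold
    r = (r & m) + (r >> k)           # now r <= 2^k; one conditional subtract finishes
    return r - m if r >= m else r


def reduce_p256(c):
    """Solinas reduction for p256 (FIPS 186-4 D.2.3): split c < p^2 into sixteen 32-bit words
    c0..c15 and combine nine word-vectors with signs. Every 2^(32*i) for i >= 8 has been
    rewritten in terms of words 0..7 using 2^256 ≡ 2^224 - 2^192 - 2^96 + 1 (mod p)."""
    assert 0 <= c < P256 * P256
    w = [(c >> (32 * i)) & 0xFFFFFFFF for i in range(16)]

    def words(*idx):                 # word indices listed from most to least significant; None = 0
        v = 0
        for i in idx:
            v = (v << 32) | (0 if i is None else w[i])
        return v

    s1 = words(7, 6, 5, 4, 3, 2, 1, 0)
    s2 = words(15, 14, 13, 12, 11, None, None, None)
    s3 = words(None, 15, 14, 13, 12, None, None, None)
    s4 = words(15, 14, None, None, None, 10, 9, 8)
    s5 = words(8, 13, 15, 14, 13, 11, 10, 9)
    s6 = words(10, 8, None, None, None, 13, 12, 11)
    s7 = words(11, 9, None, None, 15, 14, 13, 12)
    s8 = words(12, None, 10, 9, 8, 15, 14, 13)
    s9 = words(13, None, 11, 10, 9, None, 15, 14)
    r = s1 + 2 * s2 + 2 * s3 + s4 + s5 - s6 - s7 - s8 - s9
    # r ≡ c (mod p) and lies within a few multiples of p on either side of zero,
    # so a bounded number of conditional add/subtract steps lands in [0, p).
    while r < 0:
        r += P256
    while r >= P256:
        r -= P256
    return r


def cross_check(trials=500, seed=1):
    """Compare both reductions against Python's generic modulus on random inputs (constructed test data)."""
    rng = random.Random(seed)
    for _ in range(trials):
        c = rng.randrange(P256 * P256)
        if reduce_p256(c) != c % P256:
            return False
        d = rng.randrange(M127 * M127)
        if reduce_mersenne(d) != d % M127:
            return False
    return True


if __name__ == "__main__":
    print("P-256 Solinas reduction and Mersenne folding agree with '%':", cross_check())
```

    The Mersenne case needs only shifts and adds; the P-256 case still avoids division but needs nine word-shuffled additions plus a final correction, which is the gap in reduction cost the abstract contrasts. Note that the variable-iteration correction loop at the end is fine for a demonstration but would be written as a fixed number of masked subtractions in a constant-time implementation.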

    Açık Anahtarlı Kriptografi için Verimli Algoritmaların Geliştirilmesi (Development of Efficient Algorithms for Public-Key Cryptography)

    TÜBİTAK EEEAG Project, 01.06.2018
    The primary aim of this project is to develop algebraic techniques for improving the complexity of the operations that are widely used in cryptography, such as modular exponentiation, polynomial multiplication and arithmetic on elliptic curves, and to implement these algorithms on various platforms. As a result of the studies, improvements on modular exponentiation, polynomial multiplication and elliptic curve arithmetic are obtained. Within the scope of the studies, the arithmetic on the curves P-521, E-521 and Curve25519 is accelerated by using Toeplitz matrix vector products (TMVP). For the multiplication in the 521- and 255-bit prime fields on which the elliptic curves are defined, new TMVP algorithms are designed and the improvements that these algorithms provide are proved theoretically. The implementations show that the improvements can also be observed in practice. On the other side, to improve polynomial multiplication, studies are focused on the efficiency of the search algorithms. As the number of terms of the polynomials increases, the size of the search space grows, so instead of computing all the terms, computing the first n terms of the product of two n-term polynomials is analyzed. By this, the size of the search space decreases, and this makes it possible to develop new polynomial multiplication algorithms using the Chinese remainder theorem. Another approach is to compute the first ℓ terms of the product of two n-term polynomials (n + 1 ≤ ℓ ≤ 2n − 1). Moreover, in this approach, to reduce the size of the search space, symmetric bilinear forms and elimination of some terms are used. These methods decrease the size of the search space significantly. In addition, by choosing the evaluation points carefully in the interpolation method, the multiplication over F_{p^2} that is used for supersingular isogeny based post-quantum cryptography and large integer multiplications are accelerated. To speed up modular exponentiation, which is another subject studied in this project, the sugar cube algorithm is examined. The sugar cube algorithm is combined with the addition chains and hybrid exponentiation methods. Moreover, to speed up the operations more, the Barrett reduction method for reducing the 3n-bit size of the cube of an n-bit integer is modified, and by this the computational complexity is improved theoretically.
    Keywords: Cryptographic computations, polynomial multiplication, integer multiplication, elliptic curve cryptography, modular exponentiation, RS

    Efficient Modular Multiplication

    This paper is concerned with one of the fundamental building blocks used in modern public-key cryptography: modular multiplication. Speed-ups applied to the modular multiplication algorithm or implementation directly translate into a faster modular exponentiation for RSA or a faster realization of the group law when using elliptic curve cryptography.

    Combining leak-resistant arithmetic for elliptic curves defined over F_p and RNS representation

    In this paper we combine the residue number system (RNS) representation and the leak-resistant arithmetic on elliptic curves. These two techniques are relevant for implementation of elliptic curve cryptography on embedded devices. It is well known that the RNS multiplication is very efficient whereas the reduction step is costly. Hence, we optimize formulae for basic operations arising in leak-resistant arithmetic on elliptic curves (unified addition, Montgomery ladder) in order to minimize the number of modular reductions. We also improve the complexity of the RNS modular reduction step. As a result, we show how to obtain a competitive secured implementation. Finally, we show that, contrary to other approaches, ours takes optimal advantage of a dedicated parallel architecture.
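    The Montgomery ladder named in the abstract is the standard leak-resistant scalar multiplication: every key bit costs exactly one differential addition and one doubling, in the same order, with a branch-free swap selecting which running point is which. The block below is an added example, not the authors' code: it is the RFC 7748 X25519 ladder over plain Python integers, so the RNS representation and the paper's reduction-count optimisations are not modelled, and CPython big-integer arithmetic is not constant-time in itself, so the code shows the regular operation sequence rather than guaranteeing it at the hardware level.

```python
"""Added example: X25519 scalar multiplication by the Montgomery ladder (RFC 7748, section 5),
written to make the leak-resistance structure explicit: no branch depends on a key bit."""
P = 2**255 - 19
A24 = 121665            # (486662 - 2) / 4 for Curve25519: v^2 = u^3 + 486662 u^2 + u
BASEPOINT = (9).to_bytes(32, "little")


def decode_scalar(k_bytes):
    """RFC 7748 clamping: clear the low three bits, clear bit 255, set bit 254."""
    k = int.from_bytes(k_bytes, "little")
    k &= ~7
    k &= (1 << 255) - 1
    k |= 1 << 254
    return k


def decode_u(u_bytes):
    return int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)


def cswap(swap, x, y):
    """Conditional swap driven by a 0/1 value turned into an all-zeros/all-ones mask."""
    d = (x ^ y) & -swap
    return x ^ d, y ^ d


def ladder(k, u):
    """Each of the 255 iterations does the same differential add and double on the pair
    (R0, R1); the only key-dependent action is the masked cswap before the arithmetic."""
    x1 = u
    x2, z2, x3, z3 = 1, 0, u, 1        # R0 = infinity, R1 = (u : 1) in projective x-coordinates
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P          # differential addition R0 + R1 (difference is the base point)
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P                 # doubling 2*R0
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P    # single inversion at the end (Fermat)


def x25519(k_bytes, u_bytes):
    """The Diffie-Hellman function: 32-byte scalar and 32-byte u-coordinate in, 32 bytes out."""
    return ladder(decode_scalar(k_bytes), decode_u(u_bytes)).to_bytes(32, "little")


if __name__ == "__main__":
    # RFC 7748 section 6.1 key pairs, used here as known-answer inputs
    alice = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    bob = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    apub, bpub = x25519(alice, BASEPOINT), x25519(bob, BASEPOINT)
    print("shared secrets agree:", x25519(alice, bpub) == x25519(bob, apub))
```

    Counting the line above, each ladder step performs 4 multiplications, 2 squarings and one multiplication by the small constant, all interleaved with modular reductions; in an RNS implementation those reductions are the expensive part, which is exactly why the paper reorganises the formulae to need fewer of them.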

    On the Cryptanalysis of Public-Key Cryptography

    Nowadays, the most popular public-key cryptosystems are based on either the integer factorization or the discrete logarithm problem. The feasibility of solving these mathematical problems in practice is studied and techniques are presented to speed-up the underlying arithmetic on parallel architectures. The fastest known approach to solve the discrete logarithm problem in groups of elliptic curves over finite fields is the Pollard rho method. The negation map can be used to speed up this calculation by a factor √2. It is well known that the random walks used by Pollard rho when combined with the negation map get trapped in fruitless cycles. We show that previously published approaches to deal with this problem are plagued by recurring cycles, and we propose effective alternative countermeasures. Furthermore, fast modular arithmetic is introduced which can take advantage of prime moduli of a special form using efficient "sloppy reduction." The effectiveness of these techniques is demonstrated by solving a 112-bit elliptic curve discrete logarithm problem using a cluster of PlayStation 3 game consoles: breaking a public-key standard and setting a new world record. The elliptic curve method (ECM) for integer factorization is the asymptotically fastest method to find relatively small factors of large integers. From a cryptanalytic point of view the performance of ECM gives information about secure parameter choices of some cryptographic protocols. We optimize ECM by proposing carry-free arithmetic modulo Mersenne numbers (numbers of the form 2^M − 1) especially suitable for parallel architectures. Our implementation of these techniques on a cluster of PlayStation 3 game consoles set a new record by finding a 241-bit prime factor of 2^1181 − 1. A normal form for elliptic curves introduced by Edwards results in the fastest elliptic curve arithmetic in practice. Techniques to reduce the temporary storage and enhance the performance even further in the setting of ECM are presented. Our results enable one to run ECM efficiently on resource-constrained platforms such as graphics processing units.
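    The fruitless-cycle problem the abstract describes is easy to reproduce on a toy curve. The block below is an added example, not the thesis's code: an r-adding Pollard rho walk W → |W + R_j| with the negation map (|·| picks the representative of {W, −W} with the smaller y), run on a constructed curve over a four-digit prime. With probability about 1/(2r) per step the walk enters a 2-cycle that returns the same point with the same (a, b) bookkeeping, so the collision carries no information; the `escape=False` run shows the walk stalling there, and the `escape=True` run detects the repeat and leaves by doubling, a standard escape that stands in for (and is simpler than) the countermeasures the thesis proposes.

```python
"""Added example: Pollard rho with the negation map on a constructed toy curve, showing
fruitless 2-cycles and a cycle escape. Toy parameters only, nothing cryptographic."""
import random
from functools import lru_cache

p = 10007        # constructed toy prime, p ≡ 3 (mod 4) so a square root is a single pow()
A = 2            # curves y^2 = x^3 + A x + B over F_p; B is picked by find_curve()


def ec_add(P, Q):
    """Affine group law; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_neg(P):
    return None if P is None else (P[0], -P[1] % p)


def ec_mul(k, P):
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def largest_prime_factor(n):
    f, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            f, n = d, n // d
        d += 1
    return max(f, n)


@lru_cache(maxsize=None)
def find_curve():
    """First B whose curve order N (counted with Legendre symbols) has a prime factor n > N/4."""
    for B in range(1, 500):
        if (4 * A**3 + 27 * B * B) % p == 0:
            continue
        N = 1
        for x in range(p):
            rhs = (x * x * x + A * x + B) % p
            N += 1 if rhs == 0 else 2 if pow(rhs, (p - 1) // 2, p) == 1 else 0
        n = largest_prime_factor(N)
        if 4 * n > N:
            return B, N, n
    raise RuntimeError("no suitable toy curve")


def toy_instance(seed):
    """Constructed DLP instance: an order-n point P and Q = kP for a secret k."""
    B, N, n = find_curve()
    rng = random.Random(seed)
    while True:
        x = rng.randrange(p)
        rhs = (x * x * x + A * x + B) % p
        if pow(rhs, (p - 1) // 2, p) == 1:
            P = ec_mul(N // n, (x, pow(rhs, (p + 1) // 4, p)))   # clear the cofactor
            if P is not None:
                break
    k = rng.randrange(1, n)
    return n, P, ec_mul(k, P), k


def canon(W, a, b, n):
    """Negation map: represent {W, -W} by the point with the smaller y, negating (a, b) if -W is used."""
    if W[1] > p - W[1]:
        return ec_neg(W), -a % n, -b % n
    return W, a, b


def rho_negation(P, Q, n, r=8, escape=True, seed=1, max_steps=5000):
    """r-adding walk W -> |W + R_j|, j = x(W) mod r. Returns (k or None, fruitless cycles hit)."""
    rng = random.Random(seed)
    Rs = []
    while len(Rs) < r:
        c, d = rng.randrange(1, n), rng.randrange(1, n)
        R = ec_add(ec_mul(c, P), ec_mul(d, Q))
        if R is not None:
            Rs.append((R, c, d))
    W = None
    while W is None:
        a, b = rng.randrange(1, n), rng.randrange(1, n)
        W = ec_add(ec_mul(a, P), ec_mul(b, Q))
    W, a, b = canon(W, a, b, n)
    seen, fruitless = {}, 0
    for _ in range(max_steps):
        if W in seen:
            a2, b2 = seen[W]
            if (a2, b2) != (a, b):              # genuine collision: aP + bQ = a2P + b2Q
                return (a - a2) * pow(b2 - b, -1, n) % n, fruitless
            fruitless += 1                      # same (a, b): the walk is in a fruitless cycle
            if not escape:
                return None, fruitless          # a naive walk stays here forever
            W, a, b = canon(ec_add(W, W), 2 * a % n, 2 * b % n, n)   # leave the cycle by doubling
            continue
        seen[W] = (a, b)
        R, c, d = Rs[W[0] % r]
        S = ec_add(W, R)
        a, b = (a + c) % n, (b + d) % n
        if S is None:                           # aP + bQ = O gives k = -a/b directly
            return (-a * pow(b, -1, n) % n if b else None), fruitless
        W, a, b = canon(S, a, b, n)
    return None, fruitless


def demo(seed=1):
    """Returns (true k, result without cycle escape, result with cycle escape)."""
    n, P, Q, k = toy_instance(seed)
    return k, rho_negation(P, Q, n, escape=False, seed=seed), rho_negation(P, Q, n, escape=True, seed=seed)
```

    With r = 8 the expected walk length before a useful collision is a few dozen steps on this toy group, while a 2-cycle is expected within about 16 steps, so the unescaped walk almost always stalls; the thesis's point is that at a 112-bit size the same effect recurs throughout the computation unless the cycle handling itself is free of recurring cycles.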

    Practical realisation and elimination of an ECC-related software bug attack

    We analyse and exploit implementation features in OpenSSL version 0.9.8g which permit an attack against ECDH-based functionality. The attack, although more general, can recover the entire (static) private key from an associated SSL server via 633 adaptive queries when the NIST curve P-256 is used. One can view it as a software-oriented analogue of the bug attack concept due to Biham et al. and, consequently, as the first bug attack to be successfully applied against a real-world system. In addition to the attack and a posteriori countermeasures, we show that formal verification, while rarely used at present, is a viable means of detecting the features which the attack hinges on. Based on the security implications of the attack and the extra justification posed by the possibility of intentionally incorrect implementations in collaborative software development, we conclude that applying and extending the coverage of formal verification to augment existing test strategies for OpenSSL-like software should be deemed a worthwhile, long-term challenge. This work has been supported in part by EPSRC via grant EP/H001689/1 and by project SMART, funded by ENIAC Joint Undertaking (GA 120224).

    Low-Latency Elliptic Curve Scalar Multiplication

    This paper presents a low-latency algorithm designed for parallel computer architectures to compute the scalar multiplication of elliptic curve points based on approaches from cryptographic side-channel analysis. A graphics processing unit implementation using a standardized elliptic curve over a 224-bit prime field, complying with the new 112-bit security level, computes the scalar multiplication in 1.9 ms on the NVIDIA GTX 500 architecture family. The presented methods and implementation considerations can be applied to any parallel 32-bit architecture.

    Elliptic curve cryptosystem over optimal extension fields for computationally constrained devices

    Data security will play a central role in the design of future IT systems. The PC has been a major driver of the digital economy. Recently, there has been a shift towards IT applications realized as embedded systems, because they have proved to be good solutions for many applications, especially those which require data processing in real time. Examples include security for wireless phones, wireless computing, pay-TV, and copy protection schemes for audio/video consumer products and digital cinemas. Most of these embedded applications will be wireless, which makes the communication channel vulnerable. The implementation of cryptographic systems presents several requirements and challenges. For example, the performance of algorithms is often crucial, and guaranteeing security is a formidable challenge. One needs encryption algorithms to run at the transmission rates of the communication links at speeds that are achieved through custom hardware devices. Public-key cryptosystems such as RSA, DSA and DSS have traditionally been used to accomplish secure communication via insecure channels. Elliptic curves are the basis for a relatively new class of public-key schemes. It is predicted that elliptic curve cryptosystems (ECCs) will replace many existing schemes in the near future. The main reason for the attractiveness of ECC is the fact that significantly smaller parameters can be used in ECC than in other competitive systems, but with equivalent levels of security. The benefits of having smaller key size include faster computations, and reduction in processing power, storage space and bandwidth. This makes ECC ideal for constrained environments where resources such as power, processing time and memory are limited.
    The implementation of ECC requires several choices, such as the type of the underlying finite field, algorithms for implementing the finite field arithmetic, the type of the elliptic curve, algorithms for implementing the elliptic curve group operation, and elliptic curve protocols. Many of these selections may have a major impact on overall performance. In this dissertation a finite field from a special class called the Optimal Extension Field (OEF) is chosen as the underlying finite field for implementing ECC. OEFs utilize the fast integer arithmetic available on modern microcontrollers to produce very efficient results without resorting to multiprecision operations or arithmetic using polynomials of large degree. This dissertation discusses the theoretical and implementation issues associated with the development of this finite field in a low-end embedded system. It also presents various improvement techniques for OEF arithmetic. The main objectives of this dissertation are to: implement the functions required to perform the finite field arithmetic operations; implement the functions required to generate an elliptic curve and to embed data on that elliptic curve; and implement the functions required to perform the elliptic curve group operation. All of these functions constitute a library that could be used to implement any elliptic curve cryptosystem. In this dissertation this library is implemented on an 8-bit AVR Atmel microcontroller. Dissertation (MEng (Computer Engineering))--University of Pretoria, 2006. Electrical, Electronic and Computer Engineering. Unrestricted.
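    What makes an OEF attractive on an 8-bit part is that the field F_{p^m} is built from coefficients that each fit a single machine word, with p a pseudo-Mersenne prime (so single-word reduction is a shift-and-add) and an irreducible binomial x^m − ω (so the polynomial reduction is one small multiply per coefficient). The block below is an added example with constructed parameters, not the dissertation's library: p = 2^8 − 5 = 251 fits an 8-bit word, m = 25 gives a field of roughly 199 bits, and ω = 3 is checked for irreducibility by the standard binomial criterion rather than assumed. Fermat's little theorem in the extension field is used as the end-to-end check that the arithmetic really is a field.

```python
"""Added example: Optimal Extension Field arithmetic F_{p^m} = F_p[x]/(x^m - w) with a
single-word pseudo-Mersenne p. Parameters are constructed for illustration."""
P_OEF = 2**8 - 5     # 251: one 8-bit word, 2^8 ≡ 5 (mod p)
M_OEF = 25           # extension degree; p^m is about 2^199
W_OEF = 3            # binomial x^25 - 3; irreducibility verified by is_irreducible_binomial()
ONE = [1] + [0] * (M_OEF - 1)


def red_p(c):
    """c mod (2^8 - 5) by folding: hi*2^8 + lo ≡ 5*hi + lo. Only shifts, small multiplies, adds."""
    while c >> 8:
        c = (c & 0xFF) + 5 * (c >> 8)
    return c - P_OEF if c >= P_OEF else c


def prime_factors(n):
    f, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            f.add(d)
            n //= d
        d += 1
    if n > 1:
        f.add(n)
    return f


def mult_order(w, p):
    assert w % p, "w must be nonzero"
    e, t = 1, w % p
    while t != 1:
        t = t * w % p
        e += 1
    return e


def is_irreducible_binomial(p, m, w):
    """x^m - w is irreducible over F_p iff every prime q | m divides ord(w) but not (p-1)/ord(w),
    and additionally p ≡ 1 (mod 4) whenever 4 | m (Lidl and Niederreiter, Theorem 3.75)."""
    e = mult_order(w, p)
    if any(e % q or ((p - 1) // e) % q == 0 for q in prime_factors(m)):
        return False
    return m % 4 != 0 or p % 4 == 1


def oef_mul(a, b):
    """Schoolbook product (m^2 single-word multiplies), then fold x^m ≡ w: every term of degree
    k >= m moves to degree k - m with a multiply by the small constant w, then reduce coefficients."""
    t = [0] * (2 * M_OEF - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            t[i + j] += ai * bj
    c = t[:M_OEF]
    for k in range(M_OEF, 2 * M_OEF - 1):
        c[k - M_OEF] += W_OEF * t[k]
    return [red_p(x) for x in c]


def oef_pow(a, e):
    r = ONE[:]
    while e:
        if e & 1:
            r = oef_mul(r, a)
        a = oef_mul(a, a)
        e >>= 1
    return r


def oef_inv(a):
    """Inversion by Fermat: a^(p^m - 2); fine for a check, slower than what an OEF library would use."""
    return oef_pow(a, P_OEF**M_OEF - 2)


if __name__ == "__main__":
    a = [(7 * i + 3) % P_OEF for i in range(M_OEF)]          # constructed field element
    print("x^25 - 3 irreducible over F_251:", is_irreducible_binomial(P_OEF, M_OEF, W_OEF))
    print("a * a^-1 == 1:", oef_mul(a, oef_inv(a)) == ONE)
```

    Two things a practitioner would take from this: the parameter check matters (ω = 2 fails the criterion for this p and m because 2 is a fifth power modulo 251, and the code reports that), and the only multiprecision-looking operation in the whole field is the exponent in `oef_inv`, which is why the dissertation can stay with single-word integer arithmetic throughout.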

    Improving Modular Inversion in RNS using the Plus-Minus Method

    The paper describes a new RNS modular inversion algorithm based on the extended Euclidean algorithm and the plus-minus trick. In our algorithm, comparisons over large RNS values are replaced by cheap computations modulo 4. Comparisons to an RNS version based on Fermat's little theorem were carried out. The number of elementary modular operations is significantly reduced: a factor 12 to 26 for multiplications and 6 to 21 for additions. Virtex 5 FPGA implementations show that for a similar area, our plus-minus RNS modular inversion is 6 to 10 times faster.