47 research outputs found

    Hard Homogenous Spaces and Commutative Supersingular Isogeny based Diffie-Hellman

    The topic of this thesis is the process of creating real or imaginary 3D objects using the SolidWorks tool, which today is one of the best-known tools for modelling mechanical and design objects. To bring it closer to every reader, I briefly listed the most important facts about the tool itself, went through its history, explained what it can be used for, and for the most part showed how one gets from a single technical drawing to a finished object and model.

    Low-cost, low-power FPGA implementation of ED25519 and CURVE25519 point multiplication

    Twisted Edwards curves have been at the center of attention since their introduction by Bernstein et al. in 2007. The curve ED25519, used for the Edwards-curve Digital Signature Algorithm (EdDSA), provides faster digital signatures than existing schemes without sacrificing security. CURVE25519 is a Montgomery curve that is closely related to ED25519. It provides a simple, constant-time, and fast point multiplication, which is used by the key exchange protocol X25519. Software implementations of EdDSA and X25519 are used in many web-based PC and mobile applications. In this paper, we introduce a low-power, low-area FPGA implementation of ED25519 and CURVE25519 scalar multiplication that is particularly relevant for Internet of Things (IoT) applications. The efficiency of the arithmetic modulo the prime number 2^255 − 19, in particular the modular reduction and modular multiplication, is key to the efficiency of both EdDSA and X25519. To reduce the complexity of the hardware implementation, we propose a high-radix interleaved modular multiplication algorithm. One benefit of this architecture is that it avoids the use of large-integer multipliers relying on FPGA DSP modules.

    Arithmetic using compression on elliptic curves in Huff's form and its applications

    In this paper, for elliptic curves given by Huff's equation $H_{a,b}: ax(y^2-1) = by(x^2-1)$ and the general Huff's equation $G_{\overline{a},\overline{b}}: \overline{x}(\overline{a}\,\overline{y}^2-1) = \overline{y}(\overline{b}\,\overline{x}^2-1)$, together with the degree-2 compression function $f(x,y) = xy$ on these curves, we provide formulas for doubling and differential addition after compression, which for Huff's curves are as efficient as Montgomery's formulas for Montgomery curves $By^2 = x^3 + Ax^2 + x$. For these curves we also provide point recovery formulas after compression, which for a point $P$ on these curves allow computing $[n]f(P)$ after compression using the Montgomery ladder algorithm, and then recovering $[n]P$. Using the formulas of Moody and Shumow for computing odd-degree isogenies on general Huff's curves, we also provide formulas for computing odd-degree isogenies after compression for these curves. Moreover, it is shown how to apply the obtained compression formulas to the ECM algorithm. In the appendix, we present examples of Huff's curves convenient for isogeny-based cryptography, where compression can be used.

    Post-Quantum Cryptography from Supersingular Isogenies (Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties)

    This paper is based on a presentation made at the RIMS conference on “Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties”, the so-called “Supersingular 2020”. Post-quantum cryptography refers to next-generation public-key cryptosystems that are resistant to cryptanalysis by both classical and quantum computers. Isogenies between supersingular elliptic curves present one promising candidate, called isogeny-based cryptography. In this paper, we give an introduction to two isogeny-based key exchange protocols, SIDH [17] and CSIDH [2], which are considered standard in the subject so far. Moreover, we briefly explain our recent result [24] about cycles in the isogeny graphs used in some parameter sets of SIKE, a key encapsulation mechanism based on SIDH.

    Constant Time Montgomery Ladder

    In this work, various approaches to constant-time conditional branching in the Montgomery ladder have been studied. A previous method appearing in code implementing X25519 has been formalized algorithmically. This algorithm is based on a conditional select operation. We consider a variant of this algorithm which groups operations together in a more convenient manner. Further, we provide a new implementation of the conditional select operation using the cmov instruction such that cmov operates only on registers. This provides a better guarantee of constant-time behavior.

    Truncated EdDSA/ECDSA Signatures

    This note presents some techniques to slightly reduce the size of EdDSA and ECDSA signatures without lowering their security or breaking compatibility with existing signers, at the cost of an increase in signature verification time: verifying a 64-byte Ed25519 signature truncated to 60 bytes has an average cost of 4.1 million cycles on 64-bit x86 (i.e. about 35 times the cost of verifying a normal, untruncated signature).

    The Existence of Cycles in the Supersingular Isogeny Graphs Used in SIKE

    In this paper, we consider the structure of the isogeny graphs in SIDH, which is an isogeny-based key-exchange protocol. SIDH is the underlying protocol of SIKE, one of the candidates for NIST post-quantum cryptography standardization. Since the security of SIDH is based on the hardness of the path-finding problem in isogeny graphs, it is important to study their structure. The existence of cycles in an isogeny graph is related to the path-finding problem, so we investigate cycles in the graphs used in SIKE. In particular, we focus on SIKEp434 and SIKEp503, the parameter sets of SIKE claimed to satisfy NIST security levels 1 and 2, respectively. We show that there are two cycles in the 3-isogeny graph of SIKEp434, and that there are no cycles in the other graphs of SIKEp434 and SIKEp503.

    Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level

    In this paper we introduce new Montgomery and Edwards form elliptic curves targeted at the 256-bit security level. To this end, we work with three primes, namely $p_1 := 2^{506}-45$, $p_2 = 2^{510}-75$ and $p_3 := 2^{521}-1$. While $p_3$ has been considered earlier in the literature, $p_1$ and $p_2$ are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over each of the three primes. Efficient 64-bit assembly implementations targeted at Skylake and later generation Intel processors have been made for the shared secret computation phase of the Diffie-Hellman key agreement protocol for the new Montgomery curves. Curve448 of Transport Layer Security, Version 1.3 is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over $p_1$ leads to a 3%-4% slowdown and the new Montgomery curve over $p_2$ leads to a 4.5%-5% slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over $p_1$ and $p_2$ provide an acceptable trade-off between security and efficiency.