Elliptic curve cryptosystem over optimal extension fields for computationally constrained devices

Data security will play a central role in the design of future IT systems. The PC has been a major driver of the digital economy. Recently, there has been a shift towards IT applications realized as embedded systems, because they have proved to be good solutions for many applications, especially those which require data processing in real time. Examples include security for wireless phones, wireless computing, pay-TV, and copy protection schemes for audio/video consumer products and digital cinemas. Most of these embedded applications will be wireless, which makes the communication channel vulnerable. The implementation of cryptographic systems presents several requirements and challenges. For example, the performance of algorithms is often crucial, and guaranteeing security is a formidable challenge. One needs encryption algorithms to run at the transmission rates of the communication links at speeds that are achieved through custom hardware devices. Public-key cryptosystems such as RSA, DSA and DSS have traditionally been used to accomplish secure communication via insecure channels. Elliptic curves are the basis for a relatively new class of public-key schemes. It is predicted that elliptic curve cryptosystems (ECCs) will replace many existing schemes in the near future. The main reason for the attractiveness of ECC is the fact that significantly smaller parameters can be used in ECC than in other competitive system, but with equivalent levels of security. The benefits of having smaller key size include faster computations, and reduction in processing power, storage space and bandwidth. This makes ECC ideal for constrained environments where resources such as power, processing time and memory are limited. The implementation of ECC requires several choices, such as the type of the underlying finite field, algorithms for implementing the finite field arithmetic, the type of the elliptic curve, algorithms for implementing the elliptic curve group operation, and elliptic curve protocols. Many of these selections may have a major impact on overall performance. In this dissertation a finite field from a special class called the Optimal Extension Field (OEF) is chosen as the underlying finite field of implementing ECC. OEFs utilize the fast integer arithmetic available on modern microcontrollers to produce very efficient results without resorting to multiprecision operations or arithmetic using polynomials of large degree. This dissertation discusses the theoretical and implementation issues associated with the development of this finite field in a low end embedded system. It also presents various improvement techniques for OEF arithmetic. The main objectives of this dissertation are to --Implement the functions required to perform the finite field arithmetic operations. -- Implement the functions required to generate an elliptic curve and to embed data on that elliptic curve. -- Implement the functions required to perform the elliptic curve group operation. All of these functions constitute a library that could be used to implement any elliptic curve cryptosystem. In this dissertation this library is implemented in an 8-bit AVR Atmel microcontroller.Dissertation (MEng (Computer Engineering))--University of Pretoria, 2006.Electrical, Electronic and Computer Engineeringunrestricte

Efficient Arithmetic for the Implementation of Elliptic Curve Cryptography

The technology of elliptic curve cryptography is now an important branch in public-key based crypto-system. Cryptographic mechanisms based on elliptic curves depend on the arithmetic of points on the curve. The most important arithmetic is multiplying a point on the curve by an integer. This operation is known as elliptic curve scalar (or point) multiplication operation. A cryptographic device is supposed to perform this operation efficiently and securely. The elliptic curve scalar multiplication operation is performed by combining the elliptic curve point routines that are defined in terms of the underlying finite field arithmetic operations. This thesis focuses on hardware architecture designs of elliptic curve operations. In the first part, we aim at finding new architectures to implement the finite field arithmetic multiplication operation more efficiently. In this regard, we propose novel schemes for the serial-out bit-level (SOBL) arithmetic multiplication operation in the polynomial basis over F_2^m. We show that the smallest SOBL scheme presented here can provide about 26-30\% reduction in area-complexity cost and about 22-24\% reduction in power consumptions for F_2^{163} compared to the current state-of-the-art bit-level multiplier schemes. Then, we employ the proposed SOBL schemes to present new hybrid-double multiplication architectures that perform two multiplications with latency comparable to the latency of a single multiplication. Then, in the second part of this thesis, we investigate the different algorithms for the implementation of elliptic curve scalar multiplication operation. We focus our interest in three aspects, namely, the finite field arithmetic cost, the critical path delay, and the protection strength from side-channel attacks (SCAs) based on simple power analysis. In this regard, we propose a novel scheme for the scalar multiplication operation that is based on processing three bits of the scalar in the exact same sequence of five point arithmetic operations. We analyse the security of our scheme and show that its security holds against both SCAs and safe-error fault attacks. In addition, we show how the properties of the proposed elliptic curve scalar multiplication scheme yields an efficient hardware design for the implementation of a single scalar multiplication on a prime extended twisted Edwards curve incorporating 8 parallel multiplication operations. Our comparison results show that the proposed hardware architecture for the twisted Edwards curve model implemented using the proposed scalar multiplication scheme is the fastest secure SCA protected scalar multiplication scheme over prime field reported in the literature

On the Computation of Multi-Scalar Multiplication for Pairing-Based zkSNARKs

Multi-scalar multiplication refers to the operation of computing multiple scalar multiplications in an elliptic curve group and then adding them together. It is an essential operation for proof generation and verification in pairing-based trusted setup zero-knowledge succinct non-interactive argument of knowledge (zkSNARK) schemes, which enable privacy-preserving features in many blockchain applications. Pairing-based trusted setup zkSNARKs usually follow a common paradigm. A public string composed of a list of fixed points in an elliptic curve group called common reference string is generated in a trusted setup and accessible to all parties involved. The prover generates a zkSNARK proof by computing multi-scalar multiplications over the points in the common reference string and performing other operations. The verifier verifies the proof by computing multi-scalar multiplications and elliptic curve bilinear pairings. Multi-scalar multiplication in pairing-based trusted setup zkSNARKs has two characteristics. First, all the points are fixed once the common reference string is generated. Second, the number of points n is typically large, with the thesis targeting at n = 2^e (10 ≤ e ≤ 21). Our goal in this thesis is to propose and implement efficient algorithms for computing multi-scalar multiplication in order to enable efficient zkSNARKs. This thesis primarily includes three aspects. First, the background knowledge is introduced and the classical multi-scalar multiplication algorithms are reviewed. Second, two frameworks for computing multi-scalar multiplications over fixed points and five corresponding auxiliary set pairs are proposed. Finally, the theoretical analysis, software implementation, and experimental tests on the representative instantiations of the proposed frameworks are presented

On the Analysis of Public-Key Cryptologic Algorithms

The RSA cryptosystem introduced in 1977 by Ron Rivest, Adi Shamir and Len Adleman is the most commonly deployed public-key cryptosystem. Elliptic curve cryptography (ECC) introduced in the mid 80's by Neal Koblitz and Victor Miller is becoming an increasingly popular alternative to RSA offering competitive performance due the use of smaller key sizes. Most recently hyperelliptic curve cryptography (HECC) has been demonstrated to have comparable and in some cases better performance than ECC. The security of RSA relies on the integer factorization problem whereas the security of (H)ECC is based on the (hyper)elliptic curve discrete logarithm problem ((H)ECDLP). In this thesis the practical performance of the best methods to solve these problems is analyzed and a method to generate secure ephemeral ECC parameters is presented. The best publicly known algorithm to solve the integer factorization problem is the number field sieve (NFS). Its most time consuming step is the relation collection step. We investigate the use of graphics processing units (GPUs) as accelerators for this step. In this context, methods to efficiently implement modular arithmetic and several factoring algorithms on GPUs are presented and their performance is analyzed in practice. In conclusion, it is shown that integrating state-of-the-art NFS software packages with our GPU software can lead to a speed-up of 50%. In the case of elliptic and hyperelliptic curves for cryptographic use, the best published method to solve the (H)ECDLP is the Pollard rho algorithm. This method can be made faster using classes of equivalence induced by curve automorphisms like the negation map. We present a practical analysis of their use to speed up Pollard rho for elliptic curves and genus 2 hyperelliptic curves defined over prime fields. As a case study, 4 curves at the 128-bit theoretical security level are analyzed in our software framework for Pollard rho to estimate their practical security level. In addition, we present a novel many-core architecture to solve the ECDLP using the Pollard rho algorithm with the negation map on FPGAs. This architecture is used to estimate the cost of solving the Certicom ECCp-131 challenge with a cluster of FPGAs. Our design achieves a speed-up factor of about 4 compared to the state-of-the-art. Finally, we present an efficient method to generate unique, secure and unpredictable ephemeral ECC parameters to be shared by a pair of authenticated users for a single communication. It provides an alternative to the customary use of fixed ECC parameters obtained from publicly available standards designed by untrusted third parties. The effectiveness of our method is demonstrated with a portable implementation for regular PCs and Android smartphones. On a Samsung Galaxy S4 smartphone our implementation generates unique 128-bit secure ECC parameters in 50 milliseconds on average

Security Analysis of Isogeny-Based Cryptosystems

Let $E$ be a supersingular elliptic curve over a finite field. In this document we study public-key encryption schemes which use non-constant rational maps from $E$. The purpose of this study is to determine if such cryptosystems are secure. Supersingular Isogeny Diffie-Hellman (SIDH) and other supersingular isogeny-based cryptosystems are considered. The content is naturally divided by cryptosystem, and in the case of SIDH, further divided by type of cryptanalysis: SIDH when the endomorphism ring of the base elliptic curve is given (as is done in practice), repeated use of keys in SIDH, and endomorphism ring constructing algorithms. In each case the relevent background material is presented to develop the theory. In studying the security of SIDH when the endomorphism ring of the base curve $E$ is known, one of the main results is the following. This theorem is then used to reduce the security of such an SIDH instantiation to the problem of finding particular endomorphisms in \End(E). \begin{thm} Given \begin{enumerate} \item a supersingular elliptic curve E/\FQ such that $p = N_1 N_2 - 1$ for coprime $N_1\approx N_2$, where $N_2$ is $\log p$-smooth, \item an elliptic curve $E'$ that is the codomain of an $N_1$-isogeny $\phi:E\rightarrow E'$, \item the action of $\phi$ on $E[N_2]$, and \item a $k$-endomorphism $\psi$ of $E$, where $\gcd(k, N_1) = 1$, and if \g is the greatest integer such that $g\mid N_2^2$ and $g\mid k$, then \h := \frac{k}{g} < N_1, \end{enumerate} there exists a classical algorithm with worst case runtime \tilde{O}(\h^3) which decides whether $\psi(\ker\phi) = \ker\phi$ or not, but may give false positives with probability $\approx \frac{1}{\sqrt{p}}$. Further, if \h is $\log{p}$-smooth, then the runtime is \tilde{O} (\sqrt{\h}). \end{thm} In studying the security of repeated use of SIDH public keys, the main result presented is the following theorem, which proves that performing multiple pairwise instances of SIDH prevents certain active attacks when keys are reused. \begin{thm} Assuming that the CSSI problem is intractable, it is computationally infeasible for a malicious adversary, with non-negligible probability, to modify a public key $(E_B,\phi_B(P_A),\phi_B(Q_A))$ to some $(E_B,R,S)$ which is malicious for SIDH. \end{thm} It is well known that the problem of computing hidden supersingular isogenies can be reduced to computing the endomorphism rings of the domain and codomain elliptic curves. A novel algorithm for computing an order in the endomorphism ring of a supersingular elliptic curve is presented and analyzed to have runtime $O(p^{1/2}(\log p)^2)$. In studying non-SIDH cryptosystems, four other isogeny-based cryptosystems are examined. The first three were all proposed by the same authors and use secret endomorphisms. These are each shown to be either totally insecure (private keys can be recovered directly from public keys) or impractical to implement efficiently. The fourth scheme is a novel proposal which attempts to combine isogenies with the learning with errors problem. This proposal is also shown to be totally insecure