Accelerating the CM method
Given a prime q and a negative discriminant D, the CM method constructs an
elliptic curve E/F_q by obtaining a root of the Hilbert class polynomial H_D(X)
modulo q. We consider an approach based on a decomposition of the ring class
field defined by H_D, which we adapt to a CRT setting. This yields two
algorithms, each of which obtains a root of H_D mod q without necessarily
computing any of its coefficients. Heuristically, our approach uses
asymptotically less time and space than the standard CM method for almost all
D. Under the GRH, and reasonable assumptions about the size of log q relative
to |D|, we achieve a space complexity of O((m+n)log q) bits, where mn=h(D),
which may be as small as O(|D|^(1/4)log q). The practical efficiency of the
algorithms is demonstrated using |D| > 10^16 and q ~ 2^256, and also |D| >
10^15 and q ~ 2^33220. These examples are both an order of magnitude larger
than the best previous results obtained with the CM method.
Comment: 36 pages, minor edits, to appear in the LMS Journal of Computation and Mathematics
Reconfigurable Architectures for Cryptographic Systems
Field Programmable Gate Arrays (FPGAs) are suitable platforms for implementing cryptographic
algorithms in hardware due to their flexibility, good performance and low power consumption.
Computer security is becoming increasingly important and security requirements
such as key sizes are quickly evolving. This creates the need for customisable hardware designs
for cryptographic operations capable of covering a large design space. In this thesis we explore
the four design dimensions relevant to cryptography - speed, area, power consumption and
security of the crypto-system - by developing parametric designs for public-key generation and
encryption as well as side-channel attack countermeasures. There are four contributions.
First, we present new architectures for Montgomery multiplication and exponentiation based
on variable pipelining and variable serial replication. Our implementations of these architectures
are compared to the best implementations in the literature and the design space is explored in
terms of speed and area trade-offs.
Second, we generalise our Montgomery multiplier design ideas by developing a parametric
model to allow rapid optimisation of a general class of algorithms containing loops with dependencies
carried from one iteration to the next. By predicting the throughput and the area of
the design, our model facilitates and speeds up design space exploration.
Third, we develop new architectures for primality testing including the first hardware architecture
for the NIST approved Lucas primality test. We explore the area, speed and power
consumption trade-offs by comparing our Lucas architectures on CPU, FPGA and ASIC.
Finally, we tackle the security issue by presenting two novel power attack countermeasures
based on on-chip power monitoring. Our constant power framework uses a closed-loop
control system to keep the power consumption of any FPGA implementation constant. Our
attack detection framework uses a network of ring-oscillators to detect the insertion of a shunt
resistor-based power measurement circuit on a device's power rail. This countermeasure is
lightweight and has a relatively low power overhead compared to existing masking and hiding
countermeasures.
Orienteering with One Endomorphism
In supersingular isogeny-based cryptography, the path-finding problem reduces
to the endomorphism ring problem. Can path-finding be reduced to knowing just
one endomorphism? It is known that a small endomorphism enables polynomial-time
path-finding and endomorphism ring computation (Love-Boneh [36]). An
endomorphism gives an explicit orientation of a supersingular elliptic curve.
In this paper, we use the volcano structure of the oriented supersingular
isogeny graph to take ascending/descending/horizontal steps on the graph and
deduce path-finding algorithms to an initial curve. Each altitude of the
volcano corresponds to a unique quadratic order, called the primitive order. We
introduce a new hard problem of computing the primitive order given an
arbitrary endomorphism on the curve, and we also provide a sub-exponential
quantum algorithm for solving it. In concurrent work (Wesolowski [54]), it was
shown that the endomorphism ring problem in the presence of one endomorphism
with known primitive order reduces to a vectorization problem, implying
path-finding algorithms. Our path-finding algorithms are more general in the
sense that we don't assume the knowledge of the primitive order associated with
the endomorphism.
Comment: 40 pages, 1 figure; 3rd revision implements small corrections and expositional improvement