78 research outputs found
The Design Space of Lightweight Cryptography
International audienceFor constrained devices, standard cryptographic algorithms can be too big, too slow or too energy-consuming. The area of lightweight cryptography studies new algorithms to overcome these problems. In this paper, we will focus on symmetric-key encryption, authentication and hashing. Instead of providing a full overview of this area of research, we will highlight three interesting topics. Firstly, we will explore the generic security of lightweight constructions. In particular, we will discuss considerations for key, block and tag sizes, and explore the topic of instantiating a pseudorandom permutation (PRP) with a non-ideal block cipher construction. This is inspired by the increasing prevalence of lightweight designs that are not secure against related-key attacks, such as PRINCE, PRIDE or Chaskey. Secondly, we explore the efficiency of cryptographic primitives. In particular, we investigate the impact on efficiency when the input size of a primitive doubles. Lastly, we provide some considerations for cryptographic design. We observe that applications do not always use cryptographic algorithms as they were intended, which negatively impacts the security and/or efficiency of the resulting implementations
Faster computation of the Tate pairing
This paper proposes new explicit formulas for the doubling and addition step
in Miller's algorithm to compute the Tate pairing. For Edwards curves the
formulas come from a new way of seeing the arithmetic. We state the first
geometric interpretation of the group law on Edwards curves by presenting the
functions which arise in the addition and doubling. Computing the coefficients
of the functions and the sum or double of the points is faster than with all
previously proposed formulas for pairings on Edwards curves. They are even
competitive with all published formulas for pairing computation on Weierstrass
curves. We also speed up pairing computation on Weierstrass curves in Jacobian
coordinates. Finally, we present several examples of pairing-friendly Edwards
curves.Comment: 15 pages, 2 figures. Final version accepted for publication in
Journal of Number Theor
The Design Space of Lightweight Cryptography
For constrained devices, standard cryptographic algorithms can be too big, too slow or too energy-consuming. The area of lightweight cryptography studies new algorithms to overcome these problems. In this paper, we will focus on symmetric-key encryption, authentication and hashing. Instead of providing a full overview of this area of research, we will highlight three interesting topics. Firstly, we will explore the generic security of lightweight constructions. In particular, we will discuss considerations for key, block and tag sizes, and explore the topic of instantiating a pseudorandom permutation (PRP) with a non-ideal block cipher construction. This is inspired by the increasing prevalence of lightweight designs that are not secure against related-key attacks, such as PRINCE, PRIDE or Chaskey. Secondly, we explore the efficiency of cryptographic primitives. In particular, we investigate the impact on efficiency when the input size of a primitive doubles. Lastly, we provide some considerations for cryptographic design. We observe that applications do not always use cryptographic algorithms as they were intended, which negatively impacts the security and/or efficiency of the resulting implementations
Tradeoff Attacks on Symmetric Ciphers
Tradeoff attacks on symmetric ciphers can be considered as the generalization of the exhaustive search. Their main objective is reducing the time complexity by exploiting the memory after preparing very large tables at a cost of exhaustively searching all the space during the precomputation phase. It is possible to utilize data (plaintext/ciphertext pairs) in some cases like the internal state recovery attacks for stream ciphers to speed up further both online and offline phases. However, how to take advantage of data in a tradeoff attack against block ciphers for single key recovery cases is still unknown. We briefly assess the state of art of tradeoff attacks on symmetric ciphers, introduce some open problems and discuss the security criterion on state sizes. We discuss the strict lower bound for the internal state size of keystream generators and propose more practical and fair bound along with our reasoning. The adoption of our new criterion can break a fresh ground in boosting the security analysis of small keystream generators and in designing ultra-lightweight stream ciphers with short internal states for their usage in specially low source devices such as IoT devices, wireless sensors or RFID tags
Memory-saving computation of the pairing final exponentiation on BN curves
In this paper, we describe and improve efficient methods for computing
the hard part of the final exponentiation of pairings on Barreto-Naehrig
curves.
Thanks to the variants of pairings which decrease the length of the Miller
loop, the final exponentiation has become a significant component of the
overall calculation. Here we exploit the structure of BN curves to improve
this computation.
We will first present the most famous methods in the literature that en-
sure the computing of the hard part of the final exponentiation. We are
particularly interested in the memory resources necessary for the implementation of these methods. Indeed, this is an important constraint in
restricted environments.
More precisely, we are studying Devegili et al. method, Scott et al. addition chain method and Fuentes et al. method. After recalling these methods and their complexities, we determine the number of required registers
to compute the final result, because this is not always given in the literature. Then, we will present new versions of these methods which require
less memory resources (up to 37%). Moreover, some of these variants are
providing algorithms which are also more efficient than the original ones
Adequate Elliptic Curve for Computing the Product of n Pairings
Many pairing-based protocols require the computation of the product
and/or of a quotient of n pairings where n > 1 is a natural integer.
Zhang et al.[1] recently showed that the Kachisa-Schafer and Scott family
of elliptic curves with embedding degree 16 denoted KSS16 at the 192-bit
security level is suitable for such protocols comparatively to the Baretto-
Lynn and Scott family of elliptic curves of embedding degree 12 (BLS12).
In this work, we provide important corrections and improvements to their
work based on the computation of the optimal Ate pairing. We focus on
the computation of the nal exponentiation which represent an important
part of the overall computation of this pairing. Our results improve by
864 multiplications in Fp the computations of Zhang et al.[1]. We prove
that for computing the product or the quotient of 2 pairings, BLS12 curves
are the best solution. In other cases, specially when n > 2 as mentioned in
[1], KSS16 curves are recommended for computing product of n pairings.
Furthermore, we prove that the curve presented by Zhang et al.[1] is not
resistant against small subgroup attacks. We provide an example of KSS16
curve protected against such attacks
On the Computation of the Optimal Ate Pairing at the 192-bit Security Level
Barreto, Lynn and Scott elliptic curves of embedding degree
12 denoted BLS12 have been proven to present fastest results on the
implementation of pairings at the 192-bit security level [1]. The computation
of pairings in general involves the execution of the Miller algorithm
and the final exponentiation. In this paper, we improve the complexity
of these two steps up to 8% by searching an appropriate parameter. We
compute the optimal ate pairing on BLS curves of embedding degree 12
and we also extend the same analysis to BLS curves with embedding degree
24. Furthermore, as many pairing based protocols are implemented
on memory constrained devices such as SIM or smart cards, we describe
an efficient algorithm for the computation of the final exponentiation less
memory intensive with an improvement up to 25% with respect to the
previous work
- …