Isogenies of Elliptic Curves: A Computational Approach

Isogenies, the mappings of elliptic curves, have become a useful tool in cryptology. These mathematical objects have been proposed for use in computing pairings, constructing hash functions and random number generators, and analyzing the reducibility of the elliptic curve discrete logarithm problem. With such diverse uses, understanding these objects is important for anyone interested in the field of elliptic curve cryptography. This paper, targeted at an audience with a knowledge of the basic theory of elliptic curves, provides an introduction to the necessary theoretical background for understanding what isogenies are and their basic properties. This theoretical background is used to explain some of the basic computational tasks associated with isogenies. Herein, algorithms for computing isogenies are collected and presented with proofs of correctness and complexity analyses. As opposed to the complex analytic approach provided in most texts on the subject, the proofs in this paper are primarily algebraic in nature. This provides alternate explanations that some with a more concrete or computational bias may find more clear.Comment: Submitted as a Masters Thesis in the Mathematics department of the University of Washingto

Incorrectly Generated RSA Keys: How To Recover Lost Plaintexts

When generating primes $p$ and $q$ for an RSA key, the algorithm specifies that they should be checked to see that $p-1$ and $q-1$ are relatively prime to the public exponent $e$, and regenerated if this is not the case. If this is not done, then the calculation of the decrypt exponent will fail. However, what if a software bug allows the generation of public parameters $N$ and $e$ of an RSA key with this property and then it is subsequently used for encryption? Though this may seem like a purely academic question, a software bug in the RSA key generation implementation in the CNG API of a preview release of the Windows 10 operating system makes this question of more than purely hypothetical value. Without a well defined decrypt exponent, plaintexts encrypted to such keys will be undecryptable thus potentially losing user data, a serious software defect. Though the decrypt exponent is no longer well defined, it is in fact possible to recover the plaintext, or a small number of potential plaintexts if the prime factors $p$ and $q$ of the public modulus $N$ are known. This paper presents an analysis of what steps fail in the RSA algorithm and use this to give a plaintext recovery algorithm. The runtime of the algorithm scales linearly in the magnitude of the public exponent, in practice this is manageable as there are only a few small public exponents that are used. This algorithm has been implemented in a publicly available python script. We further discuss the software bug that lead to this and derive lessons that can be used while testing randomized functions in cryptographic software. Specifically, we derive an explicit formula that describes the trade off between number of iterations of tests of a randomized cryptographic functions and the potential number of users affected by a bug dependent on the random values

Verified Correctness and Security of mbedTLS HMAC-DRBG

We have formalized the functional specification of HMAC-DRBG (NIST 800-90A), and we have proved its cryptographic security--that its output is pseudorandom--using a hybrid game-based proof. We have also proved that the mbedTLS implementation (C program) correctly implements this functional specification. That proof composes with an existing C compiler correctness proof to guarantee, end-to-end, that the machine language program gives strong pseudorandomness. All proofs (hybrid games, C program verification, compiler, and their composition) are machine-checked in the Coq proof assistant. Our proofs are modular: the hybrid game proof holds on any implementation of HMAC-DRBG that satisfies our functional specification. Therefore, our functional specification can serve as a high-assurance reference.Comment: Appearing in CCS '1

Addressing the STEM Gender Gap by Designing and Implementing an Educational Outreach Chemistry Camp for Middle School Girls

There continues to be a persistent, widespread gender gap in multiple STEM disciplines at all educational and professional levels: from the self-reported interest of preschool aged students in scientific exploration to the percentages of tenured faculty in these disciplines, more men than women express an interest in science, a confidence in their scientific abilities, and ultimately decide to pursue scientific careers. Reported herein is an intensive outreach effort focused on addressing this gender gap: a full-time, week-long chemistry camp that was designed and implemented for middle school girls in the state of Rhode Island. The camp schedule included multiple hands-on experiments, field trips, and significant interactions with female scientists, all of which were designed to increase the participants’ interest in and enthusiasm for science. The success of the program in changing the participants’ attitudes toward science was measured through administration of a precamp and postcamp survey, and the survey results demonstrated a strong success in changing the participants’ attitudes toward the widespread applicability of science, their perceived level of support for scientific study, and their interest in pursuing STEM-related careers

An Analysis of the NIST SP 800-90A Standard

We investigate the security properties of the three deterministic random bit generator (DRBG) mechanisms in the NIST SP 800-90A standard [2]. This standard received a considerable amount of negative attention, due to the controversy surrounding the now retracted DualEC-DRBG, which was included in earlier versions. Perhaps because of the attention paid to the DualEC, the other algorithms in the standard have received surprisingly patchy analysis to date, despite widespread deployment. This paper addresses a number of these gaps in analysis, with a particular focus on HASH-DRBG and HMAC-DRBG. We uncover a mix of positive and less positive results. On the positive side, we prove (with a caveat) the robustness [16] of HASH-DRBG and HMAC-DRBG in the random oracle model (ROM). Regarding the caveat, we show that if an optional input is omitted, then – contrary to claims in the standard — HMAC-DRBG does not even achieve the (weaker) property of forward security. We also conduct a more informal and practice-oriented exploration of flexibility in implementation choices permitted by the standard. Specifically, we argue that these DRBGs have the property that partial state leakage may lead security to break down in unexpected ways. We highlight implementation choices allowed by the overly flexible standard that exacerbate both the likelihood, and impact, of such attacks. While our attacks are theoretical, an analysis of two open source implementations of CTR-DRBG shows that potentially problematic implementation choices are made in the real world

Analogues of Velu\u27s Formulas for Isogenies on Alternate Models of Elliptic Curves

Isogenies are the morphisms between elliptic curves, and are accordingly a topic of interest in the subject. As such, they have been well-studied, and have been used in several cryptographic applications. Velu’s formulas show how to explicitly evaluate an isogeny, given a specification of the kernel as a list of points. However, Velu’s formulas only work for elliptic curves specified by a Weierstrass equation. This paper presents formulas similar to Velu’s that can be used to evaluate isogenies on Edwards curves and Huff curves, which are normal forms of elliptic curves that provide an alternative to the traditional Weierstrass form. Our formulas are not simply compositions of Velu’s formulas with mappings to and from Weierstrass form. Our alternate derivation yields efficient formulas for isogenies with lower algebraic complexity than such compositions. In fact, these formulas have lower algebraic complexity than Velu’s formulas on Weierstrass curves

Are Certificate Thumbprints Unique?

A certificate thumbprint is a hash of a certificate, computed over all certificate data and its signature. Thumbprints are used as unique identifiers for certificates, in applications when making trust decisions, in configuration files, and displayed in interfaces. In this paper we show that thumbprints are not unique in two cases. First, we demonstrate that creating two X.509 certificates with the same thumbprint is possible when the hash function is weak, in particular when chosen-prefix collision attacks are possible. This type of collision attack is now practical for MD5, and expected to be practical for SHA-1 in the near future. Second, we show that certificates may be mauled in a way that they remain valid, but that they have different thumbprints. While these properties may be unexpected, we believe the scenarios where this could lead to a practical attack are limited and require very sophisticated attackers. We also checked the thumbprints of a large dataset of certificates used on the Internet, and found no evidence that would indicate thumbprints of certificates in use today are not unique

Adolescents' experience doing homework: Associations among context, quality of experience, and outcomes

Abstract Extant data collected through the Experience Sampling Method -a signal contingent method for gathering data about students' immediate experienceswere analyzed to describe adolescents' subjective experiences doing homework. Analyses were conducted to explore variation in subjective experience in relation to the contexts in which homework was completed, and in relation to academic and social-emotional outcomes. Students' cognitive, affective, and motivational states showed significant variations depending on who they were with when they were doing homework, as well as whether homework was their primary or secondary activity. Variations in the quality of homework experience were, in turn, significantly associated with several outcomes, such as self-esteem, future expectations, and school grades. Findings are discussed in terms of contributions to the homework literature by addressing the much needed link between homework and students' cognitive, affective, and motivational states

Montgomery Multiplication Using Vector Instructions

In this paper we present a parallel approach to compute interleaved Montgomery multiplication. This approach is particularly suitable to be computed on 2-way single instruction, multiple data platforms as can be found on most modern computer architectures in the form of vector instruction set extensions. We have implemented this approach for tablet devices which run the x86 architecture (Intel Atom Z2760) using SSE2 instructions as well as devices which run on the ARM platform (Qualcomm MSM8960, NVIDIA Tegra 3 and 4) using NEON instructions. When instantiating modular exponentiation with this parallel version of Montgomery multiplication we observed a performance increase of more than a factor of 1.5 compared to the sequential implementation in OpenSSL for the classical arithmetic logic unit on the Atom platform for 2048-bit moduli