8 research outputs found

    Fast implementation of Curve25519 using AVX2

    AVX2 is the newest instruction set on the Intel Haswell processor that provides simultaneous execution of operations over vectors of 256 bits. This work presents the advances on the applicability of AVX2 to the development of an efficient software implementation of the elliptic curve Diffie-Hellman protocol using the Curve25519 elliptic curve. We also discuss some advantages that vector instructions offer as an alternative method to accelerate prime field and elliptic curve arithmetic. The performance of our implementation shows a slight improvement over the fastest state-of-the-art implementations.
    Presented at the 4th International Conference on Cryptology and Information Security in Latin America. Funded by FAPESP - Fundação de Amparo à Pesquisa do Estado de São Paulo (9230329345). The authors would like to thank the anonymous reviewers for their helpful suggestions and comments. Additionally, they would like to show their gratitude to Jérémie Detrey for his valuable comments on an earlier version of the manuscript.

    ZKAttest: Ring and Group Signatures for Existing ECDSA Keys

    Cryptographic keys are increasingly stored in dedicated hardware or behind software interfaces. Doing so limits access, such as permitting only signing via ECDSA. This makes using them in existing ring and group signature schemes impossible, as these schemes assume the ability to access the private key for other operations. We present a Σ-protocol that uses a committed public key to verify an ECDSA or Schnorr signature on a message, without revealing the public key. We then discuss how this protocol may be used to derive ring signatures in combination with Groth–Kohlweiss membership proofs and other applications. This scheme has been implemented and source code is freely available.

    Post-Quantum Privacy Pass via Post-Quantum Anonymous Credentials

    It is known that one can generically construct a post-quantum anonymous credential scheme, supporting the showing of arbitrary predicates on its attributes using general-purpose zero-knowledge proofs secure against quantum adversaries [Fischlin, CRYPTO 2006]. Traditionally, such a generic instantiation is thought to come with impractical sizes and performance. We show that with careful choices and optimizations, such a scheme can perform surprisingly well. In fact, it performs competitively against state-of-the-art post-quantum blind signatures for the simpler problem of post-quantum unlinkable tokens, required for a post-quantum version of Privacy Pass. To wit, a post-quantum Privacy Pass constructed in this way using zkDilithium, our proposal for a STARK-friendly variation on Dilithium2, allows for a trade-off between token size (85–175KB) and generation time (0.3–5s) with a proof security level of 115 bits. Verification of these tokens can be done in 20–30ms. We argue that these tokens are reasonably practical, adding less than a second of upload time over traditional tokens, supported by a measurement study. Finally, we point out a clear advantage of our approach: the flexibility afforded by the general-purpose zero-knowledge proofs. We demonstrate this by showing how we can construct a rate-limited variant of Privacy Pass that does not rely on non-collusion for privacy.

    A Faster Software Implementation of the Supersingular Isogeny Diffie-Hellman Key Exchange Protocol

    Since its introduction by Jao and De Feo in 2011, the supersingular isogeny Diffie-Hellman (SIDH) key exchange protocol has positioned itself as a promising candidate for post-quantum cryptography. One salient feature of the SIDH protocol is that it requires exceptionally short key sizes. However, the latency associated with SIDH is higher than the ones reported for other post-quantum cryptosystem proposals. Aiming to accelerate the SIDH runtime performance, we present in this work several algorithmic optimizations targeting both elliptic-curve and field arithmetic operations. We introduce in the context of the SIDH protocol a more efficient approach for calculating the elliptic curve operation P + [k]Q. Our strategy achieves a factor 1.4 speedup compared with the popular variable-three-point ladder algorithm regularly used in the SIDH shared secret phase. Moreover, profiting from pre-computation techniques, our algorithm yields a factor 1.7 acceleration for the computation of this operation in the SIDH key generation phase. We also present an optimized evaluation of the point tripling formula, and discuss several algorithmic and implementation techniques that lead to faster field arithmetic computations. A software implementation of the above improvements on an Intel Skylake Core i7-6700 processor gives a factor 1.33 speedup against the state-of-the-art software implementation of the SIDH protocol reported by Costello-Longa-Naehrig in CRYPTO 2016.

    Software implementation of binary elliptic curves: impact of the carry-less multiplier on scalar multiplication

    The availability of a new carry-less multiplication instruction in the latest Intel desktop processors significantly accelerates multiplication in binary fields and hence presents the opportunity for reevaluating algorithms for binary field arithmetic and scalar multiplication over elliptic curves. We describe how to best employ this instruction in field multiplication and the effect on the performance of doubling and halving operations. Alternate strategies for implementing inversion and half-trace are examined to restore most of their competitiveness relative to the new multiplier. These improvements in field arithmetic are complemented by a study on serial and parallel approaches for Koblitz and random curves, where parallelization strategies are implemented and compared. The contributions are illustrated with experimental results improving the state-of-the-art performance of halving- and doubling-based scalar multiplication on NIST curves at the 112- and 192-bit security levels, and a new speed record for side-channel resistant scalar multiplication in a random curve at the 128-bit security level.

    Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves

    We propose efficient algorithms and formulas that improve the performance of side-channel protected elliptic curve computations, with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.'s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient, side-channel protected algorithm for fixed-base scalar multiplication which combines Feng et al.'s recoding with Lim-Lee's comb method. Thirdly, we propose an efficient technique that interleaves ARM and NEON-based multiprecision operations over an extension field to improve the performance of GLS curves on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV-GLS curve in twisted Edwards form defined over F_{p^2}, which supports a four-dimensional decomposition of the scalar and is fully protected against timing attacks. Analysis and performance results are reported for modern x64 and ARM processors. Fo

    Corn hybrids for the production of high-digestibility forage in northern Mexico

    Núñez HG, Faz CR, Tovar GMR, Zavala GA. Téc Pecu Méx 2001,39(2):77-88. Three experiments were carried out to evaluate: corn hybrids differing in cycle to harvest, temperate and tropical hybrids, and high lysine and normal corn hybrids. The experiments were seeded in April 1999 on wet soil. Exp 1 was fertilized with 229-80-00 of N-P-K, respectively. Experiments 2 and 3 were fertilized with 200-80-00 of N-P-K. Plant density varied from 80 to 90 thousand plants/ha in all three experiments. All experiments received four additional irrigations, while the third experiment received five. All experiments were harvested at the boot stage of the plant. Early corn hybrids tended to have lower dry matter per hectare than the intermediate hybrids in Exp 1. The in vitro digestibility was negatively correlated with days to harvest (r=0.64, P0.05) on dry matter yield among early temperate hybrids, intermediate tropical hybrids or intermediate temperate hybrids. In this experiment, early temperate hybrids showed greater in vitro digestibility (P0.05). The in vitro digestibility was similar between high lysine and control corn hybrids (P>0.05). In vitro digestibility was associated with acid detergent fiber (r2=0.63, P
    Núñez HG, Faz CR, Tovar GMR, Zavala GA. Téc Pecu Méx 2001,39(2):77-88. Three experiments were conducted to evaluate corn hybrids of different cycle to harvest, of different origin (temperate and tropical), and of high protein quality versus normal. The experiments were sown in April 1999. Exp 1 was fertilized with 229-80-00 of N-P-K, respectively. The other experiments were fertilized with 200-80-00 of N-P-K, respectively. Density was 80 to 90 thousand plants/ha in the three experiments. Sowing was done on moist soil and four supplementary irrigations were applied, except in Exp 3, where five supplementary irrigations were applied. Harvest was carried out when the milk line in the grain had advanced 1/3. In Exp 1, early hybrids tended to have lower dry matter yields per hectare than intermediate-cycle hybrids. In vitro digestibility was negatively correlated with the hybrids' days to harvest (r=-0.64). In Exp 2, there was no difference in dry matter yield per hectare among early temperate-origin hybrids, intermediate tropical hybrids or intermediate temperate hybrids; early hybrids had greater in vitro digestibility (P0.05) between high protein quality corn and the normal control in dry matter yield. In vitro digestibility was similar between high protein quality and normal hybrids (P>0.05). Considering the three experiments, in vitro digestibility was related to the concentrations of acid detergent fiber (r2=0.63) and neutral detergent fiber (r2=0.62), regardless of the type of corn hybrid.