604 research outputs found

    Low-Weight Primes for Lightweight Elliptic Curve Cryptography on 8-bit AVR Processors

    Small 8-bit RISC processors and micro-controllers based on the AVR instruction set architecture are widely used in the embedded domain, with applications ranging from smartcards and control systems to wireless sensor nodes. Many of these applications require asymmetric encryption or authentication, which has spurred a body of research into implementation aspects of Elliptic Curve Cryptography (ECC) on the AVR platform. In this paper, we study the suitability of a special class of finite fields, the so-called Optimal Prime Fields (OPFs), for a "lightweight" implementation of ECC with a view towards high performance and security. An OPF is a finite field F_p defined by a prime of the form p = u*2^k + v, whereby both u and v are "small" (in relation to 2^k) so that they fit into one or two registers of an AVR processor. OPFs have a low Hamming weight, which allows for a very efficient implementation of the modular reduction since only the non-zero words of p need to be processed. We describe a special variant of Montgomery multiplication for OPFs that does not execute any input-dependent conditional statements (e.g. branch instructions) and is, hence, resistant against certain side-channel attacks. When executed on an Atmel ATmega processor, a multiplication in a 160-bit OPF takes just 3237 cycles, which compares favorably with other implementations of 160-bit modular multiplication on an 8-bit processor. We also describe a performance-optimized and a security-optimized implementation of elliptic curve scalar multiplication over OPFs. The former uses a GLV curve and executes in 4.19M cycles (over a 160-bit OPF), while the latter is based on a Montgomery curve and has an execution time of approximately 5.93M cycles. Both results improve the state-of-the-art in lightweight ECC on 8-bit processors.

    A New Encoding Algorithm for a Multidimensional Version of the Montgomery Ladder

    We propose a new encoding algorithm for the simultaneous differential multidimensional scalar point multiplication algorithm dd-MUL. Previous encoding algorithms are known to have major drawbacks in their efficient and secure implementation. Some of these drawbacks have been avoided in a recent paper in 2018, at the cost of losing the general functionality of the point multiplication algorithm. In this paper, we address these issues. Our new encoding algorithm takes the binary representations of scalars as input and constructs a compact binary sequence and a permutation, which explicitly determines a regular sequence of group operations to be performed in dd-MUL. Our algorithm simply slides windows of size two over the scalars and is very efficient. As a result, while preserving the full generality of dd-MUL, we successfully eliminate the recursive integer matrix computations in the originally proposed encoding algorithms. We also expect that our new encoding algorithm will make it easier to implement dd-MUL in constant time. Our results can be seen as the efficient and full generalization of the one-dimensional Montgomery ladder to arbitrary dimension.

    McBits Revisited

    This paper presents a constant-time fast implementation for a high-security code-based encryption system. The implementation is based on the "McBits" paper by Bernstein, Chou, and Schwabe in 2013: we use the same FFT algorithms for root finding and syndrome computation, similar algorithms for the secret permutation, and bitslicing for low-level operations. As opposed to McBits, where a high decryption throughput is achieved by running many decryption operations in parallel, we take a different approach and exploit the internal parallelism within a single decryption operation, which makes the implementation usable by a wider range of applications. As a result, we manage to achieve a slightly better decryption throughput at a much higher security level than McBits. As a minor contribution, we also present a constant-time implementation for encryption and key-pair generation, with similar techniques used for decryption.

    Quantum resource estimates for computing elliptic curve discrete logarithms

    We give precise quantum resource estimates for Shor's algorithm to compute discrete logarithms on elliptic curves over prime fields. The estimates are derived from a simulation of a Toffoli gate network for controlled elliptic curve point addition, implemented within the framework of the quantum computing software tool suite LIQ$Ui|\rangle$. We determine circuit implementations for reversible modular arithmetic, including modular addition, multiplication and inversion, as well as reversible elliptic curve point addition. We conclude that elliptic curve discrete logarithms on an elliptic curve defined over an $n$-bit prime field can be computed on a quantum computer with at most $9n + 2\lceil\log_2(n)\rceil + 10$ qubits using a quantum circuit of at most $448 n^3 \log_2(n) + 4090 n^3$ Toffoli gates. We are able to classically simulate the Toffoli networks corresponding to the controlled elliptic curve point addition as the core piece of Shor's algorithm for the NIST standard curves P-192, P-224, P-256, P-384 and P-521. Our approach allows gate-level comparisons to recent resource estimates for Shor's factoring algorithm. The results also support estimates given earlier by Proos and Zalka and indicate that, for current parameters at comparable classical security levels, the number of qubits required to tackle elliptic curves is less than for attacking RSA, suggesting that indeed ECC is an easier target than RSA.
    Comment: 24 pages, 2 tables, 11 figures. v2: typos fixed and reference added. ASIACRYPT 201

    Implementation of a leakage-resilient ElGamal key encapsulation mechanism


    Improved quantum circuits for elliptic curve discrete logarithms

    We present improved quantum circuits for elliptic curve scalar multiplication, the most costly component in Shor's algorithm to compute discrete logarithms in elliptic curve groups. We optimize low-level components such as reversible integer and modular arithmetic through windowing techniques and more adaptive placement of uncomputing steps, and improve over previous quantum circuits for modular inversion by reformulating the binary Euclidean algorithm. Overall, we obtain an affine Weierstrass point addition circuit that has lower depth and uses fewer $T$ gates than previous circuits. While previous work mostly focuses on minimizing the total number of qubits, we present various trade-offs between different cost metrics including the number of qubits, circuit depth and $T$-gate count. Finally, we provide a full implementation of point addition in the Q# quantum programming language that allows unit tests and automatic quantum resource estimation for all components.
    Comment: 22 pages, to appear in: Int'l Conf. on Post-Quantum Cryptography (PQCrypto 2020

    Recursive double-size fixed precision arithmetic

    This work is part of the SHIVA (Secured Hardware Immune Versatile Architecture) project, whose purpose is to provide a programmable and reconfigurable hardware module with a high level of security. We propose a recursive double-size fixed precision arithmetic called RecInt. Our work can be split into two parts. First, we developed a C++ software library with performance comparable to GMP's. Second, our simple representation of the integers allows an implementation on FPGA. Our idea is to consider sizes that are a power of 2 and to apply doubling techniques to implement them efficiently: we design a recursive data structure where integers of size 2^k, for k > k0, are stored as two integers of size 2^{k-1}. For k <= k0 we use machine arithmetic instead (k0 depending on the architecture).

    Characterization and Comparison of 2 Distinct Epidemic Community-Associated Methicillin-Resistant Staphylococcus aureus Clones of ST59 Lineage.

    Sequence type (ST) 59 is an epidemic lineage of community-associated (CA) methicillin-resistant Staphylococcus aureus (MRSA) isolates. Taiwanese CA-MRSA isolates belong to ST59 and can be grouped into 2 distinct clones, a virulent Taiwan clone and a commensal Asian-Pacific clone. The Taiwan clone carries the Panton-Valentine leukocidin (PVL) genes and the staphylococcal chromosomal cassette mec (SCCmec) VT, and is frequently isolated from patients with severe disease. The Asian-Pacific clone is PVL-negative, carries SCCmec IV, and is a frequent colonizer of healthy children. Isolates of both clones were characterized by their ability to adhere to respiratory A549 cells, their cytotoxicity to human neutrophils, and their behavior in murine nasal colonization and murine sepsis models. Genome variation was determined by polymerase chain reaction of selected virulence factors and by multi-strain whole genome microarray. Additionally, the expression of selected factors was compared between the 2 clones. The Taiwan clone showed a much higher cytotoxicity to human neutrophils and caused more severe septic infections with a high mortality rate in the murine model. The clones were indistinguishable in their adhesion to A549 cells and in the persistence of murine nasal colonization. The microarray data revealed that the Taiwan clone had lost the φ3 prophage that integrates into the β-hemolysin gene and includes the staphylokinase- and enterotoxin P-encoding genes, but had retained the genes for human immune evasion, scn and chps. Production of the virulence factors did not differ significantly between the 2 clonal groups, although more α-toxin was expressed in Taiwan clone isolates from pneumonia patients. In conclusion, the Taiwan CA-MRSA clone was distinguished by enhanced virulence in both humans and an animal infection model. The evolutionary acquisition of PVL, the higher expression of α-toxin, and possibly the loss of a large portion of the β-hemolysin-converting prophage likely contribute to its higher pathogenic potential compared with the Asian-Pacific clone.