38 research outputs found

    On multi-exponentiation in cryptography

    We describe and analyze new combinations of multi-exponentiation algorithms with representations of the exponents. We deal mainly, but not exclusively, with the case where the inversion of group elements is fast. These methods are most attractive with exponents in the range from 80 to 256 bits, and can also be used for computing single exponentiations in groups which admit an automorphism satisfying a monic equation of small degree over the integers. The choice of suitable exponent representations allows us to match or improve the running time of the best multi-exponentiation techniques in the aforementioned range, while keeping the memory requirements as small as possible. Hence some of the methods presented here are particularly attractive for deployment in memory-constrained environments such as smart cards. By construction, such methods provide good resistance against side channel attacks. We also describe some applications of these algorithms.
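    The abstract turns on one observation: when inverting a group element is cheap, the exponents can be recoded with signed digits (the NAF, digits in {-1, 0, 1}) and fed into a Straus/Shamir interleaved double-and-add, so the shared doubling chain is paid once and the number of additions drops from roughly half the bit length to roughly a third. The block below is an added example written for this listing, not code from the paper: it uses a toy short-Weierstrass curve over the Mersenne prime 2^61 - 1 with assumed coefficients, sample points found by scanning x, and two constructed 128-bit scalars derived from a hash. Point negation is a sign flip, which is exactly the "fast inversion" the abstract refers to. The three strategies compared are separate double-and-add chains, interleaved unsigned binary, and interleaved NAF; the op counts are the cost model, and all three must agree on the result.

```python
"""Multi-scalar multiplication [e1]P + [e2]Q on a toy elliptic curve, comparing
unsigned binary digits with the signed-digit NAF that becomes attractive when
inversion (point negation) is nearly free.  Constructed example, not from the paper."""
import hashlib

P_MOD = (1 << 61) - 1        # Mersenne prime; p = 3 (mod 4) so a square root is one pow()
A_COEF = P_MOD - 3           # toy curve y^2 = x^3 + A*x + B over F_p (parameters are assumptions)
B_COEF = 1234567


def find_point(x):
    """Scan upward from x for a curve point; used only to get sample points P and Q."""
    while True:
        rhs = (x * x * x + A_COEF * x + B_COEF) % P_MOD
        if pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:          # Euler criterion: rhs is a square
            return (x, pow(rhs, (P_MOD + 1) // 4, P_MOD))   # sqrt, valid because p = 3 (mod 4)
        x += 1


class OpCounter:
    """Counts group doublings and additions; the cost model used to compare methods."""
    def __init__(self):
        self.dbl = 0
        self.add = 0


def neg(pt):
    """Inversion in the curve group is a sign flip: this is what makes -1 digits free."""
    return None if pt is None else (pt[0], (-pt[1]) % P_MOD)


def add(p1, p2, ctr):
    """Affine point addition with None as the identity element."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:          # P + (-P) = identity
            return None
        ctr.dbl += 1
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        ctr.add += 1
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def binary_digits(e):
    """Plain binary, least significant bit first."""
    return [(e >> i) & 1 for i in range(e.bit_length())]


def naf(e):
    """Non-adjacent form, least significant digit first; minimal weight among {-1,0,1} expansions."""
    digits = []
    while e > 0:
        if e & 1:
            d = 2 - (e & 3)          # +1 when e = 1 (mod 4), -1 when e = 3 (mod 4)
            e -= d
        else:
            d = 0
        digits.append(d)
        e >>= 1
    return digits


def multiscalar(points, scalars, recode):
    """Straus/Shamir interleaving: one shared doubling chain, one addition per nonzero digit."""
    ctr = OpCounter()
    cols = [recode(e) for e in scalars]
    R = None
    for i in range(max(len(c) for c in cols) - 1, -1, -1):
        R = add(R, R, ctr)
        for pt, c in zip(points, cols):
            d = c[i] if i < len(c) else 0
            if d == 1:
                R = add(R, pt, ctr)
            elif d == -1:
                R = add(R, neg(pt), ctr)     # subtraction costs the same as addition
    return R, ctr


def separate(points, scalars):
    """Baseline: an independent double-and-add chain per scalar, then sum the results."""
    total = OpCounter()
    R = None
    for pt, e in zip(points, scalars):
        Q, c = multiscalar([pt], [e], binary_digits)
        total.dbl += c.dbl
        total.add += c.add
        R = add(R, Q, total)
    return R, total


def demo(nbits=128):
    """Constructed nbits-bit scalars (hash-derived, not secret); returns results and op counts."""
    h = hashlib.sha256(b"constructed sample scalars").digest()
    mask = (1 << nbits) - 1
    e1 = (int.from_bytes(h[:16], "big") & mask) | (1 << (nbits - 1))
    e2 = (int.from_bytes(h[16:], "big") & mask) | (1 << (nbits - 1))
    P, Q = find_point(1), find_point(1000)
    r_sep, c_sep = separate([P, Q], [e1, e2])
    r_bin, c_bin = multiscalar([P, Q], [e1, e2], binary_digits)
    r_naf, c_naf = multiscalar([P, Q], [e1, e2], naf)
    return {"separate": (r_sep, c_sep.dbl, c_sep.add),
            "interleaved_binary": (r_bin, c_bin.dbl, c_bin.add),
            "interleaved_naf": (r_naf, c_naf.dbl, c_naf.add)}


if __name__ == "__main__":
    for name, (_, d, a) in demo().items():
        print(f"{name:20s} doublings={d:4d} additions={a:4d}")
```

    Because the NAF has minimal weight among all signed-binary expansions of an integer, the interleaved-NAF run never needs more additions than the interleaved-binary run, whatever the scalars; the doubling count is halved relative to the separate chains because the two scalars share one chain. The paper's methods go further (joint recodings and small precomputed tables chosen to fit a smart card's memory), but this is the mechanism they build on. The curve here is unvalidated and only for counting operations; do not reuse its parameters.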

    The QARMAv2 Family of Tweakable Block Ciphers

    We introduce the QARMAv2 family of tweakable block ciphers. It is a redesign of QARMA (from FSE 2017) to improve its security bounds and allow for longer tweaks, while keeping similar latency and area. The wider tweak input caters to both specific use cases and the design of modes of operation with higher security bounds. This is achieved through new key and tweak schedules, revised S-Box and linear layer choices, and a more comprehensive security analysis. QARMAv2 offers competitive latency and area in fully unrolled hardware implementations. Some of our results may be of independent interest. These include: new MILP models of certain classes of diffusion matrices; the comparative analysis of a full reflection cipher against an iterative half-cipher; our boomerang attack framework; and an improved approach to doubling the width of a block cipher.

    Minimality of the Hamming Weight of the τ-NAF for Koblitz Curves and Improved Combination with Point Halving

    In order to efficiently perform scalar multiplications on Koblitz elliptic curves, expansions of the scalar to a complex base associated with the Frobenius endomorphism are commonly used. One such expansion is the τ-adic NAF, introduced by Solinas. Some properties of this expansion, such as the average weight, are well known, but in the literature there is no proof of its optimality, i.e. that it always has minimal weight. In this paper we provide the first proof of this fact. Point halving, being faster than doubling, is also used to perform fast scalar multiplications on generic elliptic curves over binary fields. Since its computation is more expensive than that of the Frobenius, halving was thought to be uninteresting for Koblitz curves. At PKC 2004, Avanzi, Ciet, and Sica combined Frobenius operations with one point halving to compute scalar multiplications on Koblitz curves using on average 14% fewer group additions than with the usual τ-and-add method, without increasing memory usage. The second result of this paper is an improvement over their expansion that is simpler to compute and optimal in a suitable sense, i.e. it has minimal Hamming weight among all τ-adic expansions with digits {0, ±1} that allow one halving to be inserted in the corresponding scalar multiplication algorithm. The resulting scalar multiplication requires on average 25% fewer group operations than the Frobenius method, and is thus 12.5% faster than the previously known combination.

    Estimation of the susceptibility of a road network to shallow landslides with the integration of the sediment connectivity

    Landslides cause severe damage to the road network of the affected zone, in terms of both direct costs (partial or complete destruction of a road, or blockages) and indirect costs (traffic restrictions or the cut-off of an area). Thus, identifying the parts of the road network that are most susceptible to landslides is fundamental to reducing the risk to the potentially exposed population and the financial expense caused by the damage. For these reasons, this paper aimed to develop and test a data-driven model for identifying road sectors that are susceptible to being hit by shallow landslides triggered on slopes upstream of the infrastructure. The model is based on a Generalized Additive Model, in which the function relating predictors and response variable is an empirically fitted smooth function, so that the data can be fitted in the most likely functional form, including non-linear relations. This work also analysed whether including sediment connectivity, which influences the path and travel distance of the material mobilized by a slope failure before it reaches a potential barrier such as a road, improves the susceptibility estimate. The study was carried out in a catchment of northeastern Oltrepò Pavese (northern Italy), where several shallow landslides affected roads in the last 8 years. The most significant explanatory variables were selected by randomly partitioning the available dataset into two parts (training and test subsets) 100 times according to a bootstrap procedure. The variables selected 80 times by the bootstrap procedure were used to build the final susceptibility model, whose accuracy was estimated through a 100-fold repetition of the holdout method for regression, based on the training and test sets created by the 100 bootstrap model-selection runs. The presented methodology identifies, in a robust and reliable way, the road sectors most susceptible to being hit by sediments delivered by landslides. The best predictive capability was obtained with a model that also included the index of connectivity, calculated according to a linear relationship. The most susceptible road sections were located below steep slopes of limited height (lower than 50 m), where sediment connectivity is high. Different land use scenarios were considered in order to estimate possible changes in road susceptibility. The land use classes of the study area had similar connectivity features, so variations in road-network susceptibility across the land-cover scenarios were limited. The results of this research demonstrate that the developed methodology can identify susceptible roads. This could give infrastructure managers information about the criticality of the different road sections, allowing attention and budgets to be shifted towards the most critical assets, where structural and non-structural mitigation measures could be implemented.

    Understanding Factors Associated With Psychomotor Subtypes of Delirium in Older Inpatients With Dementia


    Side Channel Attacks on Implementations of Curve-Based Cryptographic Primitives

    The present survey deals with the recent research in side channel analysis and related attacks on implementations of cryptographic primitives. The focus is on software countermeasures for primitives built around algebraic groups. Many countermeasures are described, together with their extent of applicability and their weaknesses. Some suggestions are made, conclusions are drawn, and some directions for future research are given. An extensive bibliography on recent developments concludes the survey.

    The Complexity of Certain Multi-Exponentiation Techniques in Cryptography


    Scalar Multiplication on Koblitz Curves Using the Frobenius Endomorphism and its Combination with Point Halving: Extensions and Mathematical Analysis

    In this paper we prove the optimality and other properties of the τ-adic nonadjacent form: this expansion has been introduced in order to efficiently compute scalar multiplications on Koblitz curves. We also refine and extend results about double expansions of scalars introduced by Avanzi, Ciet and Sica in order to further improve scalar multiplications. Our double expansions are optimal and their properties are carefully analysed. In particular we provide first and second order terms for the expected weight, determine the variance and prove a central limit theorem. Transducers for all the involved expansions are provided, as well as automata accepting all expansions of minimal weight.
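    Both τ-NAF abstracts on this page (the PKC paper on minimality of the Hamming weight, and this extended analysis) take Solinas's τ-adic NAF as their object. The block below is an added example for this listing, not code from either paper: it implements Solinas's TNAF recoding for an element r0 + r1·τ of Z[τ], where τ is the Frobenius of the Koblitz curve E_a with τ² = μτ − 2 and μ = (−1)^(1−a), checks an expansion by evaluating it back into Z[τ], and, for tiny inputs, brute-forces the minimum weight over all {0, ±1} expansions up to a given length as an independent sanity check of the minimality claim. The scalar reduction modulo (τ^m − 1)/(τ − 1) that a real implementation performs first (so the expansion has length about m rather than about 2·log2 n) is omitted.

```python
"""tau-adic NAF (Solinas's TNAF) for Koblitz curves E_a: y^2 + xy = x^3 + a*x^2 + 1 over F_2.
The Frobenius tau satisfies tau^2 = mu*tau - 2 with mu = (-1)^(1-a); an element of Z[tau]
is stored as a pair (r0, r1) meaning r0 + r1*tau.  Added example, not code from the papers."""
from itertools import product


def mu_for(a):
    """mu = +1 for the curve E_1, -1 for E_0."""
    return 1 if a == 1 else -1


def tau_mul(r, mu):
    """Multiply r0 + r1*tau by tau: tau*(r0 + r1*tau) = -2*r1 + (r0 + mu*r1)*tau."""
    r0, r1 = r
    return (-2 * r1, r0 + mu * r1)


def tau_naf(r0, r1, mu):
    """TNAF of r0 + r1*tau: digits in {-1, 0, 1}, least significant first, no two adjacent nonzero."""
    digits = []
    while r0 != 0 or r1 != 0:
        if r0 & 1:                                   # tau does not divide r0 + r1*tau
            u = 2 - ((r0 - 2 * r1) % 4)              # u = +/-1 chosen so tau^2 divides (r0 - u) + r1*tau
            r0 -= u
        else:
            u = 0
        digits.append(u)
        r0, r1 = r1 + mu * (r0 // 2), -(r0 // 2)     # exact division by tau (r0 is even here)
    return digits


def evaluate(digits, mu):
    """Horner evaluation of sum d_i * tau^i back into Z[tau]; used to check an expansion."""
    acc = (0, 0)
    for d in reversed(digits):
        t0, t1 = tau_mul(acc, mu)
        acc = (t0 + d, t1)
    return acc


def weight(digits):
    """Hamming weight: number of nonzero digits, i.e. group additions in tau-and-add."""
    return sum(1 for d in digits if d != 0)


def is_nonadjacent(digits):
    return all(not (digits[i] and digits[i + 1]) for i in range(len(digits) - 1))


def min_weight_bruteforce(r0, r1, mu, max_len):
    """Minimum weight over all {-1,0,1} expansions of length <= max_len representing r0 + r1*tau.
    Exponential (3^max_len); only for tiny inputs, as an independent check of the minimality claim."""
    best = None
    for digs in product((-1, 0, 1), repeat=max_len):
        if evaluate(digs, mu) == (r0, r1):
            w = weight(digs)
            if best is None or w < best:
                best = w
    return best


def average_weight_ratio(mu, lo, hi):
    """Mean weight/length of the TNAF of the integers lo..hi-1 (expected to approach 1/3)."""
    ratios = [weight(d) / len(d) for n in range(lo, hi) for d in [tau_naf(n, 0, mu)]]
    return sum(ratios) / len(ratios)


if __name__ == "__main__":
    mu = mu_for(1)
    for n in (3, 7, 2**20 + 12345):
        d = tau_naf(n, 0, mu)
        print(n, "->", d[::-1], "weight", weight(d), "length", len(d))
    print("avg weight/length over 1..2000:", round(average_weight_ratio(mu, 1, 2000), 3))
```

    With μ = 1, the integer 3 recodes to the digits (1, 0, 0, 1, 0, −1) reading from the most significant end, i.e. τ⁵ + τ² − 1, which has weight 3; the brute-force search confirms that no {0, ±1} expansion of 3 or of 7 with eight or fewer digits does better, which is what the minimality theorem predicts for every input. Note that the length of the TNAF of a plain integer is roughly twice its bit length, which is why the reduction modulo (τ^m − 1)/(τ − 1) matters in practice.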