SLIDE 1

A New Encoding Algorithm for a Multidimensional Version of the Montgomery Ladder

Aaron Hutchinson¹, Koray Karabina²,³

¹ University of Waterloo, a5hutchinson@uwaterloo.ca

² Florida Atlantic University, kkarabina@fau.edu

³ National Research Council Canada, koray.karabina@nrc-cnrc.gc.ca

July 21, 2020

Aaron Hutchinson, Koray Karabina July 21, 2020 1 / 32

SLIDE 2

Background

This work builds on two previous works:

[2] A. Hutchinson and K. Karabina. Constructing Multidimensional Differential Addition Chains and Their Applications. Journal of Cryptographic Engineering, 9(1):1–19, 2019.

[1] H. Hisil, A. Hutchinson, and K. Karabina. d-MUL: Optimizing and Implementing a Multidimensional Scalar Multiplication Algorithm over Elliptic Curves. 8th International Conference on Security, Privacy, and Applied Cryptography Engineering - SPACE 2018, Lecture Notes in Computer Science, 11348:198–217, 2018.

In all three works the topic of interest is the multidimensional scalar multiplication algorithm d-MUL.

SLIDE 3

Scalar Multiplication Algorithms

Let $G$ be an abelian group. A d-dimensional scalar multiplication algorithm for $G$ takes input $a_1, \dots, a_d \in \mathbb{N}$ and $P_1, \dots, P_d \in G$ and outputs the element $a_1P_1 + \cdots + a_dP_d$.

Such algorithms often see use in cryptography:

• 1 dimension: Elliptic Curve Diffie-Hellman, Elliptic Curve Digital Signature Generation, Isogeny-based cryptography
• 2 or 3 dimensions: Elliptic Curve Digital Signature Verification
• d dimensions: batch signature verification

SLIDE 4

Cryptographically Secure Scalar Multiplication

For use in a cryptographic setting the following properties are desired:

• Uniformity: the algorithm performs the same sequence of operations during each execution.
• Isochronous: the algorithm always takes the same amount of time to execute independent of the input.
• Differential additions: computing $P + Q$ can sometimes be done much more efficiently if $P - Q$ is already known.
• Parallelizability of operations.

SLIDE 5

Example: Montgomery Chain

To compute $10P$ with the Montgomery Chain:

$10 = (1010)_2 = 1 \cdot 2^3 + 0 \cdot 2^2 + 1 \cdot 2^1 + 0 \cdot 2^0$.

Initialize variables $R_1 \leftarrow 1P$ and $R_0 \leftarrow 0P = 0$. If the i-th bit of $a$ is $x$, replace $R_{1-x}$ with $R_1 + R_0$ and double the value of $R_x$.

$$\begin{array}{c|ccccc} \text{bit} & \text{Initial} & 3 & 2 & 1 & 0 \\ \hline R_1 & P & 2P & 3P & 6P & 11P \\ R_0 & 0 & P & 2P & 5P & 10P \end{array}$$

Montgomery Chain uses $\lceil \log_2(a) \rceil$ iterations, each uniformly performing 1 doubling and 1 addition. Every difference is $P$. Total cost: $\lceil \log_2(a) \rceil (D + A)$.
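The update rule above, written out as an added example (not code from the presentation). The integers stand in for the group, with P = 1 or a residue mod 97, and the function name and the operation counter are assumptions made for illustration.

```python
# Added example: the slide's Montgomery chain rule over a generic additive
# group, with the integers (P = 1) as a stand-in so that kP is just k.

def montgomery_chain(a, P, add, dbl, zero):
    """Return (aP, trace, ops) following the slide's update rule.

    trace holds (R1, R0) after initialization and after each bit;
    ops counts the doublings (D) and additions (A) performed.
    """
    R = [zero, P]                       # R[0] = 0P, R[1] = 1P
    trace = [(R[1], R[0])]
    ops = {"D": 0, "A": 0}
    for i in reversed(range(a.bit_length())):
        x = (a >> i) & 1
        s = add(R[1], R[0])             # differential addition, R1 - R0 = P
        # A production implementation selects R_x with a constant-time
        # conditional swap instead of indexing by the secret bit.
        R[x] = dbl(R[x])                # double R_x
        R[1 - x] = s                    # replace R_{1-x} with R1 + R0
        ops["D"] += 1
        ops["A"] += 1                   # same work whatever the bit is
        trace.append((R[1], R[0]))
    return R[0], trace, ops


def slide_trace():
    """The 10P computation from the slide, with P = 1 in the integers."""
    return montgomery_chain(10, 1, lambda u, v: u + v, lambda u: 2 * u, 0)


def mod_group(a, P=5, n=97):
    """Same chain in the additive group Z/nZ (constructed sample values)."""
    return montgomery_chain(a, P, lambda u, v: (u + v) % n,
                            lambda u: (2 * u) % n, 0)[0]


if __name__ == "__main__":
    value, trace, ops = slide_trace()
    for r1, r0 in trace:
        print(f"R1 = {r1}P, R0 = {r0}P")
    print(value, ops)
```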

SLIDE 6

Example: Bernstein Chain

• (2006) Bernstein proposed a 2 dimensional differential addition chain.
• If $a, b$ are ℓ-bit integers, the algorithm computes $aP + bQ$ using an operation count of $\ell(2A + D)$.
• For every point addition, the corresponding difference is in the set $\{0, P, Q, P + Q, P - Q\}$.
• Highly parallelizable.
• The Bernstein Chain generalizes the Montgomery Chain to 2 dimensions.

SLIDE 7

Example: Bernstein Chain

SLIDE 8

d-MUL Overview

The d-MUL algorithm generalizes the Montgomery and Bernstein Chains to d dimensions for general $d \geq 1$. Based on an algorithm of Dan Brown (2006).

Properties:

• Given $a_1, \dots, a_d \in \mathbb{Z}$ and $P_1, \dots, P_d \in G$, outputs $\sum_i a_i P_i$.
• Performs $\ell := \max(\log_2 |a_i|)$ iterations, each performing 1 doubling and d additions. Total cost: $\ell(D + dA)$.
• In each iteration, the doubling and additions are independent, so highly parallelizable.
• Differences are fixed in the set $\{\sum_i c_i P_i : c_i \in \{0, 1, -1\}\}$.

SLIDE 10

d-MUL Version 1

First version of d-MUL [2] uses state matrices to construct a differential addition chain:

Definition

A state matrix is a $(d + 1) \times d$ integer-valued matrix $A$ such that:

• every row $A_i$ has $i - 1$ odd entries;
• $A_{i+1} - A_i$ has a single nonzero entry, which is ±1.

Algorithm is a 3 step process:

1. Initialization: construct a (any) state matrix $A^{(\ell)}$ having $(a_1, \dots, a_d)$ as a row.
2. Recoding: construct a sequence of state matrices $\{A^{(i)}\}$ such that every row in $A^{(i+1)}$ is the sum of two rows from $A^{(i)}$.
3. Evaluation: use row relationships between consecutive $A^{(i)}$ to add points $P_j$ together.

SLIDE 17

d-MUL Version 1: Example

Example: compute $10P_1 + 14P_2 + 9P_3 + 11P_4$.

$$A^{(5)} = \begin{bmatrix} 10&14&10&12\\ 10&14&10&11\\ 10&14&9&11\\ 10&15&9&11\\ 11&15&9&11 \end{bmatrix} \to A^{(4)} = \begin{bmatrix} 6&8&4&6\\ 5&8&4&6\\ 5&7&4&6\\ 5&7&5&6\\ 5&7&5&5 \end{bmatrix} \to A^{(3)} = \begin{bmatrix} 2&4&2&2\\ 2&4&2&3\\ 3&4&2&3\\ 3&3&2&3\\ 3&3&3&3 \end{bmatrix}$$

$$\to A^{(2)} = \begin{bmatrix} 2&2&2&2\\ 2&2&1&2\\ 1&2&1&2\\ 1&2&1&1\\ 1&1&1&1 \end{bmatrix} \to A^{(1)} = \begin{bmatrix} 0&0&0&0\\ 0&1&0&0\\ 0&1&0&1\\ 1&1&0&1\\ 1&1&1&1 \end{bmatrix}$$

SLIDE 20

d-MUL Version 1: Example

$$A^{(1)} = \begin{bmatrix} 0&0&0&0\\ 0&1&0&0\\ 0&1&0&1\\ 1&1&0&1\\ 1&1&1&1 \end{bmatrix} \implies \begin{aligned} Q^1_1 &= 0 \\ Q^1_2 &= P_2 \\ Q^1_3 &= P_2 + P_4 \\ Q^1_4 &= P_1 + P_2 + P_4 \\ Q^1_5 &= P_1 + P_2 + P_3 + P_4 \end{aligned}$$

↓

$$A^{(2)} = \begin{bmatrix} 2&2&2&2\\ 2&2&1&2\\ 1&2&1&2\\ 1&2&1&1\\ 1&1&1&1 \end{bmatrix} \implies \begin{aligned} Q^2_1 &= 2Q^1_5 & (&= 2P_1 + 2P_2 + 2P_3 + 2P_4) \\ Q^2_2 &= Q^1_4 + Q^1_5 & (&= 2P_1 + 2P_2 + 1P_3 + 2P_4) \\ Q^2_3 &= Q^1_3 + Q^1_5 & (&= 1P_1 + 2P_2 + 1P_3 + 2P_4) \\ Q^2_4 &= Q^1_2 + Q^1_5 & (&= 1P_1 + 2P_2 + 1P_3 + 1P_4) \\ Q^2_5 &= Q^1_1 + Q^1_5 & (&= 1P_1 + 1P_2 + 1P_3 + 1P_4) \end{aligned}$$

↓

⋮

$$Q^5_3 = Q^4_3 + Q^4_5 \quad (= 10P_1 + 14P_2 + 9P_3 + 11P_4)$$

SLIDE 21

d-MUL Version 2

The second version of d-MUL in [1] is a randomized variant that encodes row relationships as binary strings. Constructs a similar sequence of matrices, but increasing in magnitude starting from a 0/1 matrix. This is done by:

1. A random initial state matrix is generated having 0 or 1 values.
2. A random binary string is chosen from which a new state matrix is generated having the property that every row in the new matrix is the sum of two rows from the previous matrix.
3. Previous step is repeated as many times as desired.
4. Last row of last matrix is output.

SLIDE 22

d-MUL Version 2: Example

Say the initial randomly chosen matrix is:

$$\begin{bmatrix} 0&0&0&0\\ 0&1&0&0\\ 0&1&0&1\\ 1&1&0&1\\ 1&1&1&1 \end{bmatrix}$$

The corresponding combinations of the $P_i$ are computed.

SLIDE 24

d-MUL Version 2: Example

Iteration 1: Randomly chosen binary string: $b = (0, 1, 1, 0)$

Row to be doubled is row $H(0110) + 1 = 2 + 1 = 3$, where $H$ is Hamming weight.

$$\begin{bmatrix} 0&0&0&0\\ 0&1&0&0\\ 0&1&0&1\\ 1&1&0&1\\ 1&1&1&1 \end{bmatrix} \to \begin{bmatrix} 0&2&0&2\\ \vdots&\vdots&\vdots&\vdots \end{bmatrix}$$

SLIDE 28

d-MUL Version 2: Example

Iteration 1: Randomly chosen binary string: $b = (0, 1, 1, 0)$

$$\begin{bmatrix} 0&0&0&0\\ 0&1&0&0\\ 0&1&0&1\\ 1&1&0&1\\ 1&1&1&1 \end{bmatrix} \to \begin{bmatrix} 0&2&0&2\\ 1&2&0&2\\ 1&2&0&1\\ 1&1&0&1\\ 1&1&1&1 \end{bmatrix}$$

SLIDE 30

d-MUL Version 2: Example

Iteration 2: Randomly chosen binary string: $b = (1, 1, 0, 1)$

Row to be doubled is row $H(1101) + 1 = 3 + 1 = 4$, where $H$ is Hamming weight.

$$\begin{bmatrix} 0&2&0&2\\ 1&2&0&2\\ 1&2&0&1\\ 1&1&0&1\\ 1&1&1&1 \end{bmatrix} \to \begin{bmatrix} 2&2&0&2\\ \vdots&\vdots&\vdots&\vdots \end{bmatrix}$$

SLIDE 34

d-MUL Version 2: Example

Iteration 2: Randomly chosen binary string: $b = (1, 1, 0, 1)$

$$\begin{bmatrix} 0&2&0&2\\ 1&2&0&2\\ 1&2&0&1\\ 1&1&0&1\\ 1&1&1&1 \end{bmatrix} \to \begin{bmatrix} 2&2&0&2\\ 2&3&0&2\\ 2&3&0&3\\ 2&3&1&3\\ 1&3&1&3 \end{bmatrix}$$

SLIDE 35

d-MUL Version 2

• Iteration continues for as long as desired.
• Last row of last matrix is output.
• 1 iteration ≈ 1 additional bit in output scalars.
• Retains uniform structure of 1 doubling, d additions per iteration (all parallelizable).

Important: The matrices don't actually need to be computed. All arithmetic can be done with points right from the start.

SLIDE 36

d-MUL Comparison

d-MUL Version 1:

◮ Pros: d-dimensional scalar multiplication algorithm with desirable cryptographic properties.

◮ Cons: Computing matrices and storing their row relationships is extremely inefficient.

d-MUL Version 2:

◮ Pros: Writing row relationships between matrices as binary strings gives very efficient encoding of the addition chain.

◮ Cons: Completely random, very little control over output point.

SLIDE 37

d-MUL Comparison

Is it possible to apply the efficiency of the encoding of Version 2 to Version 1?

◮ More precisely: given $a_1, \dots, a_d \in \mathbb{Z}$, how can the binary string corresponding to the sequence of matrices constructed in Version 1 be determined?

This work gives an efficient answer to this question.

SLIDE 38

Definitions

Definition

For a state matrix $A$, the column sequence for $A$ is the bijection $\sigma : \{2, 3, \dots, d + 1\} \to \{1, 2, \dots, d\}$ defined as $\sigma(i)$ being the position in which the row vector $A_i - A_{i-1}$ is nonzero.

Definition

Let $B$ be a $(d + 1) \times d$ state matrix and $r$ a binary string of length $d$. Let $h$ be the number of 1's in $r$. Define a recursive sequence $a_k = (x_k, y_k)$ by $x_1 = y_1 = h + 1$ and

$$a_k = \begin{cases} (x_{k-1},\ y_{k-1} + 1) & \text{if } r_{k-1} = 0 \\ (x_{k-1} - 1,\ y_{k-1}) & \text{if } r_{k-1} = 1 \end{cases}$$

for $2 \leq k \leq d + 1$. The extension matrix of $B$ corresponding to $r$ is the $(d + 1) \times d$ state matrix $A$ defined by $A_k = B_{x_k} + B_{y_k}$.

SLIDE 39

Definitions

By iterating the construction of an extension matrix using multiple binary strings, we can form a sequence of matrices such that every row in a matrix is the sum of two rows from the previous matrix.

Definition

Let $B$ be a $(d + 1) \times d$ state matrix. Let $r_1, \dots, r_\ell$ be binary strings of length $d$, and $r = r_1 \| \cdots \| r_\ell$. The extension sequence with base $B$ corresponding to $r$ is a sequence $\{A^{(i)}\}_{i=1}^{\ell+1}$ of $(d + 1) \times d$ state matrices defined recursively by $A^{(1)} = B$, and $A^{(i+1)}$ is the extension matrix of $A^{(i)}$ corresponding to $r_i$.

This allows encoding of a sequence of matrices given only an initial matrix and a long binary string.

SLIDE 40

Contributions

In the paper, the following two problems are solved:

1. Let $\{A^{(k)}\}_{k=1}^{\ell}$ be an extension sequence with $A^{(1)}$ having entries in $\{0, 1\}$. Given only the binary representation of the entries in the row vector $A^{(\ell)}_1 + A^{(\ell)}_{d+1}$, find a simple expression giving the binary representations of the entries in $A^{(k)}_1$ for all $k = 1, \dots, \ell$.

2. Let $A$ be an extension matrix of $B$ corresponding to the bitstring $r$, and let $\sigma_A$ and $\sigma_B$ be the column sequences for $A$ and $B$, respectively. Find a simple method for determining $(\sigma_B, r)$ given only $(A_1, \sigma_A)$.

SLIDE 41

Solution to Problem (1)

Problem (1) is solved by the following corollary:

Corollary

Let $\{A^{(i)}\}_{i=1}^{\ell}$ be an extension sequence such that $A^{(1)}$ has entries in $\{0, 1\}$. Let $(b^{(i)}_1 b^{(i)}_2 \cdots b^{(i)}_{\ell-1} 1)_2$ be the binary representation of $A^{(\ell)}_{1,i} + A^{(\ell)}_{d+1,i}$ for $1 \leq i \leq d$. Then for $1 \leq k \leq \ell$,

(1) $A^{(k)}_{1,i} + A^{(k)}_{d+1,i} = (b^{(i)}_1 b^{(i)}_2 \cdots b^{(i)}_{k-1} 1)_2$,

(2) $A^{(k)}_{1,i} = (b^{(i)}_1 b^{(i)}_2 \cdots b^{(i)}_{k-1})_2 + b^{(i)}_{k-1}$,

(3) $A^{(k)}_{d+1,i} = (b^{(i)}_1 b^{(i)}_2 \cdots b^{(i)}_{k-1})_2 + 1 - b^{(i)}_{k-1}$,

with $b^{(i)}_0 := 0$.

In other words, the entries of $A^{(k)}_1$ are determined by the first $k$ bits of the entries of $A^{(\ell)}_1 + A^{(\ell)}_{d+1}$.
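Items (2) and (3) of the corollary, as an added example that is not part of the presentation. The sample input (21, 29, 19, 23) is the sum of the first and last rows of A^(5) in the Version 1 example on the earlier slides, and the function and constant names are assumptions.

```python
# Added example: rows 1 and d+1 of every A^(k), computed from the bits of
# alpha_i = A^(ell)_{1,i} + A^(ell)_{d+1,i} alone, with no matrix arithmetic.

def first_last_rows(alpha, ell):
    """Return {k: (A^(k)_1, A^(k)_{d+1})} for k = 1..ell.

    Each alpha_i must be odd and fit in ell bits, so that it reads
    (b_1 b_2 ... b_{ell-1} 1)_2 with b_1 the most significant bit.
    """
    for a in alpha:
        if a % 2 == 0 or not 0 < a < 2 ** ell:
            raise ValueError("each alpha_i must be odd and fit in ell bits")
    rows = {}
    for k in range(1, ell + 1):
        first, last = [], []
        for a in alpha:
            prefix = a >> (ell - k + 1)     # (b_1 ... b_{k-1})_2, 0 when k = 1
            b_prev = prefix & 1             # b_{k-1}, and b_0 := 0 when k = 1
            first.append(prefix + b_prev)           # item (2)
            last.append(prefix + 1 - b_prev)        # item (3)
        rows[k] = (first, last)
    return rows


def item1_holds(alpha, ell):
    """Item (1): first + last row of A^(k) equals (b_1 ... b_{k-1} 1)_2."""
    rows = first_last_rows(alpha, ell)
    return all(f + l == ((a >> (ell - k + 1)) << 1) | 1
               for k, (first, last) in rows.items()
               for a, f, l in zip(alpha, first, last))


# Sum of rows 1 and 5 of A^(5) in the slides' example 10P1+14P2+9P3+11P4.
ALPHA = [21, 29, 19, 23]
ELL = 5

if __name__ == "__main__":
    for k, (first, last) in sorted(first_last_rows(ALPHA, ELL).items()):
        print(k, first, last)
```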

SLIDE 42

Solution to Problem (2)

For Problem (2), the bitstring r is determined using the following corollary:

Corollary

Let $A$ be an extension matrix of $B$. Let $A_1 = \begin{bmatrix} 2\alpha_1 & \cdots & 2\alpha_d \end{bmatrix}$ and let $\sigma_A$ be the column sequence for $A$. Then

$$r = (\alpha_{\sigma_A(2)} \bmod 2) \| \cdots \| (\alpha_{\sigma_A(d+1)} \bmod 2)$$

is the binary string giving the addition sequence for $A$ corresponding to $B$, where $\|$ denotes concatenation of bits.
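The extension-matrix definition from the Definitions slides and this corollary, run on the presentation's own worked matrices, as an added example rather than the authors' code. The function names are assumptions, and the matrices are transcribed from the Version 1 and Version 2 examples.

```python
# Added example, not the authors' code: extension matrices (per the slides'
# definition) and recovery of the bit string r from the extended matrix.

def is_state_matrix(A):
    """Row i (1-based) has i-1 odd entries; consecutive rows differ by one +-1."""
    if len(A) != len(A[0]) + 1:
        return False
    if any(sum(v % 2 for v in row) != i for i, row in enumerate(A)):
        return False
    return all(sorted(abs(c - p) for p, c in zip(prev, cur))
               == [0] * (len(cur) - 1) + [1]
               for prev, cur in zip(A, A[1:]))

def column_sequence(A):
    """[sigma(2), ..., sigma(d+1)]: 1-based column where A_i - A_{i-1} != 0."""
    return [next(j + 1 for j, (p, c) in enumerate(zip(prev, cur)) if p != c)
            for prev, cur in zip(A, A[1:])]

def extension_matrix(B, r):
    """A_k = B_{x_k} + B_{y_k}, with x_1 = y_1 = h + 1 and h = weight of r."""
    x = y = sum(r) + 1
    pairs = [(x, y)]
    for bit in r:
        x, y = (x - 1, y) if bit else (x, y + 1)
        pairs.append((x, y))
    return [[u + v for u, v in zip(B[i - 1], B[j - 1])] for i, j in pairs]

def recover_r(A):
    """Corollary for Problem (2): with A_1 = [2*alpha_1 ... 2*alpha_d],
    r = (alpha_{sigma_A(2)} mod 2, ..., alpha_{sigma_A(d+1)} mod 2)."""
    alpha = [v // 2 for v in A[0]]
    return [alpha[s - 1] % 2 for s in column_sequence(A)]

# Version 2 example from the slides: 0/1 base matrix and the two bit strings.
B = [[0, 0, 0, 0], [0, 1, 0, 0], [0, 1, 0, 1], [1, 1, 0, 1], [1, 1, 1, 1]]
R1, R2 = [0, 1, 1, 0], [1, 1, 0, 1]

# Version 1 example from the slides: A^(4) and A^(5) for 10P1+14P2+9P3+11P4.
V1_A4 = [[6, 8, 4, 6], [5, 8, 4, 6], [5, 7, 4, 6], [5, 7, 5, 6], [5, 7, 5, 5]]
V1_A5 = [[10, 14, 10, 12], [10, 14, 10, 11], [10, 14, 9, 11],
         [10, 15, 9, 11], [11, 15, 9, 11]]

def run_examples():
    A2 = extension_matrix(B, R1)
    A3 = extension_matrix(A2, R2)
    assert all(map(is_state_matrix, (B, A2, A3, V1_A4, V1_A5)))
    # The strings chosen at random in Version 2 are read back off the
    # extended matrices, and the same rule encodes a Version 1 step.
    assert recover_r(A2) == R1 and recover_r(A3) == R2
    assert extension_matrix(V1_A4, recover_r(V1_A5)) == V1_A5
    return A2, A3, recover_r(V1_A5)

if __name__ == "__main__":
    for M in run_examples()[:2]:
        print(M)
```

Recovering the column sequence of the previous matrix additionally needs the auxiliary function Ψ, which the slides do not define, so the example stops at r.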

SLIDE 43

Solution to Problem (2)

For Problem (2), the column sequence σB is determined by:

Lemma

Let $A$ be an extension matrix of $B$. Let $\sigma_A$ and $\sigma_B$ be the column sequences for $A$ and $B$, respectively, and let $A_1 = \begin{bmatrix} 2\alpha_1 & \cdots & 2\alpha_d \end{bmatrix}$. Then

$$\sigma_B = \Psi\big(\sigma_A,\ (\alpha_{\sigma_A(2)} \bmod 2, \dots, \alpha_{\sigma_A(d+1)} \bmod 2)\big).$$

Here, $\Psi$ is a simple auxiliary function which can be computed with a short algorithm.

With these problems solved, we use them to formulate a new recoding algorithm for d-MUL. We get the following main result of the paper.

SLIDE 44

New Encoding Algorithm for d-MUL

Theorem

Suppose the following are given:

• $(\alpha_1, \alpha_2, \dots, \alpha_d)$, where each $\alpha_i$ is an odd positive integer with $\ell$ bits or less
• $\sigma_\ell : \{2, 3, \dots, d + 1\} \to \{1, 2, \dots, d\}$ a bijection.

From this information, let $\alpha_i = (b^{(i)}_1 b^{(i)}_2 \cdots b^{(i)}_{\ell-1} 1)_2$ and:

1. Let $A^{(\ell)}$ be the state matrix having

i) $A^{(\ell)}_{1,i} = (b^{(i)}_1 b^{(i)}_2 \cdots b^{(i)}_{\ell-1})_2 + b^{(i)}_{\ell-1}$,

ii) $A^{(\ell)}_{d+1,i} = (b^{(i)}_1 b^{(i)}_2 \cdots b^{(i)}_{\ell-1})_2 + 1 - b^{(i)}_{\ell-1}$,

iii) column sequence $\sigma_\ell$.

Let $\{A^{(i)}\}_{i=1}^{\ell}$ be the unique sequence of state matrices such that every row from $A^{(i)}$ is the sum of two rows from $A^{(i-1)}$ for $1 < i \leq \ell$, and let $\sigma_i$ be the column sequence for $A^{(i)}$.

SLIDE 45

New Encoding Algorithm for d-MUL

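Theorem (Cont.)

2. Define a recursive sequence by $\hat\sigma_\ell = \sigma_\ell$ and

$$\hat\sigma_k = \Psi\Big(\hat\sigma_{k+1},\ \big( (b^{(\hat\sigma_{k+1}(2))}_{k-1} \oplus b^{(\hat\sigma_{k+1}(2))}_{k}),\ \dots,\ (b^{(\hat\sigma_{k+1}(d+1))}_{k-1} \oplus b^{(\hat\sigma_{k+1}(d+1))}_{k}) \big)\Big)$$

for $1 \leq k < \ell$, where $b^{(i)}_0 := 0$ and "$\oplus$" denotes XOR. Let

$$r^{(k)} = (b^{(\hat\sigma_{k+1}(2))}_{k-1} \oplus b^{(\hat\sigma_{k+1}(2))}_{k}) \| \cdots \| (b^{(\hat\sigma_{k+1}(d+1))}_{k-1} \oplus b^{(\hat\sigma_{k+1}(d+1))}_{k})$$

for $1 \leq k < \ell$, where $\|$ denotes concatenation. Then $\sigma_k = \hat\sigma_k$ for $1 \leq k \leq \ell$ and $\{A^{(i)}\}_{i=1}^{\ell}$ is the extension sequence corresponding to $r = r^{(1)} \| r^{(2)} \| \cdots \| r^{(\ell-1)}$ with an initial matrix having entries in $\{0, 1\}$ and column sequence $\hat\sigma_1$.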

SLIDE 46

New Encoding Algorithm for d-MUL

Significance of the theorem:

• d-MUL Version 1 uses the method of item (1) in the theorem, explicitly constructing the sequence of matrices.
• Instead, we may run d-MUL with item (2) of the theorem, using only XOR of consecutive bits and the simple algorithm to evaluate Ψ.

◮ Algorithm 4 uses item (2) to perform d-MUL.

• Significantly reduced storage and computational cost in the recoding stage; cost of group arithmetic phase remains the same.
• When taking d = 1 this new encoding of d-MUL reduces to an equivalent version of the Montgomery Chain, except that the even integer is placed in row 1 at every step.

SLIDE 47

Conclusions

Conclusions:

• New encoding algorithm for d-MUL was derived, combining the best aspects of d-MUL Version 1 and Version 2.
• Given this encoding, d-MUL Version 1 seems to be obsolete. No longer any use for it?
• If a randomized output is desired, d-MUL Version 2 may still be preferable over the new encoding.

SLIDE 48

Conclusions

Future directions:

• Understanding of d-MUL algorithm seems to be mostly complete.
• Any way to make the recoding nonrecursive?
• How does choice of initial $\sigma_\ell$ impact the resulting addition chain? Can one choice result in "nicer" properties than another?
• Software/hardware implementation would be very interesting to see.

SLIDE 49

Thank You!

SLIDE 50

References I

[1] H. Hisil, A. Hutchinson, and K. Karabina. d-MUL: Optimizing and Implementing a Multidimensional Scalar Multiplication Algorithm over Elliptic Curves. 8th International Conference on Security, Privacy, and Applied Cryptography Engineering - SPACE 2018, Lecture Notes in Computer Science, 11348:198–217, 2018.

[2] A. Hutchinson and K. Karabina. Constructing Multidimensional Differential Addition Chains and Their Applications. Journal of Cryptographic Engineering, 9(1):1–19, 2019.
