curve25519 curve41417 e 521 curve25519 d j bernstein
play

Curve25519, Curve41417, E-521 Curve25519 D. J. Bernstein - PowerPoint PPT Presentation

Dec 30, 2023 •554 likes •1.24k views

1 2 Curve25519, Curve41417, E-521 Curve25519 D. J. Bernstein Introduced in ECC 2005 talk University of Illinois at Chicago & and PKC 2006 paper New Technische Universiteit Eindhoven DiffieHellman speed records. Main features

  1. 1 2 Curve25519, Curve41417, E-521 Curve25519 D. J. Bernstein Introduced in ECC 2005 talk University of Illinois at Chicago & and PKC 2006 paper “New Technische Universiteit Eindhoven Diffie–Hellman speed records.” Main features listed in paper: Curve25519 mod ♣ = 2 255 � 19: “extremely high speed”; ② 2 = ① 3 + 486662 ① 2 + ① . “no time variability”; 32-byte secret keys; Equivalent to Edwards curve 32-byte public keys; ① 2 + ② 2 = 1 + (1 � 1 ❂ 121666) ① 2 ② 2 . “free key validation”; Curve41417 mod 2 414 � 17: “short code”. ① 2 + ② 2 = 1 + 3617 ① 2 ② 2 . The big picture: E-521 mod 2 521 � 1: Minimize tensions between ① 2 + ② 2 = 1 � 376014 ① 2 ② 2 . speed, simplicity, security.

  2. 1 2 Curve25519, Curve41417, E-521 Curve25519 Tension: Bernstein Introduced in ECC 2005 talk How will University of Illinois at Chicago & and PKC 2006 paper “New compute ❛❂❜ ♣ echnische Universiteit Eindhoven Diffie–Hellman speed records.” Many bo Main features listed in paper: Passes interop Curve25519 mod ♣ = 2 255 � 19: “extremely high speed”; But variable ① 3 + 486662 ① 2 + ① . ② “no time variability”; presumably 32-byte secret keys; Equivalent to Edwards curve 32-byte public keys; ② 2 = 1 + (1 � 1 ❂ 121666) ① 2 ② 2 . ① “free key validation”; Curve41417 mod 2 414 � 17: “short code”. ② 2 = 1 + 3617 ① 2 ② 2 . ① The big picture: mod 2 521 � 1: Minimize tensions between ② 2 = 1 � 376014 ① 2 ② 2 . ① speed, simplicity, security.

  3. 1 2 Curve41417, E-521 Curve25519 Tension: a neutral Introduced in ECC 2005 talk How will implemento Illinois at Chicago & and PKC 2006 paper “New compute ❛❂❜ mod ♣ Universiteit Eindhoven Diffie–Hellman speed records.” Many books recommend Main features listed in paper: Passes interoperabilit ♣ = 2 255 � 19: “extremely high speed”; But variable time 486662 ① 2 + ① . ② ① “no time variability”; presumably a securit 32-byte secret keys; Edwards curve 32-byte public keys; (1 � 1 ❂ 121666) ① 2 ② 2 . ① ② “free key validation”; 2 414 � 17: “short code”. 3617 ① 2 ② 2 . ① ② The big picture: � 1: Minimize tensions between � 376014 ① 2 ② 2 . ① ② speed, simplicity, security.

  4. 1 2 E-521 Curve25519 Tension: a neutral example Introduced in ECC 2005 talk How will implementors Chicago & and PKC 2006 paper “New compute ❛❂❜ mod ♣ ? Eindhoven Diffie–Hellman speed records.” Many books recommend Euclid. Main features listed in paper: Passes interoperability tests. ♣ � 19: “extremely high speed”; But variable time , ② ① ① ① “no time variability”; presumably a security problem. 32-byte secret keys; curve 32-byte public keys; � ❂ 121666) ① 2 ② 2 . ① ② “free key validation”; � 17: “short code”. ① ② ① ② The big picture: � Minimize tensions between ① ② ① ② . � speed, simplicity, security.

  5. 2 3 Curve25519 Tension: a neutral example Introduced in ECC 2005 talk How will implementors and PKC 2006 paper “New compute ❛❂❜ mod ♣ ? Diffie–Hellman speed records.” Many books recommend Euclid. Main features listed in paper: Passes interoperability tests. “extremely high speed”; But variable time , “no time variability”; presumably a security problem. 32-byte secret keys; 32-byte public keys; “free key validation”; “short code”. The big picture: Minimize tensions between speed, simplicity, security.

  6. 2 3 Curve25519 Tension: a neutral example Introduced in ECC 2005 talk How will implementors and PKC 2006 paper “New compute ❛❂❜ mod ♣ ? Diffie–Hellman speed records.” Many books recommend Euclid. Main features listed in paper: Passes interoperability tests. “extremely high speed”; But variable time , “no time variability”; presumably a security problem. 32-byte secret keys; Defense 1: Encourage 32-byte public keys; implementors to use ❛❜ ♣ � 2 . “free key validation”; Simpler than Euclid, fast enough. “short code”. The big picture: Minimize tensions between speed, simplicity, security.

  7. 2 3 Curve25519 Tension: a neutral example Introduced in ECC 2005 talk How will implementors and PKC 2006 paper “New compute ❛❂❜ mod ♣ ? Diffie–Hellman speed records.” Many books recommend Euclid. Main features listed in paper: Passes interoperability tests. “extremely high speed”; But variable time , “no time variability”; presumably a security problem. 32-byte secret keys; Defense 1: Encourage 32-byte public keys; implementors to use ❛❜ ♣ � 2 . “free key validation”; Simpler than Euclid, fast enough. “short code”. But maybe implementor finds it The big picture: simplest to use a Euclid library, Minimize tensions between and wants the Euclid speed. speed, simplicity, security.

  8. 2 3 Curve25519 Tension: a neutral example Defense implemento duced in ECC 2005 talk How will implementors verify constant-time PKC 2006 paper “New compute ❛❂❜ mod ♣ ? e.g. 2010 Diffie–Hellman speed records.” Many books recommend Euclid. Almeida–Ba features listed in paper: Passes interoperability tests. “extremely high speed”; But variable time , time variability”; presumably a security problem. yte secret keys; Defense 1: Encourage yte public keys; implementors to use ❛❜ ♣ � 2 . ey validation”; Simpler than Euclid, fast enough. code”. But maybe implementor finds it big picture: simplest to use a Euclid library, Minimize tensions between and wants the Euclid speed. eed, simplicity, security.

  9. 2 3 Tension: a neutral example Defense 2: Encourage implementors to use ECC 2005 talk How will implementors verify constant-time paper “New compute ❛❂❜ mod ♣ ? e.g. 2010 Langley speed records.” Many books recommend Euclid. Almeida–Barbosa–Pinto–Vieira. listed in paper: Passes interoperability tests. speed”; But variable time , riability”; presumably a security problem. eys; Defense 1: Encourage eys; implementors to use ❛❜ ♣ � 2 . validation”; Simpler than Euclid, fast enough. But maybe implementor finds it simplest to use a Euclid library, tensions between and wants the Euclid speed. simplicity, security.

  10. 2 3 Tension: a neutral example Defense 2: Encourage implementors to use tools to talk How will implementors verify constant-time behavio “New compute ❛❂❜ mod ♣ ? e.g. 2010 Langley “ctgrind”; rds.” Many books recommend Euclid. Almeida–Barbosa–Pinto–Vieira. er: Passes interoperability tests. But variable time , presumably a security problem. Defense 1: Encourage implementors to use ❛❜ ♣ � 2 . Simpler than Euclid, fast enough. But maybe implementor finds it simplest to use a Euclid library, een and wants the Euclid speed. security.

  11. 3 4 Tension: a neutral example Defense 2: Encourage implementors to use tools to How will implementors verify constant-time behavior. compute ❛❂❜ mod ♣ ? e.g. 2010 Langley “ctgrind”; 2013 Many books recommend Euclid. Almeida–Barbosa–Pinto–Vieira. Passes interoperability tests. But variable time , presumably a security problem. Defense 1: Encourage implementors to use ❛❜ ♣ � 2 . Simpler than Euclid, fast enough. But maybe implementor finds it simplest to use a Euclid library, and wants the Euclid speed.

  12. 3 4 Tension: a neutral example Defense 2: Encourage implementors to use tools to How will implementors verify constant-time behavior. compute ❛❂❜ mod ♣ ? e.g. 2010 Langley “ctgrind”; 2013 Many books recommend Euclid. Almeida–Barbosa–Pinto–Vieira. Passes interoperability tests. Defense 3: Encourage But variable time , implementors to use fractions presumably a security problem. (e.g., “projective coordinates”). Defense 1: Encourage Then Euclid speedup is negligible. implementors to use ❛❜ ♣ � 2 . Simpler than Euclid, fast enough. But maybe implementor finds it simplest to use a Euclid library, and wants the Euclid speed.

  13. 3 4 Tension: a neutral example Defense 2: Encourage implementors to use tools to How will implementors verify constant-time behavior. compute ❛❂❜ mod ♣ ? e.g. 2010 Langley “ctgrind”; 2013 Many books recommend Euclid. Almeida–Barbosa–Pinto–Vieira. Passes interoperability tests. Defense 3: Encourage But variable time , implementors to use fractions presumably a security problem. (e.g., “projective coordinates”). Defense 1: Encourage Then Euclid speedup is negligible. implementors to use ❛❜ ♣ � 2 . Defense 4: Choose curves that Simpler than Euclid, fast enough. naturally avoid all divisions. But maybe implementor finds it simplest to use a Euclid library, and wants the Euclid speed.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The first 10 years of Curve25519 Abstract: This paper explains the design and implementation

The first 10 years of Curve25519 Abstract: This paper explains the design and implementation

1 2 The first 10 years of Curve25519 Abstract: This paper explains the design and implementation Daniel J. Bernstein of a high-security elliptic-curve- University of Illinois at Chicago & Diffie-Hellman function Technische

2.07k views • 192 slides
The first 10 years of Curve25519 Daniel J. Bernstein University of Illinois at Chicago &

The first 10 years of Curve25519 Daniel J. Bernstein University of Illinois at Chicago &

1 The first 10 years of Curve25519 Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 2005.05.19: Seminar talk; design+software close to done. 2005.09.15: Software online. 2005.09.20: Invited talk

869 views • 73 slides
Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D. J. Bernstein Real-world cost measures: Pentium cycles, Athlon cycles, Thanks to: etc. for generating keys, signing, University of Illinois at

541 views • 35 slides
Curve25519: Proving datatypes with a rooster Beno t Viguier MSc ( x y. x@y.nl ) benoit

Curve25519: Proving datatypes with a rooster Beno t Viguier MSc ( x y. x@y.nl ) benoit

Curve25519: Proving datatypes with a rooster Beno t Viguier MSc ( x y. x@y.nl ) benoit viguier https://www.viguier.nl DS Lunch talk 9th December 2016 Institute for Computing and Information Sciences Digital Security Radboud

761 views • 29 slides
Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011

Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011

1 2 Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011 BernsteinDuifLange SchwabeYang: e.g. 2015 Chou software: Ed25519 signature scheme = on Intel Sandy Bridge (2011), EdDSA using conservative

2.15k views • 125 slides
Verification of TweetNaCls Curve25519 Peter Schwabe, Beno t Viguier , Timmy Weerwag, Freek

Verification of TweetNaCls Curve25519 Peter Schwabe, Beno t Viguier , Timmy Weerwag, Freek

Verification of TweetNaCls Curve25519 Peter Schwabe, Beno t Viguier , Timmy Weerwag, Freek Wiedijk Journ ee GT M ethodes Formelles pour la S ecurit e March 18 th , 2019 Institute for Computing and Information Sciences

621 views • 47 slides
Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha ..

Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha ..

Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha .. 0.2.4.9-alpha New stronger/faster ECC-based link encryption New stronger/faster ECC-based circuit handshake (ntor, curve25519) Support for exiting

237 views • 23 slides
Fast, Safe, Pure-Rust Elliptic Curve Cryptography Isis Lovecruft / Henry de Valence RustConf 2017

Fast, Safe, Pure-Rust Elliptic Curve Cryptography Isis Lovecruft / Henry de Valence RustConf 2017

Fast, Safe, Pure-Rust Elliptic Curve Cryptography Isis Lovecruft / Henry de Valence RustConf 2017 Overview What is curve25519-dalek ? Implementing low-level arithmetic in Rust Rust features we love, and features we want to improve Implementing

806 views • 28 slides
Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein,

Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein,

1 Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein, Henry de Valence, Tanja Lange, Christine van Vredendaal. Short generators without quantum computers: the case of multiquadratics. Eurocrypt

1.13k views • 97 slides
Why Fuzzy Interpretation of . . . Bernstein Polynomials Fuzzy Interpretation . . . How Can We .

Why Fuzzy Interpretation of . . . Bernstein Polynomials Fuzzy Interpretation . . . How Can We .

Functional . . . Need for Polynomial . . . How to Represent . . . Bernstein . . . Why Fuzzy Interpretation of . . . Bernstein Polynomials Fuzzy Interpretation . . . How Can We . . . Are Better: Fuzzy Analysis (cont-d) Why Bernstein . . .

420 views • 18 slides
The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many contributors libpqcrypto.org Daniel J. Bernstein Context libpqcrypto.org Daniel J. Bernstein Redesigning crypto for security New requirements for

541 views • 51 slides
Jeffrey Bernstein Jeffrey Bernstein Kathy Guilbert Kathy Guilbert CTE schools have changed

Jeffrey Bernstein Jeffrey Bernstein Kathy Guilbert Kathy Guilbert CTE schools have changed

Jeffrey Bernstein Jeffrey Bernstein Kathy Guilbert Kathy Guilbert CTE schools have changed with the times. CTE schools are academically strenuous CTE schools emphasize college CTE schools are for all students Dispelling Myths

532 views • 26 slides
Jonathan and Erik Bernstein Bernstein Crisis Management, Inc Crisis Management Best Practices

Jonathan and Erik Bernstein Bernstein Crisis Management, Inc Crisis Management Best Practices

BEST PRACTICES IN CRISIS MANAGEMENT Jonathan and Erik Bernstein Bernstein Crisis Management, Inc Crisis Management Best Practices Crisis Prevention Organizations must plan for crises or they are, de facto, planning to have a crisis.

417 views • 18 slides
Un solveur de syst` emes non lin eaires bas e sur le polytope de Bernstein Christoph F

Un solveur de syst` emes non lin eaires bas e sur le polytope de Bernstein Christoph F

Nonlinear Systems Solver based on a Bernstein Polytope Chr. F unfzig Un solveur de syst` emes non lin eaires bas e sur le polytope de Bernstein Christoph F unfzig Dominique Michelucci Sebti Foufou LE2I, Universit e de

514 views • 38 slides
Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists

Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists

Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists Daniel J. Bernstein CAESAR timeline planned in 2012 2013.01: Announce tentative schedule. 2014.01: Deadline for first-round submissions.

527 views • 10 slides
Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Crypto horror stories Daniel J. Bernstein Horror story 1 RC4 Crypto horror stories Daniel J. Bernstein RC4 stream cipher:

799 views • 61 slides
4 5 6 CSE 142 vs CSE 143 CSE 142 / AP CS A CSE 143 You learned how to write Return of

4 5 6 CSE 142 vs CSE 143 CSE 142 / AP CS A CSE 143 You learned how to write Return of

4 5 6 CSE 142 vs CSE 143 CSE 142 / AP CS A CSE 143 You learned how to write Return of the objects programs and You learned to solve decompose large more complex tasks problems with: efficiently Print statements Data

705 views • 22 slides
ECEN 5682 Theory and Practice of Error Control Codes Short Introduction Peter Mathys University

ECEN 5682 Theory and Practice of Error Control Codes Short Introduction Peter Mathys University

Introduction ECEN 5682 Theory and Practice of Error Control Codes Short Introduction Peter Mathys University of Colorado Spring 2007 Peter Mathys ECEN 5682 Theory and Practice of Error Control Codes Introduction Symbols, Algebraic

558 views • 7 slides
Work Track 5 meeting 4 April 2018 Agenda 2 3 1 Welcome/Agenda Update from Review of

Work Track 5 meeting 4 April 2018 Agenda 2 3 1 Welcome/Agenda Update from Review of

Work Track 5 meeting 4 April 2018 Agenda 2 3 1 Welcome/Agenda Update from Review of existing review/SOI updates ICANN61 and where defined geographic (5 mins) are we now? terms (65 mins) (15 mins) 4 AOB (5 mins) AOB (5 mins)

469 views • 15 slides
Dimensionality reduction AI F UN DAMEN TALS Nemanja Radojkovic Senior Data Scientist

Dimensionality reduction AI F UN DAMEN TALS Nemanja Radojkovic Senior Data Scientist

Dimensionality reduction AI F UN DAMEN TALS Nemanja Radojkovic Senior Data Scientist Denition "Dimensionality reduction is the process of reducing the number of variables under consideration by obtaining a set of principal

693 views • 33 slides
Skills & Outcomes You should know and be able to apply the following skills with

Skills & Outcomes You should know and be able to apply the following skills with

1.1 1.2 Skills & Outcomes You should know and be able to apply the following skills with confidence Unit 1 Convert an unsigned binary number to and from decimal Integer Representation Understand the finite number of

434 views • 11 slides
Ultimate Capabilities of High Power Proton Cyclotrons: Challenges Future Directions for

Ultimate Capabilities of High Power Proton Cyclotrons: Challenges Future Directions for

Ultimate Capabilities of High Power Proton Cyclotrons: Challenges Future Directions for Accelerator R&D at Fermilab Workshop May 11-13, 2009 - Lake Geneva, Wisconsin Joachim Grillenberger Paul-Scherrer-Institut, CH-Villigen Workshop on the

547 views • 21 slides
LibreOffice on Android Tor Lillqvist <tor.lillqvist@collabora.com> Toma Vajngerl

LibreOffice on Android Tor Lillqvist <tor.lillqvist@collabora.com> Toma Vajngerl

LibreOffice on Android Tor Lillqvist <tor.lillqvist@collabora.com> Toma Vajngerl <tomaz.vajngerl@collabora.com> Thanks Smoose LibreOffjce on Android Based on Fennec Firefox for Android Interfaces with LibreOffjceKit

400 views • 9 slides
Ruby Monstas Session 24 Agenda Recap Layout elements HTML 5 Exercises Recap

Ruby Monstas Session 24 Agenda Recap Layout elements HTML 5 Exercises Recap

Ruby Monstas Session 24 Agenda Recap Layout elements HTML 5 Exercises Recap https://docs.google.com/presentation/d/1rxHrB4wLk7TMMMtIwC9azwNgnYQAFrae620IxjLHygI/edit#slide=id.ge8e058835_0_0 Layout Elements DIV element Text

163 views • 14 slides

More recommend