curve25519 which public key systems new diffie hellman
play

Curve25519: Which public-key systems new Diffie-Hellman speed - PowerPoint PPT Presentation

Oct 12, 2023 •182 likes •541 views

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D. J. Bernstein Real-world cost measures: Pentium cycles, Athlon cycles, Thanks to: etc. for generating keys, signing, University of Illinois at

  1. Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D. J. Bernstein Real-world cost measures: Pentium cycles, Athlon cycles, Thanks to: etc. for generating keys, signing, University of Illinois at Chicago verifying, encrypting, decrypting; Danmarks Tekniske Universitet key bytes, signed-message bytes, Alfred P. Sloan Foundation ciphertext bytes, etc. More useful than simplified cost measures, although harder to analyze.

  2. Which public-key systems eBATS (ECRYPT Diffie-Hellman speed records are smallest? Fastest? of Asymmetric Systems): new project to measure Real-world cost measures: time and space consumed Pentium cycles, Athlon cycles, public-key signature etc. for generating keys, signing, Illinois at Chicago public-key encryption verifying, encrypting, decrypting; ekniske Universitet public-key secret-sha key bytes, signed-message bytes, Foundation ciphertext bytes, etc. http://ebats.cr.yp.to More useful than simplified cost measures, although harder to analyze.

  3. Which public-key systems eBATS (ECRYPT Benchmarking are smallest? Fastest? of Asymmetric Systems): new project to measure Real-world cost measures: time and space consumed by Pentium cycles, Athlon cycles, public-key signature systems, etc. for generating keys, signing, public-key encryption systems, verifying, encrypting, decrypting; public-key secret-sharing systems. key bytes, signed-message bytes, ciphertext bytes, etc. http://ebats.cr.yp.to More useful than simplified cost measures, although harder to analyze.

  4. ey systems eBATS (ECRYPT Benchmarking This talk’s scope astest? of Asymmetric Systems): Focus on private new project to measure cost measures: ssh, email, purchasing, time and space consumed by cycles, Athlon cycles, Typical setup: public-key signature systems, generating keys, signing, Each communicating public-key encryption systems, encrypting, decrypting; has a long-term secret public-key secret-sharing systems. signed-message bytes, and a long-term public ytes, etc. http://ebats.cr.yp.to Alice authenticates than encrypts messages measures, using Alice’s secret rder to analyze. and Bob’s public Bob verifies and decrypts using Alice’s public and Bob’s secret

  5. eBATS (ECRYPT Benchmarking This talk’s scope of Asymmetric Systems): Focus on private communications: new project to measure ssh, email, purchasing, etc. time and space consumed by Typical setup: public-key signature systems, Each communicating party public-key encryption systems, has a long-term secret key public-key secret-sharing systems. and a long-term public key. http://ebats.cr.yp.to Alice authenticates and encrypts messages to Bob using Alice’s secret key and Bob’s public key. Bob verifies and decrypts using Alice’s public key and Bob’s secret key.

  6. (ECRYPT Benchmarking This talk’s scope This talk’s recommendations Systems): Focus on private communications: The “asymmetric” measure ssh, email, purchasing, etc. Alice, Bob use Curve25519 consumed by compute long-term Typical setup: signature systems, from secret keys, Each communicating party encryption systems, Note: minimal asymmetric has a long-term secret key secret-sharing systems. and a long-term public key. The “symmetric” http://ebats.cr.yp.to Alice, Bob use sha Alice authenticates and as key for Poly1305+Salsa20 encrypts messages to Bob to authenticate+encrypt using Alice’s secret key and Bob’s public key. Curve25519 is the Bob verifies and decrypts if there aren’t many using Alice’s public key This talk focuses and Bob’s secret key.

  7. This talk’s scope This talk’s recommendations Focus on private communications: The “asymmetric” part: ssh, email, purchasing, etc. Alice, Bob use Curve25519 to compute long-term shared secret Typical setup: from secret keys, public keys. Each communicating party Note: minimal asymmetric usage! has a long-term secret key and a long-term public key. The “symmetric” part: Alice, Bob use shared secret Alice authenticates and as key for Poly1305+Salsa20 encrypts messages to Bob to authenticate+encrypt packets. using Alice’s secret key and Bob’s public key. Curve25519 is the bottleneck Bob verifies and decrypts if there aren’t many packets. using Alice’s public key This talk focuses on Curve25519. and Bob’s secret key.

  8. scope This talk’s recommendations Curve25519 secret Curve25519 public rivate communications: The “asymmetric” part: Time to compute purchasing, etc. Alice, Bob use Curve25519 to 957904 Pentium compute long-term shared secret 624786 Athlon cycles from secret keys, public keys. communicating party plus negligible hashing Note: minimal asymmetric usage! secret key No data-dependent public key. The “symmetric” part: No data-dependent Alice, Bob use shared secret authenticates and No known patent as key for Poly1305+Salsa20 messages to Bob Software is in public to authenticate+encrypt packets. secret key http://cr.yp.to/ecdh.html public key. Curve25519 is the bottleneck Best attack known and decrypts if there aren’t many packets. more expensive than public key This talk focuses on Curve25519. 128-bit brute-force secret key.

  9. This talk’s recommendations Curve25519 secret key: 32 bytes. Curve25519 public key: 32 bytes. The “asymmetric” part: Time to compute shared secret: Alice, Bob use Curve25519 to 957904 Pentium 4 cycles or compute long-term shared secret 624786 Athlon cycles or : : : from secret keys, public keys. plus negligible hashing time. Note: minimal asymmetric usage! No data-dependent branches. The “symmetric” part: No data-dependent indexing. Alice, Bob use shared secret No known patent problems. as key for Poly1305+Salsa20 Software is in public domain. to authenticate+encrypt packets. http://cr.yp.to/ecdh.html Curve25519 is the bottleneck Best attack known is if there aren’t many packets. more expensive than typical This talk focuses on Curve25519. 128-bit brute-force search.

  10. recommendations Curve25519 secret key: 32 bytes. Alice’s secret key Curve25519 public key: 32 bytes. integer a ; minor restrictions. “asymmetric” part: Time to compute shared secret: Curve25519 to Alice’s public key 957904 Pentium 4 cycles or power 9 a in Curve25519 long-term shared secret 624786 Athlon cycles or : : : eys, public keys. If Bob’s secret key plus negligible hashing time. asymmetric usage! Curve25519 uses No data-dependent branches. “symmetric” part: as f Alice ; Bob g ’s No data-dependent indexing. shared secret Bob computes sha No known patent problems. oly1305+Salsa20 with just one exp Software is in public domain. authenticate+encrypt packets. and one short hash. http://cr.yp.to/ecdh.html the bottleneck Best attack known is many packets. more expensive than typical cuses on Curve25519. 128-bit brute-force search.

  11. Curve25519 secret key: 32 bytes. Alice’s secret key is Curve25519 public key: 32 bytes. integer a ; minor restrictions. Time to compute shared secret: Alice’s public key is 957904 Pentium 4 cycles or power 9 a in Curve25519 group. 624786 Athlon cycles or : : : If Bob’s secret key is b : plus negligible hashing time. Curve25519 uses hash of 9 ab No data-dependent branches. as f Alice ; Bob g ’s shared secret. No data-dependent indexing. Bob computes shared secret No known patent problems. with just one exponentiation Software is in public domain. and one short hash. http://cr.yp.to/ecdh.html Best attack known is more expensive than typical 128-bit brute-force search.

  12. secret key: 32 bytes. Alice’s secret key is Exponentiation metho public key: 32 bytes. integer a ; minor restrictions. in the previous literature compute shared secret: take more than twice Alice’s public key is entium 4 cycles or at the Curve25519 power 9 a in Curve25519 group. cycles or : : : (Other secret-sha If Bob’s secret key is b : hashing time. even slower.) Curve25519 uses hash of 9 ab endent branches. Many interacting as f Alice ; Bob g ’s shared secret. endent indexing. in design and implementation. Bob computes shared secret patent problems. Hard to find optimal with just one exponentiation public domain. Remainder of this and one short hash. http://cr.yp.to/ecdh.html some of the choices known is in designing and than typical Curve25519. rute-force search.

  13. Alice’s secret key is Exponentiation methods integer a ; minor restrictions. in the previous literature take more than twice as long Alice’s public key is at the Curve25519 security level. power 9 a in Curve25519 group. (Other secret-sharing methods: If Bob’s secret key is b : even slower.) Curve25519 uses hash of 9 ab Many interacting parameters as f Alice ; Bob g ’s shared secret. in design and implementation. Bob computes shared secret Hard to find optimal parameters. with just one exponentiation Remainder of this talk discusses and one short hash. some of the choices made in designing and implementing Curve25519.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

810 views • 42 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

256 views • 22 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption: with

445 views • 17 slides
The first 10 years of Curve25519 Abstract: This paper explains the design and implementation

The first 10 years of Curve25519 Abstract: This paper explains the design and implementation

1 2 The first 10 years of Curve25519 Abstract: This paper explains the design and implementation Daniel J. Bernstein of a high-security elliptic-curve- University of Illinois at Chicago & Diffie-Hellman function Technische

2.07k views • 192 slides
Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a number of perspectives Today: authenticating users, services Agreeing on Secret Keys Without Prior Arrangement Diffie-Hellman Key Exchange

1.07k views • 73 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

CSS441 Public Key Crypto Principles RSA Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

461 views • 29 slides
Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based on joint work: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry,

879 views • 63 slides
High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic question about the Diffie-Hellman system: How quickly can we compute n th powers mod p ? Modular exponentiation. p ; Assume standard prime p =

684 views • 45 slides
Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message

243 views • 20 slides
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key PKE scheme Encryption (a.k.a. private-key encryption) a.k.a. asymmetric-key encryption PKE SKE: Syntax Syntax KeyGen outputs KeyGen

366 views • 13 slides
Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over

Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over

Multilinear Maps and Their Applications Mark Zhandry Stanford University Diffie-Hellman Key Exchange Exchange keys over a public channel: Public group , generator , order (Potential) Hard Problems in Groups Discrete Log (DL):

621 views • 60 slides
Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock

Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock

Cryptography : how to talk in a secret language in public You broke ! my heart Agreeing on a secret language : Diffie-Hellman Bobs secret language Alices public lock box Only Alice Bob slams knows the the door combination

81 views • 7 slides
Public Key Infrastructure Chester Rebeiro IIT Madras Recollect Diffie-Hellman Key Exchange

Public Key Infrastructure Chester Rebeiro IIT Madras Recollect Diffie-Hellman Key Exchange

Public Key Infrastructure Chester Rebeiro IIT Madras Recollect Diffie-Hellman Key Exchange Key Establishment : Alice and Bob want to use a block cipher for encryption. How do they agree upon the secret key Alice and Bob agree upon a

972 views • 56 slides
Outline Public key crypto Computer Security: Public Key Crypto RSA Essentials Bart Jacobs

Outline Public key crypto Computer Security: Public Key Crypto RSA Essentials Bart Jacobs

Public key crypto Public key crypto RSA Essentials RSA Essentials Public key protocols Radboud University Nijmegen Public key protocols Radboud University Nijmegen Diffie-Hellman and El Gamal Diffie-Hellman and El Gamal Outline Public key

328 views • 10 slides
1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

Symmetric cryptography Both parties must agree on a secret key, K message is encrypted, sent, decrypted at other side E K (P) D K (C) Secure Communication Bob Alice Key distribution must be secret otherwise messages can be

553 views • 10 slides
Part I: RELIC Diego F. Aranha Efficient Binary Field Arithmetic Numbers RELIC is an Efficient

Part I: RELIC Diego F. Aranha Efficient Binary Field Arithmetic Numbers RELIC is an Efficient

Efficient Binary Field Arithmetic and Applications to Curve-based Cryptography Diego F. Aranha Department of Computer Science University of Bras lia CHES 2012 Tutorial Diego F. Aranha Efficient Binary Field Arithmetic Part I: RELIC

738 views • 48 slides
Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello

Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello

Introduction Motivation Miller 2 n -tupling Results Related Work Avoiding Full Extension Field Arithmetic in Pairing Computations Craig Costello craig.costello@qut.edu.au Queensland University of Technology AfricaCrypt 2010 Joint work with

556 views • 26 slides
Fields and model-theoretic classification, 2 Artem Chernikov UCLA Model Theory conference

Fields and model-theoretic classification, 2 Artem Chernikov UCLA Model Theory conference

Fields and model-theoretic classification, 2 Artem Chernikov UCLA Model Theory conference Stellenbosch, South Africa, Jan 11 2017 NIP Definition Let T be a complete first-order theory in a language L . 1. A (partitioned) formula ( x , y )

562 views • 25 slides
Normal Field Extensions Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University,

Normal Field Extensions Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University,

Characterizing Splitting Fields Normal Extensions Size of the Galois Group Normal Field Extensions Bernd Schr oder logo1 Bernd Schr oder Louisiana Tech University, College of Engineering and Science Normal Field Extensions

1.69k views • 131 slides
tr trssrs

tr trssrs

tr trssrs rs rst s r t

699 views • 21 slides
Construction of the Lindstr om valuation of an algebraic matroid Dustin Cartwright University

Construction of the Lindstr om valuation of an algebraic matroid Dustin Cartwright University

Construction of the Lindstr om valuation of an algebraic matroid Dustin Cartwright University of Tennessee, Knoxville August 3, 2017 Dustin Cartwright Construction of Lindstr om valuation Algebraic matroids Given K L = K ( x 1 , . .

468 views • 11 slides
Hardy Fields, Transseries, and Surreal Numbers Lou van den Dries University of Illinois at

Hardy Fields, Transseries, and Surreal Numbers Lou van den Dries University of Illinois at

Hardy Fields, Transseries, and Surreal Numbers Lou van den Dries University of Illinois at Urbana-Champaign PAULO RIBENBOIM DAY at IHP, March 20, 2018 PAULO RIBENBOIM DAY at IHP, March 20, 2018 1 Lou van den Dries Hardy Fields, Transseries,

517 views • 30 slides
An Efficient Implementation for Computing Gr obner bases over algebraic number fields

An Efficient Implementation for Computing Gr obner bases over algebraic number fields

An Efficient Implementation for Computing Gr obner bases over algebraic number fields Masayuki Noro Kobe University An Efficient Implementation for Computing Gr obner bases over algebraic number fields p. 1 Multiple algebraic

447 views • 25 slides

More recommend