deterministic generation of elliptic curves a k a nums
play

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" - PowerPoint PPT Presentation

Oct 09, 2022 •180 likes •306 views

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

  1. Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves)

  2. Motivation • Reduced customer confidence in NIST-standardized curves (FIPS 186-3) • Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE) • We need new curves that have independently- verifiable provenance and also perform better for the standard ECC algorithms and protocols

  3. Our Requirements (1 of 2) • New curves must support standard security levels • 128-bit and 256-bit mandatory, 192-bit desired • New curves generated deterministically from the security level • Rigid parameter generation for primes and curve constants • New curves must work with the existing ECC protocol infrastructure • Must support standard ECDHE and ECDSA algorithms • Must work with TLS 1.2, X.509v3/PKIX, CMS (both for S/MIME and code signing)

  4. Our Requirements (2 of 2) • New curves must have good performance for both key agreement and digital signatures • New curves must support standard EC point representations • Retain existing (x,y) coordinate encoding formats • New curves must support standard group and field order bit length • Recommend alignment at CPU register boundary: 64-bit length alignment

  5. Our EC Research • Comprehensive analysis • Curve forms and their arithmetic • Prime forms • Performance in protocols • Constant-time and exception-free implementation • Full paper at http://eprint.iacr.org/2014/130 • Open source implementation • http://research.microsoft.com/en-us/projects/nums/default.aspx

  6. Findings -- Curve Form Pros & Cons Curve Family Pros Cons Prime order Slower than T-Edwards • • Weierstrass Widely deployed in existing Harder constant-time • • infrastructure implementation Easier constant-time Slower ECDHE than T-Edwards • • Montgomery implementation Can’t be used with ECDSA • x-coordinate only Not prime order • • Fastest overall performance Twisted • Not prime order • Easier constant-time • Edwards implementation Twisted Edwards represents the best overall option

  7. NUMS Curves -- "Nothing Up My Sleeves" • NUMS parameter generation algorithm: Start with security level s (e.g. s = 128) 1. Find smallest c>0 such that p = 2 2s - c is prime and p  3 mod 4 2. Given this p 3. • For Weierstrass, find smallest |b| such that #E(GF(p)) and #E'(GF(p)) are prime, choose  b based on smaller group order • For T-Edwards, find smallest d>0 such that #E(GF(p))=4q and #E'(GF(p))= 4q' where q, q' prime, q < q' • For standard security levels, resulting primes and curves are: Weierstrass (b) T-Edwards (d) Security Level Prime (p) E: y 2 =x 3 -3x+b E: -x 2 +y 2 =1+dx 2 y 2 128 2 256 -189 152961 15342 192 2 384 -317 -34568 333194 256 2 512 -569 121243 637608

  8. NUMS Benchmarks: Scalar Multiplication Scalar Multiplication (in 10 3 cycles) Security Level Prime (p) Weierstrass T-Edwards Fixed base Variable base Fixed base Variable base 128 2 256 -189 107 270 82 216 192 2 384 -317 252 714 201 588 256 2 512 -569 488 1504 391 1242 Results for scalar multiplication on an Intel Core i7-2600K (Sandy Bridge) processor running Linux (Ubuntu). Compilation tool: GNU GCC.

  9. NUMS Benchmarks: ECDHE ECDHE Cost (in 10 3 cycles) Security Level Prime (p) Weierstrass T-Edwards 128 2 256 -189 379 300 192 2 384 -317 968 791 256 2 512 -569 1993 1638 Results for ECDHE on an Intel Core i7-2600K (Sandy Bridge) processor running Linux (Ubuntu). Compilation tool: GNU GCC. • Gueron-Krasnov (2013): an implementation of the NIST curve P-256, computes ECDHE in 490,000 cycles • ECDHE cost: 1 fixed base cost + 1 variable base cost +  overhead

  10. Recommendations to CFRG • The requirements on Slides 3 & 4 should form the basis for defining new ECC curves for the IETF. • While TLS is the first group to ask for new curves, the CFRG's process and recommendations here will establish precedent for future requests from other WGs. • Our Weierstrass-form curves are suitable "drop-in" replacements for the NIST curves that provide significantly improved performance. • Our twisted Edwards curves provide even greater performance and are compatible with ECDHE, ECDSA, TLS 1.2, PKIX, CMS, ...

  11. Questions? {bal,craigco}@microsoft.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08

Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08

Introduction Problems Outlook and Conclusion Deterministic Hashing to Elliptic and Hyperelliptic Curves Mehdi Tibouchi LORIA, 2010-11-08 Introduction Problems Outlook and Conclusion Outline Introduction Elliptic curves Hashing to

337 views • 30 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
List Processing in SML - 5 :: nums; val it = [5,9,4,7] : int list - nums; val it = [9,4,7] : int

List Processing in SML - 5 :: nums; val it = [5,9,4,7] : int list - nums; val it = [9,4,7] : int

Consing Elements into Lists - val nums = 9 :: 4 :: 7 :: []; val nums = [9,4,7] : int list List Processing in SML - 5 :: nums; val it = [5,9,4,7] : int list - nums; val it = [9,4,7] : int list (* nums is unchanged *) - (1+2) :: (3*4) :: (5-6)

515 views • 5 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
List Processing in SML val it = [5,9,4,7] : int list - nums; val it = [9,4,7] : int list (* nums

List Processing in SML val it = [5,9,4,7] : int list - nums; val it = [9,4,7] : int list (* nums

Consing Elements into Lists - val nums = 9 :: 4 :: 7 :: []; val nums = [9,4,7] : int list - 5 :: nums; List Processing in SML val it = [5,9,4,7] : int list - nums; val it = [9,4,7] : int list (* nums is unchanged *) - (1+2) :: (3*4) :: (5-6)

170 views • 5 slides
List Processing in SML val it = [5,9,4,7] : int list - nums; val it = [9,4,7] : int list (* nums

List Processing in SML val it = [5,9,4,7] : int list - nums; val it = [9,4,7] : int list (* nums

Consing Elements into Lists - val nums = 9 :: 4 :: 7 :: []; val nums = [9,4,7] : int list - 5 :: nums; List Processing in SML val it = [5,9,4,7] : int list - nums; val it = [9,4,7] : int list (* nums is unchanged *) - (1+2) :: (3*4) :: (5-6)

79 views • 4 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic Curves II Reinier Br oker Fields Institute &amp; University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute &amp; University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute &amp; University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

662 views • 41 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides
Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Elliptic curves over F q F. Pappalardi Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j -invariant Research School: Algebraic curves over finite fields Points of finite order

581 views • 29 slides
ReactJS and Drupal 8 Writing content rich JavaScript/REST web apps. DrupalCamp Atlanta Jitesh

ReactJS and Drupal 8 Writing content rich JavaScript/REST web apps. DrupalCamp Atlanta Jitesh

ReactJS and Drupal 8 Writing content rich JavaScript/REST web apps. DrupalCamp Atlanta Jitesh Doshi, SpinSpire @spinspire_com Screencast video and Source code for this presentation. Motivation Drupal is your favorite CMS AJAX apps and

820 views • 13 slides
USER XML XML Announcements 2 Second Test: Wednesday April 23 Project Presentations

USER XML XML Announcements 2 Second Test: Wednesday April 23 Project Presentations

CSC 210 1 USER XML XML Announcements 2 Second Test: Wednesday April 23 Project Presentations Monday, April 28 Wednesday, April 30 CSC 210 Scrum Masters 3 Backslash MICHAEL HOLUPKA C.O.D.E.

496 views • 32 slides
INFORMATION ORGANIZATION LAB INFORMATION ORGANIZATION LAB SEPTEMBER 17, 2012 LAST TIME ON IOLAB

INFORMATION ORGANIZATION LAB INFORMATION ORGANIZATION LAB SEPTEMBER 17, 2012 LAST TIME ON IOLAB

INFORMATION ORGANIZATION LAB SEPTEMBER 17, 2012 INFORMATION ORGANIZATION LAB INFORMATION ORGANIZATION LAB SEPTEMBER 17, 2012 LAST TIME ON IOLAB INFORMATION ORGANIZATION LAB SEPTEMBER 17, 2012 GIT GUI CLIENTS MAC GitX GitT ower

538 views • 24 slides
Web Architecture and Development SWEN-261 Introduction to Software Engineering Department of

Web Architecture and Development SWEN-261 Introduction to Software Engineering Department of

Web Architecture and Development SWEN-261 Introduction to Software Engineering Department of Software Engineering Rochester Institute of Technology HTTP is the protocol of the world-wide-web. The Hypertext Transfer Protocol (HTTP) was

621 views • 28 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript

CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript

CS/COE 1520 pitt.edu/~ach54/cs1520 Advanced JavaScript and ECMAScript ECMAScript and JavaScript ECMAScript is based on JavaScript, and JavaScript is based on ECMAScript ... 2 First of all, what is ECMA? Ecma International

779 views • 55 slides
How to Construct an Ideal Cipher from a Small Set of Public Permutations Rodolphe Lampe and

How to Construct an Ideal Cipher from a Small Set of Public Permutations Rodolphe Lampe and

How to Construct an Ideal Cipher from a Small Set of Public Permutations Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI ASIACRYPT 2013 December 3, 2013 Lampe &amp; Seurin (UVSQ &amp; ANSSI) Ideal Cipher from Public

1.06k views • 92 slides
Partial vs. Total Order a.k.a Polychrony vs. Synchrony Models of Time for Safety Critical Systems

Partial vs. Total Order a.k.a Polychrony vs. Synchrony Models of Time for Safety Critical Systems

Motivation Introduction Concurrency and Multi-Threading Distribution over Asynchronous Network Concluding Remarks Partial vs. Total Order a.k.a Polychrony vs. Synchrony Models of Time for Safety Critical Systems Sandeep K. Shukla FERMAT Lab

548 views • 54 slides
Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

1.2k views • 71 slides

More recommend