
Diversity and Transparency for ECC. Jean-Pierre Flori, Jérôme Plût, Jean-René Reinhard, and Martin Ekerå. PowerPoint PPT Presentation



  1. Diversity and Transparency for ECC. Jean-Pierre Flori, Jérôme Plût, Jean-René Reinhard, and Martin Ekerå. ANSSI and NCSA/SW. June 11, 2015. J.-P. Flori (ANSSI) Diversity and Transparency for ECC June 11, 2015 1 / 32

  2. I – Standardization

  3. Standardization – Need for standardization?
     In general, the group of rational points of an elliptic curve behaves as a "generic group": the DLOG problem has exponential complexity, provided that:
     - the curve cardinality includes a large prime factor q. Solution: use curves with (almost) prime cardinality;
     - the DLOG problem cannot be transferred into weaker groups. Solution: avoid weak curves.
     Applying these solutions is computationally expensive: curves cannot be generated on demand.

  4. Standardization – Standardized curves
     Year   Curves      Sizes (bits)
     2000   NIST        192, 224, 256, 384, 521
     2005   Brainpool   160, 192, 224, 256, 320, 384, 512
     2010   OSCCA       256
     2011   ANSSI       256
     Plus a few academic propositions (Curve25519/41417, NUMS, Ed448-Goldilocks, ...).

  5. Standardization – Need for a second round?
     The first curves were standardized in the 2000s, when:
     - it was possible to find curves with prime cardinality (SEA algorithm);
     - weak classes of curves had been identified.
     We think that these curves are still secure... but new concerns have emerged since then:
     - what about the generation process? (is there some hidden secret vulnerability?)
     - what about side-channel attacks?
     - what about scientific progress in related domains (e.g. DLOG in finite fields)?
     It is a good time to standardize new curves.

  6. II – Security

  7. Security – Five classes of criteria
     1. The DLOG problem should be hard.
     2. Implementations should be safe (e.g. resist side-channel attacks).
     3. The curve should exhibit no particularities.
     4. Implementations can be optimized.
     5. (The curve exhibits interesting properties.)
     Tradeoffs: some conditions are incompatible; this is a good reason to standardize different (families of) curves.
     Base field: we only deal with prime base fields, as we think that extension fields introduce more vulnerabilities without valuable properties.

  8. Security – DLOG problem difficulty
     (Here P is the probability that a random curve satisfies a condition, and "free" or "costly" is the cost of checking it.)
     Large prime subgroup: attacks with complexity O(√q) exist, where q is the largest prime factor of N. It is mandatory that q ≈ N (P ≈ 1/log p, costly). At best q = N (no complete addition law!).
     Weak curves: for some curves the DLOG problem can be transferred into a weaker finite field. It is mandatory that:
     - ∆ ≠ 0 (P ≈ 1, free);
     - N ≠ p (P ≈ 1, free);
     - the embedding degree must be large (P ≈ 1, costly).

  9. Security – Safe implementation
     Even though the DLOG problem is hard on the curve, implementations might leak information.
     Example: scalar multiplication using the naive "double-and-add" algorithm. For the secret bits 1 0 0 1 1 the operation sequence is D A | D | D | D A | D A (D = doubling, A = addition): an addition appears exactly where the bit is 1, so the sequence reveals the scalar.

  10. Security – Safe implementation – Classical countermeasures
      Against simple attacks: avoid branching depending on secret elements.
      - "double-and-add always";
      - Montgomery ladder.
      Against differential attacks: avoid using secret elements repeatedly.
      - secret masking;
      - curve masking;
      - point masking.
      This is not enough: information can still leak!
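As an added illustration (not code from the slides), the traces below make the leak of slide 9 and the first countermeasure of slide 10 concrete: the naive double-and-add emits an addition only for 1-bits, so its D/A sequence encodes the secret scalar, while a Montgomery ladder performs the same operation pattern for every bit. The group is a constructed stand-in (integers modulo a prime, written additively), since only the operation sequence matters here.

```python
# Added illustration, not from the slides: operation traces of two scalar
# multiplication algorithms. The "curve" is a constructed stand-in, the
# additive group of integers modulo a prime, so k*P is just k*P mod N.
N = 1009   # constructed toy group order
P = 37     # constructed base point

def naive_double_and_add(k):
    """Left-to-right double-and-add of slide 9: 'A' only when the bit is 1,
    so the D/A trace (visible to a simple power/timing attack) leaks k."""
    acc, trace = 0, []
    for bit in bin(k)[2:]:
        acc = 2 * acc % N          # D: always double
        trace.append("D")
        if bit == "1":             # A: branch on a secret bit -> leak
            acc = (acc + P) % N
            trace.append("A")
    return acc, trace

def montgomery_ladder(k):
    """Montgomery ladder: invariant r1 = r0 + P; every bit costs one add and
    one double whichever value it has, so the trace is independent of k."""
    r0, r1, trace = 0, P, []
    for bit in bin(k)[2:]:
        if bit == "1":
            r0, r1 = (r0 + r1) % N, 2 * r1 % N
        else:
            r1, r0 = (r0 + r1) % N, 2 * r0 % N
        trace += ["A", "D"]
    return r0, trace

def scalar_from_trace(trace):
    """What an observer of the slide-9 trace can do: each 'D' opens a new
    bit, and an 'A' right after it sets that bit to 1."""
    bits = []
    for op in trace:
        if op == "D":
            bits.append("0")
        else:
            bits[-1] = "1"
    return int("".join(bits), 2)
```

The ladder only removes the operation-sequence leak of a simple attack; as slide 10 says, differential attacks still need masking on top of it.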

  11. Security – Safe implementation – Further countermeasures
      Masking inefficiency: avoid base fields with a special prime cardinality (no fast reduction!).
      Exceptional cases: use a curve with a complete addition law (no prime cardinality!).
      Special points: ensure no points with a zero coordinate exist (no complete addition law!).

  12. Security – Safe implementation – Misbehavior resistance
      Subgroup attacks: ensure no small subgroups exist (P = 1 if N is prime; no complete addition law!).
      Twist attacks: use a twist with prime cardinality (P ≈ 1/log p; does not leverage all checks!).

  13. Security – Genericity – Resist attacks to come?
      What if we don't know all classes of weak curves? Avoid producing too "special" curves!
      Verify properties satisfied with P ≈ 1 in the sense of the DLOG problem difficulty. In particular, some numbers attached to the curve should be "large enough". The curve should look generic.

  14. Security – Genericity – Numbers attached to a curve
      Discriminant of the endomorphism ring: in general the discriminant satisfies |D_E| ≈ p; therefore |D_E| ≥ √p with P ≈ 1 − O(1/√p) (no pairings, no fast endomorphism!).
      Class number friability: in general the class number h_E has at least a prime divisor ≥ (log p)^O(1).
      Embedding degree: the embedding degree is ≥ p^(1/4) with P ≥ 1 − 1/√p (no pairings!).

  15. Security – Genericity – Numbers attached to a curve (II)
      Twist cardinality: in general the twist cardinality N_1 has at least a prime divisor ≥ (log p)^O(1).
      DLOG in the base field: the base field cardinality p should be pseudo-random (no fast reduction!); p − 1 has a prime divisor ≥ (log p)^2 with P ≥ 1 − 1/√p.

  16. Security – Genericity – Summary
      Table comparing NIST, Brainpool, ANSSI, OSCCA, NUMS, Curve25519/41417 and Ed448-Goldilocks on the properties: N prime, p ordinary, complete law, twist secure, generic (the cell marks did not survive extraction).

  17. Security – Optimized implementation
      - Curves with N < p points (half of them).
      - Fast computation of square roots (p ≡ 3 (mod 4)).
      - Fast modular reduction (special primes: inefficient masking!).
      - Small coefficients for the curve equation (no genericity!).
      - Specific systems of coordinates (some entail no prime cardinality!).

  18. Security – Diversity – Different criteria for different uses
      The aforementioned criteria are conflicting. In particular, tradeoffs have to be made between genericity and speed... but also between optimization and side-channel security.
      Only the first class of criteria is mandatory to ensure the DLOG problem difficulty. The other classes of criteria mostly affect speed and ease of implementation.
      Use (and standardize) different (families of) curves!

  19. Security – Diversity – Real zoo (pictures: Weierstrass, Edwards)

  20. Security – Diversity – Real zoo (II) (pictures: Jacobi, Hess)

  21. Security – Diversity – Finite field zoo (pictures: Frog, Cockroach)

  22. Security – Diversity – Finite field zoo (II) (pictures: Walrus, Bunny)

  23. III – Transparency

  24. Transparency – Certificates for elliptic curves – Architecture
      Provide curves fulfilling a selection of criteria... together with a certificate for faster verification of:
      - the number of points,
      - the discriminant and class number properties,
      - the embedding degree.
      A deterministic algorithm to sample curves... and producing a certificate:
      - completely reproducible generation process;
      - either pseudo-random (for genericity) or by enumeration of increasing values (for efficiency);
      - certify every step, including rejected curves.

  25. Transparency – Certificates for elliptic curves – Cardinality of curves
      Prime order. Certificate: (G, q, Π) where G ≠ 0 is s.t. q · G = 0 with q ≥ p − 2√p + 1, and Π a primality proof for q. Size and verification in O(log² p); generally only generated once.
      Composite order. Certificate: (P, n, c), where P ≠ 0 is s.t. n · P = 0 with n < 2(√p − 1)², and c a composition witness for n. Size in O(log p); generation and verification in O(log² p). More efficient verification using early-abort SEA information about small torsion points.
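An added example (not from the slides or the authors' implementation) of a verifier for the prime-order certificate (G, q, Π) of slide 25 on a short Weierstrass curve y² = x³ + ax + b over F_p. The primality proof Π is replaced by trial division, which is only viable at the toy sizes used here, and the curve and point in the test are constructed.

```python
from math import isqrt

def ec_add(p, a, P, Q):
    """Affine chord-and-tangent addition on y^2 = x^3 + a x + b over F_p;
    None stands for the point at infinity (the neutral element 0)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                    # P = -Q
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(p, a, k, P):
    """Scalar multiplication by plain double-and-add: acceptable for a
    verifier, whose inputs are all public."""
    R = None
    for bit in bin(k)[2:]:
        R = ec_add(p, a, R, R)
        if bit == "1":
            R = ec_add(p, a, R, P)
    return R

def is_prime(n):
    """Trial division stands in for the primality proof Pi (toy sizes only)."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))

def verify_prime_order(p, a, b, G, q):
    """Accept (G, q) iff G is a nonzero point of E, q*G = 0, q is prime and
    q >= p - 2*sqrt(p) + 1. Then ord(G) = q divides N, and the Hasse bound
    N <= p + 2*sqrt(p) + 1 < 2q (for p > 36) leaves only N = q."""
    x, y = G
    if (y * y - (x**3 + a * x + b)) % p != 0:
        return False                                   # G is not on the curve
    # q >= (sqrt(p) - 1)^2  <=>  p - q - 1 <= 2*sqrt(q), checked without floats
    hasse_low = p - q - 1 <= 0 or (p - q - 1) ** 2 <= 4 * q
    return hasse_low and is_prime(q) and ec_mul(p, a, q, G) is None
```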

  26. Transparency – Generation process – Example
      Sampling function from the seed s:
      - p = smallest prime ≥ s;
      - g = smallest generator of F_p^×;
      - equations of the form y² = x³ − 3x + b, with b = g, g², ....
      Conditions:
      - N and N_1 prime;
      - ∆ ≠ 0; N, N_1 ≠ p, p + 1;
      - embedding degrees of E and E_1 at least p^(1/4);
      - class number ≥ p^(1/4).
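An added example (not the authors' code) running the sampling function of slide 26 at toy size: brute-force point counting via Legendre symbols replaces the SEA algorithm, the twist cardinality is N_1 = 2p + 2 − N, and the class-number condition is left out because checking it needs a real class-number computation; everything else follows the slide.

```python
from math import isqrt

def is_prime(n):
    """Trial division: enough for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))

def smallest_generator(p):
    """Smallest g generating the multiplicative group F_p^x (p an odd prime)."""
    primes = [r for r in range(2, p) if (p - 1) % r == 0 and is_prime(r)]
    return next(g for g in range(2, p)
                if all(pow(g, (p - 1) // r, p) != 1 for r in primes))

def count_points(p, b):
    """N = #E(F_p) for E: y^2 = x^3 - 3x + b, by summing Legendre symbols
    (brute force in place of the SEA algorithm the slides rely on)."""
    n = p + 1
    for x in range(p):
        ls = pow((x**3 - 3 * x + b) % p, (p - 1) // 2, p)   # 0, 1 or p-1
        n += -1 if ls == p - 1 else ls
    return n

def embedding_degree(p, n, cap):
    """Smallest k with p^k = 1 mod n, or cap + 1 if it exceeds cap."""
    acc = 1
    for k in range(1, cap + 1):
        acc = acc * p % n
        if acc == 1:
            return k
    return cap + 1

def sample_curve(s):
    """Deterministic sampling from seed s >= 3 as on slide 26: p, g and
    b = g, g^2, ...; returns (p, b, N, N1) for the first b passing every
    check except the class-number bound, which is omitted here."""
    p = next(n for n in range(s, 2 * s + 2) if is_prime(n))   # Bertrand: one exists
    g = smallest_generator(p)
    cap = isqrt(isqrt(p)) + 1                                  # degree >= p^(1/4) test
    b = g
    for _ in range(p - 1):                                     # b runs over F_p^x
        if (27 * b * b - 108) % p:                             # delta != 0 when a = -3
            n = count_points(p, b)
            n1 = 2 * p + 2 - n                                 # cardinality of the twist
            if (is_prime(n) and is_prime(n1)
                    and n not in (p, p + 1) and n1 not in (p, p + 1)
                    and embedding_degree(p, n, cap) ** 4 >= p
                    and embedding_degree(p, n1, cap) ** 4 >= p):
                return p, b, n, n1
        b = b * g % p
    raise ValueError("no curve passes the checks for this seed")
```

Because every step is a deterministic function of s, a second party can rerun it and obtain the same curve and the same rejected candidates, which is what the certificate of slide 24 makes auditable.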
