ecc optimization on sandy bridge
play

ECC optimization on Sandy Bridge The cost of cofactor h = 1 Daan - PowerPoint PPT Presentation

Oct 29, 2023 •182 likes •1.07k views

ECC optimization on Sandy Bridge The cost of cofactor h = 1 Daan Sprenkels hello@dsprenkels.com Radboud University Nijmegen 1 April 2019 Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 1 / 30 Outline Introduction

  1. ECC optimization on Sandy Bridge The cost of cofactor h = 1 Daan Sprenkels hello@dsprenkels.com Radboud University Nijmegen 1 April 2019 Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 1 / 30

  2. Outline Introduction Preliminaries Cofactor security ECC implementation Results Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 2 / 30

  3. Outline Introduction Preliminaries Cofactor security ECC implementation Results Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 2 / 30

  4. Elliptic curves E : y 2 = x 3 + ax + b Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 3 / 30

  5. Elliptic curves E : y 2 = x 3 + ax + b 4 2 0 y − 2 − 4 − 4 − 2 0 2 4 x Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 3 / 30

  6. Elliptic curves: addition E : y 2 = x 3 + ax + b 4 − R Q 2 P 0 y − 2 R − 4 − 4 − 2 0 2 4 x Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 3 / 30

  7. Elliptic curves: doubling E : y 2 = x 3 + ax + b 4 − R P 2 0 y − 2 R − 4 − 4 − 2 0 2 4 x Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 3 / 30

  8. Elliptic curves ◮ Coordinates include the point at infinity O ◮ Define P + O = P Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 4 / 30

  9. Elliptic curves ◮ Coordinates include the point at infinity O ◮ Define P + O = P ◮ Curve equation: E : y 2 = x 3 + ax + b Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 4 / 30

  10. Elliptic curves ◮ Coordinates include the point at infinity O ◮ Define P + O = P ◮ Curve equation: E : y 2 = x 3 + ax + b ◮ Coordinates are defined over a field F q ◮ I.e. integers modulo q Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 4 / 30

  11. Elliptic curves: actually E : y 2 = x 3 − 3 x + 1 defined over F 11 5 4 3 2 1 0 y − 1 − 2 − 3 − 4 − 5 0 1 2 3 4 5 6 7 8 9 10 11 x Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 5 / 30

  12. Elliptic curves: actual addition E : y 2 = x 3 − 3 x + 1 defined over F 11 5 R 4 3 Q 2 1 0 y − 1 P − 2 − 3 − 4 − R − 5 0 1 2 3 4 5 6 7 8 9 10 11 x Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 5 / 30

  13. Group arithmetic ◮ We can do arithmetic with these rules! :) ◮ Addition: P + Q ◮ Subtraction: P − Q ◮ Neutral element: O , i.e. “zero” Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 6 / 30

  14. Group arithmetic ◮ We can do arithmetic with these rules! :) ◮ Addition: P + Q ◮ Subtraction: P − Q ◮ Neutral element: O , i.e. “zero” ◮ Scalar multiplication: [ k ] P = P + P + ... + P � �� � k times Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 6 / 30

  15. Group arithmetic ◮ We can do arithmetic with these rules! :) ◮ Addition: P + Q ◮ Subtraction: P − Q ◮ Neutral element: O , i.e. “zero” ◮ Scalar multiplication: [ k ] P = P + P + ... + P � �� � k times ◮ Discrete log problem: given P , Q where [ k ] P = Q , hard to find k Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 6 / 30

  16. Elliptic curves are cyclic ◮ Points form a cycle: O + P + P + P + P → ... + P + P − − → P − − → [2] P − − → [3] P − − − − → [ n − 1] P − − → O Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 7 / 30

  17. Elliptic curves are cyclic ◮ Points form a cycle: O + P + P + P + P → ... + P + P − − → P − − → [2] P − − → [3] P − − − − → [ n − 1] P − − → O � �� � n steps ◮ The order n should contain a large prime factor ◮ Only one cycle if n is prime Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 7 / 30

  18. Cofactors ◮ If n is not a prime Then n = h · ℓ ◮ I.e. small loops are possible: + T 4 + T 4 + T 4 + T 4 E.g. if 4 | n , then there is a point T 4 : O − − → T 4 − − → [2] T 4 − − → [3] T 4 − − → O � �� � only 4 steps! Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 8 / 30

  19. Cofactors ◮ If n is not a prime Then n = h · ℓ ◮ I.e. small loops are possible: + T 4 + T 4 + T 4 + T 4 E.g. if 4 | n , then there is a point T 4 : O − − → T 4 − − → [2] T 4 − − → [3] T 4 − − → O � �� � only 4 steps! ◮ h is called the cofactor Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 8 / 30

  20. Cofactors ◮ If n is not a prime Then n = h · ℓ ◮ I.e. small loops are possible: + T 4 + T 4 + T 4 + T 4 E.g. if 4 | n , then there is a point T 4 : O − − → T 4 − − → [2] T 4 − − → [3] T 4 − − → O � �� � only 4 steps! ◮ h is called the cofactor ◮ This property is often harmless Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 8 / 30

  21. Cofactors ◮ If n is not a prime Then n = h · ℓ ◮ I.e. small loops are possible: + T 4 + T 4 + T 4 + T 4 E.g. if 4 | n , then there is a point T 4 : O − − → T 4 − − → [2] T 4 − − → [3] T 4 − − → O � �� � only 4 steps! ◮ h is called the cofactor ◮ This property is often harmless ◮ I.e. sometimes it’s the opposite of harmless Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 8 / 30

  22. A brief history... ◮ 1999: elliptic curves popularized Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  23. A brief history... ◮ 1999: elliptic curves popularized ◮ 2006: Curve25519 published by Bernstein ◮ “Safe” for implementors Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  24. A brief history... ◮ 1999: elliptic curves popularized ◮ 2006: Curve25519 published by Bernstein ◮ “Safe” for implementors ◮ Super fast Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  25. A brief history... ◮ 1999: elliptic curves popularized ◮ 2006: Curve25519 published by Bernstein ◮ “Safe” for implementors ◮ Super fast ◮ Has cofactor h = 8 Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  26. A brief history... ◮ 1999: elliptic curves popularized ◮ 2006: Curve25519 published by Bernstein ◮ “Safe” for implementors ◮ Super fast ◮ Has cofactor h = 8 ◮ 2014: Monero cryptocurrency ◮ Uses Curve25519 Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  27. A brief history... ◮ 1999: elliptic curves popularized ◮ 2006: Curve25519 published by Bernstein ◮ “Safe” for implementors ◮ Super fast ◮ Has cofactor h = 8 ◮ 2014: Monero cryptocurrency ◮ Uses Curve25519 ◮ 2017: vulnerability in Monero found ◮ Allowed anyone to create coins out of thin air Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  28. The Monero vulnerability ◮ Transaction involves a ring signature Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 10 / 30

  29. The Monero vulnerability ◮ Transaction involves a ring signature ◮ Double-spending is prevented by a key image I Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 10 / 30

  30. The Monero vulnerability ◮ Transaction involves a ring signature ◮ Double-spending is prevented by a key image I ◮ I binds the transaction to signer’s public key P Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 10 / 30

  31. The Monero vulnerability ◮ Transaction involves a ring signature ◮ Double-spending is prevented by a key image I ◮ I binds the transaction to signer’s public key P ◮ Binding is in zero-knowledge Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 10 / 30

  32. The Monero vulnerability ◮ Transaction involves a ring signature ◮ Double-spending is prevented by a key image I ◮ I binds the transaction to signer’s public key P ◮ Binding is in zero-knowledge ◮ Key image I should be unique Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 10 / 30

  33. Monero transactions ◮ Have generators G 1 , G 2 ; private key x ; public key P ; key image I . ◮ sign x ( m ) ◮ Sign m with private key x ◮ Choose commitment u ∈ R h Z ℓ ◮ Compute a 2 = [ u ] G 2 ; c = H ( m , a 1 , a 2 ); r = u + cx ◮ Output signature s = ( a 1 , a 2 , r ) Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 11 / 30

  34. Monero transactions ◮ Have generators G 1 , G 2 ; private key x ; public key P ; key image I . ◮ sign x ( m ) ◮ Sign m with private key x ◮ Choose commitment u ∈ R h Z ℓ ◮ Compute a 2 = [ u ] G 2 ; c = H ( m , a 1 , a 2 ); r = u + cx ◮ Output signature s = ( a 1 , a 2 , r ) ◮ verify P , I ( m , s ) ? ◮ [ r ] G 1 = a 1 + [ c ] P ? ◮ [ r ] G 2 = a 2 + [ c ] I ◮ I unique? Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 11 / 30

  35. Attacking Monero signatures ◮ Challenge. Find some signature+keypair a 2 , c , r , and I , s.t. [ r ] G 2 = a 2 + [ c ] I = a 2 + [ c ] I ′ , where I � = I ′ . Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 12 / 30

  36. Attacking Monero signatures ◮ Challenge. Find some signature+keypair a 2 , c , r , and I , s.t. [ r ] G 2 = a 2 + [ c ] I = a 2 + [ c ] I ′ , where I � = I ′ . ◮ Solution. Choose I ′ = I + T α , where α | c and [ α ] T α = O . Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 12 / 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MagentoPerformance and Optimization ChrisWells CEO - Nexcess The Ambassador Bridge USA/Canada

MagentoPerformance and Optimization ChrisWells CEO - Nexcess The Ambassador Bridge USA/Canada

Laying the Foundation for MagentoPerformance and Optimization ChrisWells CEO - Nexcess The Ambassador Bridge USA/Canada The Ambassador Bridge USA/Canada Todays Topics A note on permissions Common pitfalls L AMP L AMP L AMP

553 views • 37 slides
Creating Safer Schools & Communities WHO is Sandy Hook Promise Sandy Hook Promise (SHP) is a

Creating Safer Schools & Communities WHO is Sandy Hook Promise Sandy Hook Promise (SHP) is a

Creating Safer Schools & Communities WHO is Sandy Hook Promise Sandy Hook Promise (SHP) is a nonprofit Timothy Makris Executive Director organization led by several family members who lost loved ones at the Sandy Hook Elementary

340 views • 22 slides
Port of New York and New Jersey Post Sandy Approach to Resiliency AAPA - Energy &

Port of New York and New Jersey Post Sandy Approach to Resiliency AAPA - Energy &

Port of New York and New Jersey Post Sandy Approach to Resiliency AAPA - Energy & Environment Seminar September 12, 2018 Our Port Facilities Sandy Re-Cap Sandy Sandy - Storm Surge Map Map Source: WNYC -

399 views • 28 slides
5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with

5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with

5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with federal money Layout was approved 2017 MnDOT hosted several visual quality workshops where community members were able to select bridge

530 views • 13 slides
Sandy Skoglund By: Emma, Allie, Tibayan ART120 Photorealism Bio - Sandy Skoglund was born in

Sandy Skoglund By: Emma, Allie, Tibayan ART120 Photorealism Bio - Sandy Skoglund was born in

Sandy Skoglund By: Emma, Allie, Tibayan ART120 Photorealism Bio - Sandy Skoglund was born in 1946 in Quincy, MA. - She went to Smith College for her BFA and eventually got a MFA from the University of Iowa. - She became a Professor at the

402 views • 18 slides
Sandy Landsberg Sandy.Landsberg@science.doe.gov Presented to IFIP Working Conference on

Sandy Landsberg Sandy.Landsberg@science.doe.gov Presented to IFIP Working Conference on

DOE Office of Science Advanced Scientific Computing Research Applied Mathematics Program Sandy Landsberg Sandy.Landsberg@science.doe.gov Presented to IFIP Working Conference on Uncertainty Quantification in Scientific Computing August 1, 2011

726 views • 21 slides
Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit

Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit

Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit to Administrators Improvement in Standardized Test Scores Promote STEM Education Goals Students Learn Cooperation and Communication

531 views • 14 slides
Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation

Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation

Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation to Mobility Committee April 2015 PWD Bridge Program City of Austin has 447 rated bridges. Goal is to maintain all bridges in

623 views • 22 slides
SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed

SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed

SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed a desire not to replace or widen the existng q bridge on the dam the bridge hampers access requires stopping and controlling trafc maintenance

966 views • 10 slides
Making New York City Hurricane Sandy Proof Presented by Michael Grant, Tony Mizutani, Daniel

Making New York City Hurricane Sandy Proof Presented by Michael Grant, Tony Mizutani, Daniel

Making New York City Hurricane Sandy Proof Presented by Michael Grant, Tony Mizutani, Daniel Smith, David Mashkevich, and Emily Nemecek History of Hurricanes Saffir-Simpson Scale Tracking Hurricane Sandy Hurricane Sandy Damages 7.5

323 views • 20 slides
Sandy Valley Local Schools Two Options for Sandy Valleys Reset/Restart Plan u Option 1: u

Sandy Valley Local Schools Two Options for Sandy Valleys Reset/Restart Plan u Option 1: u

Sandy Valley Local Schools Two Options for Sandy Valleys Reset/Restart Plan u Option 1: u Option 2: ALL IN ONLINE LEARNING Students at Students have Sandy Valley access to All Day, Everyday curriculum online ALL IN PLAN: All Students,

95 views • 8 slides
Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning

Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning

Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning Department , Toronto Public Library Kristian Roberts, Partner, Nordicity Jan 31, 2020 What is Bridge? The Bridge Technology Services Assessment Toolkit

285 views • 28 slides
Intel Core i7 Memory Hierarchy Amanda Adkins, Brett Ammeson, James Anouna, Tony Garside, Lukas

Intel Core i7 Memory Hierarchy Amanda Adkins, Brett Ammeson, James Anouna, Tony Garside, Lukas

Intel Core i7 Memory Hierarchy Amanda Adkins, Brett Ammeson, James Anouna, Tony Garside, Lukas Hunker, Sam Mailand Intel i7 Timeline 2011 2013 2015 Nehalem Ivy Bridge Broadwell Sandy Haswell Skylake Bridge 2008 2012

420 views • 40 slides
Indi diana na Bridge L Load R Rating Jeremy Hunter INDOT Bridge Design Manager Indiana

Indi diana na Bridge L Load R Rating Jeremy Hunter INDOT Bridge Design Manager Indiana

Indi diana na Bridge L Load R Rating Jeremy Hunter INDOT Bridge Design Manager Indiana Bridge Load Rating Requirements AASHTO Manual For Bridge Evaluation 2 nd Edition Defines requirements for: Bridge Records Bridge Management

360 views • 9 slides
Hurricane Sandy Alex Amparo Deputy Assistant Administrator Recovery Directorate 1

Hurricane Sandy Alex Amparo Deputy Assistant Administrator Recovery Directorate 1

Hurricane Sandy Alex Amparo Deputy Assistant Administrator Recovery Directorate 1 Presenters Name June 17, 2003 Hurricane Sandy At a Glance 2 nd largest Atlantic storm on record Impacted the most densely populated area of

359 views • 15 slides
Sandy Burke BSN RN CWCN Deb Perry MS RN Olmsted Medical Center Rochester, MN Deb Perry MS,

Sandy Burke BSN RN CWCN Deb Perry MS RN Olmsted Medical Center Rochester, MN Deb Perry MS,

Sandy Burke BSN RN CWCN Deb Perry MS RN Olmsted Medical Center Rochester, MN Deb Perry MS, RN Sandy Burke BSN, RN, CWCN Sandy has loved and participated in wound care for 20 years Deb has a passion for wound care starting with her 26

905 views • 68 slides
EVENT REPORT TEMPLATE (Annex H to Quality Control and Monitoring Manual) This template has to be

EVENT REPORT TEMPLATE (Annex H to Quality Control and Monitoring Manual) This template has to be

EVENT REPORT TEMPLATE (Annex H to Quality Control and Monitoring Manual) This template has to be filled by project partners (organisers) for all IF4TM events (except SC meetings). Furthermore, this template can be used to inform colleagues and

434 views • 4 slides
ECC-Net involvement in Air Passenger Rights Bianca Schulz, ECC France Stakeholder conference on

ECC-Net involvement in Air Passenger Rights Bianca Schulz, ECC France Stakeholder conference on

ECC-Net involvement in Air Passenger Rights Bianca Schulz, ECC France Stakeholder conference on Air Passenger Rights, Brussels, 30 May 2012

432 views • 24 slides
Preschool Development Grant Birth through Five Strategic Planning Implementation January 29 th ,

Preschool Development Grant Birth through Five Strategic Planning Implementation January 29 th ,

Preschool Development Grant Birth through Five Strategic Planning Implementation January 29 th , 2020 DRAFT Process: Goals for Today January 29 10:55-11:05 Remind ourselves of where we are in the process and where we are heading Design for

417 views • 9 slides
Dual Credit Programs RODRIGO LOPEZ ASSISTANT DEAN OF SCHOOL PARTNERSHIPS ROLOPEZ@ELGIN.EDU

Dual Credit Programs RODRIGO LOPEZ ASSISTANT DEAN OF SCHOOL PARTNERSHIPS ROLOPEZ@ELGIN.EDU

November 1, 2018 Elgin Community College Dual Credit Programs RODRIGO LOPEZ ASSISTANT DEAN OF SCHOOL PARTNERSHIPS ROLOPEZ@ELGIN.EDU GINNY WOLAK DUAL CREDIT COORDINATOR VWOLAK@ELGIN.EDU November 1, 2018 EARLY COLLEGE CREDIT DUAL CREDIT

511 views • 20 slides
Be part rt of t the e sponsorin oring g crew ECC C 2015 Ke Key Facts ts Jens Wilkens, the

Be part rt of t the e sponsorin oring g crew ECC C 2015 Ke Key Facts ts Jens Wilkens, the

En Engin ginee eerin ring g Chal allen lenge ge Cup up 20 2015 Be part rt of t the e sponsorin oring g crew ECC C 2015 Ke Key Facts ts Jens Wilkens, the Commodore for ECC 2015 and his team ( Aad Veth, Dieter Krner, Christian

221 views • 7 slides
2017 Co Comprehensiv ive M Master Pla lan & & ECC Comp mpto ton Cen ente ter Sel

2017 Co Comprehensiv ive M Master Pla lan & & ECC Comp mpto ton Cen ente ter Sel

2017 Co Comprehensiv ive M Master Pla lan & & ECC Comp mpto ton Cen ente ter Sel Self-Ev Evaluati ation Rep epor ort Kei Keith C Curry E rry Ed.D. Provost Prov El El Ca Camino Co College Co Compton Ce Cente ter 1

356 views • 17 slides
Retail Loss Information in Mail Theft Investigations A private public partnership benefiting the

Retail Loss Information in Mail Theft Investigations A private public partnership benefiting the

Retail Loss Information in Mail Theft Investigations A private public partnership benefiting the consumer. The OI e OIG Office ice of Inves estig igati tions ons OIs structure is designed to cover postal program vulnerabilities

256 views • 23 slides
Mini Competition Market Engagement Key Learnings Presentation of the key learnings from the

Mini Competition Market Engagement Key Learnings Presentation of the key learnings from the

Live at Home Framework Mini Competition Market Engagement Key Learnings Presentation of the key learnings from the market engagement for the mini competition pathfinder within the LAH Framework. Presenter: Sarah Collins Date 12 th December

229 views • 20 slides

More recommend