elliptic curve cryptography and security of embedded
play

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. - PowerPoint PPT Presentation

Sep 06, 2022 •270 likes •1.72k views

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

  1. Refined Algorithms Non-Adjacent Form (NAF) Signed representation minimizing the number of non-zero digits (1/3 vs 1/2). Hence minimize the number of additions. Sliding window algorithms Precompute 3 P , 5 P ,... to process several scalar bits at a time. Can be combined with the NAF method. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 14 / 64

  2. Refined Algorithms Non-Adjacent Form (NAF) Signed representation minimizing the number of non-zero digits (1/3 vs 1/2). Hence minimize the number of additions. Sliding window algorithms Precompute 3 P , 5 P ,... to process several scalar bits at a time. Can be combined with the NAF method. Co-Z Addition Euclidean Addition Chains [Meloni, WAIFI 2007] Co-Z binary ladder [Goundar, Joye & Miyaji, CHES 2010] V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 14 / 64

  3. Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 14 / 64

  4. Side-Channel Analysis Framework Secret key Inputs Cryptographic operation Outputs

  5. Side-Channel Analysis Framework Secret key Inputs Cryptographic leakages operation Device Outputs

  6. Side-Channel Analysis Framework Secret key Inputs Cryptographic leakages operation Measurements Device Outputs

  7. Side-Channel Analysis Framework Secret key Inputs Cryptographic leakages operation Model & Measurements assumptions Device Outputs

  8. Side-Channel Analysis Framework Secret key Inputs Cryptographic leakages operation Model & Measurements assumptions Device Information on Outputs secret key V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 15 / 64

  9. Simple Side-Channel Analysis (SSCA) Left-to-right square & multiply Side-channel leakage: power, EM, etc. The whole exponent may be recovered using a single trace. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 16 / 64

  10. Regular Exponentiation Left-to-right algorithms Square & multiply: . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 17 / 64

  11. Regular Exponentiation Left-to-right algorithms Square & multiply: . . . Square & multiply always: . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 17 / 64

  12. Regular Exponentiation Left-to-right algorithms Square & multiply: . . . Square & multiply always: . . . Montgomery ladder: . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 17 / 64

  13. Regular Exponentiation Algorithms Left-to-right Right-to-left “Montgomery ladder” “Joye ladder” Input: m , n , d ∈ N Input: m , n , d ∈ N Output: m d mod n Output: m d mod n 1: R 0 ← 1 1: R 0 ← 1 2: R 1 ← m 2: R 1 ← m 3: for i = ℓ − 1 to 0 do 3: for i = 0 to ℓ − 1 do 2 mod n R 1 − d i ← R 0 × R 1 mod n 4: R 1 − d i ← R 1 − d i 4: 2 mod n R 1 − d i ← R 1 − d i × R d i mod n R d i ← R d i 5: 5: 6: return R 0 6: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 18 / 64

  14. Regular Scalar Multiplication Left-to-right algorithms Double & add: . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 19 / 64

  15. Regular Scalar Multiplication Left-to-right algorithms Double & add: . . . Double & add always: . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 19 / 64

  16. Regular Scalar Multiplication Left-to-right algorithms Double & add: . . . Double & add always: . . . Montgomery ladders: . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 19 / 64

  17. Regular Scalar Multiplication Algorithms Left-to-right Right-to-left “Montgomery ladder” “Joye ladder” Input: P ∈ E ( K ) , d ∈ N Input: P ∈ E ( K ) , d ∈ N Output: dP Output: dP 1: R 0 ← O 1: R 0 ← O 2: R 1 ← P 2: R 1 ← P 3: for i = ℓ − 1 to 0 do 3: for i = 0 to ℓ − 1 do R 1 − d i ← R 0 + R 1 R 1 − d i ← 2 R 1 − d i 4: 4: R d i ← 2 R d i R 1 − d i ← R 1 − d i + R d i 5: 5: 6: return R 0 6: return R 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 20 / 64

  18. Regular Atomic Exponentiation Square & multiply: . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 21 / 64

  19. Regular Atomic Exponentiation Square & multiply: . . . Atomic multiply always: . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 21 / 64

  20. Regular Atomic Scalar Multiplication Double & add: . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 22 / 64

  21. Regular Atomic Scalar Multiplication Double & add: . . . Atomic add always (with a unified group addition): . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 22 / 64

  22. Regular Atomic Scalar Multiplication Double & add: . . . Atomic add always (with a unified group addition): . . . Atomic scalar multiplication using a smaller pattern: . . . . . . Dbl. Dbl. Add. Dbl. Add. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 22 / 64

  23. ③ Leakage on Manipulated Data V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 23 / 64

  24. ③ Leakage on Manipulated Data Noise is generally too high to exploit this leakage directly � V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 23 / 64

  25. Leakage on Manipulated Data Noise is generally too high to exploit this leakage directly � ③ Many acquisitions are used to reduce noise influence V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 23 / 64

  26. ③ Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1 T 1 , T 2 ,..., T n . t t + ω T 2 . t t + ω . . T N t t + ω V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64

  27. ③ Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1 T 1 , T 2 ,..., T n . ◮ align vertically the traces on t t + ω the targeted operation using T 2 signal processing tools . t t + ω . . T N t t + ω V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64

  28. ③ Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1 T 1 , T 2 ,..., T n . ◮ align vertically the traces on t t + ω the targeted operation using T 2 signal processing tools . t t + ω . ◮ perform statistical treatment . between traces, known inputs or outputs and a guess on a T N few key bits t t + ω V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64

  29. Differential Analysis Principle Measure N times a side-channel leakage with different data involved and consider the traces T 1 T 1 , T 2 ,..., T n . ◮ align vertically the traces on t t + ω the targeted operation using T 2 signal processing tools . t t + ω . ◮ perform statistical treatment . between traces, known inputs or outputs and a guess on a T N few key bits t t + ω ③ Validate the guess or not V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 24 / 64

  30. Differential Side-Channel Analysis Original method introduced in [Kocher, Jaffe & Jun, CRYPTO’99] ◮ Hamming weight leakage model ◮ Difference of means as a distinguisher V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 25 / 64

  31. Differential Side-Channel Analysis Original method introduced in [Kocher, Jaffe & Jun, CRYPTO’99] ◮ Hamming weight leakage model ◮ Difference of means as a distinguisher Correlation analysis introduced in [Brier, Clavier & Olivier, CHES 2004] ◮ Hamming weight/distance leakage model ◮ Pearson correlation factor as a distinguisher V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 25 / 64

  32. Countermeasures for RSA Exponentiation ◮ Exponent blinding d ′ = d + r ( p − 1 )( q − 1 ) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 26 / 64

  33. Countermeasures for RSA Exponentiation ◮ Exponent blinding d ′ = d + r ( p − 1 )( q − 1 ) ◮ Message/ciphertext additive blinding m ′ = m + rn mod cn , r < c V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 26 / 64

  34. Countermeasures for RSA Exponentiation ◮ Exponent blinding d ′ = d + r ( p − 1 )( q − 1 ) ◮ Message/ciphertext additive blinding m ′ = m + rn mod cn , r < c ◮ Message/ciphertext multiplicative blinding m ′ = r e m mod n , result recovered as r − 1 ( m ′ ) d mod n V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 26 / 64

  35. Countermeasures for Scalar Multiplication From [Coron, CHES’99]: ◮ Scalar blinding d ′ = d + r # E ( F p ) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64

  36. Countermeasures for Scalar Multiplication From [Coron, CHES’99]: ◮ Scalar blinding d ′ = d + r # E ( F p ) ◮ Base point projective coordinates blinding ( r 2 X : r 3 Y : rZ ) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64

  37. Countermeasures for Scalar Multiplication From [Coron, CHES’99]: ◮ Scalar blinding d ′ = d + r # E ( F p ) ◮ Base point projective coordinates blinding ( r 2 X : r 3 Y : rZ ) ◮ Input point blinding Q = d ( P + R ) , result recovered as Q − S with S = dR V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64

  38. Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 27 / 64

  39. Our Contribution ◮ New atomic pattern for right-to-left scalar multiplication implementation ◮ Fastest implementation for standard curves considering addition cost A / M ≥ 0 . 1 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 28 / 64

  40. Our Contribution ◮ New atomic pattern for right-to-left scalar multiplication implementation ◮ Fastest implementation for standard curves considering addition cost A / M ≥ 0 . 1 Theoretical comparison ( S / M = 0 . 8, A / M = 0 . 2) Previous right-to-left NAF atomic scalar multiplication: - 20 % ( M /bit) Best previous scalar multiplication (Co- Z Montgomery ladder ( X : Z ) -only): - 3.6 % ( M /bit) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 28 / 64

  41. Atomic Right-to-Left Scalar Multiplication Mixed coordinates  ◮ Multiplication ◮ Addition  �  ◮ Negation  ◮ Addition Operations expression using the atomic pattern Addition : [11M+5S] ���������������� Doubling : [3M+5S] �������� V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64

  42. Atomic Right-to-Left Scalar Multiplication Mixed coordinates   ◮ Multiplication ◮ Squaring ◮ Addition ◮ Addition   � �   ◮ Negation ◮ Negation   ◮ Addition ◮ Addition Operations expression using the atomic pattern Addition : [11M+5S] ���������������� Doubling : [3M+5S] �������� V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64

  43. Atomic Right-to-Left Scalar Multiplication Mixed coordinates   ◮ Multiplication ◮ Squaring ◮ Addition ◮ Addition   � �   ◮ Negation ◮ Negation   ◮ Addition ◮ Addition Operations expression using the atomic pattern Addition : [11M+5S] ���������������� Doubling : [3M+5S] �������� V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64

  44. Atomic Right-to-Left Scalar Multiplication Mixed coordinates   ◮ Multiplication ◮ Squaring ◮ Addition ◮ Addition   � �   ◮ Negation ◮ Negation   ◮ Addition ◮ Addition Operations expression using the atomic pattern Addition : [11M+5S] �������� �������� Doubling : [3M+5S] �������� Extended pattern : �������� V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 29 / 64

  45. Atomic Right-to-Left Scalar Multiplication ◮ Sq. ◮ Add. ◮ Neg. ◮ Add. ◮ Mult. ◮ Add. ◮ Neg. ◮ Add. ◮ Mult. ◮ Add. ◮ Neg. ◮ Add. ◮ Mult. ◮ Add. ◮ Neg. ◮ Add. ◮ Sq. ◮ Add. ◮ Neg. ◮ Add. ◮ Mult. ◮ Add. ◮ Neg. ◮ Add. ◮ Mult. ◮ Add. ◮ Neg. ◮ Add. ◮ Mult. ◮ Add. ◮ Neg. ◮ Add. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64

  46. Atomic Right-to-Left Scalar Multiplication Add. 1 Add. 2  R 1 ← Z 22  R 6 ← R 42 ◮ Sq. ◮ Add. ⋆ ⋆     ◮ Neg. ⋆ ⋆     ⋆ ◮ Add. ⋆     R 5 ← Z 1 · Z 2 ◮ Mult. R 2 ← X 1 · R 1     ⋆ ◮ Add. ⋆     ⋆ ◮ Neg. ⋆     ⋆ ◮ Add. ⋆     Z 3 ← R 5 · R 4 ◮ Mult. R 1 ← R 1 · Z 2     ⋆ ◮ Add. ⋆     ⋆ ◮ Neg. ⋆     ⋆ ◮ Add. ⋆     R 2 ← R 2 · R 6 ◮ Mult. R 3 ← Y 1 · R 1     ⋆ ◮ Add. ⋆     R 1 ← − R 1 ◮ Neg. ⋆     ⋆ ◮ Add.  ⋆    R 1 ← Z 12 R 5 ← R 12 ◮ Sq.     ◮ Add.   ⋆ ⋆   ◮ Neg.   R 3 ← − R 3 ⋆   ◮ Add.   ⋆ ⋆   ◮ Mult.   R 4 ← R 1 · X 2 R 4 ← R 4 · R 6   ◮ Add.   ⋆ R 6 ← R 5 + R 4   ◮ Neg.   R 4 ← − R 4 R 2 ← − R 2   ◮ Add.   R 4 ← R 2 + R 4 R 6 ← R 6 + R 2   ◮ Mult.   R 1 ← Z 1 · R 1 R 3 ← R 3 · R 4   ◮ Add.   ⋆ X 3 ← R 2 + R 6   ◮ Neg.   ⋆ ⋆   ◮ Add.  ⋆  R 2 ← X 3 + R 2   ◮ Mult.  R 1 ← R 1 · Y 2  R 1 ← R 1 · R 2   ◮ Add.  ⋆  Y 3 ← R 3 + R 1   ◮ Neg.  R 1 ← − R 1  ⋆ ◮ Add. R 1 ← R 3 + R 1 ⋆ V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64

  47. Atomic Right-to-Left Scalar Multiplication Add. 1 Add. 2 Dbl.  R 1 ← Z 22  R 6 ← R 42  R 1 ← X 12 ◮ Sq. ◮ Add. ⋆ ⋆ R 2 ← Y 1 + Y 1       ◮ Neg. ⋆ ⋆ ⋆       ⋆ ⋆ ◮ Add. ⋆       R 5 ← Z 1 · Z 2 Z 2 ← R 2 · Z 1 ◮ Mult. R 2 ← X 1 · R 1       ⋆ R 4 ← R 1 + R 1 ◮ Add. ⋆       ⋆ ⋆ ◮ Neg. ⋆       ⋆ ⋆ ◮ Add. ⋆       Z 3 ← R 5 · R 4 R 3 ← R 2 · Y 1 ◮ Mult. R 1 ← R 1 · Z 2       ⋆ R 6 ← R 3 + R 3 ◮ Add. ⋆       ⋆ ◮ Neg. ⋆ ⋆       ⋆ ⋆ ◮ Add. ⋆       R 2 ← R 2 · R 6 R 2 ← R 6 · R 3 ◮ Mult. R 3 ← Y 1 · R 1       ⋆ ◮ Add. ⋆ R 1 ← R 4 + R 1       R 1 ← − R 1 ◮ Neg. ⋆ ⋆       ⋆ R 1 ← R 1 + W 1 ◮ Add.  ⋆      R 1 ← Z 12 R 5 ← R 12 R 3 ← R 12 ◮ Sq.       ◮ Add.   ⋆  ⋆ ⋆    ◮ Neg.   R 3 ← − R 3  ⋆ ⋆    ◮ Add.    ⋆ ⋆ ⋆    ◮ Mult.    R 4 ← R 1 · X 2 R 4 ← R 4 · R 6 R 4 ← R 6 · X 1    ◮ Add.    ⋆ R 6 ← R 5 + R 4 R 5 ← W 1 + W 1    ◮ Neg.    R 4 ← − R 4 R 2 ← − R 2 R 4 ← − R 4    ◮ Add.    R 4 ← R 2 + R 4 R 6 ← R 6 + R 2 R 3 ← R 3 + R 4    ◮ Mult.    R 1 ← Z 1 · R 1 R 3 ← R 3 · R 4 W 2 ← R 2 · R 5    ◮ Add.    ⋆ X 3 ← R 2 + R 6 X 2 ← R 3 + R 4    ◮ Neg.    ⋆ ⋆ R 2 ← − R 2    ◮ Add.  ⋆   R 2 ← X 3 + R 2 R 6 ← R 4 + X 2    ◮ Mult.  R 1 ← R 1 · Y 2   R 1 ← R 1 · R 2 R 4 ← R 6 · R 1    ◮ Add.  ⋆   Y 3 ← R 3 + R 1 ⋆    ◮ Neg.  R 1 ← − R 1   ⋆ R 4 ← − R 4 ◮ Add. R 1 ← R 3 + R 1 ⋆ Y 2 ← R 4 + R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64

  48. Atomic Right-to-Left Scalar Multiplication Add. 1 Add. 2 Dbl.  R 1 ← Z 22  R 6 ← R 42  R 1 ← X 12 ◮ Sq. ◮ Add. ⋆ ⋆ R 2 ← Y 1 + Y 1       ◮ Neg. ⋆ ⋆ ⋆       ⋆ ⋆ ◮ Add. ⋆       R 5 ← Z 1 · Z 2 Z 2 ← R 2 · Z 1 ◮ Mult. R 2 ← X 1 · R 1       ⋆ R 4 ← R 1 + R 1 ◮ Add. ⋆       ⋆ ⋆ ◮ Neg. ⋆       ⋆ ⋆ ◮ Add. ⋆       Z 3 ← R 5 · R 4 R 3 ← R 2 · Y 1 ◮ Mult. R 1 ← R 1 · Z 2       ⋆ R 6 ← R 3 + R 3 ◮ Add. ⋆       ⋆ ◮ Neg. ⋆ ⋆       ⋆ ⋆ ◮ Add. ⋆       R 2 ← R 2 · R 6 R 2 ← R 6 · R 3 ◮ Mult. R 3 ← Y 1 · R 1       ⋆ ◮ Add. ⋆ R 1 ← R 4 + R 1       R 1 ← − R 1 ◮ Neg. ⋆ ⋆       ⋆ R 1 ← R 1 + W 1 ◮ Add.  ⋆      R 1 ← Z 12 R 5 ← R 12 R 3 ← R 12 ◮ Sq.       ◮ Add.   ⋆  ⋆ ⋆    ◮ Neg.   R 3 ← − R 3  ⋆ ⋆    ◮ Add.    ⋆ ⋆ ⋆    ◮ Mult.    R 4 ← R 1 · X 2 R 4 ← R 4 · R 6 R 4 ← R 6 · X 1    ◮ Add.    ⋆ R 6 ← R 5 + R 4 R 5 ← W 1 + W 1    ◮ Neg.    R 4 ← − R 4 R 2 ← − R 2 R 4 ← − R 4    ◮ Add.    R 4 ← R 2 + R 4 R 6 ← R 6 + R 2 R 3 ← R 3 + R 4    ◮ Mult.    R 1 ← Z 1 · R 1 R 3 ← R 3 · R 4 W 2 ← R 2 · R 5    ◮ Add.    ⋆ X 3 ← R 2 + R 6 X 2 ← R 3 + R 4    ◮ Neg.    ⋆ ⋆ R 2 ← − R 2    ◮ Add.  ⋆   R 2 ← X 3 + R 2 R 6 ← R 4 + X 2    ◮ Mult.  R 1 ← R 1 · Y 2   R 1 ← R 1 · R 2 R 4 ← R 6 · R 1    ◮ Add.  ⋆   Y 3 ← R 3 + R 1 ⋆    ◮ Neg.  R 1 ← − R 1   ⋆ R 4 ← − R 4 ◮ Add. R 1 ← R 3 + R 1 ⋆ Y 2 ← R 4 + R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64

  49. Atomic Right-to-Left Scalar Multiplication Add. 1 Add. 2 Dbl.  R 1 ← Z 22  R 6 ← R 42  R 1 ← X 12 ◮ Sq. ◮ Add. ⋆ ⋆ R 2 ← Y 1 + Y 1                   R 5 ← Z 1 · Z 2 Z 2 ← R 2 · Z 1 ◮ Mult. R 2 ← X 1 · R 1       ⋆ R 4 ← R 1 + R 1 ◮ Add. ⋆                   Z 3 ← R 5 · R 4 R 3 ← R 2 · Y 1 ◮ Mult. R 1 ← R 1 · Z 2       ⋆ R 6 ← R 3 + R 3 ◮ Add. ⋆                   R 2 ← R 2 · R 6 R 2 ← R 6 · R 3 ◮ Mult. R 3 ← Y 1 · R 1       ⋆ ◮ Add. ⋆ R 1 ← R 4 + R 1       R 1 ← − R 1 ◮ Neg. ⋆ ⋆       ⋆ R 1 ← R 1 + W 1 ◮ Add.  ⋆      R 1 ← Z 12 R 5 ← R 12 R 3 ← R 12 ◮ Sq.             ◮ Neg.   R 3 ← − R 3  ⋆ ⋆          ◮ Mult.    R 4 ← R 1 · X 2 R 4 ← R 4 · R 6 R 4 ← R 6 · X 1    ◮ Add.    ⋆ R 6 ← R 5 + R 4 R 5 ← W 1 + W 1    ◮ Neg.    R 4 ← − R 4 R 2 ← − R 2 R 4 ← − R 4    ◮ Add.    R 4 ← R 2 + R 4 R 6 ← R 6 + R 2 R 3 ← R 3 + R 4    ◮ Mult.    R 1 ← Z 1 · R 1 R 3 ← R 3 · R 4 W 2 ← R 2 · R 5    ◮ Add.    ⋆ X 3 ← R 2 + R 6 X 2 ← R 3 + R 4    ◮ Neg.    ⋆ ⋆ R 2 ← − R 2    ◮ Add.  ⋆   R 2 ← X 3 + R 2 R 6 ← R 4 + X 2    ◮ Mult.  R 1 ← R 1 · Y 2   R 1 ← R 1 · R 2 R 4 ← R 6 · R 1    ◮ Add.  ⋆   Y 3 ← R 3 + R 1 ⋆    ◮ Neg.  R 1 ← − R 1   ⋆ R 4 ← − R 4 ◮ Add. R 1 ← R 3 + R 1 ⋆ Y 2 ← R 4 + R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 30 / 64

  50. Atomic Right-to-Left Scalar Multiplication Add. 1 Add. 2 Dbl.  R 1 ← Z 22  R 1 ← R 62  R 1 ← X 12 Sq. Add. ⋆ ⋆ R 2 ← Y 1 + Y 1       Mult. R 2 ← Y 1 · Z 2 R 4 ← R 5 · R 1 Z 2 ← R 2 · Z 1       Add. ⋆ ⋆ R 4 ← R 1 + R 1       Mult. R 5 ← Y 2 · Z 1 R 5 ← R 1 · R 6 R 3 ← R 2 · Y 1       Add. ⋆ ⋆ R 6 ← R 3 + R 3       Mult. R 3 ← R 1 · R 2 R 1 ← Z 1 · R 6 R 2 ← R 6 · R 3       Add. ⋆ ⋆ R 1 ← R 4 + R 1       Add. ⋆ ⋆ R 1 ← R 1 + W 1       R 4 ← Z 12 R 6 ← R 22 R 3 ← R 12 Sq.       Mult.  R 2 ← R 5 · R 4  Z 3 ← R 1 · Z 2  R 4 ← R 6 · X 1    Add.  ⋆  R 1 ← R 4 + R 4  R 5 ← W 1 + W 1    Sub.  R 2 ← R 2 − R 3  R 6 ← R 6 − R 1  R 3 ← R 3 − R 4    Mult.  R 5 ← R 1 · X 1  R 1 ← R 5 · R 3  W 2 ← R 2 · R 5    Sub.  ⋆  X 3 ← R 6 − R 5  X 2 ← R 3 − R 4    Sub.  ⋆  R 4 ← R 4 − X 3  R 6 ← R 4 − X 2    Mult.  R 6 ← X 2 · R 4  R 3 ← R 4 · R 2  R 4 ← R 6 · R 1 Sub. R 6 ← R 6 − R 5 Y 3 ← R 3 − R 1 Y 2 ← R 4 − R 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64

  51. Atomic Right-to-Left Scalar Multiplication Add. 1 Add. 2 Dbl.  R 1 ← Z 22  R 1 ← R 62  R 1 ← X 12 Sq. Add. ⋆ ⋆ R 2 ← Y 1 + Y 1       Mult. R 2 ← Y 1 · Z 2 R 4 ← R 5 · R 1 Z 2 ← R 2 · Z 1       Add. ⋆ ⋆ R 4 ← R 1 + R 1       Mult. R 5 ← Y 2 · Z 1 R 5 ← R 1 · R 6 R 3 ← R 2 · Y 1       Add. ⋆ ⋆ R 6 ← R 3 + R 3       Mult. R 3 ← R 1 · R 2 R 1 ← Z 1 · R 6 R 2 ← R 6 · R 3       Add. ⋆ ⋆ R 1 ← R 4 + R 1       Add. ⋆ ⋆ R 1 ← R 1 + W 1       R 4 ← Z 12 R 6 ← R 22 R 3 ← R 12 Sq.       Mult.  R 2 ← R 5 · R 4  Z 3 ← R 1 · Z 2  R 4 ← R 6 · X 1    Add.  ⋆  R 1 ← R 4 + R 4  R 5 ← W 1 + W 1    Sub.  R 2 ← R 2 − R 3  R 6 ← R 6 − R 1  R 3 ← R 3 − R 4    Mult.  R 5 ← R 1 · X 1  R 1 ← R 5 · R 3  W 2 ← R 2 · R 5    Sub.  ⋆  X 3 ← R 6 − R 5  X 2 ← R 3 − R 4    Sub.  ⋆  R 4 ← R 4 − X 3  R 6 ← R 4 − X 2    Mult.  R 6 ← X 2 · R 4  R 3 ← R 4 · R 2  R 4 ← R 6 · R 1 Sub. R 6 ← R 6 − R 5 Y 3 ← R 3 − R 1 Y 2 ← R 4 − R 2 8 multiplications → 6 multiplications + 2 squarings V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64

  52. Atomic Right-to-Left Scalar Multiplication Add. 1 Add. 2 Dbl.  R 1 ← Z 22  R 1 ← R 62  R 1 ← X 12 Sq. Add. ⋆ ⋆ R 2 ← Y 1 + Y 1       Mult. R 2 ← Y 1 · Z 2 R 4 ← R 5 · R 1 Z 2 ← R 2 · Z 1       Add. ⋆ ⋆ R 4 ← R 1 + R 1       Mult. R 5 ← Y 2 · Z 1 R 5 ← R 1 · R 6 R 3 ← R 2 · Y 1       Add. ⋆ ⋆ R 6 ← R 3 + R 3       Mult. R 3 ← R 1 · R 2 R 1 ← Z 1 · R 6 R 2 ← R 6 · R 3       Add. ⋆ ⋆ R 1 ← R 4 + R 1       Add. ⋆ ⋆ R 1 ← R 1 + W 1       R 4 ← Z 12 R 6 ← R 22 R 3 ← R 12 Sq.       Mult.  R 2 ← R 5 · R 4  Z 3 ← R 1 · Z 2  R 4 ← R 6 · X 1    Add.  ⋆  R 1 ← R 4 + R 4  R 5 ← W 1 + W 1    Sub.  R 2 ← R 2 − R 3  R 6 ← R 6 − R 1  R 3 ← R 3 − R 4    Mult.  R 5 ← R 1 · X 1  R 1 ← R 5 · R 3  W 2 ← R 2 · R 5    Sub.  ⋆  X 3 ← R 6 − R 5  X 2 ← R 3 − R 4    Sub.  ⋆  R 4 ← R 4 − X 3  R 6 ← R 4 − X 2    Mult.  R 6 ← X 2 · R 4  R 3 ← R 4 · R 2  R 4 ← R 6 · R 1 Sub. R 6 ← R 6 − R 5 Y 3 ← R 3 − R 1 Y 2 ← R 4 − R 2 8 multiplications → 6 multiplications + 2 squarings 16 additions → 6 additions + 4 subtractions V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64

  53. Atomic Right-to-Left Scalar Multiplication Add. 1 Add. 2 Dbl.  R 1 ← Z 22  R 1 ← R 62  R 1 ← X 12 Sq. Add. ⋆ ⋆ R 2 ← Y 1 + Y 1       Mult. R 2 ← Y 1 · Z 2 R 4 ← R 5 · R 1 Z 2 ← R 2 · Z 1       Add. ⋆ ⋆ R 4 ← R 1 + R 1       Mult. R 5 ← Y 2 · Z 1 R 5 ← R 1 · R 6 R 3 ← R 2 · Y 1       Add. ⋆ ⋆ R 6 ← R 3 + R 3       Mult. R 3 ← R 1 · R 2 R 1 ← Z 1 · R 6 R 2 ← R 6 · R 3       Add. ⋆ ⋆ R 1 ← R 4 + R 1       Add. ⋆ ⋆ R 1 ← R 1 + W 1       R 4 ← Z 12 R 6 ← R 22 R 3 ← R 12 Sq.       Mult.  R 2 ← R 5 · R 4  Z 3 ← R 1 · Z 2  R 4 ← R 6 · X 1    Add.  ⋆  R 1 ← R 4 + R 4  R 5 ← W 1 + W 1    Sub.  R 2 ← R 2 − R 3  R 6 ← R 6 − R 1  R 3 ← R 3 − R 4    Mult.  R 5 ← R 1 · X 1  R 1 ← R 5 · R 3  W 2 ← R 2 · R 5    Sub.  ⋆  X 3 ← R 6 − R 5  X 2 ← R 3 − R 4    Sub.  ⋆  R 4 ← R 4 − X 3  R 6 ← R 4 − X 2    Mult.  R 6 ← X 2 · R 4  R 3 ← R 4 · R 2  R 4 ← R 6 · R 1 Sub. R 6 ← R 6 − R 5 Y 3 ← R 3 − R 1 Y 2 ← R 4 − R 2 8 multiplications → 6 multiplications + 2 squarings 16 additions → 6 additions + 4 subtractions 8 negations → 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 31 / 64

  54. Implementation 192 bits ECDSA @ 30 MHz (CPU) & 50 MHz (CC) Original : 35 ms, Improved : 30 ms (- 14.5 %) Comparable RAM ( ≈ 500 Bytes) and Code size ( ≈ 3 KB) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 32 / 64

  55. Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 32 / 64

  56. Our Contribution ◮ New atomic algorithms using squarings only ◮ Immune to attacks distinguishing squarings from multiplications ◮ Better efficiency than regular ladders ◮ Exponentiation algorithms for parallelized squarings with best performances to our knowledge V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 33 / 64

  57. Exponentiation Cost Summary Algorithm Cost / bit S / M = 1 S / M = . 8 # reg Square & multiply 1 , 2 , 3 0 . 5 M + 1 S 1 . 5 M 1 . 3 M 2 Multiply always 2 , 3 1 . 5 M 1 . 5 M 1 . 5 M 2 1 M + 1 S 1 . 8 M Regular ladders 2 M 2 1 algorithm unprotected towards the SPA 2 algorithm sensitive to S – M discrimination 3 possible sliding window optimization V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 34 / 64

  58. Replacing Multiplications by Squarings x × y = ( x + y ) 2 − x 2 − y 2 (1) 2 � x + y � 2 � x − y � 2 x × y = − (2) 2 2 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 35 / 64

  59. Regular Atomic Exponentiation Square & multiply: . . . Atomic Multiply always: . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 36 / 64

  60. Regular Atomic Exponentiation Square & multiply: . . . Atomic Multiply always: . . . Atomic Square always: . . . V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 36 / 64

  61. Atomic Left-to-Right Algorithm Input: m , n , d ∈ N Output: m d mod n 1: R 0 ← 1 ; R 1 ← m ; R 2 ← 1 2: R 3 ← m 2 / 2 mod n 0 bit j = 0 j = 1 1 bit 3: j ← 0 ; i ← k − 1 4: while i ≥ 0 do R M j , 0 ← R M j , 1 + R M j , 2 mod n 5: 0 bit 1 bit 2 mod n R M j , 3 ← R M j , 3 6: R M j , 4 ← R M j , 5 / 2 mod n 7: R M j , 6 ← R M j , 7 − R M j , 8 mod n 8: j = 3 j = 2 j ← d i ( 1 +( j mod 3 )) 9: i ← i − M j , 9 10: 11: return R 0   1 1 1 0 2 1 1 1 2 1 2 0 1 2 2 2 2 2 3 0   M =   1 1 3 0 0 0 0 2 0 0   3 3 3 0 3 3 1 1 3 1 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 37 / 64

  62. Atomic Right-to-Left Algorithm Input: m , n , d ∈ N Output: m d mod n 1: R 0 ← m ; R 1 ← 1 ; R 2 ← 1 0 bit j = 0 j = 1 2: i ← 0 ; j ← 0 1 bit 3: while i ≤ k − 1 do j ← d i ( 1 +( j mod 3 )) 4: R M j , 0 ← R M j , 1 + R 0 mod n 5: 0 bit 1 bit R M j , 2 ← R M j , 3 / 2 mod n 6: R M j , 4 ← R M j , 5 − R M j , 6 mod n 7: 2 mod n j = 3 j = 2 R M j , 3 ← R M j , 3 8: i ← i + M j , 7 9: 10: return R 1   0 0 2 0 0 0 2 1 2 1 2 2 1 0 1 0   M =   0 2 1 1 0 0 2 0   0 0 0 0 1 2 1 1 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 38 / 64

  63. Cost Comparison Algorithm Cost / bit S / M = 1 S / M = . 8 # reg Square & multiply 1 , 2 , 3 0 . 5 M + 1 S 1 . 5 M 1 . 3 M 2 Multiply always 2 , 3 1 . 5 M 1 . 5 M 1 . 5 M 2 Regular ladder 1 M + 1 S 2 M 1 . 8 M 2 L.-to-r. square always 3 2 S 2 M 1 . 6M 4 R.-to-l. square always 3 2 S 2 M 1 . 6M 3 → 11 % speed-up over Montgomery ladder 1 algorithm unprotected towards the SPA 2 algorithm sensitive to S – M discrimination 3 possible sliding window optimization V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 39 / 64

  64. Implementation AT90SC chip @ 30MHz with AdvX arithmetic coprocessor: Algorithm Key len. (b) Code (B) RAM (B) Timing (ms) 512 360 128 30 Mont. ladder 1024 360 256 200 2048 360 512 1840 512 510 192 28 Square Always 1024 510 384 190 2048 510 768 1740 → 5 % practical speed-up obtained in practice V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 40 / 64

  65. Parallelization Motivation: ◮ Many devices are equipped with multi-core processors ◮ Parallelized Montgomery ladder : 1 M / bit ◮ Squarings are independent in equations (1) and (2) V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 41 / 64

  66. Parallelization Motivation: ◮ Many devices are equipped with multi-core processors ◮ Parallelized Montgomery ladder : 1 M / bit ◮ Squarings are independent in equations (1) and (2) We study how to optimize square always algorithms if two parallel squarings are available using space/time trade-offs. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 41 / 64

  67. Cost Summary We demonstrate that the cost of our parallelized algorithm using λ extra registers tends to: � � 1 1 + S 4 λ + 2 Algorithm General cost S / M = 1 S / M = 0 . 8 Parallel Montgomery ladder 1 M 1 M 1 M Parallel square always λ = 1 7 S / 6 1 . 17 M 0 . 93M Parallel square always λ = 2 11 S / 10 1 . 10 M 0 . 88M Parallel square always λ = 3 15 S / 14 1 . 07 M 0 . 86M . . . . . . . . . . . . Parallel square always λ → ∞ 0 . 8M 1 S 1 M V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 42 / 64

  68. Outline Introduction RSA and Elliptic Curve Cryptography Scalar Multiplication Implementation Side-Channel Analysis Improved Atomic Pattern for Scalar Multiplication Square Always Exponentiation Horizontal Correlation Analysis Long-Integer Multiplication Blinding and Shuffling Collision-Correlation Analysis on AES Conclusion V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 42 / 64

  69. Our Contribution ◮ New differential analysis on exponentiation using a single trace ◮ Any exponentiation algorithm can be subject to this attack ◮ Circumvent the exponent blinding countermeasure ◮ Require the knowledge of underlying modular multiplication implementation V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 43 / 64

  70. Modular Multiplication Implementation Schoolbook long-integer multiplication x × y in base b with x , y < b k Input: x = ( x k − 1 x k − 2 ... x 0 ) b , y = ( y k − 1 y k − 2 ... y 0 ) b Output: x × y Uses: w = ( w 2 k − 1 w 2 k − 2 ... w 0 ) 1: w ← ( 00 ... 0 ) 2: for i = 0 to k − 1 do 3: c ← 0 4: for j = 0 to k − 1 do ( uv ) b ← w i + j + x i × y j + c 5: w i + j ← v 6: c ← u 7: 8: w i + k ← c 9: return w V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 44 / 64

  71. Modular Multiplication Implementation Rows and columns x k − 1 . . . x 2 x 1 x 0 × y k − 1 . . . y 2 y 1 y 0 + x 0 y k − 1 . . . x 0 y 2 x 0 y 1 x 0 y 0 + x 1 y k − 1 x 1 y k − 2 . . . x 1 y 1 x 1 y 0 + x 2 y k − 1 x 2 y k − 2 x 2 y k − 3 . . . x 2 y 0 . ... . . + x k − 2 y k − 1 . . . x k − 2 y 2 x k − 2 y 1 x k − 2 y 0 + x k − 1 y k − 1 x k − 1 y k − 2 . . . x k − 1 y 1 x k − 1 y 0 w 2 k − 1 w 2 k − 2 w 2 k − 3 . . . w 2 w 1 w 0 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 45 / 64

  72. Horizontal Correlation Analysis Vertical: Horizontal: . . . . . . . . . . . . . . . . . . . . . • Uses k 2 segments from a single • Uses N segments from different traces. trace. V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 46 / 64

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago &amp; energy (gas

1.07k views • 76 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views • 18 slides
Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven 22 April 2008 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

491 views • 32 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March 21 st , 2016 1/13 A Brief Introduction to Elliptic Curve Cryptography Elliptic Curve 2/13 A

385 views • 13 slides
Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve

456 views • 18 slides
Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S.

Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S.

Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S. Miller IDA Center for Communications Research Princeton, NJ 08540 USA 24 May, 2007 Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May,

1.08k views • 69 slides
Bitcoin II &amp; Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II &amp; Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II &amp; Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview Bitcoin Transactions Elliptic Curve Cryptography Introduction Arithmetics Signature Bitcoin, the protocol A blockchain Each

992 views • 52 slides
Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May 19, 2017 university-logo-isi Rana Barua Introduction to Elliptic Curve Cryptography ElGamal Public Key Cryptosystem, 1984 Key Generation: Choose

417 views • 16 slides
elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 11, 2018 ibenik , Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4:

1.38k views • 48 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 2, Oct. 27, 2010 Cryptography Oct. 27, 2010 KTH DD2395 Sonja Buchegger 1 Questionnaire Results Prior

602 views • 42 slides
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/DD2395/dasak10/ Spring 2010 Sonja Buchegger buc@kth.se Lecture 2, Jan. 20, 2010 Cryptography Scope of Computer Security Jan. 20, 2010 KTH DD2395 Sonja Buchegger 2

469 views • 45 slides
Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory

Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory

Embedding Crypto in SoCs: Threats and Protections Arnaud Tisserand CNRS, Lab-STICC laboratory GDR SoC17, Bordeaux Summary Introduction &amp; Cryptographic Background Side Channel Attacks Fault Injection Attacks Protections

1.87k views • 166 slides
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem CRT-RSA CRT-RSA having Low Hamming

403 views • 25 slides
Information Systems Security Dr. Ayman Abdel-Hamid College of Computing and Information

Information Systems Security Dr. Ayman Abdel-Hamid College of Computing and Information

Information Systems Security Dr. Ayman Abdel-Hamid College of Computing and Information Technology Arab Academy for Science &amp; Technology and Maritime Transport Chapter 9 Public-Key Cryptography and RSA ISS Dr. Ayman Abdel-Hamid 1

5.21k views • 19 slides
Encrypting Communication Review Extended Euclids Algorithm Extended Euclids Algorithm :

Encrypting Communication Review Extended Euclids Algorithm Extended Euclids Algorithm :

Encrypting Communication Review Extended Euclids Algorithm Extended Euclids Algorithm : If b = 0, then egcd( a , 0 ) = ( a , 1 , 0 ) . Z / m Z = { 0 , 1 ,..., m 1 } with operations of addition and multiplication modulo m .

506 views • 4 slides
Device Independent Quantum Key Distribution using Three-Party Pseudo-Telepathy Jyotirmoy Basak,

Device Independent Quantum Key Distribution using Three-Party Pseudo-Telepathy Jyotirmoy Basak,

Device Independent Quantum Key Distribution using Three-Party Pseudo-Telepathy Jyotirmoy Basak, Arpita Maitra and Subhamoy Maitra Indian Statistical Institute &amp; C R Rao AIMSCS December 18, 2019 Device Independent Quantum Key Distribution

536 views • 28 slides
The RSA Cryptosystem February 27, 2008 Introducing PS4: RSA encryption Problem set 4 is about

The RSA Cryptosystem February 27, 2008 Introducing PS4: RSA encryption Problem set 4 is about

The RSA Cryptosystem February 27, 2008 Introducing PS4: RSA encryption Problem set 4 is about implementing a famous public key cryptosystem, RSA. Administrative Details: Posted by tomorrow. Due Friday March 7, at Noon. My office hours will be

610 views • 23 slides

More recommend