hig igh performance and lo low power applications
play

hig igh-performance and lo low-power applications Real World - PowerPoint PPT Presentation

Jun 09, 2023 •257 likes •861 views

Four -based cryptography for hig igh-performance and lo low-power applications Real World Cryptography Conference 2017 January 4-6, New York, USA Patrick Longa Microsoft Research Next-generation elliptic curves New IETF Standards

  1. Four ℚ -based cryptography for hig igh-performance and lo low-power applications Real World Cryptography Conference 2017 January 4-6, New York, USA Patrick Longa Microsoft Research

  2. Next-generation elliptic curves New IETF Standards • The Crypto Forum Research Group (CFRG) selected two elliptic curves: Bernstein’s Curve25519 and Hamburg’s Ed448 -Goldilocks • RFC 7748: “Elliptic Curves for Security” (published on January 2016) • Curve details; generation • DH key exchange for both curves • Ongoing work: signature scheme • draft-irtf-cfrg-eddsa- 08, “Edwards -curve Digital Signature Algorithm (EdDSA )” 1/23

  3. Next-generation elliptic curves Farrel-Moriarity-Melkinov-Paterson [NIST ECC Workshop 2015]: “… the real motivation for work in CFRG is the better performance and side - channel resistance of new curves developed by academic cryptographers over the last decade.” Plus some additional requirements such as: • Rigidity in curve generation process. • Support for existing cryptographic algorithms. 2/23

  4. Next-generation elliptic curves Farrel-Moriarity-Melkinov-Paterson [NIST ECC Workshop 2015]: “… the real motivation for work in CFRG is the better performance and side - channel resistance of new curves developed by academic cryptographers over the last decade.” Plus some additional requirements such as: • Rigidity in curve generation process. • Support for existing cryptographic algorithms. 2/23

  5. State-of-the-art ECC: Four ℚ [Costello-L, ASIACRYPT 2015] • CM endomorphism [GLV01] and Frobenius ( ℚ -curve) endomorphism [GLS09, Smi16, GI13] Four ℚ • Edwards form [Edw07] using efficient Edwards coordinates [BBJ+08, HCW+08] • Arithmetic over the Mersenne prime 𝑞 = 2 127 − 1 Features: • Support for secure implementations and top performance. • Uniqueness: only curve at the 128-bit security level with properties above. 3/23

  6. State-of-the-art ECC: Four ℚ [Costello-L, ASIACRYPT 2015] • CM endomorphism [GLV01] and Frobenius ( ℚ -curve) endomorphism [GLS09, Smi16, GI13] Four ℚ • Edwards form [Edw07] using efficient Edwards coordinates [BBJ+08, HCW+08] • Arithmetic over the Mersenne prime 𝑞 = 2 127 − 1 Features: • Support for secure implementations and top performance. • Uniqueness: only curve at the 128-bit security level with properties above. 3/23

  7. State-of-the-art ECC: Four ℚ [Costello-L, ASIACRYPT 2015] Speed (in thousands of cycles) to compute variable-base scalar multiplication on different computer classes. Four ℚ Platform Curve25519 Speedup ratio Intel Haswell processor, desktop class 56 162 2.9x ARM Cortex-A15, smartphone class 132 315 2.4x ARM Cortex-M4, microcontroller class 531 1,424 2.7x 4/23

  8. State-of-the-art ECC: Four ℚ [Costello-L, ASIACRYPT 2015] Speed (in thousands of cycles) to compute variable-base scalar multiplication on different computer classes. Four ℚ Platform Curve25519 Speedup ratio Intel Haswell processor, desktop class 56 162 2.9x ARM Cortex-A15, smartphone class 132 315 2.4x ARM Cortex-M4, microcontroller class 531 1,424 2.7x 4/23

  9. State-of-the-art ECC: Four ℚ [Costello-L, ASIACRYPT 2015] 𝐹/𝔾 𝑞 2 : −𝑦 2 + 𝑧 2 = 1 + 𝑒𝑦 2 𝑧 2 𝑒 = 125317048443780598345676279555970305165𝑗 + 4205857648805777768770 , 𝑞 = 2 127 − 1, 𝑗 2 = −1 , #𝐹 = 392 ∙ 𝑂 , where 𝑂 is a 246 -bit prime. 5/23

  10. State-of-the-art ECC: Four ℚ (Costello-L, ASIACRYPT 2015) 𝐹/𝔾 𝑞 2 : −𝑦 2 + 𝑧 2 = 1 + 𝑒𝑦 2 𝑧 2 𝑒 = 125317048443780598345676279555970305165𝑗 + 4205857648805777768770 , 𝑞 = 2 127 − 1, 𝑗 2 = −1 , #𝐹 = 392 ∙ 𝑂 , where 𝑂 is a 246 -bit prime. • Fastest (large char) ECC addition laws are complete on 𝐹 • 𝐹 is equipped with two endomorphisms: • 𝐹 is a degree-2 ℚ -curve: endomorphism 𝜔 • 𝐹 has CM by order of 𝐸 = −40 : endomorphism 𝜚 5/23

  11. State-of-the-art ECC: Four ℚ (Costello-L, ASIACRYPT 2015) 𝐹/𝔾 𝑞 2 : −𝑦 2 + 𝑧 2 = 1 + 𝑒𝑦 2 𝑧 2 𝑒 = 125317048443780598345676279555970305165𝑗 + 4205857648805777768770 , 𝑞 = 2 127 − 1, 𝑗 2 = −1 , #𝐹 = 392 ∙ 𝑂 , where 𝑂 is a 246 -bit prime. • Fastest (large char) ECC addition laws are complete on 𝐹 • 𝐹 is equipped with two endomorphisms: • 𝐹 is a degree-2 ℚ -curve: endomorphism 𝜔 • 𝐹 has CM by order of 𝐸 = −40 : endomorphism 𝜚 • 𝜔 𝑄 = 𝜇 𝜔 𝑄 and 𝜚 𝑄 = 𝜇 𝜚 𝑄 for all 𝑄 ∈ 𝐹[𝑂] and 𝑛 ∈ [0, 2 256 ) 𝑛 ↦ 𝑏 1 , 𝑏 2 , 𝑏 3 , 𝑏 4 𝑛 𝑄 = 𝑏 1 𝑄 + 𝑏 2 𝜚 𝑄 + 𝑏 3 𝜔 𝑄 + 𝑏 4 𝜔(𝜚 𝑄 ) 5/23

  12. Optimal 4-Way Scalar Decompositions 𝑛 ↦ 𝑏 1 , 𝑏 2 , 𝑏 3 , 𝑏 4 2 256 , decomposition yields four 𝑏 𝑗 ∈ [0, 2 64 with 𝑏 1 odd. ۧ Proposition: for all 𝑛 ∈ [0, ൿ 𝑛 = 42453556751700041597675664513313229052985088397396902723728803518727612539248 𝑏 1 = 13045455764875651153 𝑄 𝜚 𝑄 𝑏 2 = 9751504369311420685 𝜔 𝑄 𝑏 3 = 5603607414148260372 𝜔 𝜚 𝑄 𝑏 4 = 8360175734463666813 6/23

  13. Optimal 4-Way Scalar Decompositions 𝑛 ↦ 𝑏 1 , 𝑏 2 , 𝑏 3 , 𝑏 4 2 256 , decomposition yields four 𝑏 𝑗 ∈ [0, 2 64 with 𝑏 1 odd. ۧ Proposition: for all 𝑛 ∈ [0, ൿ 𝑛 = 42453556751700041597675664513313229052985088397396902723728803518727612539248 𝑏 1 = 13045455764875651153 𝑄 𝜚 𝑄 𝑏 2 = 9751504369311420685 𝜔 𝑄 𝑏 3 = 5603607414148260372 𝜔 𝜚 𝑄 𝑏 4 = 8360175734463666813 6/23

  14. Multi-Scalar Recoding Step 1: recode 𝑏 1 to signed non-zero representation Step 2: recode 𝑏 2 , 𝑏 3 and 𝑏 4 by “sign - aligning” columns 𝑏 1 = 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1 𝑏 2 = 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1 𝑏 3 = 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0 𝑏 4 = 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1 𝑏 1 = 1, ത 1, 1, ത 1, 1, 1, ത 1, 1, ത 1, 1, ത 1, ത 1, ത 1, ത 1, 1, ത 1, 1, ത 1, 1, 1, ത 1, ത 1, ത 1, 1, ത 1, ത 1, 1, 1, 1, ത 1, ത 1, 1, 1, ത 1, ത 1, 1, 1, 1, 1, 1, 1, ത 1, ത 1, 1, 1, 1, 1, 1, ത 1, ത 1, ത 1, ത 1, 1, ത 1, 1, ത 1, ത 1, ത 1, ത 1, 1, ത 1, 1, ത 1, ത 1, ത 1 𝑏 2 = 1, ത 1, 0, 0, 0, 1, 0, 0, ത 1, 1, 0, ത 1, ത 1, 0, 1, 0, 0, 0, 1, 1, ത 1, 0, ത 1, 1, 0, ത 1, 0, 0, 1, 0, ത 1, 1, 1, 0, ത 1, 1, 0, 0, 1, 1, 1, ത 1, ത 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1, ത 1, ത 1, 0, 0, 1, ത 1, 0, 0, ത 1, ത 1 𝑏 3 = 0, 0, 1, 0, 1, 0, ത 1, 1, 0, 0, ത 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, ത 1, ത 1, ത 1, 0, ത 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, ത 1, 0, ത 1, 0, 0, 1, ത 1, 0, 0, 0, 1, ത 1, 1, ത 1, 0, 0 𝑏 4 = 1, ത 1, 0, ത 1, 1, 1, ത 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, ത 1, 0, 0, 0, 0, ത 1, 0, 0, 1, ത 1, 0, 1, 0, ത 1, ത 1, 0, 1, 0, 0, 0, 1, ത 1, 0, 0, 0, 1, 1, 1, ത 1, ത 1, ത 1, ത 1, 0, ത 1, 1, 0, ത 1, ത 1, 0, 0, 0, 0, 0, ത 1, ത 1 7/23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power

Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power

Introduction Arithmetic in GF ( 2 m ) Summary - results, comments, future prospects Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power consumption - security tradeoffs Danuta Pamua 17th December 2012

695 views • 32 slides
Energy-performance tradeoffs for HPC applications on low power processors E. Calore 1 . Schifano 1

Energy-performance tradeoffs for HPC applications on low power processors E. Calore 1 . Schifano 1

Energy-performance tradeoffs for HPC applications on low power processors E. Calore 1 . Schifano 1 R. Tripiccione 1 S. F 1 INFN Ferrara and Universit degli Studi di Ferrara, Italy UnConventional High Performance Computing 2015 Euro-Par

481 views • 47 slides
Analyzing Performance of QtQuick Applications Thomas McGuire KDAB thomas@kdab.com Performance:

Analyzing Performance of QtQuick Applications Thomas McGuire KDAB thomas@kdab.com Performance:

Analyzing Performance of QtQuick Applications Thomas McGuire KDAB thomas@kdab.com Performance: Multiple Aspects Startup Duration Smooth Rendering / Frames per Second Responsiveness Boot Duration Power Usage Memory Usage

546 views • 39 slides
Power/Performance Issues on Interconnection Network (IN) Is interconnect power problem?

Power/Performance Issues on Interconnection Network (IN) Is interconnect power problem?

NsimPower: Interconnect Simulator for Power and Performance Prediction Koji Inoue Kyushu University, Japan 1 Power/Performance Issues on Interconnection Network (IN) Is interconnect power problem? Roughly 10 to 30 % of

381 views • 10 slides
Performance Questions How to characterize the performance of applications and systems?

Performance Questions How to characterize the performance of applications and systems?

Performance Questions How to characterize the performance of applications and systems? Users requirements in performance and cost? How about performance measurement? How will system perform when having more resources or How will

262 views • 15 slides
Si CMOS for RF Power Applications J. A. del Alamo MIT Workshop on Advanced Technologies for

Si CMOS for RF Power Applications J. A. del Alamo MIT Workshop on Advanced Technologies for

Si CMOS for RF Power Applications J. A. del Alamo MIT Workshop on Advanced Technologies for Next Generation of RFIC 2005 RFIC Symposium June 12, 2005 Sponsors: DARPA, IBM, SRC RF power applications Power vs. frequency GaAs HEMT 50 InP

699 views • 42 slides
LOW-POWER HIGH-PERFORMANCE ASYNCHRONOUS GENERAL PURPOSE ARMv7 PROCESSOR FOR MULTI-CORE

LOW-POWER HIGH-PERFORMANCE ASYNCHRONOUS GENERAL PURPOSE ARMv7 PROCESSOR FOR MULTI-CORE

LOW-POWER HIGH-PERFORMANCE ASYNCHRONOUS GENERAL PURPOSE ARMv7 PROCESSOR FOR MULTI-CORE APPLICATIONS 13 th International Forum on Embedded MPSoC and Multicore July 15-19 th 2013, Otsu, Japan Octasic Inc, Montral, Canada Michel Laurence

680 views • 52 slides
Analog Power Inc. Analog Power Target Markets & Applications Consumer Electronics

Analog Power Inc. Analog Power Target Markets & Applications Consumer Electronics

Analog Power Inc. Analog Power Target Markets & Applications Consumer Electronics Communication, PoE Notebook Computers Mobile Phone Handset Desktop/Servers HDDs, Data Storage Battery Packs & Chargers LCD

513 views • 16 slides
6/24/2013 WHAT IS THIS TALK ABOUT ? Study of power and energy profile of different

6/24/2013 WHAT IS THIS TALK ABOUT ? Study of power and energy profile of different

6/24/2013 WHAT IS THIS TALK ABOUT ? Study of power and energy profile of different optimization ANALYZING OPTIMIZATION techniques used in heterogeneous applications TECHNIQUES FOR POWER Evaluation of power/performance of such

97 views • 7 slides
Unparalleled Power Performance Confidential Information 1 Broadest Portfolio of Low Power

Unparalleled Power Performance Confidential Information 1 Broadest Portfolio of Low Power

Unparalleled Power Performance Confidential Information 1 Broadest Portfolio of Low Power Differentiated IP Unparalleled Power Performance Confidential Information 2 Corporate Background Focused on differentiated low power mixed-signal IP

125 views • 11 slides
Innovative Power Control for Ultra Low-Power and High- Ultra Low Power and High Performance

Innovative Power Control for Ultra Low-Power and High- Ultra Low Power and High Performance

Innovative Power Control for Ultra Low-Power and High- Ultra Low Power and High Performance System LSIs Hiroshi Nakamura (Univ. of Tokyo) Hideharu Amano (Keio Univ.) Masaaki Kondo (Univ. of Electro-Communications) Mitaro Namiki (Tokyo

369 views • 22 slides
Binding Performance and Power of Dense Linear Algebra Operations Maria Barreda, Manuel F. Dolz,

Binding Performance and Power of Dense Linear Algebra Operations Maria Barreda, Manuel F. Dolz,

10th IEEE International Symposium on Parallel and Distributed Processing with Applications Binding Performance and Power of Dense Linear Algebra Operations Maria Barreda, Manuel F. Dolz, Rafael Mayo, Enrique S. Quintana-Ort , Ruym an

522 views • 27 slides
Performance, Power CS301 Prof Szajda Performance Metrics (How do we compare two machines?)

Performance, Power CS301 Prof Szajda Performance Metrics (How do we compare two machines?)

Performance, Power CS301 Prof Szajda Performance Metrics (How do we compare two machines?) What to Measure? Which airplane has the best performance? 3 Performance One size does not fit all Depends on application domain

653 views • 36 slides
MRT9 Specifications Features Feat es Performance Performance Engine Power with

MRT9 Specifications Features Feat es Performance Performance Engine Power with

MRT9 Specifications Features Feat es Performance Performance Engine Power with 19mm restrictor Yamaha YZF-600R, 4 cylinder, 600cc 100 bhp at the flywheel Garrett GT-12 Turbocharger E-85 Bio-ethanol fuel

308 views • 4 slides
Decision Support for Solar Power Deployment: Geospatial Applications Green Power Labs: About Us

Decision Support for Solar Power Deployment: Geospatial Applications Green Power Labs: About Us

Decision Support for Solar Power Deployment: Geospatial Applications Green Power Labs: About Us Green Power Labs is a company of solar resource experts and solar engineers Founded in 2003; o ffi ces in Halifax (Canada), San Jose

207 views • 18 slides
POWER FACTOR CORRECTION POWER FACTOR CORRECTION Design considerations for optimizing performance

POWER FACTOR CORRECTION POWER FACTOR CORRECTION Design considerations for optimizing performance

POWER FACTOR CORRECTION POWER FACTOR CORRECTION Design considerations for optimizing performance & cost of continuous mode boost PFC circuits by Supratim Basu,Tore.M.Undeland All rectified ac sine wave voltages with capacitive filtering

447 views • 23 slides
Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P

Public Key Encryption Systems The encrypter and decrypter have different keys C = E(K E ,P) P = D(K D ,C) Often, works the other way, too Lecture 4 Page 1 CS 236 Online History of Public Key Cryptography Invented by Diffie and

618 views • 24 slides
DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 30 Announcements: Questions? This week: Digital signatures, DSA Coin flipping over the phone RSA Signatures allow you to recover the message from the signature; ElGamal signatures dont ElGamal Sig

410 views • 14 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g m m g ma g ma g n n g b b g nb g nb g ma g ma , g nb g nb Eike Ritter Cryptography 2014/15 106

417 views • 9 slides
Multivariate Cryptography Part 3: HFE (Hidden Field Equations) Albrecht Petzoldt PQCrypto Summer

Multivariate Cryptography Part 3: HFE (Hidden Field Equations) Albrecht Petzoldt PQCrypto Summer

Multivariate Cryptography Part 3: HFE (Hidden Field Equations) Albrecht Petzoldt PQCrypto Summer School 2017 Eindhoven, Netherlands Friday, 23.06.2017 A. Petzoldt Multivariate Cryptography PQCrypto Summer School 1 / 53 Reminder:

831 views • 55 slides
Cryptography: RSA and Factoring; Digital Signatures; Ssh Greg Plaxton Theory in Programming

Cryptography: RSA and Factoring; Digital Signatures; Ssh Greg Plaxton Theory in Programming

Cryptography: RSA and Factoring; Digital Signatures; Ssh Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin The Hardness of Breaking RSA One approach to breaking RSA is to

274 views • 15 slides
Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher

Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher

Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings Xiu Xu 3,4,5 Christopher Leonardi 1 Anzo Teh 1 David Jao 1,2 Kunpeng Wang 3,4,5 Wei Yu 3,4,5 Reza Azarderakhsh 6 [1] Department of Combinatorics and Optimization, University of

911 views • 72 slides
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical

Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set G with a binary operation defined

483 views • 29 slides
The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion University Credit for some slides: Melissa Chase and Picnic team Post-Quantum Cryptography Large-scale quantum computer could efficiently factor large

533 views • 34 slides

More recommend