high speed cryptography daniel j bernstein university of
play

High-speed cryptography Daniel J. Bernstein University of Illinois - PDF document

Jan 01, 2024 •905 likes •1.36k views

1 High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven with some slides from: Tanja Lange Technische Universiteit Eindhoven 2 Do we care about speed? Almost all software is

  1. 1 High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven with some slides from: Tanja Lange Technische Universiteit Eindhoven

  2. 2 Do we care about speed? Almost all software is much slower than it could be. Is software applied to much data? Usually not. Usually the wasted CPU time is negligible. But crypto software should be applied to all communication. Crypto that’s too slow ⇒ fewer users ⇒ fewer cryptanalysts ⇒ less attractive for everybody.

  3. 3 Implementors pursue speed e.g. Variable-length-big-integer arithmetic library inside OpenSSL consumes 50000 lines of code. Includes 38 asm implementations optimized for various CPUs.

  4. 3 Implementors pursue speed e.g. Variable-length-big-integer arithmetic library inside OpenSSL consumes 50000 lines of code. Includes 38 asm implementations optimized for various CPUs. e.g. ECDSA verification computes ( S − 1 H ( M )) B + ( S − 1 R ) A . OpenSSL has complicated code for fast computation of S − 1 . Much simpler code would make verification considerably slower.

  5. 4 Applications pursue speed e.g. Latest “DNSSEC operational practices” recommendation (2012) says “No one has broken a regular 1024-bit [RSA] key : : : it is estimated that most zones can safely use 1024-bit keys for at least the next ten years : : : Signing and verifying with a 2048- bit key takes longer than with a 1024-bit key : : : public operations (such as verification) are about four times slower.”

  6. 5 DNSSEC key sizes, 2016.11.28: 2048-bit DNSSEC master key controlled by U.S.

  7. � 5 DNSSEC key sizes, 2016.11.28: 2048-bit DNSSEC master key controlled by U.S. signature 2048-bit “zone-signing key”

  8. � � 5 DNSSEC key sizes, 2016.11.28: 2048-bit DNSSEC master key controlled by U.S. signature 2048-bit “zone-signing key” signature 2048-bit .org master key

  9. � � � 5 DNSSEC key sizes, 2016.11.28: 2048-bit DNSSEC master key controlled by U.S. signature 2048-bit “zone-signing key” signature 2048-bit .org master key signature 1024-bit “zone-signing key”

  10. � � � � 5 DNSSEC key sizes, 2016.11.28: 2048-bit DNSSEC master key controlled by U.S. signature 2048-bit “zone-signing key” signature 2048-bit .org master key signature 1024-bit “zone-signing key” signatures a few *.org sites

  11. 6 2011 Weimerskirch survey of security for car communication: “V2V safety applications will broadcast 10 messages per second, and a vehicle will receive 1,000 or more messages per second. There are two approaches available to process such a high amount of messages: (1) only messages that might impose an actual impact to a vehicle are processed, or (2) dedicated security hardware to process all messages is applied.”

  12. 7 2014 Ghoreishizadeh–Yalcin– Pullini–Micheli–Burleson–Carrara “A lightweight cryptographic system for implantable biosensors”: “This design uses the recently standardized SHA-3 Keccak secure hash function implemented in an authenticated encryption mode : : : By selecting the newly standardized Keccak scheme, we benefit from the large amount of analysis and testing performed during the standardization process. : : :

  13. 8 we have used the same number of rounds for all in order to guarantee the security claim of the Keccak proposal.

  14. 8 we have used the same number of rounds for all in order to guarantee the security claim of the Keccak proposal. However, instead of using the standard sizes for bitrate and capacity, we reduced the overall state size in order to achieve a compact implementation with a security level that would not have been possible at this cost with any other authenticated encryption scheme. The data block size and state size are selected as 4 and 100 bits, respectively.”

  15. 9 Standards pursue speed e.g. NIST’s final AES report: “Security was the most important factor in the evaluation : : : Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” (Emphasis added.) So why didn’t Serpent win?

  16. 9 Standards pursue speed e.g. NIST’s final AES report: “Security was the most important factor in the evaluation : : : Rijndael appears to offer an adequate security margin. : : : Serpent appears to offer a high security margin.” (Emphasis added.) So why didn’t Serpent win? Maybe side-channel security?

  17. 10 “The operations used by Serpent are among the easiest to defend against timing and power attacks.”

  18. 10 “The operations used by Serpent are among the easiest to defend against timing and power attacks.” Hardware speed: “Serpent is well suited to restricted-space environments : : : Fully pipelined implementations of Serpent offer the highest throughput of any of the finalists for non-feedback modes. : : : Efficiency is generally very good, and Serpent’s speed is independent of key size.”

  19. 10 “The operations used by Serpent are among the easiest to defend against timing and power attacks.” Hardware speed: “Serpent is well suited to restricted-space environments : : : Fully pipelined implementations of Serpent offer the highest throughput of any of the finalists for non-feedback modes. : : : Efficiency is generally very good, and Serpent’s speed is independent of key size.” Great! Why didn’t Serpent win?

  20. 11 Aha: Software speed!

  21. 11 Aha: Software speed! “Serpent is generally the slowest of the finalists in software speed for encryption and decryption. : : : Serpent provides consistently low-end performance.”

  22. 11 Aha: Software speed! “Serpent is generally the slowest of the finalists in software speed for encryption and decryption. : : : Serpent provides consistently low-end performance.” Conclusion: “NIST judged Rijndael to be the best overall algorithm for the AES. Rijndael appears to be consistently a very good performer in both hardware and software [and offers good key agility, low memory, easy defense, fast defense, flexibility, parallelism].”

  23. 12 Want fast and secure Bad examples: The pursuit of speed damages security. e.g. using 1024-bit RSA. e.g. using 100-bit “SHA-3”. e.g. skipping verification.

  24. 12 Want fast and secure Bad examples: The pursuit of speed damages security. e.g. using 1024-bit RSA. e.g. using 100-bit “SHA-3”. e.g. skipping verification. Good examples: Obtain better speed without damaging security. If security level was too low, scale up: better security for the same performance.

  25. 13 Success story: ECC. Extensive work on speed of ECC at a high security level ⇒ modern ECC is fast enough for practically all applications. Requires serious analysis and optimization of algorithms. Not just “polynomial time”; not just “quadratic time”.

  26. 13 Success story: ECC. Extensive work on speed of ECC at a high security level ⇒ modern ECC is fast enough for practically all applications. Requires serious analysis and optimization of algorithms. Not just “polynomial time”; not just “quadratic time”. RSA and Rabin–Williams are even faster for signature verification, but slower for keygen, signing, sending keys, sending sigs.

  27. 14 Some signature-system history 1985 ElGamal: F ∗ p signatures. 1990 Schnorr: ElGamal plus various improvements. Patented until 2008. 1991 DSA, announced by NIST, later credited to NSA: ElGamal with one Schnorr improvement. 1999 ECDSA: replacing F ∗ p in DSA with an elliptic-curve group. 2011 EdDSA (e.g., Ed25519): Schnorr plus more improvements.

  28. 15 ElGamal verification: ( R; S ) is signature of M if B H ( M ) ≡ A R R S (mod p ) and R; S ∈ { 0 ; 1 ; : : : ; p − 2 } . Here p is standard prime, B is standard base, A is signer’s public key, H ( M ) is hash of message. Secret key: random a . Public key: A = B a mod p . To sign M : generate random r , compute R = B r mod p , S = r − 1 ( H ( M ) − aR ) mod p − 1.

  29. 16 Hash the exponent Tweak: ( R; S ) is signature of M if B H ( M ) ≡ A H ( R ) R S (mod p ) and R; S ∈ { 0 ; 1 ; : : : ; p − 2 } . Signer: as before except S = r − 1 ( H ( M ) − aH ( R )) mod p − 1. Speed impact: negligible. Hashing R is very fast. Security impact: seems to be serious obstacle to any attack strategy that relies on choosing a particular A exponent.

  30. 17 Prime-order subgroup Choose B to have order q for standard prime divisor q of p − 1. e.g. take 3000-bit p , 256-bit q . Again verify B H ( M ) ≡ A H ( R ) R S . ECC: H ( M ) B = H ( R ) A + SR . Signer: same except now S = r − 1 ( H ( M ) − aH ( R )) mod q . Simpler security analysis. Speed advantage: Smaller S (when q is smaller than p − 1). Less time to transmit signature.

  31. 18 Two scalars Verify B H ( R ) − 1 H ( M ) = AR H ( R ) − 1 S . ECC: ( H ( R ) − 1 H ( M )) B = A + ( H ( R ) − 1 S ) R . Safe to assume that nobody will ever find H ( R ) divisible by q . No security loss: if B H ( R ) − 1 H ( M ) = AR H ( R ) − 1 S then B H ( M ) = A H ( R ) R S . Speed advantage: fewer scalars, outweighing cost of H ( R ) − 1 .

  32. 19 Precomputing quotient Notation: S = H ( R ) − 1 S . Send ( R; S ) instead of ( R; S ) as signature: i.e., S computed by signer instead of verifier. Verify B H ( R ) − 1 H ( M ) = AR S . ECC: ( H ( R ) − 1 H ( M )) B = A + SR . Signer computes S = r − 1 ( H ( R ) − 1 H ( M ) − a ) mod q .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is

1 2 High-speed cryptography Do we care about speed? Daniel J. Bernstein Almost all software is University of Illinois at Chicago & much slower than it could be. Technische Universiteit Eindhoven Is software applied to much data? with

1.17k views • 115 slides
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken

739 views • 44 slides
High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University

High-speed high-security cryptography on ARMs Daniel J. Bernstein Research Professor, University of Illinois at Chicago Professor, Cryptographic Implementations, Technische Universiteit Eindhoven Tanja Lange Professor, Coding and Cryptology,

288 views • 17 slides
High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working

High-speed cryptography, Cryptographers part 3: more cryptosystems Working systems Daniel J. Bernstein Cryptanalytic University of Illinois at Chicago & algorithm designers Technische Universiteit Eindhoven Unbroken

1.49k views • 145 slides
High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago,

High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago,

High-speed cryptography for mobile devices D. J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven Picture credits: geeky-gadgets.com ; Star Trek The Internet of Things Andrew Myers, Stanford Report, 2011.02.11:

543 views • 36 slides
High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce

High-speed cryptography, Crypto performance problems part 1: often lead users to reduce elliptic-curve formulas cryptographic security levels or give up on cryptography. Daniel J. Bernstein University of Illinois at Chicago & Example 1

1.55k views • 138 slides
High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363

High-speed cryptography, Speed-oriented Jacobian standards part 2: 2000 IEEE Std 1363 more elliptic-curve formulas; uses Weierstrass curves field arithmetic in Jacobian coordinates Daniel J. Bernstein to provide the fastest

2.15k views • 187 slides
High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes

924 views • 61 slides
High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing

High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes an SMTP connection, sends

617 views • 40 slides
Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago; Ruhr University Bochum & Technische Universiteit Eindhoven 12 September 2020 Cryptography Sender Receiver Alice Bob Tsai

760 views • 48 slides
Speed, speed, speed $1000 TCR hashing competition D. J. Bernstein Crowley: I have a problem

Speed, speed, speed $1000 TCR hashing competition D. J. Bernstein Crowley: I have a problem

1 2 Speed, speed, speed $1000 TCR hashing competition D. J. Bernstein Crowley: I have a problem where I need to make some University of Illinois at Chicago; cryptography faster, and Im Ruhr University Bochum setting up a $1000

573 views • 55 slides
Cryptography worst practices Daniel J. Bernstein University of Illinois at Chicago

Cryptography worst practices Daniel J. Bernstein University of Illinois at Chicago

Cryptography worst practices Daniel J. Bernstein University of Illinois at Chicago http://cr.yp.to/talks.html #2012.03.08-1 Alice and Bob are communicating. Eve is eavesdropping. What cryptography promises to Alice and Bob: Confidentiality

1.12k views • 108 slides
Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago

Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago & Ruhr University Bochum & Technische Universiteit Eindhoven 10 June 2019 Cryptography Motivation #1: Communication channels are spying

1.17k views • 91 slides
The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many contributors libpqcrypto.org Daniel J. Bernstein Context libpqcrypto.org Daniel J. Bernstein Redesigning crypto for security New requirements for

541 views • 51 slides
Post-quantum cryptography Daniel J. Bernstein University of Illinois at Chicago; Ruhr University

Post-quantum cryptography Daniel J. Bernstein University of Illinois at Chicago; Ruhr University

Post-quantum cryptography Daniel J. Bernstein University of Illinois at Chicago; Ruhr University Bochum Wikipedia: Hoover became a controversial figure as evidence of his secretive abuses of power began to surface. He was found to have

1.21k views • 103 slides
High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J.

High-speed high-security cryptography: encrypting and authenticating the whole Internet D. J. Bernstein University of Illinois at Chicago wget -m -k -I / \ secspider.cs.ucla.edu cd secspider.cs.ucla.edu awk /GREEN.*GREEN.*GREEN.*Yes/

1.48k views • 94 slides
Zone based verification of timed automata revisited B. Srivathsan Joint work with F. Herbreteau

Zone based verification of timed automata revisited B. Srivathsan Joint work with F. Herbreteau

Zone based verification of timed automata revisited B. Srivathsan Joint work with F. Herbreteau and I. Walukiewicz LaBRI, Universit e de Bordeaux 1 Groupe de Travail Mod elisation et V erification LIF, Marseille - November 2011 Zone

1.51k views • 127 slides
The 3rd Strangeness Workshop Warsaw 22-23 April 2016 Two identical pions correlations at small

The 3rd Strangeness Workshop Warsaw 22-23 April 2016 Two identical pions correlations at small

The 3rd Strangeness Workshop Warsaw 22-23 April 2016 Two identical pions correlations at small relative momenta in Two identical pions correlations at small relative momenta in collisions of Al+Al and Ni+Ni at 1.9A GeV collisions of Al+Al and

325 views • 16 slides
From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gatan Leurent Thomas

From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gatan Leurent Thomas

Introduction SHA-1 Cryptanalysis New chosen-prefjx collision techniques Conclusion From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gatan Leurent Thomas Peyrin Inria, France NTU, Singapour Eurocrypt 2019 Gatan

935 views • 37 slides
Cha pte r 15: Phe no me na he re a c tio n A(a q ) + B(a q ) C(a q ) wa s studie d a t two

Cha pte r 15: Phe no me na he re a c tio n A(a q ) + B(a q ) C(a q ) wa s studie d a t two

Cha pte r 15: Phe no me na he re a c tio n A(a q ) + B(a q ) C(a q ) wa s studie d a t two diffe re nt Phe no me na : T te mpe ra ture s (298 K a nd 350 K ). F o r e a c h te mpe ra ture the re a c tio n wa s sta rte d b y putting

450 views • 40 slides
A Trusted System DANIEL THORPE CETABC - MAY 2016 The mind is for having ideas, not for holding

A Trusted System DANIEL THORPE CETABC - MAY 2016 The mind is for having ideas, not for holding

GTD ONE A Trusted System DANIEL THORPE CETABC - MAY 2016 The mind is for having ideas, not for holding them. DAVID ALLEN: GETTING THINGS DONE Building A Trusted System Write Everything Down You need five To Do lists: Inbox

500 views • 27 slides
Extraction of tiled top-down irregular pyramids from large images Romain Goffe 1 Guillaume Damiand

Extraction of tiled top-down irregular pyramids from large images Romain Goffe 1 Guillaume Damiand

Extraction of tiled top-down irregular pyramids from large images Romain Goffe 1 Guillaume Damiand 2 Luc Brun 3 1 SIC-XLIM, Universit e de Poitiers, CNRS, UMR6172, B atiment SP2MI, F-86962, Futuroscope Chasseneuil, France 2 LIRIS,

792 views • 29 slides
Week 06 Lectures 1/102 Recap on Implementing Selection Selection = select * from R where C yields

Week 06 Lectures 1/102 Recap on Implementing Selection Selection = select * from R where C yields

Week 06 Lectures 30/8/18, 10(32 pm Week 06 Lectures 1/102 Recap on Implementing Selection Selection = select * from R where C yields a subset of R tuples satisfying condition C a very important (frequent) operation in relational databases

643 views • 32 slides
EE 721: Types and Functions in VHDL September 9, 2009 1 Overview VHDL views the system being

EE 721: Types and Functions in VHDL September 9, 2009 1 Overview VHDL views the system being

EE 721: Types and Functions in VHDL September 9, 2009 1 Overview VHDL views the system being described as a network of signals and drivers. The signals carry values and the drivers use existing signal values to compute new values for signals.

551 views • 6 slides

More recommend