
High-speed cryptography Do we care about speed? Daniel J. Bernstein - PowerPoint PPT Presentation

High-speed cryptography: Do we care about speed?
Daniel J. Bernstein, University of Illinois at Chicago & Technische Universiteit Eindhoven

Almost all software is much slower than it could be.
Is software applied to much data? with


Applications pursue speed

e.g. Latest "DNSSEC operational practices" recommendation (2012) says: "No one has broken a regular 1024-bit [RSA] key ... it is estimated that most zones can safely use 1024-bit keys for at least the next ten years ... Signing and verifying with a 2048-bit key takes longer than with a 1024-bit key ... public operations (such as verification) are about four times slower."

DNSSEC key sizes, 2016.11.28 (figure):
2048-bit DNSSEC master key controlled by U.S.
  -> signature -> 2048-bit "zone-signing key"
  -> signature -> 2048-bit .org master key
  -> signature -> 1024-bit "zone-signing key"
  -> signatures -> a few *.org sites

Every signature below the 1024-bit zone-signing key in that chain is only as strong as that 1024-bit key, whatever the size of the keys above it.
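The "about four times slower" figure quoted above follows from how RSA public operations scale: the exponent e = 65537 fixes the number of modular multiplications at 17, and each schoolbook multiplication or reduction costs roughly four times more when the modulus doubles in size. The microbenchmark below is an added example, not part of the slides. It constructs moduli as products of two random odd numbers (not real RSA keys; the cost of s^e mod n depends only on the size of n and of e) and uses Python's built-in big integers, so the absolute numbers are far slower than a DNSSEC resolver's optimized code; only the ratio is the point.

```python
"""Microbenchmark: cost of an RSA public operation s^e mod n at 1024 vs 2048 bits.

Added example, not from the slides. The moduli are constructed (products of two
random odd numbers of the right size), not real RSA keys; they only need to be
the right size for the cost of the public operation to be representative.
"""
import random
import time

E = 65537  # the usual public exponent: 16 squarings + 1 multiplication


def make_modulus(bits: int, rng: random.Random) -> int:
    """Product of two random odd (bits/2)-bit numbers; about `bits` bits long."""
    half = bits // 2
    a = rng.getrandbits(half) | (1 << (half - 1)) | 1
    b = rng.getrandbits(half) | (1 << (half - 1)) | 1
    return a * b


def public_op_seconds(n: int, iterations: int = 300, repeats: int = 3) -> float:
    """Best-of-`repeats` average wall-clock time of one s^E mod n, random s < n."""
    rng = random.Random(0)
    samples = [rng.randrange(2, n) for _ in range(iterations)]
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        for s in samples:
            pow(s, E, n)
        best = min(best, (time.perf_counter() - start) / iterations)
    return best


def compare(bits_small: int = 1024, bits_large: int = 2048) -> dict:
    """Time the public operation for a small and a large modulus; return the slowdown."""
    rng = random.Random(20161128)  # fixed seed so the constructed moduli are reproducible
    n_small = make_modulus(bits_small, rng)
    n_large = make_modulus(bits_large, rng)
    t_small = public_op_seconds(n_small)
    t_large = public_op_seconds(n_large)
    return {
        "bits": (n_small.bit_length(), n_large.bit_length()),
        "us_per_op": (t_small * 1e6, t_large * 1e6),
        "slowdown": t_large / t_small,
    }


if __name__ == "__main__":
    result = compare()
    print("modulus sizes:   %d vs %d bits" % result["bits"])
    print("public op cost:  %.1f us vs %.1f us" % result["us_per_op"])
    print("slowdown factor: %.2f" % result["slowdown"])
```

The slowdown lands near 4 on CPython because 1024- and 2048-bit operands both stay below its Karatsuba threshold, so multiplication and reduction cost grows quadratically with modulus size while the multiplication count stays at 17. That cost is the pressure the slides are describing; the rest of the talk argues that the answer is a faster algorithm at a higher security level rather than a smaller key.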

2011 Weimerskirch survey of security for car communication: "V2V safety applications will broadcast 10 messages per second, and a vehicle will receive 1,000 or more messages per second. There are two approaches available to process such a high amount of messages: (1) only messages that might impose an actual impact to a vehicle are processed, or (2) dedicated security hardware to process all messages is applied."

2014 Ghoreishizadeh–Yalcin–Pullini–Micheli–Burleson–Carrara, "A lightweight cryptographic system for implantable biosensors": "This design uses the recently standardized SHA-3 Keccak secure hash function implemented in an authenticated encryption mode ... By selecting the newly standardized Keccak scheme, we benefit from the large amount of analysis and testing performed during the standardization process. ... we have used the same number of rounds for all in order to guarantee the security claim of the Keccak proposal. However, instead of using the standard sizes for bitrate and capacity, we reduced the overall state size in order to achieve a compact implementation with a security level that would not have been possible at this cost with any other authenticated encryption scheme. The data block size and state size are selected as 4 and 100 bits, respectively."

Standards pursue speed

e.g. NIST's final AES report: "Security was the most important factor in the evaluation ... Rijndael appears to offer an adequate security margin. ... Serpent appears to offer a high security margin." (Emphasis added.)

So why didn't Serpent win? Maybe side-channel security?

"The operations used by Serpent are among the easiest to defend against timing and power attacks."

Hardware speed: "Serpent is well suited to restricted-space environments ... Fully pipelined implementations of Serpent offer the highest throughput of any of the finalists for non-feedback modes. ... Efficiency is generally very good, and Serpent's speed is independent of key size."

Great! Why didn't Serpent win?

Aha: Software speed! "Serpent is generally the slowest of the finalists in software speed for encryption and decryption. ... Serpent provides consistently low-end performance."

Conclusion: "NIST judged Rijndael to be the best overall algorithm for the AES. Rijndael appears to be consistently a very good performer in both hardware and software [and offers good key agility, low memory, easy defense, fast defense, flexibility, parallelism]."

Want fast and secure

Bad examples: The pursuit of speed damages security.
e.g. using 1024-bit RSA.
e.g. using 100-bit "SHA-3".
e.g. skipping verification.

Good examples: Obtain better speed without damaging security. If security level was too low, scale up: better security for the same performance.

Success story: ECC

Extensive work on speed of ECC at a high security level ⇒ modern ECC is fast enough for practically all applications.

Requires serious analysis and optimization of algorithms. Not just "polynomial time"; not just "quadratic time".

RSA and Rabin–Williams are even faster for signature verification, but slower for keygen, signing, sending keys, sending sigs.

  14. Some signature-system history. 1985 ElGamal: $\mathbb{F}_p^*$ signatures. 1990 Schnorr: ElGamal plus various improvements; patented until 2008. 1991 DSA, announced by NIST, later credited to NSA: ElGamal with one Schnorr improvement. 1999 ECDSA: replacing $\mathbb{F}_p^*$ in DSA with an elliptic-curve group. 2011 EdDSA (e.g., Ed25519): Schnorr plus more improvements.

  15. ElGamal verification. $(R, S)$ is a signature of $M$ if $B^{H(M)} \equiv A^R R^S \pmod p$ and $R, S \in \{0, 1, \ldots, p-2\}$. Here $p$ is a standard prime, $B$ is a standard base, $A$ is the signer's public key, $H(M)$ is the hash of the message. Secret key: random $a$. Public key: $A = B^a \bmod p$. To sign $M$: generate random $r$, compute $R = B^r \bmod p$, $S = r^{-1}(H(M) - aR) \bmod (p-1)$.

  16. Hash the exponent. Tweak: $(R, S)$ is a signature of $M$ if $B^{H(M)} \equiv A^{H(R)} R^S \pmod p$ and $R, S \in \{0, 1, \ldots, p-2\}$. Signer: as before except $S = r^{-1}(H(M) - aH(R)) \bmod (p-1)$. Speed impact: negligible; hashing $R$ is very fast. Security impact: seems to be a serious obstacle to any attack strategy that relies on choosing a particular $A$ exponent.

  17. Prime-order subgroup. Choose $B$ to have order $q$ for a standard prime divisor $q$ of $p-1$; e.g. take 3000-bit $p$, 256-bit $q$. Again verify $B^{H(M)} \equiv A^{H(R)} R^S$. ECC: $H(M)B = H(R)A + SR$. Signer: same except now $S = r^{-1}(H(M) - aH(R)) \bmod q$. Simpler security analysis. Speed advantage: smaller $S$ (when $q$ is smaller than $p-1$), so less time to transmit the signature.

  18. Two scalars. Verify $B^{H(R)^{-1}H(M)} = A\,R^{H(R)^{-1}S}$, with the inverse of $H(R)$ taken mod $q$. ECC: $(H(R)^{-1}H(M))B = A + (H(R)^{-1}S)R$. Safe to assume that nobody will ever find $H(R)$ divisible by $q$. No security loss: if $B^{H(R)^{-1}H(M)} = A\,R^{H(R)^{-1}S}$ then, raising both sides to the power $H(R)$, $B^{H(M)} = A^{H(R)} R^S$. Speed advantage: fewer scalars (two scalar multiplications instead of three, since $A$ now has coefficient 1), outweighing the cost of computing $H(R)^{-1}$.

  19. Precomputing quotient. Notation: $\bar S = H(R)^{-1}S$. Send $(R, \bar S)$ instead of $(R, S)$ as the signature: i.e., $\bar S$ is computed by the signer instead of the verifier. Verify $B^{H(R)^{-1}H(M)} = A\,R^{\bar S}$. ECC: $(H(R)^{-1}H(M))B = A + \bar S R$. Signer computes $\bar S = r^{-1}(H(R)^{-1}H(M) - a) \bmod q$. From now on: rename $\bar S$ as $S$.
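The four signature variants of slides 15 to 19 in working Python, as an added example: this is not code from the slides, and the function names, the DSA-style parameter generation and the toy 512-bit/160-bit sizes are my choices. One simplification is assumed: every variant shares a single base $B$ of prime order $q$ (the slide-17 setting), so the slide-15 and slide-16 variants, which reduce $S$ modulo $p-1$, run in that subgroup rather than with a generator of all of $\mathbb{F}_p^*$; the verification equations are the ones on the slides and do not depend on this. $H$ is SHA-256 read as an integer.

```python
"""Signature variants of slides 15 to 19 over F_p^* (added example, not slide code).

Assumption, not on the slides: every variant shares one group (p, q, B) with
B of prime order q, generated DSA-style at toy sizes (512-bit p, 160-bit q;
slide 17 suggests 3000/256).  Original ElGamal uses a generator of all of
F_p^*, but its verification equation is unchanged in the subgroup.
"""
import hashlib
import secrets
from math import gcd

VARIANTS = ("elgamal", "hash_exp", "subgroup", "quotient")


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases, after a little trial division."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, t = n - 1, 0
    while d % 2 == 0:
        d, t = d // 2, t + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(t - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(pbits=512, qbits=160):
    """Return (p, q, B): primes with q | p-1, and B = g^((p-1)/q) of order q."""
    while True:
        q = secrets.randbits(qbits) | 1 << (qbits - 1) | 1
        if is_probable_prime(q):
            break
    while True:                       # k even and full-size, so p = kq + 1 is odd
        k = secrets.randbits(pbits - qbits - 1) << 1 | 1 << (pbits - qbits - 1)
        p = k * q + 1
        if is_probable_prime(p):
            break
    while True:
        B = pow(secrets.randbelow(p - 2) + 2, (p - 1) // q, p)
        if B != 1:
            return p, q, B


def H(*parts):
    """SHA-256 over the parts (bytes, or ints as fixed 128-byte big-endian), as an int."""
    h = hashlib.sha256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else x.to_bytes(128, "big"))
    return int.from_bytes(h.digest(), "big")


def sign(G, a, M, variant):
    """elgamal  (slide 15):     S = r^-1 (H(M) - aR)           mod p-1
    hash_exp (slide 16):        S = r^-1 (H(M) - aH(R))        mod p-1
    subgroup (slide 17):        same, reduced mod q
    quotient (slides 18-19):    S = r^-1 (H(R)^-1 H(M) - a)    mod q"""
    p, q, B = G
    n = p - 1 if variant in ("elgamal", "hash_exp") else q
    while True:                                   # r must be invertible mod n
        r = secrets.randbelow(q - 1) + 1
        if gcd(r, n) == 1:
            break
    R = pow(B, r, p)
    if variant == "elgamal":
        S = H(M) - a * R
    elif variant == "quotient":                   # assumes q does not divide H(R)
        S = pow(H(R), -1, q) * H(M) - a
    else:
        S = H(M) - a * H(R)
    return R, pow(r, -1, n) * S % n


def verify(G, A, M, sig, variant):
    """elgamal: B^H(M) == A^R R^S; hash_exp/subgroup: A^H(R) instead of A^R;
    quotient: B^(H(R)^-1 H(M)) == A R^S, two exponentiations instead of three."""
    p, q, B = G
    R, S = sig
    if not 0 < R < p:                             # R = B^r mod p is never 0
        return False
    if variant == "quotient":
        return pow(B, pow(H(R), -1, q) * H(M) % q, p) == A * pow(R, S, p) % p
    e = R if variant == "elgamal" else H(R)
    return pow(B, H(M), p) == pow(A, e, p) * pow(R, S, p) % p


def demo(G=None):
    """One constructed message per variant: genuine accepted, altered rejected."""
    G = G or make_group()
    p, q, B = G
    a = secrets.randbelow(q - 1) + 1              # secret key
    A = pow(B, a, p)                              # public key A = B^a mod p
    M, M2 = b"constructed sample message", b"constructed sample message, altered"
    out = {}
    for v in VARIANTS:
        sig = sign(G, a, M, v)
        out[v] = verify(G, A, M, sig, v) and not verify(G, A, M2, sig, v)
    out["subgroup_S_below_q"] = sign(G, a, M, "subgroup")[1] < q   # smaller S, slide 17
    return out
```

`demo()` reports, per variant, that a genuine signature verifies and an altered message does not, and that the subgroup variant's $S$ fits in 160 bits while the $p-1$ variants produce a roughly 512-bit $S$. The range check on $R$ mirrors the slides' side condition, written as $0 < R < p$ because $R = B^r \bmod p$ is never 0.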

  20. Merge hashes: collision resilience. $B^{H(R,M)} = A R^S$. ECC: $H(R,M)B = A + SR$. Speed advantage: $H(R,M)$ is faster than $H(R)^{-1}H(M)$. Security advantage: imagine an attacker somehow finding an innocent $M$ and a dangerous $M'$ with $H(M) = H(M')$. Using $H(R)^{-1}H(M)$: if the signer signs $M$ then the attacker reuses the same signature for $M'$. Using $H(R,M)$: no problem, since a useful collision would have to involve the signer's $R$, which the attacker does not know before the signature is produced.

  21. Eliminate divisions. $B^S = R\,A^{H(R,M)}$. ECC: $SB = R + H(R,M)A$. Signer in the previous system: $S = r^{-1}(H(R,M) - a) \bmod q$. Signer in this system: $S = r + H(R,M)\,a \bmod q$. Speed advantage: skip all inversions. Security analysis is similar, slightly simpler. See, e.g., 2000 Pointcheval–Stern.

  22. Signature compression. Schnorr signature is $(H(R,M), S)$ instead of $(R, S)$. Given $(h, S)$: verifier recovers $R = B^S / A^h$, checks $h = H(R,M)$. ECC: $R = SB - hA$. Speed advantage sending sigs when $H(R,M)$ is shorter than $R$. No security impact: anyone can compress sigs.

  23. Half-size $H$ output. Schnorr chooses half-size $H$: e.g., 128 bits instead of 256 bits. Advantage: smaller $(H(R,M), S)$. Objection: "128-bit hash functions allow collisions!"
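The Schnorr system of slides 20 to 23 instantiated over the Ed25519 group, as an added example that is not code from the slides and is not Ed25519 itself: it follows the slides exactly ($h = H(R,M)$, $S = r + ha \bmod q$, verification $SB = R + hA$, compressed form $(h, S)$ with $R = SB - hA$), whereas the Ed25519 standard hashes $(R, A, M)$, derives $r$ deterministically from the secret key and the message, and clamps the secret scalar. The curve constants are Ed25519's; the helper names, the affine point arithmetic (one field inversion per addition, slow but short) and the `hbytes` parameter, which truncates SHA-512 to 32 or 16 bytes to show the half-size $H$ of slide 23, are mine.

```python
"""Schnorr signatures over the Ed25519 group, in the form of slides 20 to 23.

Added example, not code from the slides and not the Ed25519 standard: it
uses the slides' equations with a fresh random r and h = H(R, M); real
Ed25519 hashes (R, A, M), derives r from the secret key and M, and clamps
the secret scalar.  Curve constants are Ed25519's; helper names are mine.
hbytes sets how many bytes of SHA-512 output h keeps (slide 23: 16).
"""
import hashlib
import secrets

p = 2**255 - 19
d = -121665 * pow(121666, -1, p) % p
L = 2**252 + 27742317777372353535851937790883648493      # prime order of B
SQRT_M1 = pow(2, (p - 1) // 4, p)                         # a square root of -1


def xrecover(y):
    """x with -x^2 + y^2 = 1 + d x^2 y^2 (the Ed25519 curve), even root."""
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * SQRT_M1 % p
    return p - x if x & 1 else x


def add(P, Q):
    """Twisted Edwards addition (a = -1) in affine coordinates."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow((1 + t) % p, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow((1 - t) % p, -1, p) % p)


def mul(k, P):
    """Double-and-add scalar multiplication k*P; (0, 1) is the neutral element."""
    R = (0, 1)
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R


def neg(P):
    return -P[0] % p, P[1]


B = (xrecover(4 * pow(5, -1, p) % p), 4 * pow(5, -1, p) % p)    # base point, y = 4/5


def enc(P):
    """32-byte point encoding: y little-endian, parity of x in the top bit."""
    return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")


def H(R, M, hbytes=32):
    """h = H(R, M), slide 20: the leading hbytes of SHA-512(enc(R) || M) as an int."""
    return int.from_bytes(hashlib.sha512(enc(R) + M).digest()[:hbytes], "little")


def keygen():
    a = secrets.randbelow(L - 1) + 1
    return a, mul(a, B)                                   # secret a, public A = aB


def sign(a, M, hbytes=32):
    """Slide 21: R = rB, S = r + H(R, M) a mod q; no inversion anywhere."""
    r = secrets.randbelow(L - 1) + 1
    R = mul(r, B)
    return R, (r + H(R, M, hbytes) * a) % L


def verify(A, M, sig, hbytes=32):
    """Slide 21: SB == R + H(R, M) A."""
    R, S = sig
    return mul(S, B) == add(R, mul(H(R, M, hbytes), A))


def compress(M, sig, hbytes=32):
    """Slide 22: send (h, S) instead of (R, S); anyone can do this."""
    R, S = sig
    return H(R, M, hbytes), S


def verify_compressed(A, M, csig, hbytes=32):
    """Slide 22: recover R = SB - hA, then check h == H(R, M)."""
    h, S = csig
    R = add(mul(S, B), neg(mul(h, A)))
    return h == H(R, M, hbytes)


def demo():
    """Constructed message; full and compressed verification with 32- and 16-byte h."""
    a, A = keygen()
    M, M2 = b"constructed sample message", b"constructed sample message, altered"
    out = {"B_has_order_L": mul(L, B) == (0, 1)}
    for hb in (32, 16):                                   # 16: half-size H, slide 23
        sig = sign(a, M, hb)
        csig = compress(M, sig, hb)
        out[f"verify_{hb}"] = verify(A, M, sig, hb) and not verify(A, M2, sig, hb)
        out[f"compressed_{hb}"] = (verify_compressed(A, M, csig, hb)
                                   and not verify_compressed(A, M2, csig, hb))
        out[f"compressed_{hb}_bytes"] = hb + 32           # against 64 for (R, S)
    return out
```

`demo()` signs a constructed message with a 32-byte and with a 16-byte $h$, verifies both in uncompressed and compressed form, rejects an altered message, and reports the compressed signature size (48 bytes with a 16-byte $h$, against 64 for $(R, S)$). It also checks that $LB = 0$, a cheap sanity test that the curve constants and arithmetic are right. The truncation only demonstrates the mechanics of compression; whether a 128-bit $h$ is safe is exactly the objection raised on slide 23.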
