new speed records 640838 pentium m cycles for point
play

New speed records 640838 Pentium M cycles for point multiplication - PowerPoint PPT Presentation

Aug 29, 2022 •366 likes •850 views

New speed records 640838 Pentium M cycles for point multiplication to compute a 32-byte secret shared by Dan and Tanja, D. J. Bernstein given Dans 32-byte secret key and Tanjas 32-byte public key . 2 128 cycles. All known

  1. � New speed records 640838 Pentium M cycles for point multiplication to compute a 32-byte secret shared by Dan and Tanja, D. J. Bernstein given Dan’s 32-byte secret key and Tanja’s 32-byte public key . 2 128 cycles. All known attacks: This is the new speed record for high-security Diffie-Hellman. Thanks to: Encrypt and authenticate messages University of Illinois at Chicago using hash of shared secret as key. NSF CCR–9983950 Diffie-Hellman is the bottleneck Alfred P. Sloan Foundation if total message length is short.

  2. ✂ ✂ ✂ ✂ ✂ ✁ � ✂ ✁ ✄ ✁ ✁ � ✂ ✂ ✁ ✄ � ✄ � � rds 640838 Pentium M cycles 640838 Pentium M multiplication to compute a 32-byte secret to compute � -coordinate shared by Dan and Tanja, multiple of ( ✂ ) given Dan’s 32-byte secret key given 0 ✁ 1 2 254 + 8 0 and Tanja’s 32-byte public key . ✁ 1 2 128 cycles. All known attacks: Curve25519 is the 2 = � 3 + 486662 This is the new speed record mod the prime 2 255 for high-security Diffie-Hellman. 624786 Athlon (622) Encrypt and authenticate messages 832457 Pentium II Illinois at Chicago using hash of shared secret as key. 957904 Pentium 4 CCR–9983950 Diffie-Hellman is the bottleneck I anticipate similar Foundation if total message length is short. for UltraSPARC, P

  3. ✂ ✁ ✂ ✁ ✂ ✂ ✄ � ✂ ✁ ✂ ✂ ✄ � � ✄ ✂ 640838 Pentium M cycles 640838 Pentium M (695) cycles � th to compute a 32-byte secret to compute � -coordinate of shared by Dan and Tanja, multiple of ( ✂ ) on Curve25519, ✁ 2 256 given Dan’s 32-byte secret key given 0 ✁ 1 1 and 2 254 + 8 0 ✁ 2 251 and Tanja’s 32-byte public key . ✁ 1 1 . 2 128 cycles. All known attacks: Curve25519 is the elliptic curve 2 = � 3 + 486662 � 2 + This is the new speed record mod the prime 2 255 19. for high-security Diffie-Hellman. 624786 Athlon (622) cycles; Encrypt and authenticate messages 832457 Pentium III (686) cycles; using hash of shared secret as key. 957904 Pentium 4 (f12) cycles. Diffie-Hellman is the bottleneck I anticipate similar cycle counts if total message length is short. for UltraSPARC, PowerPC, etc.

  4. ✁ ✂ ✂ ✂ ✁ ✂ ✄ � ✄ ✂ ✂ ✂ ✄ ✄ ✄ � � ✂ ✁ M cycles 640838 Pentium M (695) cycles Immune to timing � th 32-byte secret to compute � -coordinate of including cache-timing and Tanja, multiple of ( ✂ ) on Curve25519, including hyperthreading ✁ 2 256 yte secret key given 0 ✁ 1 1 and No data-dependent 2 254 + 8 0 ✁ 2 251 yte public key . ✁ 1 1 . no data-dependent 2 128 cycles. attacks: Curve25519 is the elliptic curve Software is in public 2 = � 3 + 486662 � 2 + 16 kilobytes when speed record mod the prime 2 255 19. cr.yp.to/ecdh.html Diffie-Hellman. 624786 Athlon (622) cycles; No known patent p authenticate messages 832457 Pentium III (686) cycles; shared secret as key. For comparison, Bro 957904 Pentium 4 (f12) cycles. the bottleneck much smaller prime, I anticipate similar cycle counts length is short. 780000 PII cycles; for UltraSPARC, PowerPC, etc. no timing-attack p

  5. ✂ ✄ ✄ ✂ ✂ ✂ ✁ ✁ ✄ ✂ � ✂ ✂ ✁ ✄ � ✂ ✄ 640838 Pentium M (695) cycles Immune to timing attacks, � th to compute � -coordinate of including cache-timing attacks, multiple of ( ✂ ) on Curve25519, including hyperthreading attacks. ✁ 2 256 given 0 ✁ 1 1 and No data-dependent branches; 2 254 + 8 0 ✁ 2 251 ✁ 1 1 . no data-dependent indexing. Curve25519 is the elliptic curve Software is in public domain. 2 = � 3 + 486662 � 2 + 16 kilobytes when compiled. mod the prime 2 255 19. cr.yp.to/ecdh.html 624786 Athlon (622) cycles; No known patent problems. 832457 Pentium III (686) cycles; For comparison, Brown et al.: 957904 Pentium 4 (f12) cycles. much smaller prime, 2 192 2 64 1; I anticipate similar cycle counts 780000 PII cycles; given; for UltraSPARC, PowerPC, etc. no timing-attack protection.

  6. � ✄ � ✄ ✄ � ✂ ✂ ✂ ✁ ✂ � ✄ ✂ ✂ ✂ ✁ ✁ ✄ ✂ ✂ ✁ M (695) cycles Immune to timing attacks, Where are the cycles � th ordinate of including cache-timing attacks, Focus today on Pentium ✂ ) on Curve25519, including hyperthreading attacks. Fastest arithmetic ✁ 2 256 1 and No data-dependent branches; uses floating-point ✁ 2 251 ✁ 1 1 . no data-dependent indexing. fp adds, fp subs, fp the elliptic curve Software is in public domain. � 2 + Each Pentium M cycle 486662 16 kilobytes when compiled. 1 fp op. 255 19. cr.yp.to/ecdh.html Point multiplication: (622) cycles; No known patent problems. 589825 fp ops; 0 III (686) cycles; For comparison, Brown et al.: 4 (f12) cycles. Understand cycle counts much smaller prime, 2 192 2 64 1; similar cycle counts by simply counting 780000 PII cycles; given; ARC, PowerPC, etc. no timing-attack protection.

  7. ✄ ✄ Immune to timing attacks, Where are the cycles going? including cache-timing attacks, Focus today on Pentium M. including hyperthreading attacks. Fastest arithmetic on Pentium M No data-dependent branches; uses floating-point operations: no data-dependent indexing. fp adds, fp subs, fp mults. Software is in public domain. Each Pentium M cycle does 16 kilobytes when compiled. 1 fp op. cr.yp.to/ecdh.html Point multiplication: 640838 cycles. No known patent problems. 589825 fp ops; 0 ✂ 92 per cycle. For comparison, Brown et al.: Understand cycle counts fairly well much smaller prime, 2 192 2 64 1; by simply counting fp ops. 780000 PII cycles; given; no timing-attack protection.

  8. ✄ ✄ � � ✄ timing attacks, Where are the cycles going? Avoiding all time va cache-timing attacks, to stop timing attacks: Focus today on Pentium M. erthreading attacks. 1. For 0 ✁ 1 , compute Fastest arithmetic on Pentium M endent branches; as � [1] + (1 ) uses floating-point operations: endent indexing. Avoids data-dependent fp adds, fp subs, fp mults. public domain. Costs 36210 fp ops Each Pentium M cycle does when compiled. 2. Compute final recip 1 fp op. cr.yp.to/ecdh.html by Fermat, not extended Point multiplication: 640838 cycles. patent problems. Avoids data-dependent 589825 fp ops; 0 ✂ 92 per cycle. Brown et al.: 3. Don’t branch fo Understand cycle counts fairly well rime, 2 192 2 64 1; Allow non-least remainders. by simply counting fp ops. cycles; given; No cost—this saves protection.

  9. ✄ Where are the cycles going? Avoiding all time variability to stop timing attacks: Focus today on Pentium M. 1. For 0 ✁ 1 , compute � [ ] Fastest arithmetic on Pentium M as � [1] + (1 ) � [0] or similar. uses floating-point operations: Avoids data-dependent indexing. fp adds, fp subs, fp mults. Costs 36210 fp ops (6%). Each Pentium M cycle does 2. Compute final reciprocal 1 fp op. by Fermat, not extended Euclid. Point multiplication: 640838 cycles. Avoids data-dependent branching. 589825 fp ops; 0 ✂ 92 per cycle. 3. Don’t branch for remainders. Understand cycle counts fairly well Allow non-least remainders. by simply counting fp ops. No cost—this saves time!

  10. � ✄ ✄ cycles going? Avoiding all time variability Main loop: 545700 to stop timing attacks: 2140 times 255 iterations. Pentium M. 1. For 0 ✁ 1 , compute � [ ] Reciprocal: 43821 rithmetic on Pentium M as � [1] + (1 ) � [0] or similar. 41148 = 254 � 162 oint operations: Avoids data-dependent indexing. 2673 = 11 � 243 for subs, fp mults. Costs 36210 fp ops (6%). Additional work: 304 cycle does 2. Compute final reciprocal Inside one main-loop by Fermat, not extended Euclid. 80 = 8 � 10 for 8 adds/subs; multiplication: 640838 cycles. Avoids data-dependent branching. 55 for mult by 121665; 0 ✂ 92 per cycle. 3. Don’t branch for remainders. 648 = 4 � 162 for 4 cycle counts fairly well Allow non-least remainders. 1215 = 5 � 243 for counting fp ops. No cost—this saves time! 142 for � [1] + (1

  11. ✄ ✄ Avoiding all time variability Main loop: 545700 fp ops (92.5%). to stop timing attacks: 2140 times 255 iterations. 1. For 0 ✁ 1 , compute � [ ] Reciprocal: 43821 fp ops (7.4%). as � [1] + (1 ) � [0] or similar. 41148 = 254 � 162 for 254 squarings; Avoids data-dependent indexing. 2673 = 11 � 243 for 11 more mults. Costs 36210 fp ops (6%). Additional work: 304 fp ops. 2. Compute final reciprocal Inside one main-loop iteration: by Fermat, not extended Euclid. 80 = 8 � 10 for 8 adds/subs; Avoids data-dependent branching. 55 for mult by 121665; 3. Don’t branch for remainders. 648 = 4 � 162 for 4 squarings; Allow non-least remainders. 1215 = 5 � 243 for 5 more mults; No cost—this saves time! 142 for � [1] + (1 ) � [0] etc.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D. J. Bernstein Real-world cost measures: Pentium cycles, Athlon cycles, Thanks to: etc. for generating keys, signing, University of Illinois at

541 views • 35 slides
Q: According to Intel, the Pentium conforms to the IEEE standards 754 and 854 for floating point

Q: According to Intel, the Pentium conforms to the IEEE standards 754 and 854 for floating point

Q: According to Intel, the Pentium conforms to the IEEE standards 754 and 854 for floating point arithmetic. If you fly in aircraft designed using a Pentium, what is the correct pronunciation of "IEEE"? A:

517 views • 20 slides
Understanding CPU Caches Ulrich Drepper Introduction Discrepancy main CPU and main memory speed

Understanding CPU Caches Ulrich Drepper Introduction Discrepancy main CPU and main memory speed

Understanding CPU Caches Ulrich Drepper Introduction Discrepancy main CPU and main memory speed Intel lists for Pentium M nowadays: ~240 cycles to access main memory The gap is widening Faster memory is too expensive The Solution

343 views • 18 slides
1 CPI Cycles per Instruction Instruction Classes We can have different CPIs for different

1 CPI Cycles per Instruction Instruction Classes We can have different CPIs for different

Performance Introduction Many factors impact performance: Technology: basic circuit speed (clock speed, usually in MHz, now in GHz - billions of cycles per second) process technology (# of transistors per chip) Organization:

138 views • 3 slides
DLX Floating Point Extend MIPS Pipeline to Floating Point Operations Functional units

DLX Floating Point Extend MIPS Pipeline to Floating Point Operations Functional units

DLX Floating Point Extend MIPS Pipeline to Floating Point Operations Functional units more complex than simple integer ALU Require several clock cycles for a FP arithmetic operation Add: 4 cycles, Multiply: 7 cycles, Divide: 25

377 views • 22 slides
The Pentium Processor Chapter 7 S. Dandamudi Outline Pentium family history Protected

The Pentium Processor Chapter 7 S. Dandamudi Outline Pentium family history Protected

The Pentium Processor Chapter 7 S. Dandamudi Outline Pentium family history Protected mode memory architecture Pentium processor details Segment registers Pentium registers Segment descriptors Data Segment

910 views • 41 slides
POWERED STARTUPS Speed@BDD Presentation July 2017 SPEED@BDD IN A NUTSHELL Speed@BDD is a

POWERED STARTUPS Speed@BDD Presentation July 2017 SPEED@BDD IN A NUTSHELL Speed@BDD is a

ROCKET POWERED STARTUPS Speed@BDD Presentation July 2017 SPEED@BDD IN A NUTSHELL Speed@BDD is a Lebanese-grown startup accelerator software 2 acceleration 10 startups 3-month 10% equity idea & early cycles per year per cycle

417 views • 4 slides
Performance What do we mean by Performance? We must take many different factors into account:

Performance What do we mean by Performance? We must take many different factors into account:

Performance What do we mean by Performance? We must take many different factors into account: Technology basic circuit speed (clock speed, usually in MHz: millions of cycles per second, now in GHz: billions of cycles per sec.)

188 views • 7 slides
Pentium 4 Deeply pipelined processor supporting multiple issue with speculation and

Pentium 4 Deeply pipelined processor supporting multiple issue with speculation and

Pentium 4 Deeply pipelined processor supporting multiple issue with speculation and multi-threading 2004 version: 31 clock cycles from fetch to retire, 3.2 GHZ clock rate (deep pipeline allows higher clock rate) Front end decoder

692 views • 22 slides
ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF

ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF

ECM speed records on CPU and GPU D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 New EECM web site: http://eecm.cr.yp.to Joint work with: 1 2 3 Tanja Lange 1 Peter Birkner 1 Christiane Peters 2 3 Chen-Mou Cheng 2 3

470 views • 29 slides
Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J.

Efficient implementation of Objectives code-based cryptography Set new speed records D. J. Bernstein for public-key cryptography. University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

868 views • 73 slides
Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime

Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime

Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime Characteristic Fields K. Jrvinen 1 , A. Miele 2 , R. Azarderakhsh 3 , and P . Longa 4 1 Aalto University 2 Intel Corporation 3 Rochester Institute of

831 views • 81 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

746 views • 73 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work

969 views • 94 slides
medical records to uncover missed diagnosis: The SPEED-EXTRACT Study Aldo F Saavedra, Richard

medical records to uncover missed diagnosis: The SPEED-EXTRACT Study Aldo F Saavedra, Richard

Applying machine learning to electronic medical records to uncover missed diagnosis: The SPEED-EXTRACT Study Aldo F Saavedra, Richard Morris, Charmaine Tam, Janice Gullick, Stephen T Vernon, Jonathan Morris, David Brieger Centre for

454 views • 18 slides
Scalable Concurrent Hash Tables via Relativistic Programming Josh Triplett April 29, 2010 Speed

Scalable Concurrent Hash Tables via Relativistic Programming Josh Triplett April 29, 2010 Speed

Scalable Concurrent Hash Tables via Relativistic Programming Josh Triplett April 29, 2010 Speed of data < Speed of light Speed of light: 3e8 meters/second Processor speed: 3 GHz, 3e9 cycles/second 0.1 meters/cycle (4 inches/cycle)

619 views • 34 slides
Disability Services and COVID-19 webinar Friday 11 th September 2020, 10:00am 11:00am (AEDST)

Disability Services and COVID-19 webinar Friday 11 th September 2020, 10:00am 11:00am (AEDST)

NDS: Safer and Stronger Disability Services and COVID-19 webinar Friday 11 th September 2020, 10:00am 11:00am (AEDST) Welcome and Introductions Sarah Fordyce Victorian State Manager (Acting), NDS Agenda DHHS update James

491 views • 37 slides
Extracting programs from proofs Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen

Extracting programs from proofs Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen

Extracting programs from proofs Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen JAIST, 7. March 2014 1 / 41 Overview Parsing balanced lists of parentheses Informal proof Discussion of the extracted term

1.09k views • 41 slides
Signature Biometrics Prof. Julian FIERREZ Universidad Autonoma de Madrid - SPAIN

Signature Biometrics Prof. Julian FIERREZ Universidad Autonoma de Madrid - SPAIN

29/01/2018 Signature Biometrics Prof. Julian FIERREZ Universidad Autonoma de Madrid - SPAIN http://atvs.ii.uam.es/fierrez Julian Fierrez Winter School on Biometrics, Shenzhen, CHINA Jan. 2018 Slide 1 / 65 Funding Acknowledgements

475 views • 33 slides
Do Do NO NOT m measure co correlat ated observables, , but tr train ain an an Artif

Do Do NO NOT m measure co correlat ated observables, , but tr train ain an an Artif

Do Do NO NOT m measure co correlat ated observables, , but tr train ain an an Artif tific icial ial In Intellig elligenc ence e to pr predic edict them them Boram Yoon Los Alamos National Laboratory Lattice 2018, East Lansing,

479 views • 26 slides
Assembly Language Programming 64-bit environments Zbigniew Jurkiewicz, Instytut Informatyki UW

Assembly Language Programming 64-bit environments Zbigniew Jurkiewicz, Instytut Informatyki UW

Assembly Language Programming 64-bit environments Zbigniew Jurkiewicz, Instytut Informatyki UW October 17, 2017 Zbigniew Jurkiewicz, Instytut Informatyki UW Assembly Language Programming 64-bit environments Some recent history Intel together

519 views • 18 slides
Spending Yvonne Jonk, PhD Geographic Variation Why are re we we conce cerned rned abo bout

Spending Yvonne Jonk, PhD Geographic Variation Why are re we we conce cerned rned abo bout

Geographic Variation in Medicare Spending Yvonne Jonk, PhD Geographic Variation Why are re we we conce cerned rned abo bout geograph raphic ic vari riati ation on in Medi dicare care spe pendi ding? g? Does increased spending

400 views • 16 slides
Marylands All-Payer Model Progression April 18, 2016 CMS and National Strategy-- Change

Marylands All-Payer Model Progression April 18, 2016 CMS and National Strategy-- Change

Marylands All-Payer Model Progression April 18, 2016 CMS and National Strategy-- Change Provider Payment Structures, Delivery of Care and Distribution of Information Description Focus Areas Increase linkage of payments to value

248 views • 21 slides
The Performance of the US Health Care System: Whats Right, Whats Wrong and What (If

The Performance of the US Health Care System: Whats Right, Whats Wrong and What (If

The Performance of the US Health Care System: Whats Right, Whats Wrong and What (If Anything) Can Fix It? Robert Town University of Texas-Austin / NBER October 10, 2019 Goal of the Talk Well-known that the US health care system

495 views • 45 slides

More recommend