next generation elliptic curve cryptography ecc
play

Next-generation elliptic-curve cryptography (ECC) Daniel J. - PowerPoint PPT Presentation

Mar 11, 2023 •257 likes •456 views

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve

  1. Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  2. Security failures in ECC standards Remote Timing Attacks are Still Practical ⋆ Billy Bob Brumley and Nicola Tuveri Aalto University School of Science, Finland {bbrumley,ntuveri}@tcs.hut.fi Abstract. For over two decades, timing attacks have been an active area of research within applied cryptography. These attacks exploit cryp- tosystem or protocol implementations that do not run in constant time. When implementing an elliptic curve cryptosystem with a goal to pro- vide side-channel resistance, the scalar multiplication routine is a critical component. In such instances, one attractive method often suggested in the literature is Montgomery’s ladder that performs a fixed sequence of curve and field operations. This paper describes a timing attack vulnera- bility in OpenSSL’s ladder implementation for curves over binary fields. We use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, we mount a lattice attack that recovers the private key. Finally, we de- Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  3. More security failures in ECC standards Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  4. The math splits into cases handled differently in software Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  5. The math splits into cases handled differently in software Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  6. . . . or does it? 2007 Bernstein–Lange, for any non-square d : The Edwards addition law � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) + ( x 2 , y 2 ) = 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 is a complete addition law on E : x 2 + y 2 = 1 + dx 2 y 2 . Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  7. . . . or does it? 2007 Bernstein–Lange, for any non-square d : The Edwards addition law � x 1 y 2 + y 1 x 2 , y 1 y 2 − x 1 x 2 � ( x 1 , y 1 ) + ( x 2 , y 2 ) = 1 + dx 1 x 2 y 1 y 2 1 − dx 1 x 2 y 1 y 2 is a complete addition law on E : x 2 + y 2 = 1 + dx 2 y 2 . This is one part of next-generation ECC. For more: see 2016 Bernstein–Lange paper “Failures in NIST’s ECC standards”. Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  8. Building next-generation ECC 2005 Bernstein: X25519 encryption scheme using new elliptic curve Curve25519 . Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  9. Building next-generation ECC 2005 Bernstein: X25519 encryption scheme using new elliptic curve Curve25519 . 2011 Bernstein–Duif–Lange–Schwabe–Yang: EdDSA signatures (generalized by 2015 Bernstein–Josefsson–Lange–Schwabe–Yang), and in particular Ed25519 using Curve25519. Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  10. Building next-generation ECC 2005 Bernstein: X25519 encryption scheme using new elliptic curve Curve25519 . 2011 Bernstein–Duif–Lange–Schwabe–Yang: EdDSA signatures (generalized by 2015 Bernstein–Josefsson–Lange–Schwabe–Yang), and in particular Ed25519 using Curve25519. 2006, 2007, 2009, 2011, 2012, 2013, 2014, 2014, 2015, 2015, 2015: Curve25519 implementation papers from 23 authors setting speed records for conservative ECC on many different platforms. Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  11. Building next-generation ECC 2005 Bernstein: X25519 encryption scheme using new elliptic curve Curve25519 . 2011 Bernstein–Duif–Lange–Schwabe–Yang: EdDSA signatures (generalized by 2015 Bernstein–Josefsson–Lange–Schwabe–Yang), and in particular Ed25519 using Curve25519. 2006, 2007, 2009, 2011, 2012, 2013, 2014, 2014, 2015, 2015, 2015: Curve25519 implementation papers from 23 authors setting speed records for conservative ECC on many different platforms. Also: new crypto library, new verification tools, . . . Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  12. Deployment: iOS, Signal, OpenSSH, Tor, QUIC, more Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  13. The Internet standards committees start paying attention Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  14. . . . and delegate to their crypto unit, IRTF CFRG Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  15. CFRG 2014+2015: > 4000 messages, mostly on ECC Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  16. January 2016: RFC with next-gen curves + encryption Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  17. Coming soon: RFC with next-gen signature system Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

  18. Coming soon: standardizing next-gen ECC for TLS Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May 19, 2017 university-logo-isi Rana Barua Introduction to Elliptic Curve Cryptography ElGamal Public Key Cryptosystem, 1984 Key Generation: Choose

417 views • 16 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views • 18 slides
Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven 22 April 2008 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

491 views • 32 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March 21 st , 2016 1/13 A Brief Introduction to Elliptic Curve Cryptography Elliptic Curve 2/13 A

385 views • 13 slides
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views • 143 slides
Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S.

Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S.

Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S. Miller IDA Center for Communications Research Princeton, NJ 08540 USA 24 May, 2007 Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May,

1.08k views • 69 slides
Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview Bitcoin Transactions Elliptic Curve Cryptography Introduction Arithmetics Signature Bitcoin, the protocol A blockchain Each

992 views • 52 slides
elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 11, 2018 ibenik , Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4:

1.38k views • 48 slides
Should Elliptic Curve Cryptography Really be Deprecated? Connor Adsit cda8519@rit.edu May 13,

Should Elliptic Curve Cryptography Really be Deprecated? Connor Adsit cda8519@rit.edu May 13,

Should Elliptic Curve Cryptography Really be Deprecated? Connor Adsit cda8519@rit.edu May 13, 2016 Objectives Suite B Cryptography The controversial NSA statement A brief history of ECC (and the NSAs involvement) Why would

351 views • 17 slides
Functions of Several Variables A function of several variables is just what it sounds like. It may

Functions of Several Variables A function of several variables is just what it sounds like. It may

Functions of Several Variables A function of several variables is just what it sounds like. It may be viewed in at least three different ways. We will use a function of two variables as an example. z = f ( x, y ) may be viewed as a function of

399 views • 11 slides
The observation of Z c (4025) Landiao Liu ( ) PKU ( ) UCAS (

The observation of Z c (4025) Landiao Liu ( ) PKU ( ) UCAS (

The observation of Z c (4025) Landiao Liu ( ) PKU ( ) UCAS ( ) BESIII Collaboration Outline Introduction The observation of Zc(4025) +/- The observation of Zc(4025) 0 Summary 2 PART 1

850 views • 36 slides
Objets combinatoires en cryptographie et en thorie des codes Sihem Mesnager Universit Paris

Objets combinatoires en cryptographie et en thorie des codes Sihem Mesnager Universit Paris

Objets combinatoires en cryptographie et en thorie des codes Sihem Mesnager Universit Paris VIII et XIII, Dpartement de Mathmatiques LAGA (Laboratoire Analyse, Gomtrie et Applications), quipe MTII (Mathmatiques pour le

1k views • 72 slides
IoT/P2P Project Niels Olof Bouvin 1 The IoT/P2P Project course Form (Very) few lectures (count

IoT/P2P Project Niels Olof Bouvin 1 The IoT/P2P Project course Form (Very) few lectures (count

IoT/P2P Project Niels Olof Bouvin 1 The IoT/P2P Project course Form (Very) few lectures (count em: One) Most of the time spent working on your project Your project is self determined, pending my approval so start thinking about cool

484 views • 24 slides
Please feel free to include these slides in your own material, or modify them as you see fit. If

Please feel free to include these slides in your own material, or modify them as you see fit. If

S OCIAL M EDIA M INING Graph Essentials Dear instructors/users of these slides: Please feel free to include these slides in your own material, or modify them as you see fit. If you decide to incorporate these slides into your presentations,

1.11k views • 107 slides
Advanced Programming Lab 2 Object-Oriented Programming Read the definition of the problem

Advanced Programming Lab 2 Object-Oriented Programming Read the definition of the problem

Advanced Programming Lab 2 Object-Oriented Programming Read the definition of the problem (expressed in natural language) Identify the candidates for the classes . An instance of MDVSP consists of depots , vehicles and clients

313 views • 10 slides
Object Orientation in Ruby SWEN-250 Personal Software Engineering Declaring a Class class Point

Object Orientation in Ruby SWEN-250 Personal Software Engineering Declaring a Class class Point

Object Orientation in Ruby SWEN-250 Personal Software Engineering Declaring a Class class Point . . . end Technically "Point" is a constant (as is any other entity whose name begins with a capital. By default, the

419 views • 10 slides
Lecture #14: OOP Last modified: Mon Feb 27 15:56:12 2017 CS61A: Lecture #14 1 Some Useful

Lecture #14: OOP Last modified: Mon Feb 27 15:56:12 2017 CS61A: Lecture #14 1 Some Useful

Lecture #14: OOP Last modified: Mon Feb 27 15:56:12 2017 CS61A: Lecture #14 1 Some Useful Annotations: @staticmethod We saw annotations earlier, as examples of higher-order functions. For classes, Python defines a few specialized to

426 views • 18 slides

More recommend