security dangers of the nist curves d j bernstein
play

Security dangers of the NIST curves D. J. Bernstein University of - PDF document

May 13, 2023 •107 likes •241 views

Security dangers of the NIST curves D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tanja Lange Technische Universiteit Eindhoven The NIST curves were designed to make DLP

  1. Security dangers of the NIST curves D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tanja Lange Technische Universiteit Eindhoven The NIST curves were designed to make DLP difficult. Or were they?

  2. “ECC Brainpool Standard Curves and Curve Generation version 1.0”, 2005.10.19: “The choice of the seeds from which the curve parameters have been derived is not motivated leaving an essential part of the security analysis open.”

  3. “ECC Brainpool Standard Curves and Curve Generation version 1.0”, 2005.10.19: “The choice of the seeds from which the curve parameters have been derived is not motivated leaving an essential part of the security analysis open.” Bruce Schneier, “NSA surveillance: A guide to staying secure”, The Guardian, 2013.09.06: “Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.”

  4. But that’s not our main point. As far as we know today, NIST-curve DLP is secure.

  5. But that’s not our main point. As far as we know today, NIST-curve DLP is secure. Here’s our main point: NIST-curve ECC is much less secure than NIST-curve DLP.

  6. But that’s not our main point. As far as we know today, NIST-curve DLP is secure. Here’s our main point: NIST-curve ECC is much less secure than NIST-curve DLP. If you use the NIST curves, you’re probably doing it wrong. Your code produces incorrect results for some rare curve points; leaks secret data when the input isn’t a curve point; leaks secret data through cache timing; etc.

  7. These problems are exploitable by attackers. These attacks are against real protocols, not against DLP. DLP is non-interactive; computes ♥P correctly; reveals only ♥P . Real protocols handle attacker-controlled input; have failure cases; reveal timing. Attacker exploits these gaps.

  8. Can NIST-curve ECC be safe? Theoretically, but hard to do; highly fragile; unintelligent use of limited security resources.

  9. Can NIST-curve ECC be safe? Theoretically, but hard to do; highly fragile; unintelligent use of limited security resources. Sensible security engineering: Design curves for ECC security, not just for DLP security.

  10. Can NIST-curve ECC be safe? Theoretically, but hard to do; highly fragile; unintelligent use of limited security resources. Sensible security engineering: Design curves for ECC security, not just for DLP security. Detailed analysis online now (+ white paper coming soon): cr.yp.to/talks/2013.05.31 /slides-dan+tanja -20130531-4x3.pdf

  11. Can NIST-curve ECC be safe? Theoretically, but hard to do; highly fragile; unintelligent use of limited security resources. Sensible security engineering: Design curves for ECC security, not just for DLP security. Detailed analysis online now (+ white paper coming soon): cr.yp.to/talks/2013.05.31 /slides-dan+tanja -20130531-4x3.pdf ✮ Use Curve25519.

  12. Can NIST-curve ECC be safe? Theoretically, but hard to do; highly fragile; unintelligent use of limited security resources. Sensible security engineering: Design curves for ECC security, not just for DLP security. Detailed analysis online now (+ white paper coming soon): cr.yp.to/talks/2013.05.31 /slides-dan+tanja -20130531-4x3.pdf ✮ Use Curve25519. Or ① 2 + ② 2 = 1 + 3617 ① 2 ② 2 mod 2 414 � 17.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927 http://xkcd.com/927 But our goal today isnt unification; its security. We come to bury the standard, not to praise it. Why do people choose

572 views • 31 slides
Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup

Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup

Verifiably random secure curves Daniel J. Bernstein Tung Chou Chitchanok Chuengsatiansup Andreas H ulsing Tanja Lange Ruben Niederhagen Christine van Vredendaal May 13, 2014 NSA/NIST FUD The NIST elliptic curves are behind the state of

433 views • 26 slides
Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the

Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the

Failures in NISTs ECC standards Daniel J. Bernstein, Tanja Lange 2015.12.15 Review of the (prime-field) NIST curves I Presented by NIST in 1999 Curve names: P-192, P-224, P-256, P-384, P-521 Curve is defined over F p where p has

250 views • 22 slides
Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256

Non-uniform Concrete security: an example cracks in the concrete: What is the best NIST P-256 the power of free precomputation discrete-log attack algorithm? D. J. Bernstein ECDL input: P-256 points P , University of Illinois at

1.13k views • 86 slides
Efficient arithmetic on elliptic curves in large characteristic D. J. Bernstein University of

Efficient arithmetic on elliptic curves in large characteristic D. J. Bernstein University of

Efficient arithmetic on elliptic curves in large characteristic D. J. Bernstein University of Illinois at Chicago Fix a field and an elliptic curve. e.g. NIST P-224: the elliptic curve a 6 over Z =p . y 2 = x 3 3 x + p = 2 224 2 96 + 1

417 views • 23 slides
New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein

New Curves in DNSSEC Ond ej Sur, CZ.NIC SafeCurves(.cr.yp.to) Work by Daniel J. Bernstein and Tanja Lange Difference between security of: Elliptic-Curve Cryptography (ECC) Elliptic-Curve Discrete-Logarithm Problem (ECDLP)

384 views • 6 slides
How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for

1 How cryptographic benchmarking goes wrong Daniel J. Bernstein Thanks to NIST 60NANB12D261 for funding this work, and for not reviewing these slides in advance. PRESERVE, ending 2015.06.30, was a European project Preparing Secure

491 views • 32 slides
Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69

Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69

1 Lattice-based public-key cryptosystems D. J. Bernstein NIST post-quantum competition: 69 submissions in first round, from hundreds of people. (+13 submissions that NIST declared incomplete or improper.) 22 signature-system submissions. 5

1.97k views • 196 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 12.08.2008 joint work with Reza Rezaeian Farashahi, Eindhoven D. J. Bernstein

428 views • 27 slides
Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at Chicago (Joint work with Tanja Lange) Cohen Schoof ECPC Lenstra ECM Miller Bosma Koblitz Goldwasser/Kilian ECC

294 views • 27 slides
Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking

Faster rho for elliptic curves D. J. Bernstein University of Illinois at Chicago Breaking ECC2K-130, joint work by many authors: ECDL attack in progress against Koblitz curve over F 2 131 using many CPUs, GPUs, FPGAs. Vertically

288 views • 17 slides
NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection Mike Powell, Project Cybersecurity Engineer, NIST /NCCoE Jim McCarthy, Energy Sector Federal Lead NIST / NCCoE

616 views • 15 slides
Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of

Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of

Complete addition laws for all elliptic curves over finite fields D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Joint work with: Tanja Lange Technische Universiteit Eindhoven Memories of graduate school Early 1990s,

768 views • 40 slides
Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net

Twisted Edwards curves D. J. Bernstein ( uic.edu ) Peter Birkner ( tue.nl ) Marc Joye ( thomson.net ) Tanja Lange ( tue.nl ) Christiane Peters ( tue.nl ) Thanks to: NSF ITR0716498 IST2002507932 ECRYPT INRIA Lorraine, LORIA Todays

190 views • 15 slides
Bzier Curves CPSC 453 Fall 2018 Sonny Chan Todays Outline Quadratic Bzier curves

Bzier Curves CPSC 453 Fall 2018 Sonny Chan Todays Outline Quadratic Bzier curves

Bzier Curves CPSC 453 Fall 2018 Sonny Chan Todays Outline Quadratic Bzier curves de Casteljau formulation Bernstein polynomial form Bzier splines Cubic Bzier curves Drawing Bzier curves freeform shape?

687 views • 37 slides
Li Liquid xenon de detector wi with VU VUV-se sensi sitive MP MPPCs for ME fo MEG II

Li Liquid xenon de detector wi with VU VUV-se sensi sitive MP MPPCs for ME fo MEG II

1 Li Liquid xenon de detector wi with VU VUV-se sensi sitive MP MPPCs for ME fo MEG II experi riment SHINJI OGAWA ON BEHALF OF THE MEG II COLLABORATION "LIQUID XENON DETECTOR WITH VUV-SENSITIVE MPPCS FOR MEG II EXPERIMENT",

542 views • 28 slides
UNMIXING TECHNIQUES Introduction Bui 1,4 , Beate Orberger 2,3 , Simon B. Blancher 1 , Ali

UNMIXING TECHNIQUES Introduction Bui 1,4 , Beate Orberger 2,3 , Simon B. Blancher 1 , Ali

MIN INERAL ID IDENTIFICATION USIN ING A NEW HYPERSPECTRAL LIB IBRARY AND SPARSE 1. 3. Results UNMIXING TECHNIQUES Introduction Bui 1,4 , Beate Orberger 2,3 , Simon B. Blancher 1 , Ali Mohammad- Thanh Bui Djafari 4 , Henry Pilliere 5 , Anne

707 views • 11 slides
Autonomous Cars for City Traffic Ral Rojas and the AutoNOMOS Team Freie Universitt Berlin

Autonomous Cars for City Traffic Ral Rojas and the AutoNOMOS Team Freie Universitt Berlin

Autonomous Cars for City Traffic Ral Rojas and the AutoNOMOS Team Freie Universitt Berlin Fachbereich Mathematik und Informatik Dahlem Center for Intelligent Systems Topics Motivation The experimental vehicles Sensors Navigation and

730 views • 53 slides
Reconstruction CSE 576 Ali Farhadi Several slides from Steve Seitz, Larry Zitnick, Lana

Reconstruction CSE 576 Ali Farhadi Several slides from Steve Seitz, Larry Zitnick, Lana

Reconstruction CSE 576 Ali Farhadi Several slides from Steve Seitz, Larry Zitnick, Lana Lazebnik, Carlos Hernndez, George Vogiatzis,Yasutaka Furukawa 3d model Digital copy of real object Allows us to Inspect details

698 views • 59 slides
11/27/2006 Massachusetts Institute of Technology Outline Motivation Example Generalized

11/27/2006 Massachusetts Institute of Technology Outline Motivation Example Generalized

11/27/2006 Massachusetts Institute of Technology Outline Motivation Example Generalized Conflict Learning for Problem Formulation Hybrid Discrete/Linear Optimization The GCD-BB algorithm Empirical Evaluation Conclusion

252 views • 4 slides
The DLP on Elliptic Curves with the same order Marios Magioladitis University of Duisburg-Essen,

The DLP on Elliptic Curves with the same order Marios Magioladitis University of Duisburg-Essen,

The DLP on Elliptic Curves with the same order Marios Magioladitis University of Duisburg-Essen, IEM January 15, 2008 M. Magioladitis (IEM) The DLP on Elliptic Curves January 15, 2008 1 / 9 Aim of the talk Theorem of Tate Let E and E be

363 views • 9 slides
Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David

Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David

Computing optimal pairings on abelian varieties with theta functions 10/02/2011 (Luminy) David Lubicz 1,2 , Damien Robert 3 1 CLAR 2 IRMAR, Universit de Rennes 1 1 LFANT Team, IMB & Inria Bordeaux Sud-Ouest Motivations Millers

313 views • 30 slides
Translating Ontologies from Predicate-based to Frame-based Languages Jos de Bruijn and Stijn

Translating Ontologies from Predicate-based to Frame-based Languages Jos de Bruijn and Stijn

Translating Ontologies from Predicate-based to Frame-based Languages Jos de Bruijn and Stijn Heymans Digital Enterprise Research Institute (DERI) University of Innsbruck, Austria { jos.debruijn,stijn.heymans } @deri.org RuleML 2006 2006-11-10

196 views • 16 slides

More recommend