The first 10 years of Curve25519 (PowerPoint PPT presentation)



SLIDE 1

The first 10 years of Curve25519
Daniel J. Bernstein
University of Illinois at Chicago & Technische Universiteit Eindhoven

2005.05.19: Seminar talk; design+software close to done.
2005.09.15: Software online.
2005.09.20: Invited talk at ECC.
2005.11.15: Paper online; submitted to PKC 2006.

SLIDE 2

Abstract: “This paper explains the design and implementation of a high-security elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors’ results at the same conjectured security level (with or without the side benefits).”

SLIDE 3

Elliptic-curve computations

SLIDE 4

1987 (distributed 1984) Lenstra: ECM, the elliptic-curve method of factoring integers.

1985 Bosma, 1986 Goldwasser–Kilian, 1986 Chudnovsky–Chudnovsky, 1988 Atkin: ECPP, elliptic-curve primality proving.

1985/6 (distributed 1984) Miller, and independently 1987 (distributed 1984) Koblitz: ECC—use elliptic curves in DH to avoid index-calculus attacks.

SLIDE 5

1986 Chudnovsky–Chudnovsky, for ECM+ECPP: analyze several ways to represent elliptic curves; optimize # field operations.

1987 Montgomery, for ECM: best speed from $y^2 = x^3 + Ax^2 + x$, preferably with $(A - 2)/4$ small.

Late 1990s: ANSI/IEEE/NIST standards specify $y^2 = x^3 - 3x + b$ in Jacobian coordinates, citing Chudnovsky–Chudnovsky. Alleged motivation: “the fastest arithmetic on elliptic curves”.

SLIDE 6

Did Chudnovsky and Chudnovsky actually recommend this? What about Montgomery? What about papers after 1987?

Analyze all known options for computing $n, P \mapsto nP$ on conservative elliptic curves. Montgomery ladder is the fastest.

Problem: Elliptic-curve formulas always have exceptional cases. Montgomery derives formulas for generic inputs; for crypto we need algorithms that always work.

SLIDE 7

But wait, it’s worse! Crypto 1996 Kocher: secret branches affect timing; this leaks your secret key.

SLIDE 8

Briefly mentioned by Kocher and by ESORICS 1998 Kelsey–Schneier–Wagner–Hall: secret array indices can affect timing via cache misses.

2002 Page, CHES 2003 Tsunoo–Saito–Suzaki–Shigeri–Miyauchi: timing attacks on DES.

SLIDE 9

“Guaranteed” countermeasure: load entire table into cache.

2004.11/2005.04 Bernstein: Timing attacks on AES. Countermeasure isn’t safe; e.g., secret array indices can affect timing via cache-bank collisions. What is safe: kill all data flow from secrets to array indices.

2013 Bernstein–Schwabe “A word of warning”: Cheaper countermeasure recommended by Intel isn’t safe.

SLIDE 10

2016: OpenSSL didn’t listen.

SLIDE 11

The Curve25519 paper

Avoid “all input-dependent branches, all input-dependent array indices, and other instructions with input-dependent timings”.

Choose a curve $y^2 = x^3 + Ax^2 + x$ where $A^2 - 4$ is not a square. ≈25% of all elliptic curves.

Define $X_0(x, y) = x$; $X_0(\infty) = 0$. Transmit each point $P$ as $X_0(P)$.

Use the Montgomery ladder without any extra tests.

Theorem: Output is $X_0(nP)$.

SLIDE 12

    # Sage-style notation: ^ is exponentiation, all values are elements of GF(p);
    # n is the scalar, x1 = X0(P); cswap swaps its two arguments when bit = 1.
    x2,z2,x3,z3 = 1,0,x1,1
    for i in reversed(range(255)):
      bit = 1 & (n >> i)
      x2,x3 = cswap(x2,x3,bit)
      z2,z3 = cswap(z2,z3,bit)
      # differential addition, using x1 as the known difference
      x3,z3 = ((x2*x3-z2*z3)^2, x1*(x2*z3-z2*x3)^2)
      # doubling
      x2,z2 = ((x2^2-z2^2)^2, 4*x2*z2*(x2^2+A*x2*z2+z2^2))
      x2,x3 = cswap(x2,x3,bit)
      z2,z3 = cswap(z2,z3,bit)
    # x2/z2, with the inversion done by Fermat (z2^(p-2)) rather than a branching gcd
    return x2*z2^(p-2)

SLIDE 13

Montgomery has variable #loops, depending on top bit of n.

Curve25519: Change initialization to allow leading 0 bits. Use constant #loops.

Also define scalars n to never have leading 0 bits, so original Montgomery ladder still takes constant time.

Use arithmetic to compute cswap in constant time.
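The ladder of slide 12, with the constant loop count, arithmetic cswap and scalar conditioning of slide 13, written out as a runnable reference model. This is an added example, not the talk's or the Curve25519 software's own code. It assumes the X25519 conventions the slides only summarise: 32-byte little-endian encodings, scalar clamping (low three bits cleared, bit 254 set, bit 255 cleared, so every scalar has exactly 255 significant bits and the 255-iteration ladder has no leading-zero problem), p = 2^255 - 19, A = 486662, base point X0 = 9, and the Alice/Bob key pair from RFC 7748 section 6.1 as constructed test input. Python big-integer arithmetic is not itself constant-time, so the block models the branch-free structure of the algorithm, not a deployable implementation.

```python
# Added example: Curve25519 Montgomery ladder as a branch-free reference model.
# Not the talk's own code. Assumes RFC 7748 / Curve25519-paper conventions
# (clamping, little-endian 32-byte encodings, p = 2^255 - 19, A = 486662).
# Caveat: Python integers are not constant-time; only the control flow is.

P = 2**255 - 19
A = 486662
BASE_U = 9            # X0 of the standard base point


def cswap(a, b, bit):
    """Conditional swap computed with arithmetic, no secret-dependent branch.
    bit must be 0 or 1: dummy is 0 (no swap) or a ^ b (swap)."""
    dummy = (a ^ b) * bit
    return a ^ dummy, b ^ dummy


def ladder(n, x1):
    """Slide-12 ladder: returns X0(n*P) for any x1 in GF(p), no on-curve test.
    If x1 is the X0 of a point on the quadratic twist, the same formulas
    compute the scalar multiple on the twist instead."""
    x1 %= P
    x2, z2, x3, z3 = 1, 0, x1, 1          # (1:0) is the point at infinity
    for i in reversed(range(255)):        # constant number of iterations
        bit = 1 & (n >> i)
        x2, x3 = cswap(x2, x3, bit)
        z2, z3 = cswap(z2, z3, bit)
        # differential addition: (x3:z3) <- (x2:z2) + (x3:z3), difference (x1:1)
        x3, z3 = ((x2 * x3 - z2 * z3) ** 2 % P,
                  x1 * (x2 * z3 - z2 * x3) ** 2 % P)
        # doubling: (x2:z2) <- 2 * (x2:z2)
        x2, z2 = ((x2 * x2 - z2 * z2) ** 2 % P,
                  4 * x2 * z2 * (x2 * x2 + A * x2 * z2 + z2 * z2) % P)
        x2, x3 = cswap(x2, x3, bit)
        z2, z3 = cswap(z2, z3, bit)
    # affine x = x2 / z2 via Fermat inversion (no branching gcd)
    return x2 * pow(z2, P - 2, P) % P


def clamp(sk):
    """Curve25519 scalar conditioning: multiple of 8, bit 254 set, bit 255 clear,
    so the scalar never has leading zero bits inside the 255-bit ladder."""
    k = bytearray(sk)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(sk, peer_u):
    """X25519(k, u): 32-byte scalar and 32-byte u-coordinate -> 32-byte u."""
    n = clamp(sk)
    u = int.from_bytes(peer_u, "little") & ((1 << 255) - 1)   # drop top bit
    return ladder(n, u).to_bytes(32, "little")


def public_key(sk):
    return x25519(sk, BASE_U.to_bytes(32, "little"))


def on_curve(u):
    """Legendre test: is u^3 + A u^2 + u a square mod p (u on the curve, not the twist)?"""
    v = (u * u * u + A * u * u + u) % P
    return v == 0 or pow(v, (P - 1) // 2, P) == 1


# Constructed test input: the Alice/Bob private keys of RFC 7748 section 6.1.
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
BOB_SK = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")


def demo():
    """Both public keys and both sides' shared secret, as hex."""
    alice_pk, bob_pk = public_key(ALICE_SK), public_key(BOB_SK)
    shared_a = x25519(ALICE_SK, bob_pk)
    shared_b = x25519(BOB_SK, alice_pk)
    return alice_pk.hex(), bob_pk.hex(), shared_a.hex(), shared_b.hex()


def twist_demo():
    """Feed the ladder a small u that is NOT on Curve25519 (it is on the twist).
    The ladder hits no exceptional case and both parties still agree."""
    u = next(u for u in range(2, 1000) if not on_curve(u))
    u_bytes = u.to_bytes(32, "little")
    pa = x25519(ALICE_SK, u_bytes)
    pb = x25519(BOB_SK, u_bytes)
    return u, x25519(ALICE_SK, pb) == x25519(BOB_SK, pa)


if __name__ == "__main__":
    print(demo())
    print(twist_demo())
```

Running the block prints the two public keys and the shared secret, which match the RFC 7748 vectors because the slide's formulas and the RFC's (A-2)/4 form differ only by a projective factor that cancels in the final division. twist_demo() is the "without any extra tests" point of slide 11 in practice: a u-coordinate on the quadratic twist goes through the same code path, and the exchange still commutes. Whether accepting such inputs is safe is a separate question about the twist's group order that these slides do not reach.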

slide-60
SLIDE 60

12

x2,z2,x3,z3 = 1,0,x1,1 in reversed(range(255)): 1 & (n >> i) = cswap(x2,x3,bit) = cswap(z2,z3,bit) = ((x2*x3-z2*z3)^2, x1*(x2*z3-z2*x3)^2) = ((x2^2-z2^2)^2, 4*x2*z2*(x2^2+A*x2*z2+z2^2)) = cswap(x2,x3,bit) = cswap(z2,z3,bit) x2*z2^(p-2)

13

Montgomery has variable #loops, depending on top bit of n. Curve25519: Change initialization to allow leading 0 bits. Use constant #loops. Also define scalars n to never have leading 0 bits, so original Montgomery ladder still takes constant time. Use arithmetic to compute cswap in constant time. “Hey, you the input

slide-61
SLIDE 61

12

1,0,x1,1 reversed(range(255)): >> i) cswap(x2,x3,bit) cswap(z2,z3,bit) ((x2*x3-z2*z3)^2, x1*(x2*z3-z2*x3)^2) ((x2^2-z2^2)^2, 4*x2*z2*(x2^2+A*x2*z2+z2^2)) cswap(x2,x3,bit) cswap(z2,z3,bit) x2*z2^(p-2)

13

Montgomery has variable #loops, depending on top bit of n. Curve25519: Change initialization to allow leading 0 bits. Use constant #loops. Also define scalars n to never have leading 0 bits, so original Montgomery ladder still takes constant time. Use arithmetic to compute cswap in constant time. “Hey, you forgot to the input is on the

slide-62
SLIDE 62

12

reversed(range(255)): cswap(x2,x3,bit) cswap(z2,z3,bit) ((x2*x3-z2*z3)^2, x1*(x2*z3-z2*x3)^2) ((x2^2-z2^2)^2, 4*x2*z2*(x2^2+A*x2*z2+z2^2)) cswap(x2,x3,bit) cswap(z2,z3,bit)

13

Montgomery has variable #loops, depending on top bit of n. Curve25519: Change initialization to allow leading 0 bits. Use constant #loops. Also define scalars n to never have leading 0 bits, so original Montgomery ladder still takes constant time. Use arithmetic to compute cswap in constant time. “Hey, you forgot to check that the input is on the curve!”

slide-63
SLIDE 63

13

Montgomery has variable #loops, depending on top bit of n. Curve25519: Change initialization to allow leading 0 bits. Use constant #loops. Also define scalars n to never have leading 0 bits, so original Montgomery ladder still takes constant time. Use arithmetic to compute cswap in constant time.

14

“Hey, you forgot to check that the input is on the curve!” Conventional wisdom: Important to check; otherwise broken by Crypto 2000 Biehl–Meyer–M¨ uller. ESORICS 2015 Jager–Schwenk– Somorovsky: Successful attacks! Checking is easy to forget.

15

Curve25519 paper: “free key validation” eliminates these attacks. No cost for checking input; no code to forget.

  • 1. Montgomery naturally follows 1986 Miller compression: send only x-coordinate, not (x, y). Forces input onto “curve” or “twist”. (Bonus: 32-byte keys!)
  • 2. Montgomery ladder works correctly for inputs on twist.
  • 3. Choose twist-secure curve.
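An added example, not code from the slides, that implements the ladder of slide 12 as a complete X25519-style function in Python and exercises both points above: the constant-time choices of slide 13 (fixed 255-iteration loop, scalars with bit 254 set so there are no leading zero bits, cswap by arithmetic) and the “free key validation” of slide 15 (x-only input that is never tested for being on the curve, yet gives matching shared secrets for inputs on the twist). Assumed parameters are those of Curve25519 as in RFC 7748: p = 2^255 − 19, A = 486662, base point u = 9; the secret byte strings and the twist x-coordinate are constructed test inputs.

```python
# Added example, not code from the slides: an X25519-style ladder in pure
# Python showing the constant-time choices from slide 13 (fixed loop count,
# scalars with bit 254 set, arithmetic cswap) and the "free key validation"
# argument from slide 15 (x-only input, twist-safe ladder).
# Assumed parameters are those of Curve25519 / RFC 7748: p = 2^255 - 19,
# A = 486662, base point u = 9.

P = 2**255 - 19
A = 486662
BASE = (9).to_bytes(32, "little")


def cswap(a, b, bit):
    """Conditional swap with arithmetic only: no branch on the secret bit.
    mask is all-ones when bit == 1 and zero when bit == 0; a and b are
    assumed to be non-negative integers below 2^256."""
    mask = -bit & (2**256 - 1)
    d = (a ^ b) & mask
    return a ^ d, b ^ d


def clamp(k_bytes):
    """Derive the scalar n from 32 secret bytes so it never has leading
    zero bits: clear the 3 low bits (multiple of the cofactor 8), clear
    bit 255, set bit 254.  A 255-iteration ladder is then always exact."""
    k = bytearray(k_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(bytes(k), "little")


def decode_u(u_bytes):
    """Decode a 32-byte little-endian x-coordinate.  Only the top bit is
    masked; there is deliberately no test that u lies on the curve."""
    u = bytearray(u_bytes)
    u[31] &= 127
    return int.from_bytes(bytes(u), "little") % P


def ladder(n, x1):
    """Montgomery ladder on x-coordinates (the slide-12 loop) with a fixed
    number of iterations and swaps done by cswap.  Because the formulas
    never use y, the same code is correct for x1 on the curve and on its
    quadratic twist."""
    x2, z2, x3, z3 = 1, 0, x1, 1
    for i in reversed(range(255)):            # always 255 loops
        bit = 1 & (n >> i)
        x2, x3 = cswap(x2, x3, bit)
        z2, z3 = cswap(z2, z3, bit)
        # differential addition: (x2:z2) + (x3:z3) with difference (x1:1)
        x3, z3 = ((x2*x3 - z2*z3)**2 % P, x1*(x2*z3 - z2*x3)**2 % P)
        # doubling of (x2:z2)
        x2, z2 = ((x2*x2 - z2*z2)**2 % P,
                  4*x2*z2*(x2*x2 + A*x2*z2 + z2*z2) % P)
        x2, x3 = cswap(x2, x3, bit)
        z2, z3 = cswap(z2, z3, bit)
    return x2 * pow(z2, P - 2, P) % P          # z2 == 0 gives 0, never raises


def x25519(k_bytes, u_bytes):
    """Scalar multiplication with the 32-byte encodings on both sides."""
    return ladder(clamp(k_bytes), decode_u(u_bytes)).to_bytes(32, "little")


def is_on_curve(u):
    """True when u is an x-coordinate on the curve v^2 = u^3 + A u^2 + u,
    False when it lies on the twist (Euler's criterion on the right side).
    Used here only to pick test inputs; the DH code never calls it."""
    rhs = (u*u*u + A*u*u + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


# Constructed test inputs: two fixed "secret" byte strings and the smallest
# x-coordinate in 2..63 that is on the twist rather than on the curve.
A_SECRET = bytes(range(32))
B_SECRET = bytes(range(32, 64))
TWIST_U = next(u for u in range(2, 64) if not is_on_curve(u))


def dh_agrees(a_bytes, b_bytes, u_bytes):
    """Both sides derive the same shared secret from generator u, whether
    u is on the curve or on the twist: the ladder needs no on-curve check."""
    pa = x25519(a_bytes, u_bytes)
    pb = x25519(b_bytes, u_bytes)
    return x25519(a_bytes, pb) == x25519(b_bytes, pa)


if __name__ == "__main__":
    print("base point on curve:", is_on_curve(9))
    print("twist x-coordinate :", TWIST_U)
    print("DH agrees on curve :", dh_agrees(A_SECRET, B_SECRET, BASE))
    print("DH agrees on twist :",
          dh_agrees(A_SECRET, B_SECRET, TWIST_U.to_bytes(32, "little")))
```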

16

Longest section in Curve25519 paper: fast finite-field arithmetic, improving on algorithm designs from 1999–2004 Bernstein. Barely mentioned in paper: new programming language. New prime 2^255 − 19. Faster than NIST P-256 prime 2^256 − 2^224 + 2^192 + 2^96 − 1. “Prime fields also have the virtue of minimizing the number of security concerns for elliptic-curve cryptography.”

17

Curve25519 paper specified a multi-user DH system. See 1976 Diffie–Hellman; also, e.g., 1999 Rescorla “static-static mode”; 2006 NIST “C(0,2)”. Included security survey:

  • Reductions: intolerably loose.
  • Known attack ideas: rho etc.
  • Multi-user batch attacks.
  • Special-purpose hardware: 160-bit ECC is breakable.
  • Small-subgroup attacks, invalid-curve attacks, etc.

18

2015: Beware batch attacks.

19

Paper sketched common-sense attack model, including composition with subsequent multi-user secret-key system (as in, e.g., 2001 Bernstein “public-key authenticators”); attacks on secret-key system (the motivation given for “Reveal” queries in PKC 2013 Freire–Hofheinz–Kiltz–Paterson); dishonest key registrations (as in, e.g., Eurocrypt 2008 Cash–Kiltz–Shoup); keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller).

21

Email from program chairs:

It is my pleasure to inform you that your paper "Curve25519: new Diffie-Hellman speed records" was accepted to PKC’06. Congratulations! Below please find the reviewers’ comments on your paper "Curve25519: new Diffie-Hellman speed records" that was submitted to PKC 2006.

22

Reviewer #1:

While I think (frankly) that this is a nice engineering work, I think that this is not a "real" research paper. I don’t question the correctness but I question the appropriateness of the paper to the conference.

So engineering isn’t research?

23

Reviewer #2:

... benefits including protection against timing attacks, no apparent patent infringements, and very good speed. ... On the negative side, the paper does not introduce novel ideas, nor does it attempt to prove things rigorously (the word "conjecture" is used repeatedly throughout). It is principally a considerable engineering achievement.

24

e.g. “Breaking the Curve25519 function—for example, computing the shared secret from the two public keys—is conjectured to be extremely difficult. Every known attack is more expensive than performing a brute-force search on a typical 128-bit secret-key cipher. … Curves of this shape have order divisible by 4, requiring a marginally larger prime for the same conjectured security level, but this is outweighed by the extra speed of curve operations.”

25

Reviewer #3:

... The curve and the field are hardwired into the program, which leaves little flexibility if changes are someday needed. ... My main concerns about the paper are that it comes across as low on useful content (it’s mostly about one curve), and is very strangely written, and therefore unpleasant to read ... The paper is written in what

26

comes across as a rambling incoherent style. ... The rewriting that would be required to make this paper readable is significant (though easy for someone willing to do it), and I’m not optimistic that it would be done by the deadline, or that the content (I can’t say "results" since there aren’t any stated results, other than a trivial mathematical result) is significant enough to justify

27

acceptance. ... The "Conjectured Curve25519 security level" section should be omitted; or if there’s useful and new content in it, that should be made clear. ... Most of the appendices should be removed. For example, the irrelevant discussion of patents should either be removed, or rephrased to be a purely scientific discussion and not a patent discussion, and the appendix

28

that shows that 3 numbers are prime should be removed. ... The paper will be of greatest interest to those implementing Diffie-Hellman with elliptic curves. But the limitations on the exponent (and the lack of a y-coordinate) prevent it from being used by El Gamal and other ECC protocols. ... The paper is remarkably free of grammatical errors.

29

2016: Counterfeit “primes”.

30

With reviews like these, how did PKC accept Curve25519? Reviewer #4 was positive. Maybe reviewer #4 convinced other people as part of discussion. Or program chairs liked paper. Maybe someone thought the title “9th International Conference on Theory and Practice in Public-Key Cryptography” justified an occasional paper like this. Note to young cryptographers: Don’t let referees discourage you.

31

Edwards curves

2007 Edwards “A normal form for elliptic curves”: $x_3 = \frac{x_1 y_2 + x_2 y_1}{c(1 + x_1 x_2 y_1 y_2)}$, $y_3 = \frac{y_1 y_2 - x_1 x_2}{c(1 - x_1 x_2 y_1 y_2)}$ generically defines addition law $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$ on any elliptic curve of the form $x^2 + y^2 = c^2(1 + x^2 y^2)$. Euler+Gauss defined this law for one curve: $c^4 = -1$.

32

2007 Bernstein–Lange “Faster addition and doubling on elliptic curves”: Edwards addition law easily generalizes to $x_3 = \frac{x_1 y_2 + x_2 y_1}{1 + d x_1 x_2 y_1 y_2}$, $y_3 = \frac{y_1 y_2 - x_1 x_2}{1 - d x_1 x_2 y_1 y_2}$ on any elliptic curve of the form $x^2 + y^2 = 1 + d x^2 y^2$. $d = c^4$ is original Edwards. $d = 0$ is circle, non-elliptic. Surprise for non-square $d$: this addition law is complete!

33

By easy change of coordinates can write $y^2 = x^3 + Ax^2 + x$ with non-square $A^2 - 4$ as a complete Edwards curve. In particular: Curve25519. Curve arithmetic is very fast. (After various followup papers: even faster!) Almost as fast as Montgomery for $n, P \to nP$ in DH. New speed records for $m, n, P, Q \to mP + nQ$ and other signature operations.
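The change of coordinates just described, carried out on Curve25519 itself as an added worked example (this is not code from the talk or from any Curve25519 implementation). The constants p = 2^255 − 19, A = 486662 and base-point u = 9 are the published Curve25519 parameters; the helper names are my own. The code computes the Edwards coefficient d = (A − 2)/(A + 2), checks with Euler's criterion that both d and A² − 4 are non-squares (which is what makes the addition law complete), and maps the base point onto the Edwards curve, where its y-coordinate turns out to be 4/5.

```python
P = 2**255 - 19   # Curve25519 field prime
A = 486662        # Curve25519: v^2 = u^3 + A u^2 + u


def inv(a):
    return pow(a, P - 2, P)


def is_square(a):
    """Euler's criterion for non-zero a: a^((P-1)/2) == 1 iff a is a square mod P."""
    return pow(a % P, (P - 1) // 2, P) == 1


def sqrt_mod_p(a):
    """Square root mod P, using P = 5 (mod 8); returns None for a non-square."""
    a %= P
    x = pow(a, (P + 3) // 8, P)
    if (x * x - a) % P == 0:
        return x
    x = x * pow(2, (P - 1) // 4, P) % P   # multiply by sqrt(-1); 2 is a non-square mod P
    return x if (x * x - a) % P == 0 else None


def edwards_d(A=A):
    """Montgomery (A, B=1) is birational to the twisted Edwards curve
    (A+2) x'^2 + y^2 = 1 + (A-2) x'^2 y^2.  Scaling x' by sqrt(A+2), a square mod P,
    gives the plain Edwards curve x^2 + y^2 = 1 + d x^2 y^2 with d = (A-2)/(A+2);
    d is a non-square exactly when A^2 - 4 = (A-2)(A+2) is."""
    return (A - 2) * inv(A + 2) % P


def montgomery_point(u, A=A):
    """Lift u to (u, v) on v^2 = u^3 + A u^2 + u, or None if u is not an x-coordinate."""
    v = sqrt_mod_p(u * u * u + A * u * u + u)
    return None if v is None else (u, v)


def to_edwards(u, v, A=A):
    """Birational map (u, v) -> (sqrt(A+2) * u / v, (u - 1) / (u + 1))."""
    s = sqrt_mod_p(A + 2)
    return s * u * inv(v) % P, (u - 1) * inv(u + 1) % P


def on_edwards(x, y, d):
    return (x * x + y * y - 1 - d * x * x * y * y) % P == 0


def check_curve25519():
    """The facts the slide relies on, computed rather than assumed."""
    d = edwards_d()
    u, v = montgomery_point(9)          # Curve25519 base point has u = 9
    x, y = to_edwards(u, v)
    return {
        "A_plus_2_is_square": sqrt_mod_p(A + 2) is not None,
        "A2_minus_4_nonsquare": not is_square(A * A - 4),
        "d_nonsquare": not is_square(d),                 # => addition law complete
        "d_is_121665_over_121666": d == 121665 * inv(121666) % P,  # 486660/486664 reduced
        "basepoint_on_edwards_curve": on_edwards(x, y, d),
        "basepoint_y_is_4_over_5": y == 4 * inv(5) % P,
    }
```

The value 121665/121666 is the negation of Ed25519's d; the "−1-twisted" form on the next page keeps the same curve but absorbs a factor of −1 (a square mod this p) into the x-coordinate, which is why Ed25519 can use the fast a = −1 formulas.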

34

The Ed25519 signature system CHES 2011 Bernstein–Duif– Lange–Schwabe–Yang: Start from Schnorr signatures. Skip signature compression. Support batch verification. Use double-size H output, and include public key A as input: SB = R + H(R; A; M)A. Generate R deterministically as a secret hash of M. ⇒ Avoid PlayStation disaster. Use Curve25519 in complete “−1-twisted” Edwards form.

35

Optimizations for more platforms
2007 Gaudry–Thomé: Core 2.
2009 Costigan–Schwabe: Cell.
2011 Bernstein–Duif–Lange–Schwabe–Yang: Nehalem.
2012 Bernstein–Schwabe: NEON.
2014 Langley–Moon: newer Intel.
2014 Mahé–Chauvet: GPUs.
2014 Sasdrich–Güneysu: FPGAs.
2015 Chou: newer Intel.
2015 Düll–Haase–Hinterwälder–Hutter–Paar–Sánchez–Schwabe: microcontrollers.
2015 Hutter–Schilling–Schwabe–Wieser: ASICs.

36

Next-generation crypto library
NaCl: Networking and Cryptography library provides very simple new API for public-key authenticated encryption.
All-in-one crypto_box function uses Curve25519 for DH, Salsa20 for encryption, Poly1305 for authentication.
More on NaCl design: see 2011 Bernstein–Lange–Schwabe “The security impact of a new cryptographic library”.
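Added example, not NaCl's own code: the Curve25519 Diffie-Hellman step that crypto_box performs first, written as the RFC 7748 X25519 ladder in Python. crypto_box then derives the Salsa20/Poly1305 key from this shared point with HSalsa20, which is not reproduced here. The names (clamp, cswap, x25519, x25519_public_key, x25519_shared) are mine. The ladder's operation sequence does not depend on the scalar, but Python's big integers are not constant-time, so this is for reading, not deployment.

```python
# X25519 (RFC 7748): Curve25519 in Montgomery form y^2 = x^3 + 486662 x^2 + x over
# GF(2^255 - 19). Only the x-coordinate (called u here) is ever needed, which is what
# makes Diffie-Hellman on this curve short to implement.
P = 2**255 - 19
A24 = 121665                            # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")  # generator's u-coordinate

def clamp(scalar):
    # Clear the low 3 bits (scalar becomes a multiple of the cofactor 8, so small-subgroup
    # components of a hostile point vanish) and set bit 254 for a fixed ladder length.
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def cswap(swap, a, b):
    # Branch-free conditional swap: swap is 0 or 1, so -swap is 0 or all-ones.
    dummy = (a ^ b) & -swap
    return a ^ dummy, b ^ dummy

def x25519(scalar, u_bytes):
    # Montgomery ladder: one differential addition and one doubling per scalar bit,
    # the same sequence for every scalar, so the secret does not shape the timing.
    k = clamp(scalar)
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)  # top bit is ignored
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        A = (x2 + z2) % P
        AA = A * A % P
        B = (x2 - z2) % P
        BB = B * B % P
        E = (AA - BB) % P
        C = (x3 + z3) % P
        D = (x3 - z3) % P
        DA = D * A % P
        CB = C * B % P
        x3 = (DA + CB) ** 2 % P
        z3 = x1 * (DA - CB) ** 2 % P
        x2 = AA * BB % P
        z2 = E * (AA + A24 * E) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x25519_public_key(secret):
    return x25519(secret, BASEPOINT)

def x25519_shared(my_secret, their_public):
    # Any 32-byte string is accepted as a peer key ("free key validation"), with one
    # caveat: a low-order peer point gives an all-zero result that did not depend on
    # my_secret at all. Reject it instead of handing it to the HSalsa20 key derivation.
    s = x25519(my_secret, their_public)
    return None if s == bytes(32) else s
```

Both sides call x25519_shared with their own secret and the other's public key and obtain the same 32 bytes; the RFC 7748 section 6.1 exchange reproduces exactly. The all-zero check is the one piece of input validation that remains: RFC 7748 allows implementations to abort on it, and any protocol that needs the shared key to depend on both parties must.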

37

Simplicity
Curve25519 paper advertised “short code.”
2013 Bernstein–Janssen–Lange–Schwabe: TweetNaCl, reimplementing NaCl in 100 tweets.
Does speed matter?
Largest chunk of code: the hash function used inside signatures!
2014 Bernstein–van Gastel–Janssen–Lange–Schwabe–Smetsers: formal verification of some TweetNaCl properties.

38

2014 Chen–Hsu–Lin–Schwabe–Tsai–Wang–Yang–Yang “Verifying Curve25519 software”: formal verification of correctness of two high-speed asm main loops.
Newer work ongoing: e.g., 2015 Russinoff “A computationally surveyable proof of the Curve25519 group axioms”; 2015 Bernstein–Schwabe gfverif.
Single-curve code helps speed and is the most promising avenue towards bug-free ECC software.

39

2012: Apple deploys Curve25519

40

2013: Signal deploys Curve25519

41

2014: OpenSSH deploys Curve25519

42

2015.10: IRTF CFRG settles on EdDSA (Ed25519 and Ed448) for signatures. Already selected X25519 and X448 for DH.
2015.10: NIST reopens its ECC standards for comment, paving way for new curves.
2015.11: BoringSSL adds X25519 and Ed25519.
These are just some highlights. Many more: ianix.com/pub/curve25519-deployment.html and ianix.com/pub/ed25519-deployment.html.