The first 10 years of Curve25519

Daniel J. Bernstein, University of Illinois at Chicago & Technische

Abstract: This paper explains the design and implementation of a high-security elliptic-curve-Diffie-Hellman function


  1. Fragments cut off from the preceding slide: (distributed 1984) Miller and (distributed 1984) Koblitz, independently: elliptic curves in DH; ... index-calculus attacks. Lenstra: an elliptic-curve method for ... integers. 1986 Goldwasser–..., 1988 Atkin: ECPP, primality proving.

     1986 Chudnovsky–Chudnovsky, for ECM+ECPP: analyze several ways to represent elliptic curves; optimize # field operations.

     1987 Montgomery, for ECM: best speed from y^2 = x^3 + Ax^2 + x, preferably with (A − 2)/4 small.

     Late 1990s: ANSI/IEEE/NIST standards specify y^2 = x^3 − 3x + b in Jacobian coordinates, citing Chudnovsky–Chudnovsky. Alleged motivation: “the fastest arithmetic on elliptic curves”.

     Did Chudnovsky and Chudnovsky actually recommend this? What about Montgomery? What about papers after 1987?

     Analyze all known options for computing n, P ↦ nP on conservative elliptic curves. Montgomery ladder is the fastest.

     Problem: Elliptic-curve formulas always have exceptional cases. Montgomery derives formulas for generic inputs; for crypto we need algorithms that always work.

  2. But wait, it’s worse! Crypto 1996 Kocher: secret branches affect timing; this leaks your secret key.

     Briefly mentioned by Kocher and by ESORICS 1998 Kelsey–Schneier–Wagner–Hall: secret array indices can affect timing via cache misses.

     2002 Page, CHES 2003 Tsunoo–Saito–Suzaki–Shigeri–Miyauchi: timing attacks on DES.

     “Guaranteed” countermeasure: load entire table into cache.

     2004.11/2005.04 Bernstein: Timing attacks on AES. Countermeasure isn’t safe; e.g., secret array indices can affect timing via cache-bank collisions. What is safe: kill all data flow from secrets to array indices.

     2013 Bernstein–Schwabe “A word of warning”: Cheaper countermeasure recommended by Intel isn’t safe.

     2016: OpenSSL didn’t listen.

  3. The Curve25519 paper

     Avoid “all input-dependent branches, all input-dependent array indices, and other instructions with input-dependent timings”.

     Choose a curve y^2 = x^3 + Ax^2 + x where A^2 − 4 is not a square. ≈ 25% of all elliptic curves.

     Define X0(x, y) = x; X0(∞) = 0. Transmit each point P as X0(P).

     Use the Montgomery ladder without any extra tests. Theorem: Output is X0(nP).

     The ladder as shown on the slide (Sage notation: ^ is exponentiation, all arithmetic is mod p, and cswap swaps its first two arguments when bit is 1):

         x2,z2,x3,z3 = 1,0,x1,1
         for i in reversed(range(255)):
           bit = 1 & (n >> i)
           x2,x3 = cswap(x2,x3,bit)
           z2,z3 = cswap(z2,z3,bit)
           x3,z3 = ((x2*x3-z2*z3)^2,
                    x1*(x2*z3-z2*x3)^2)
           x2,z2 = ((x2^2-z2^2)^2,
                    4*x2*z2*(x2^2+A*x2*z2+z2^2))
           x2,x3 = cswap(x2,x3,bit)
           z2,z3 = cswap(z2,z3,bit)
         return x2*z2^(p-2)

  4. Montgomery has variable #loops, depending on top bit of n.

     Curve25519: Change initialization to allow leading 0 bits. Use constant #loops.

     Also define scalars n to never have leading 0 bits, so original Montgomery ladder still takes constant time.

     Use arithmetic to compute cswap in constant time.

  5. “Hey, you forgot to check that the input is on the curve!”

     Conventional wisdom: Important to check; otherwise broken by Crypto 2000 Biehl–Meyer–Müller.

     ESORICS 2015 Jager–Schwenk–Somorovsky: Successful attacks! Checking is easy to forget.

     Curve25519 paper: “free key validation” eliminates these attacks. No cost for checking input; no code to forget.

     1. Montgomery naturally follows 1986 Miller compression: send only x-coordinate, not (x, y). Forces input onto “curve” or “twist”. (Bonus: 32-byte keys!)

     2. Montgomery ladder works correctly for inputs on twist.

     3. Choose twist-secure curve.
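The ladder from the slides as a complete, runnable program (an added example, not the talk's or the Curve25519 paper's code): it implements the slide's formulas with a constant 255-iteration loop and an arithmetic cswap, and shows the free-key-validation point by classifying an input x as curve or twist and running the same ladder on both. The X25519 byte encoding, scalar clamping, the helper names and the RFC 7748 test vector in the demo are assumptions not on the slides; Python big-int arithmetic is not constant-time, so the example mirrors the data-flow discipline (no secret-dependent branch or index), not the timing guarantee.

```python
P = 2**255 - 19   # the prime from the slides
A = 486662        # Curve25519: y^2 = x^3 + A x^2 + x over GF(P)

def cswap(a, b, bit):
    """Conditional swap computed with arithmetic, as the slides prescribe:
    neither a branch nor an array index depends on bit."""
    mask = 0 - bit                 # bit=0 -> 0, bit=1 -> -1 (all ones)
    d = (a ^ b) & mask
    return a ^ d, b ^ d

def ladder(n, x1):
    """Montgomery ladder from the slide: returns X0(nP) given X0(P) = x1.
    Starts from (infinity, P) and always runs 255 iterations, so leading
    zero bits of n cost nothing and the loop count is fixed."""
    x1 %= P
    x2, z2, x3, z3 = 1, 0, x1, 1
    for i in reversed(range(255)):
        bit = 1 & (n >> i)
        x2, x3 = cswap(x2, x3, bit)
        z2, z3 = cswap(z2, z3, bit)
        # differential addition (the difference P has Z = 1), slide formula
        x3, z3 = ((x2*x3 - z2*z3)**2 % P,
                  x1*(x2*z3 - z2*x3)**2 % P)
        # doubling, slide formula
        x2, z2 = ((x2**2 - z2**2)**2 % P,
                  4*x2*z2*(x2**2 + A*x2*z2 + z2**2) % P)
        x2, x3 = cswap(x2, x3, bit)
        z2, z3 = cswap(z2, z3, bit)
    # x2/z2 by Fermat inversion; z2 == 0 (infinity) gives X0 = 0 as defined
    return x2 * pow(z2, P - 2, P) % P

def curve_or_twist(x):
    """Where does an arbitrary 32-byte input land?  If x^3 + A x^2 + x is a
    square in GF(P) the x belongs to the curve, otherwise to its quadratic
    twist.  There is no third case, which is why nothing needs rejecting."""
    rhs = (x**3 + A*x**2 + x) % P
    if rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1:   # Euler's criterion
        return "curve"
    return "twist"

def first_twist_x(start=2):
    """Smallest x >= start lying on the twist (found by search, not fixed;
    x >= 2 avoids the small-order x-coordinates 0 and 1)."""
    x = start
    while curve_or_twist(x) != "twist":
        x += 1
    return x

def x25519(scalar32, u32):
    """RFC 7748-style byte interface (an assumption, not on the slides):
    little-endian encodings; the scalar is clamped so bit 254 is always set,
    which is the 'no leading 0 bits' convention the slides mention."""
    k = bytearray(scalar32)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    n = int.from_bytes(k, "little")
    u = int.from_bytes(u32, "little") & ((1 << 255) - 1)
    return ladder(n, u).to_bytes(32, "little")

if __name__ == "__main__":
    base = (9).to_bytes(32, "little")
    # RFC 7748 section 6.1 private keys (assumed test vector, not from the slides)
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    pa, pb = x25519(a, base), x25519(b, base)
    print("Alice pub :", pa.hex())
    print("shared ok :", x25519(a, pb) == x25519(b, pa))
    xt = first_twist_x()
    print("x =", xt, "lies on the", curve_or_twist(xt),
          "; ladder still consistent:", ladder(15, xt) == ladder(3, ladder(5, xt)))
```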

  6. Longest section in Curve25519 paper: fast finite-field arithmetic, improving on algorithm designs from 1999–2004 Bernstein.

     Barely mentioned in paper: new programming language.

     New prime 2^255 − 19. Faster than NIST P-256 prime 2^256 − 2^224 + 2^192 + 2^96 − 1.

     “Prime fields also have the virtue of minimizing the number of security concerns for elliptic-curve cryptography.”

  63. 15 16 Curve25519 paper: Longest section in Curve25519 Curve25519 ey validation” paper: fast finite-field arithmetic, multi-user eliminates these attacks. improving on algorithm designs 1976 Diffie–Hellm cost for checking input; from 1999–2004 Bernstein. 1999 Resc de to forget. mode”; 2006 Barely mentioned in paper: Montgomery naturally new programming language. ws 1986 Miller compression: New prime 2 255 − 19. only x -coordinate, not ( x; y ). Faster than NIST P-256 prime input onto “curve” or 2 256 − 2 224 + 2 192 + 2 96 − 1. wist”. (Bonus: 32-byte keys!) “Prime fields also have Montgomery ladder works the virtue of minimizing the rrectly for inputs on twist. number of security concerns for Choose twist-secure curve. elliptic-curve cryptography.”

  64. 15 16 er: Longest section in Curve25519 Curve25519 paper validation” paper: fast finite-field arithmetic, multi-user DH system. attacks. improving on algorithm designs 1976 Diffie–Hellma checking input; from 1999–2004 Bernstein. 1999 Rescorla “static-static rget. mode”; 2006 NIST Barely mentioned in paper: naturally new programming language. Miller compression: New prime 2 255 − 19. rdinate, not ( x; y ). Faster than NIST P-256 prime onto “curve” or 2 256 − 2 224 + 2 192 + 2 96 − 1. (Bonus: 32-byte keys!) “Prime fields also have ladder works the virtue of minimizing the inputs on twist. number of security concerns for wist-secure curve. elliptic-curve cryptography.”

  65. 15 16 Longest section in Curve25519 Curve25519 paper specified a paper: fast finite-field arithmetic, multi-user DH system. See improving on algorithm designs 1976 Diffie–Hellman; also, e.g., t; from 1999–2004 Bernstein. 1999 Rescorla “static-static mode”; 2006 NIST “C(0,2)”. Barely mentioned in paper: new programming language. ression: New prime 2 255 − 19. not ( x; y ). Faster than NIST P-256 prime or 2 256 − 2 224 + 2 192 + 2 96 − 1. keys!) “Prime fields also have rks the virtue of minimizing the wist. number of security concerns for curve. elliptic-curve cryptography.”
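
The three points above, worked through in code as an added example (not code from the slides or from the Curve25519 paper's own implementation): x-coordinate-only Diffie-Hellman on Curve25519 via the Montgomery ladder, using the X25519 step and clamping from RFC 7748. The decoder accepts any 32 bytes with no curve-membership check; `on_curve` is only there to show the reader which inputs land on the curve and which on the twist, and `first_twist_u` constructs a twist input so the reader can see the ladder agreeing on both. Plain Python integers are not constant-time, so this is a readable reference rather than a production implementation.

```python
# Added example (not from the slides or the Curve25519 paper's code):
# x-coordinate-only DH via the Montgomery ladder, RFC 7748 formulas.
P = 2**255 - 19         # field prime
A = 486662              # Montgomery coefficient in v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4      # 121665: the small (A-2)/4 the ladder multiplies by


def decode_scalar(k: bytes) -> int:
    """RFC 7748 clamping: clear the 3 low bits (multiple of cofactor 8),
    clear bit 255, set bit 254."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def decode_u(u: bytes) -> int:
    """Little-endian u-coordinate; only the top bit is masked.
    Deliberately no curve-membership check: any 32 bytes are accepted."""
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def encode_u(x: int) -> bytes:
    return (x % P).to_bytes(32, "little")


def cswap(swap: int, a: int, b: int):
    """Conditional swap written arithmetically rather than with a branch."""
    dummy = swap * (a - b)
    return a - dummy, b + dummy


def x25519(k: bytes, u: bytes) -> bytes:
    """u-coordinate of [k]U computed from the u-coordinate of U alone."""
    k_int = decode_scalar(k)
    x1 = decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1      # (x2:z2) = [0]U, (x3:z3) = [1]U
    swap = 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        # Ladder step: differential addition plus doubling, u-coordinates only.
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    # pow(0, P-2, P) == 0, so a low-order input simply yields all-zero output.
    return encode_u(x2 * pow(z2, P - 2, P) % P)


def on_curve(x: int) -> bool:
    """True when some v satisfies v^2 = x^3 + A*x^2 + x, i.e. x is the
    u-coordinate of a point on Curve25519; otherwise x lies on the twist."""
    rhs = (pow(x, 3, P) + A * x * x + x) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def first_twist_u(start: int = 2) -> int:
    """Smallest u >= start on the quadratic twist (a constructed input)."""
    x = start
    while on_curve(x):
        x += 1
    return x


def dh_agrees(sk_a: bytes, sk_b: bytes, u: bytes) -> bool:
    """Both sides derive the same secret from u, on the curve or on the twist:
    the ladder computes in whichever group u belongs to."""
    return x25519(sk_a, x25519(sk_b, u)) == x25519(sk_b, x25519(sk_a, u))


BASEPOINT = (9).to_bytes(32, "little")
# RFC 7748 section 6.1 test vectors (Alice/Bob key pairs and shared secret).
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PK = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_SK = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PK = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

if __name__ == "__main__":
    assert x25519(ALICE_SK, BASEPOINT) == ALICE_PK
    assert x25519(ALICE_SK, BOB_PK) == SHARED
    twist_u = encode_u(first_twist_u())
    print("twist input accepted, DH agrees:", dh_agrees(ALICE_SK, BOB_SK, twist_u))
```

The point of `dh_agrees` on a twist input is the slide's item 2: nothing in `decode_u` or `x25519` distinguishes curve from twist, and the computation stays consistent either way. Item 3 is what makes that safe: the result only leaks nothing useful because the twist's group order was chosen to have no small factors beyond its cofactor, which is a curve-selection property, not a runtime check.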

  66. Longest section in Curve25519 paper: fast finite-field arithmetic, improving on algorithm designs from 1999–2004 Bernstein. Barely mentioned in paper: new programming language. New prime 2^255 − 19. Faster than NIST P-256 prime 2^256 − 2^224 + 2^192 + 2^96 − 1. “Prime fields also have the virtue of minimizing the number of security concerns for elliptic-curve cryptography.”
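
Why the prime 2^255 − 19 on the slide above is cheap to work in, as an added example (not code from the slides or from the Curve25519 paper's own arithmetic, which works in radix-2^25.5 limbs rather than Python big integers): because 2^255 ≡ 19 (mod p), the bits of a product above position 255 fold back into the low part with a single multiplication by 19, and after two folds one conditional subtraction suffices. The bounds at each fold are stated in the comments; the cross-check against Python's generic `%` uses constructed boundary values and a fixed-seed random sample.

```python
# Added example (not from the slides or the Curve25519 paper's code):
# fold-by-19 reduction modulo 2^255 - 19, with the bound at each step.
import random

P = 2**255 - 19
MASK255 = 2**255 - 1


def reduce25519(x: int) -> int:
    """Reduce 0 <= x < 2^510 (e.g. a product of two 255-bit elements) to [0, p)."""
    if not 0 <= x < 2**510:
        raise ValueError("input must be a non-negative integer below 2^510")
    hi, lo = x >> 255, x & MASK255
    x = lo + 19 * hi            # hi < 2^255, so x < 20 * 2^255
    hi, lo = x >> 255, x & MASK255
    x = lo + 19 * hi            # hi <= 19, so x < 2^255 + 361 < 2p
    if x >= P:                  # at most one conditional subtraction remains
        x -= P
    return x


def mul25519(a: int, b: int) -> int:
    """Field multiplication using the fold-by-19 reduction."""
    return reduce25519(a * b)


def agrees_with_generic_reduction(trials: int = 2000, seed: int = 25519) -> bool:
    """Cross-check against Python's generic % on boundary and random inputs."""
    rng = random.Random(seed)   # fixed seed: constructed, reproducible inputs
    samples = [0, 1, P - 1, P, 2 * P - 1, 2**255, 2**510 - 1, (P - 1) ** 2]
    samples += [rng.randrange(2**510) for _ in range(trials)]
    return all(reduce25519(x) == x % P for x in samples)


if __name__ == "__main__":
    print("fold-by-19 matches generic reduction:", agrees_with_generic_reduction())
```

Contrast this with the P-256 prime quoted on the slide: 2^256 − 2^224 + 2^192 + 2^96 − 1 has four non-trivial terms, so folding the high bits back requires combining several shifted copies of them rather than one multiply by a small constant.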

  71. Curve25519 paper specified a multi-user DH system. See 1976 Diffie–Hellman; also, e.g., 1999 Rescorla “static-static mode”; 2006 NIST “C(0,2)”. Included security survey:
      • Reductions: intolerably loose.
      • Known attack ideas: rho etc.
      • Multi-user batch attacks.
      • Special-purpose hardware: 160-bit ECC is breakable.
      • Small-subgroup attacks, invalid-curve attacks, etc.

  79. 2015: Beware batch attacks. Paper sketched common-sense attack model, including composition with subsequent multi-user secret-key system (as in, e.g., 2001 Bernstein “public-key authenticators”); attacks on secret-key system (the motivation given for “Reveal” queries in PKC 2013 Freire–Hofheinz–Kiltz–Paterson); dishonest key registrations (as in, e.g., Eurocrypt 2008 Cash–Kiltz–Shoup); keys as strings (allows modeling, e.g., 2000 Biehl–Meyer–Müller).

  84. Email from program chairs: It is my pleasure to inform you that your paper "Curve25519: new Diffie-Hellman speed records" was accepted to PKC’06. Congratulations! Below please find the reviewers’ comments on your paper "Curve25519: new Diffie-Hellman speed records" that was submitted to PKC 2006.
