Curve25519: New Diffie-Hellman Speed Records

Bernstein, Daniel J.

doi:10.1007/11745853_14

Cited by 615 publications

(503 citation statements)

References 39 publications

Supporting

Mentioning

485

Contrasting

Unclassified

Order By: Relevance

“…All PRFs are based on hashing the secret key and other inputs using SHA-256 [27] and trun- cating the output hash to 16 bytes. The group G is defined as Curve25519 [5] using Adam Langley's implementation. 3 Pairing-friendly curves are provided by the RELIC library [1], and the Optimal Ate pairing over a 256-bit Barreto-Naehrig curve defines groups G 1 , G 2 and G T .…”

Section: Methodsmentioning

confidence: 99%

DP5: A Private Presence Service

Borisov

Danezis

Goldberg

2015

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Users of social applications like to be notified when their friends are online. Typically, this is done by a central server keeping track of who is online and offline, as well as of all of the users' "buddy lists", which contain sensitive information. We present DP5, a cryptographic service that implements online presence indication in a privacy-friendly way. DP5 allows clients to register their online presence and query the presence of their list of friends while keeping this list secret. Besides presence, high-integrity status updates are supported, to facilitate key update and rendezvous protocols. While infrastructure services are required for DP5 to operate, they are designed to not require any long-term secrets and provide perfect forward secrecy in case of compromise. We provide security arguments for the indistinguishability properties of the protocol, as well as an evaluation of its scalability and performance.

show abstract

Section: Methodsmentioning

confidence: 99%

DP5: A Private Presence Service

Borisov

Danezis

Goldberg

2015

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

show abstract

“…The Curve25519 was first presented by Bernstein in 2006 [2]. It is an elliptic curve of the form y 2 = x 3 + 486662x 2 + x, which is birationally equivalent to the Edwards curve: 1 · x 2 + y 2 = 1 + (121665/121666)x 2 y 2 .…”

Section: Curve25519mentioning

confidence: 99%

“…The value of a coordinate is given by X = u 0 + u 1 + ... + u 9 . Note that this representation is not unique, but is faster to compute than the smallest representation [2].…”

Section: Curve25519-donnamentioning

confidence: 99%

See 1 more Smart Citation

When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015

Kaufmann

Pelletier

Vaudenay

et al. 2016

Cryptology and Network Security

View full text Add to dashboard Cite

Abstract. The elliptic curve Curve25519 has been presented as protected against state-of-the-art timing-attacks [2]. This paper shows that a timing attack is still achievable against a particular X25519 implementation which follows the RFC 4 7748 requirements [10]. The attack allows the retrieval of the complete private key used in the ECDH protocol. This is achieved due to timing leakage during Montgomery ladder execution and relies on a conditional branch in the Windows runtime library 2015. The attack can be applied remotely.

show abstract

“…For Curve25519 [3] finite field arithmetic, Bernstein works in an equivalence class using a representation that is not necessarily the canonical smallest non-negative residue. This allows easier modular reductions without conditional statements -better for security, better for performance to not stall the pipeline, and better for parallelization.…”

Section: Software Multiplexingmentioning

confidence: 99%

Faster Software for Fast Endomorphisms

Brumley

2015

Constructive Side-Channel Analysis and Secure Design

View full text Add to dashboard Cite

Abstract. GLV curves (Gallant et al.) have performance advantages over standard elliptic curves, using half the number of point doublings for scalar multiplication. Despite their introduction in 2001, implementations of the GLV method have yet to permeate widespread software libraries. Furthermore, side-channel vulnerabilities, specifically cachetiming attacks, remain unpatched in the OpenSSL code base since the first attack in 2009 (Brumley and Hakala) even still after the most recent attack in 2014 (Benger et al.). This work reports on the integration of the GLV method in OpenSSL for curves from 160 to 256 bits, as well as deploying and evaluating two side-channel defenses. Performance gains are up to 51%, and with these improvements GLV curves are now the fastest elliptic curves in OpenSSL for these bit sizes.

show abstract

Curve25519: New Diffie-Hellman Speed Records

Cited by 615 publications

References 39 publications

DP5: A Private Presence Service

DP5: A Private Presence Service

When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015

Faster Software for Fast Endomorphisms

Contact Info

Product

Resources

About