2015
DOI: 10.1007/978-3-319-27152-1_6
|View full text |Cite
|
Sign up to set email alerts
|

How to Manipulate Curve Standards: A White Paper for the Black Hat http://bada55.cr.yp.to

Abstract: This paper analyzes the cost of breaking ECC under the following assumptions: (1) ECC is using a standardized elliptic curve that was actually chosen by an attacker; (2) the attacker is aware of a vulnerability in some curves that are not publicly known to be vulnerable. This cost includes the cost of exploiting the vulnerability, but also the initial cost of computing a curve suitable for sabotaging the standard. This initial cost depends heavily upon the acceptability criteria used by the public to decide wh… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
3
1
1

Citation Types

0
34
0

Year Published

2015
2015
2022
2022

Publication Types

Select...
5
3

Relationship

0
8

Authors

Journals

citations
Cited by 57 publications
(34 citation statements)
references
References 20 publications
0
34
0
Order By: Relevance
“…Every ADD in the Montgomery ladder is in the form [i]P ⊕ [i + 1]P , so every associated difference is equal to P . Several two-dimensional differential addition chains have been proposed, targeting multiexponentiations in elliptic curves and other primitives; we suggest [4] and [34] for overviews.…”
Section: Two-dimensional Differential Addition Chainsmentioning
confidence: 99%
See 1 more Smart Citation
“…Every ADD in the Montgomery ladder is in the form [i]P ⊕ [i + 1]P , so every associated difference is equal to P . Several two-dimensional differential addition chains have been proposed, targeting multiexponentiations in elliptic curves and other primitives; we suggest [4] and [34] for overviews.…”
Section: Two-dimensional Differential Addition Chainsmentioning
confidence: 99%
“…We have implemented three different two-dimensional differential addition chains: one due to Montgomery [24] via Stam [34], one due to Bernstein [4], and one due to Azarderakhsh and Karabina [1]. We provide implementation details and timings for scalar multiplications based on each of our chains in §6.…”
Section: Introductionmentioning
confidence: 99%
“…The performance numbers in Sec. 4 show up to a 51% improvement. Furthermore, results of integrating two side-channel defenses show that up to 33% improvement can be retained in tandem with the GLV method.…”
Section: Introductionmentioning
confidence: 90%
“…Ideally, as the scalar multiplication algorithm is executing it presents a consistent view through these caches that is independent of the key, i.e., the sequence of point additions and doublings is fixed regardless of the scalar. One way to do this, especially with GLV in mind, would be a multi-scalar version of Montgomery's ladder (see, e.g., Bernstein [4]) -but this would have quite a large performance penalty for OpenSSL. An ideal solution with respect to the OpenSSL code base, to retain performance and for easy integration, has the following characteristics:…”
Section: Regular Scalar Encodingsmentioning
confidence: 99%
“…There are several algorithms to obtain efficient results for multiplication operation: Karatsuba-Ofman method, Toom-Cook method, FFT-based techniques, Montgomery method [1]. In this paper we focus on Montgomery modular multiplication method and its efficient adaptation to lattice-based cryptographic schemes.…”
Section: Introductionmentioning
confidence: 99%