Kummer Strikes Back: New DH Speed Records

Bernstein, DJ Daniel; Chuengsatiansup, Chitchanok; Lange, Tanja; Schwabe, Peter

doi:10.1007/978-3-662-45611-8_17

Cited by 48 publications

(62 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In comparison with curvebased implementations on genus 2 curves or binary curves, we observe that our results are between 24%-26% faster than the genus 2 implementation by Bos et al [8], and between 19%-24% faster than the implementation by Oliveira et al [35] based on a binary GLS curve using the 2-GLV method 1 . Only the recent implementation by Bernstein et al [4], which uses the same genus 2 Kummer surface employed by Bos et al [8], is able to achieve a performance that is comparable to this work, with a result that is slightly slower on the Intel Ivy Bridge processor. In addition, the applicability of the Kummer surface is essentially restricted to ECDH; e.g., it cannot be used directly for signature schemes and its performance is poor in ECDHE when precomputations (via fixed-base scalar multiplication) can be exploited.…”

Section: Resultsmentioning

confidence: 54%

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Faz-Hernández

Longa

Sánchez

2014

Topics in Cryptology – CT-RSA 2014

View full text Add to dashboard Cite

We propose efficient algorithms and formulas that improve the performance of side channel protected elliptic curve computations with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.'s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient, sidechannel protected algorithm for fixed-base scalar multiplication which combines Feng et al.'s recoding with Lim-Lee's comb method. Thirdly, we propose an efficient technique that interleaves ARM and NEON-based multiprecision operations over an extension field to improve performance of GLS curves on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV-GLS curve in twisted Edwards form defined over F p 2 , which supports a four dimensional decomposition of the scalar and is fully protected against timing attacks. Analysis and performance results are reported for modern x64 and ARM processors. For instance, we compute a variable-base scalar multiplication in 89,000 and 244,000 cycles on an Intel Ivy Bridge and an ARM Cortex-A15 processor (respect.); using a precomputed table of 6KB, we compute a fixed-base scalar multiplication in 49,000 and 116,000 cycles (respect.); and using a precomputed table of 3KB, we compute a double scalar multiplication in 115,000 and 285,000 cycles (respect.). The proposed techniques represent an important improvement of the state-ofthe-art performance of elliptic curve computations, and allow us to set new speed records in several modern processors. The techniques also reduce the cost of adding protection against timing attacks in the computation of GLV-based variable-base scalar multiplication to below 10%. This work is the extended version of a publication that appeared at CT-RSA 2014 [12].

show abstract

Section: Resultsmentioning

confidence: 54%

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Faz-Hernández

Longa

Sánchez

2014

Topics in Cryptology – CT-RSA 2014

View full text Add to dashboard Cite

show abstract

“…This paper addresses the scalability challenges that appear at higher security levels. Hyperelliptic-curve DH has also recently reached this performance bar for the Cortex-A8: the HECDH implementation in [4] is even faster than Curve25519. However, the performance benefits of hyperelliptic curves are specific to DH, as admitted in [4], while elliptic curves are easily adapted to other important applications such as signatures.…”

Section: Introductionmentioning

confidence: 99%

“…Hyperelliptic-curve DH has also recently reached this performance bar for the Cortex-A8: the HECDH implementation in [4] is even faster than Curve25519. However, the performance benefits of hyperelliptic curves are specific to DH, as admitted in [4], while elliptic curves are easily adapted to other important applications such as signatures. More importantly, the 128-bit hyperelliptic curve used in [4] came from a massive computation by Gaudry and Schost in [20], using more than 1000000 hours of CPU time.…”

Section: Introductionmentioning

confidence: 99%

“…However, the performance benefits of hyperelliptic curves are specific to DH, as admitted in [4], while elliptic curves are easily adapted to other important applications such as signatures. More importantly, the 128-bit hyperelliptic curve used in [4] came from a massive computation by Gaudry and Schost in [20], using more than 1000000 hours of CPU time. Finding a similar curve at a higher security level would be extraordinarily difficult.…”

Section: Introductionmentioning

confidence: 99%

“…Of course, there are CPUs with even larger multipliers, and CPUs (and FPGAs) with smaller multipliers, but 32-bit multipliers have been a popular choice for many years and seem likely to remain in widespread use in embedded systems for many years to come. We focus on the Cortex-A8 for the same reasons as [11] and [4,Section 5].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Curve41417: Karatsuba Revisited

Bernstein

Chuengsatiansup

Lange

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. This paper introduces constant-time ARM Cortex-A8 ECDH software that (1) is faster than the fastest ECDH option in the latest version of OpenSSL but (2) achieves a security level above 2 200 using a prime above 2 400 . For comparison, this OpenSSL ECDH option is not constant-time and has a security level of only 2 80 . The new speeds are achieved in a quite different way from typical prime-field ECC software: they rely on a synergy between Karatsuba's method and choices of radix smaller than the CPU word size.

show abstract

Provable secure lightweight hyper elliptic curve‐based communication system for wireless sensor networks

Naresh¹,

Reddi

Murthy

2018

Int J Communication

View full text Add to dashboard Cite

It is widely believed that hyper elliptic curve cryptosystems (HECCs) are not attractive for wireless sensor network because of their complexity compared with systems based on lower genera, especially elliptic curves. Our contribution shows that for low cost security applications HECs cryptosystems can outperform elliptic curve cryptosystems. The aim of this paper is to propose a discrete logarithm problem-based lightweight secure communication system using HEC. We propose this for different genus curves over varied prime fields performing a full scale study of their adaptability to various types of constrained networks. Also, we propose to evaluate the performance of the protocol for computational times with respect to different genus for main operations like Jacobian, Divisor identifications, key generation, signature generation/verification, message encryption, and decryption by changing the size of the field. A formal security model was established based on the hardness of HEC-Decision Diffie-Hellman (HEC-DDH). Finally, a comparative analysis with ECC-based cryptosystems was made, and satisfactory results were obtained. KEYWORDSDiffie-Hellman, elliptic curve, genus, hyper elliptic curve, Jacobian, wireless sensor networks | INTRODUCTIONIn modern world, most of the wireless systems require resource constrained devices such as RFID tags, sensors, smart cards, small processors, PDA's, and smart phones. These devices play a major role in providing security for satellite communication, internet security, e-banking, e-commerce, Internet Of Things (IOT) applications, and embedded systems. Implementing security for wireless communication system using these devices is the most challenging problem. Many cryptographic algorithms were developed to accomplish their requirements for secure data communication in wireless systems. These algorithms have many limitations, which include increased power consumption, communication, and computational complexity with increased processing time. Thus, an efficient cryptographic algorithm that overcomes these limitations is the need of the hour.Public key cryptography (PKC) 1 offers a solution to the above limitations by using 2 different keys known as the public and private keys. The secret (private) key is chosen by the user and is well known only to him. The public key is computed from the private key by using a reversible mathematical process and is made open to all. Both the keys are interoperable on each other and are used for the decryption and encryption processes. As the private key is never revealed, PKC is highly secured unlike symmetric key cryptography. Based on the arithmetic operations, PKC is broadly

show abstract

Kummer Strikes Back: New DH Speed Records

Cited by 48 publications

References 19 publications

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves

Curve41417: Karatsuba Revisited

Provable secure lightweight hyper elliptic curve‐based communication system for wireless sensor networks

Contact Info

Product

Resources

About