$$\mu $$Kummer: Efficient Hyperelliptic Signatures and Key Exchange on Microcontrollers

Renes, Joost; Schwabe, Peter; Smith, Benjamin; Batina, Lejla

doi:10.1007/978-3-662-53140-2_15

Cited by 27 publications

(56 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the case of ECDH with FourQ, we evaluate the use of both 32 and 64-byte public keys. For comparison, we include two efficient alternatives that have been deployed on various microcontrollers: the "µKummer" implementation by Renes et al [46] using the genus-2 Kummer surface by Gaudry and Schost [24], and the "Curve25519" implementations by Düll et al [19] and De Santis et al [48]. The Kummer surface enables fast static DH key exchange with a small footprint.…”

Section: Results and Analysis Of Constant-time Implementationsmentioning

confidence: 99%

FourQ on embedded devices with strong countermeasures against side-channel attacks

Liu

Longa

Pereira

et al. 2018

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Abstract. This work deals with the energy-efficient, high-speed and high-security implementation of elliptic curve scalar multiplication and elliptic curve Diffie-Hellman (ECDH) key exchange on embedded devices using FourQ and incorporating strong countermeasures to thwart a wide variety of side-channel attacks. First, we set new speed records for constant-time curve-based scalar multiplication and DH key exchange at the 128-bit security level with implementations targeting 8, 16 and 32-bit microcontrollers. For example, our software computes a static ECDH shared secret in ∼6.9 million cycles (or 0.86 seconds @8MHz) on a low-power 8-bit AVR microcontroller which, compared to the fastest Curve25519 and genus-2 Kummer implementations on the same platform, offers 2x and 1.4x speedups, respectively. Similarly, it computes the same operation in ∼496 thousand cycles on a 32-bit ARM Cortex-M4 microcontroller, achieving a factor-2.9 speedup when compared to the fastest Curve25519 implementation targeting the same platform. Second, we engineer a set of side-channel countermeasures taking advantage of FourQ's rich arithmetic and propose a secure implementation that offers protection against a wide range of sophisticated side-channel attacks. Finally, we perform a differential power analysis evaluation of our software running on an ARM Cortex-M4, and report that no leakage was detected with up to 10 million traces. These results demonstrate the potential of deploying FourQ on low-power applications such as protocols for IoT.

show abstract

Section: Results and Analysis Of Constant-time Implementationsmentioning

confidence: 99%

FourQ on embedded devices with strong countermeasures against side-channel attacks

Liu

Longa

Pereira

et al. 2018

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

show abstract

“…Here, the efficiency really is a consequence of a special 2-torsion structure: all of the 2-torsion points are defined over F q , and their translations act linearly on the Kummer by diagonal and permutation matrices. This approach has successfully used in high-speed Diffie-Hellman implementations [9,6,44], and a hyperelliptic generalization of ECM factorization [17].…”

Section: The Montgomery Ladder On Hyperelliptic Curvesmentioning

confidence: 99%

Montgomery curves and their arithmetic

Costello

Smith

2017

J Cryptogr Eng

Self Cite

View full text Add to dashboard Cite

Three decades ago, Montgomery introduced a new elliptic curve model for use in Lenstra's ECM factorization algorithm. Since then, his curves and the algorithms associated with them have become foundational in the implementation of elliptic curve cryptosystems. This article surveys the theory and cryptographic applications of Montgomery curves over non-binary finite fields, including Montgomery's x-only arithmetic and Ladder algorithm, xonly Diffie-Hellman, y-coordinate recovery, and 2-dimensional and Euclidean differential addition chains such as Montgomery's PRAC algorithm.

show abstract

“…4]. Cryptographic parameters for genus-2 Jacobians equipped with fast Kummers can be (and have been) computed: the implementation of [24] uses the parameters from [16] in the algorithms presented below.…”

Section: Genus Jacobians With Fast Kummer Surfacesmentioning

confidence: 99%

“…Our results bring this speed to a wider range of protocols, such as ElGamal and signature schemes. Indeed, the methods described below (including Algorithms 2 and 3) have already been successfully put into practice in a fast and compact implementation of Schnorr signatures for microcontrollers [24], but without any proof of correctness or explanation of the algorithms 6 ; this article provides that proof, and detailed algorithms to enable further implementations.…”

mentioning

confidence: 99%