scholarly journals Faster Montgomery and double-add ladders for short Weierstrass curves

2020 ◽  
pp. 189-208
Author(s):  
Mike Hamburg
Keyword(s):  
Elliptic Curve ◽  
Prime Order ◽  
Regular Structure ◽  
Side Channel ◽  
Modest Increase ◽  
Novel Technique ◽  
Montgomery Ladder ◽  
Supplementary Material ◽  
Set Up ◽  
Elliptic Curve Scalar Multiplication

The Montgomery ladder and Joye ladder are well-known algorithms for elliptic curve scalar multiplication with a regular structure. The Montgomery ladder is best known for its implementation on Montgomery curves, which requires 5M+4S+1m+8A per scalar bit, and 6 field registers. Here (M, S,m,A) represent respectively field Multiplications, Squarings, multiplications by a curve constant, and Additions or subtractions. This ladder is also complete, meaning that it works on all input points and all scalars. Many protocols do not use Montgomery curves, but instead use prime-order curves in short Weierstrass form. These have historically been much slower, with ladders costing at least 14 multiplications or squarings per bit: 8M + 6S + 27A for the Montgomery ladder and 8M+ 6S + 30A for the Joye ladder. In 2017, Kim et al. improved the Montgomery ladder to 8M+ 4S + 12A + 1H per bit using 9 registers, where the H represents a halving. Hamburg simplified Kim et al.’s formulas to 8M+ 4S + 8A + 1H per bit using 6 registers. Here we present improved formulas which compute the Montgomery ladder on short Weierstrass curves using 8M+ 3S + 7A per bit, and requiring 6 registers. We also give formulas for the Joye ladder that use 9M+3S+7A per bit, requiring 5 registers. One of our new formulas supports very efficient 4-way vectorization. We also discuss curve invariants, exceptional points, side-channel protection and how to set up and finish these ladder operations. Finally, we show a novel technique to make these ladders complete when the curve order is not divisible by 2 or 3, at a modest increase in cost. A sample implementation of these techniques is given in the supplementary material, also posted at https://github.com/bitwiseshiftleft/ladder_formulas

scholarly journals Online Template Attacks: Revisited

2021 ◽  
pp. 28-59
Author(s):  
Alejandro Cabrera Aldaya ◽  
Billy Bob Brumley
Keyword(s):  
Power Consumption ◽  
Elliptic Curve ◽  
Side Channel ◽  
Powerful Technique ◽  
Leakage Model ◽  
On Demand ◽  
Side Channels ◽  
Generic Framework ◽  
Template Attacks ◽  
Elliptic Curve Scalar Multiplication

An online template attack (OTA) is a powerful technique previously used to attack elliptic curve scalar multiplication algorithms. This attack has only been analyzed in the realm of power consumption and EM side channels, where the signals leak related to the value being processed. However, microarchitecture signals have no such feature, invalidating some assumptions from previous OTA works.In this paper, we revisit previous OTA descriptions, proposing a generic framework and evaluation metrics for any side-channel signal. Our analysis reveals OTA features not previously considered, increasing its application scenarios and requiring a fresh countermeasure analysis to prevent it.In this regard, we demonstrate that OTAs can work in the backward direction, allowing to mount an augmented projective coordinates attack with respect to the proposal by Naccache, Smart and Stern (Eurocrypt 2004). This demonstrates that randomizing the initial targeted algorithm state does not prevent the attack as believed in previous works.We analyze three libraries libgcrypt, mbedTLS, and wolfSSL using two microarchitecture side channels. For the libgcrypt case, we target its EdDSA implementation using Curve25519 twist curve. We obtain similar results for mbedTLS and wolfSSL with curve secp256r1. For each library, we execute extensive attack instances that are able to recover the complete scalar in all cases using a single trace.This work demonstrates that microarchitecture online template attacks are also very powerful in this scenario, recovering secret information without knowing a leakage model. This highlights the importance of developing secure-by-default implementations, instead of fix-on-demand ones.

scholarly journals Parallel and Regular Algorithm of Elliptic Curve Scalar Multiplication over Binary Fields

2020 ◽  
Vol 2020 ◽  
pp. 1-10
Author(s):  
Xingran Li ◽  
Wei Yu ◽  
Bao Li
Keyword(s):  
Elliptic Curve ◽  
Efficient Algorithm ◽  
Multicore Processors ◽  
Scalar Multiplication ◽  
Side Channel ◽  
Elliptic Curve Cryptosystem ◽  
Side Channel Attacks ◽  
Binary Fields ◽  
Speed Up ◽  
Elliptic Curve Scalar Multiplication

Accelerating scalar multiplication has always been a significant topic when people talk about the elliptic curve cryptosystem. Many approaches have been come up with to achieve this aim. An interesting perspective is that computers nowadays usually have multicore processors which could be used to do cryptographic computations in parallel style. Inspired by this idea, we present a new parallel and efficient algorithm to speed up scalar multiplication. First, we introduce a new regular halve-and-add method which is very efficient by utilizing λ projective coordinate. Then, we compare many different algorithms calculating double-and-add and halve-and-add. Finally, we combine the best double-and-add and halve-and-add methods to get a new faster parallel algorithm which costs around 12.0% less than the previous best. Furthermore, our algorithm is regular without any dummy operations, so it naturally provides protection against simple side-channel attacks.

Public-Key Encryption

2017 ◽  
Author(s):  
Keith M. Martin
Keyword(s):  
Elliptic Curve ◽  
Public Key Cryptography ◽  
Public Key ◽  
Public Key Encryption ◽  
Hybrid Encryption ◽  
Public Key Cryptosystems ◽  
Encryption And Decryption ◽  
Encryption Schemes ◽  
Hard Problems ◽  
Set Up

In this chapter, we introduce public-key encryption. We first consider the motivation behind the concept of public-key cryptography and introduce the hard problems on which popular public-key encryption schemes are based. We then discuss two of the best-known public-key cryptosystems, RSA and ElGamal. For each of these public-key cryptosystems, we discuss how to set up key pairs and perform basic encryption and decryption. We also identify the basis for security for each of these cryptosystems. We then compare RSA, ElGamal, and elliptic-curve variants of ElGamal from the perspectives of performance and security. Finally, we look at how public-key encryption is used in practice, focusing on the popular use of hybrid encryption.

Sign in / Sign up

Export Citation Format

Share Document