Results 1  10
of
122
Faster addition and doubling on elliptic curves
 In Asiacrypt 2007 [10
, 2007
"... Abstract. Edwards recently introduced a new normal form for elliptic curves. Every elliptic curve over a nonbinary field is birationally equivalent to a curve in Edwards form over an extension of the field, and in many cases over the original field. This paper presents fast explicit formulas (and r ..."
Abstract

Cited by 53 (10 self)
 Add to MetaCart
Abstract. Edwards recently introduced a new normal form for elliptic curves. Every elliptic curve over a nonbinary field is birationally equivalent to a curve in Edwards form over an extension of the field, and in many cases over the original field. This paper presents fast explicit formulas (and register allocations) for group operations on an Edwards curve. The algorithm for doubling uses only 3M + 4S, i.e., 3 field multiplications and 4 field squarings. If curve parameters are chosen to be small then the algorithm for mixed addition uses only 9M + 1S and the algorithm for nonmixed addition uses only 10M + 1S. Arbitrary Edwards curves can be handled at the cost of just one extra multiplication by a curve parameter. For comparison, the fastest algorithms known for the popular “a4 = −3 Jacobian ” form use 3M + 5S for doubling; use 7M + 4S for mixed addition; use 11M + 5S for nonmixed addition; and use 10M + 4S for nonmixed addition when one input has been added before. The explicit formulas for nonmixed addition on an Edwards curve can be used for doublings at no extra cost, simplifying protection against sidechannel attacks. Even better, many elliptic curves (approximately 1/4 of all isomorphism classes of elliptic curves over a nonbinary finite field) are birationally equivalent — over the original field — to Edwards curves where this addition algorithm works for all pairs of curve points, including inverses, the neutral element, etc. This paper contains an extensive comparison of different forms of elliptic curves and different coordinate systems for the basic group operations (doubling, mixed addition, nonmixed addition, and unified addition) as well as higherlevel operations such as multiscalar multiplication.
A leakageresilient mode of operation
 In EUROCRYPT
, 2009
"... Abstract. A weak pseudorandom function (wPRF) is a pseudorandom functions with a relaxed security requirement, where one only requires the output to be pseudorandom when queried on random (and not adversarially chosen) inputs. We show that unlike standard PRFs, wPRFs are secure against memory attack ..."
Abstract

Cited by 48 (5 self)
 Add to MetaCart
Abstract. A weak pseudorandom function (wPRF) is a pseudorandom functions with a relaxed security requirement, where one only requires the output to be pseudorandom when queried on random (and not adversarially chosen) inputs. We show that unlike standard PRFs, wPRFs are secure against memory attacks, that is they remain secure even if a bounded amount of information about the secret key is leaked to the adversary. As an application of this result we propose a simple mode of operation which – when instantiated with any wPRF – gives a leakageresilient streamcipher. Such a cipher is secure against any sidechannel attack, as long as the amount of information leaked per round is bounded, but overall can be arbitrary large. This construction is simpler than the only previous one (DziembowskiPietrzak FOCS’08) as it only uses a single primitive (a wPRF) in a straight forward manner. 1
Hessian Elliptic Curves and SideChannel Attacks
 of Lecture Notes in Computer Science
, 2001
"... Sidechannel attacks are a recent class of attacks that have been revealed to be very powerful in practice. By measuring some sidechannel information (running time, power consumption, . . . ), an attacker is able to recover some secret data from a carelessly implemented cryptoalgorithm. ..."
Abstract

Cited by 47 (7 self)
 Add to MetaCart
Sidechannel attacks are a recent class of attacks that have been revealed to be very powerful in practice. By measuring some sidechannel information (running time, power consumption, . . . ), an attacker is able to recover some secret data from a carelessly implemented cryptoalgorithm.
Protections against Differential Analysis for Elliptic Curve Cryptography  An Algebraic Approach
 CHES 2001, LNCS 2162
, 2001
"... We propose several new methods to protect the scalar multiplication on an elliptic curve against Di#erential Analysis. The basic idea consists in transforming the curve through various random morphisms to provide a nondeterministic execution of the algorithm. The solutions ..."
Abstract

Cited by 46 (2 self)
 Add to MetaCart
We propose several new methods to protect the scalar multiplication on an elliptic curve against Di#erential Analysis. The basic idea consists in transforming the curve through various random morphisms to provide a nondeterministic execution of the algorithm. The solutions
Differential Power Analysis in the Presence of Hardware Countermeasures
, 2000
"... The silicon industry has lately been focusing on side channel attacks, that is attacks that exploit information that leaks from the physical devices. Although different countermeasures to thwart these attacks have been proposed and implemented in general, such protections do not make attacks infeasi ..."
Abstract

Cited by 46 (2 self)
 Add to MetaCart
The silicon industry has lately been focusing on side channel attacks, that is attacks that exploit information that leaks from the physical devices. Although different countermeasures to thwart these attacks have been proposed and implemented in general, such protections do not make attacks infeasible, but increase the attacker's experimental (data acquisition) and computational (data processing) workload beyond reasonable limits. This paper examines different...
A Fast Parallel Elliptic Curve Multiplication Resistant against Side Channel Attacks
, 2002
"... Abstract. This paper proposes a fast elliptic curve multiplication algorithm applicable for any types of curves over finite fields Fp (p a prime), based on [Mon87], together with criteria which make our algorithm resistant against the side channel attacks (SCA). The algorithm improves both on an add ..."
Abstract

Cited by 32 (6 self)
 Add to MetaCart
Abstract. This paper proposes a fast elliptic curve multiplication algorithm applicable for any types of curves over finite fields Fp (p a prime), based on [Mon87], together with criteria which make our algorithm resistant against the side channel attacks (SCA). The algorithm improves both on an addition chain and an addition formula in the scalar multiplication. Our addition chain requires no table lookup (or a very small number of precomputed points) and a prominent property is that it can be implemented in parallel. The computing time for nbit scalar multiplication is one ECDBL + (n − 1) ECADDs in the parallel case and (n − 1) ECDBLs + (n − 1) ECADDs in the single case. We also propose faster addition formulas which only use the xcoordinates of the points. By combination of our addition chain and addition formulas, we establish a faster scalar multiplication resistant against the SCA in both single and parallel computation. The improvement of our scalar multiplications over the previous method is about 37 % for two processors and 5.7 % for a single processor. Our scalar multiplication is suitable for the implementation on smart cards. 1
The Montgomery Powering Ladder
, 2002
"... This paper gives a comprehensive analysis of Montgomery powering ladder. Initially developed for fast scalar multiplication on elliptic curves, we extend the scope of Montgomery ladder to any exponentiation in an abelian group. Computationally, the Montgomery ladder has the triple advantage of prese ..."
Abstract

Cited by 30 (3 self)
 Add to MetaCart
This paper gives a comprehensive analysis of Montgomery powering ladder. Initially developed for fast scalar multiplication on elliptic curves, we extend the scope of Montgomery ladder to any exponentiation in an abelian group. Computationally, the Montgomery ladder has the triple advantage of presenting a Lucas chain structure, of being parallelized, and of sharing a common operand. Furthermore, contrary to the classical binary algorithms, it behaves very regularly, which makes it naturally protected against a large variety of implementation attacks.
Randomized additionsubtraction chains as a countermeasure against power attacks
 In: Fourth International Workshop on Cryptographic Hardware and Embedded Systems
, 2001
"... Abstract. Power Analysis attacks on elliptic curve cryptosystems and various countermeasures against them, have been first discussed by Coron ([6]). All proposed countermeasures are based on the randomization or blinding of the inputparameters of the binary algorithm. We propose a countermeasure tha ..."
Abstract

Cited by 27 (0 self)
 Add to MetaCart
Abstract. Power Analysis attacks on elliptic curve cryptosystems and various countermeasures against them, have been first discussed by Coron ([6]). All proposed countermeasures are based on the randomization or blinding of the inputparameters of the binary algorithm. We propose a countermeasure that randomizes the binary algorithm itself. Our algorithm needs approximately 9 % more additions than the ordinary binary algorithm, but makes power analysis attacks really difficult.
Poweranalysis attacks on an FPGA — first experimental results
 Proceedings of Workshop on Cryptographic Hardware and Embedded Systems (CHES 2003), Lecture Notes in Computer Science Volume 2779
, 2003
"... Abstract. Field Programmable Gate Arrays (FPGAs) are becoming increasingly popular, especially for rapid prototyping. For implementations of cryptographic algorithms, not only the speed and the size of the circuit are important, but also their security against implementation attacks such as sidecha ..."
Abstract

Cited by 25 (1 self)
 Add to MetaCart
Abstract. Field Programmable Gate Arrays (FPGAs) are becoming increasingly popular, especially for rapid prototyping. For implementations of cryptographic algorithms, not only the speed and the size of the circuit are important, but also their security against implementation attacks such as sidechannel attacks. Poweranalysis attacks are typical examples of sidechannel attacks, that have been demonstrated to be effective against implementations without special countermeasures. The flexibility of FPGAs is an important advantage in real applications but also in lab environments. It is therefore natural to use FPGAs to assess the vulnerability of hardware implementations to poweranalysis attacks. To our knowledge, this paper is the first to describe a setup to conduct poweranalysis attacks on FPGAs. We discuss the design of our handmade FPGAboard and we provide a first characterization of the power consumption of a Virtex 800 FPGA. Finally we provide strong evidence that implementations of elliptic curve cryptosystems without specific countermeasures are indeed vulnerable to simple poweranalysis attacks.
Securing Elliptic Curve Point Multiplication against SideChannel Attacks
, 2001
"... For making elliptic curve point multiplication secure against sidechannel attacks, various methods have been proposed using special point representations for specifically chosen elliptic curves. We show that the same goal can be achieved based on conventional elliptic curve arithmetic implement ..."
Abstract

Cited by 24 (1 self)
 Add to MetaCart
For making elliptic curve point multiplication secure against sidechannel attacks, various methods have been proposed using special point representations for specifically chosen elliptic curves. We show that the same goal can be achieved based on conventional elliptic curve arithmetic implementations. Our point multiplication method is much more general than the proposals requiring nonstandard point representations; in particular, it can be used with the curves recommended by NIST and SECG. It also provides e#ciency advantages over most earlier proposals.