Results 1  10
of
70
Guide to Elliptic Curve Cryptography
, 2004
"... Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves ..."
Abstract

Cited by 376 (17 self)
 Add to MetaCart
Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves also figured prominently in the recent proof of Fermat's Last Theorem by Andrew Wiles. Originally pursued for purely aesthetic reasons, elliptic curves have recently been utilized in devising algorithms for factoring integers, primality proving, and in publickey cryptography. In this article, we aim to give the reader an introduction to elliptic curve cryptosystems, and to demonstrate why these systems provide relatively small block sizes, highspeed software and hardware implementations, and offer the highest strengthperkeybit of any known publickey scheme.
Selecting Cryptographic Key Sizes
 TO APPEAR IN THE JOURNAL OF CRYPTOLOGY, SPRINGERVERLAG
, 2001
"... In this article we offer guidelines for the determination of key sizes for symmetric cryptosystems, RSA, and discrete logarithm based cryptosystems both over finite fields and over groups of elliptic curves over prime fields. Our recommendations are based on a set of explicitly formulated parameter ..."
Abstract

Cited by 255 (6 self)
 Add to MetaCart
In this article we offer guidelines for the determination of key sizes for symmetric cryptosystems, RSA, and discrete logarithm based cryptosystems both over finite fields and over groups of elliptic curves over prime fields. Our recommendations are based on a set of explicitly formulated parameter settings, combined with existing data points about the cryptosystems.
PayWord and MicroMint: two simple micropayment schemes
 CryptoBytes
, 1996
"... 1 Introduction We present two simple micropayment schemes, "PayWord " and "MicroMint, " for making small purchases over the Internet. We were inspired to work on this problem by DEC's "Millicent " scheme[10]. Surveys of some electronic payment schemes can be found in Ha ..."
Abstract

Cited by 220 (5 self)
 Add to MetaCart
1 Introduction We present two simple micropayment schemes, "PayWord " and "MicroMint, " for making small purchases over the Internet. We were inspired to work on this problem by DEC's "Millicent " scheme[10]. Surveys of some electronic payment schemes can be found in HallamBaker [6], Schneier[16], and Wayner[18]. Our main goal is to minimize the number of publickey operations required per payment, using hash operations instead whenever possible. As a rough guide, hash functions are about 100 times faster than RSA signature verification, and about 10,000 times faster than RSA signature generation: on a typical workstation, one can sign two messages per second, verify 200 signatures per second, and compute 20,000 hash function values per second.
Allornothing encryption and the package transform
 In In Fast Software Encryption, LNCS 1267
, 1997
"... Abstract. We present a new mode of encryption for block ciphers, which we call allornothing encryption. This mode has the interesting defining property that one must decrypt the entire ciphertext before one can determine even one message block. This means that bruteforce searches against allorn ..."
Abstract

Cited by 91 (2 self)
 Add to MetaCart
Abstract. We present a new mode of encryption for block ciphers, which we call allornothing encryption. This mode has the interesting defining property that one must decrypt the entire ciphertext before one can determine even one message block. This means that bruteforce searches against allornothing encryption are slowed down by a factor equal to the number of blocks in the ciphertext. We give a specific way of implementing allornothing encryption using a "package transform " as a preprocessing step to an ordinary encryption mode. A package transform followed by ordinary codebook encryption also has the interesting property that it is very efficiently implemented in parallel. Allornothing encryption can also provide protection against chosenplaintext and relatedmessage attacks. 1
Twofish: A 128Bit Block Cipher
 in First Advanced Encryption Standard (AES) Conference
, 1998
"... Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bit ..."
Abstract

Cited by 54 (8 self)
 Add to MetaCart
Twofish is a 128bit block cipher that accepts a variablelength key up to 256 bits. The cipher is a 16round Feistel network with a bijective F function made up of four keydependent 8by8bit Sboxes, a fixed 4by4 maximum distance separable matrix over GF(2 8 ), a pseudoHadamard transform, bitwise rotations, and a carefully designed key schedule. A fully optimized implementation of Twofish encrypts on a Pentium Pro at 17.8 clock cycles per byte, and an 8bit smart card implementation encrypts at 1660 clock cycles per byte. Twofish can be implemented in hardware in 14000 gates. The design of both the round function and the key schedule permits a wide variety of tradeoffs between speed, software size, key setup time, gate count, and memory. We have extensively cryptanalyzed Twofish; our best attack breaks 5 rounds with 2 22.5 chosen plaintexts and 2 51 effort.
Security for a High Performance Commodity Storage Subsystem
, 1999
"... and the United States Postal Service. The views and conclusions in this document are my own and should not be interpreted as representing the official policies, either expressed or implied, of any supporting organization or the U.S. Government. ..."
Abstract

Cited by 41 (1 self)
 Add to MetaCart
and the United States Postal Service. The views and conclusions in this document are my own and should not be interpreted as representing the official policies, either expressed or implied, of any supporting organization or the U.S. Government.
A Cryptographic Evaluation of IPsec
 Counterpane Internet Security, Inc
, 2000
"... Introduction In February 1999, we performed an evaluation of IPsec based on the November 1998 RFCs for IPsec [KA98c, KA98a, MG98a, MG98b, MD98, KA98b, Pip98, MSST98, HC98, GK98, TDG98, PA98]. Our evaluation focused primarily on the cryptographic properties of IPsec. We concentrated less on the inte ..."
Abstract

Cited by 35 (0 self)
 Add to MetaCart
Introduction In February 1999, we performed an evaluation of IPsec based on the November 1998 RFCs for IPsec [KA98c, KA98a, MG98a, MG98b, MD98, KA98b, Pip98, MSST98, HC98, GK98, TDG98, PA98]. Our evaluation focused primarily on the cryptographic properties of IPsec. We concentrated less on the integration aspects of IPsec, as neither of us is intimately familiar with typical IP implementations, IPsec was a great disappointment to us. Given the quality of the people that worked on it and the time that was spent on it, we expected a much better result. We are not alone in this opinion; from various discussions with the people involved, we learned that virtually nobody is satisfied with the process or the result. The development of IPsec seems to have been burdened by the committee process that it was forced to use, and it shows in the results. Even with all the serious critisisms that we have on IPsec, it is probably the best IP security protocol available at the moment. We hav
Breaking Ciphers with COPACOBANA  A CostOptimized Parallel Code Breaker
 IN WORKSHOP ON CRYPTOGRAPHIC HARDWARE AND EMBEDDED SYSTEMS — CHES 2006,YOKOHAMA
, 2006
"... Cryptanalysis of symmetric and asymmetric ciphers is computationally extremely demanding. Since the security parameters (in particular the key length) of almost all practical crypto algorithms are chosen such that attacks with conventional computers are computationally infeasible, the only promising ..."
Abstract

Cited by 35 (14 self)
 Add to MetaCart
Cryptanalysis of symmetric and asymmetric ciphers is computationally extremely demanding. Since the security parameters (in particular the key length) of almost all practical crypto algorithms are chosen such that attacks with conventional computers are computationally infeasible, the only promising way to tackle existing ciphers (assuming no mathematical breakthrough) is to build specialpurpose hardware. Dedicating those machines to the task of cryptanalysis holds the promise of a dramatically improved costperformance ratio so that breaking of commercial ciphers comes within reach. This contribution presents the design and realization of the COPACOBANA (CostOptimized Parallel Code Breaker) machine, which is optimized for running cryptanalytical algorithms and can be realized for less than US $ 10,000. It will be shown that, depending on the actual algorithm, the architecture can outperform conventional computers by several orders in magnitude. COPACOBANA hosts 120 lowcost FPGAs and is able to, e.g., perform an exhaustive key search of the Data Encryption Standard (DES) in less than nine days on average. As a realworld application, our architecture can be used to attack machine readable travel documents (ePass). COPACOBANA is intended, but not necessarily restricted to solving problems related to cryptanalysis. The hardware architecture is suitable for computational problems which are parallelizable and have low communication requirements. The hardware can be used, e.g., to attack elliptic curve cryptosystems and to factor numbers. Even though breaking fullsize RSA (1024 bit or more) or elliptic curves (ECC with 160 bit or more) is out of reach with COPACOBANA, it can be used to analyze cryptosystems with a (deliberately chosen) small bitlength to provide reliable security estimates of RSA and ECC by extrapolation.
Fast DES Implementations for FPGAs and its Application to a Universal KeySearch Machine
 Queen's University
"... . Most modern security protocols and security applications are defined to be algorithm independent, that is, they allow a choice from a set of cryptographic algorithms for the same function. Therefore a keysearch machine which is also defined to be algorithm independent might be interesting. We res ..."
Abstract

Cited by 26 (5 self)
 Add to MetaCart
. Most modern security protocols and security applications are defined to be algorithm independent, that is, they allow a choice from a set of cryptographic algorithms for the same function. Therefore a keysearch machine which is also defined to be algorithm independent might be interesting. We researched the feasibility of a universal keysearch machine using the Data Encryption Standard (DES) as an example algorithm. Field Programmable Gate Arrays (FPGA) provide an ideal match for an algorithm independent cracker as they can switch algorithms onthefly and run much faster than software. We designed, implemented and compared various architecture options of DES with strong emphasis on highspeed performance. Techniques like pipelining and loop unrolling were used and their effectiveness for DES on FPGAs investigated. The most interesting result is that we could achieve data rates of up to 403 Mbit/s using a standard Xilinx FPGA. This result is by a factor 31 faster than software imp...
DEAL  A 128bit Block Cipher
 NIST AES Proposal
, 1998
"... We propose a new block cipher, DEAL, based on the DES (DEA). DEAL has a block size of 128 bits and allows for three key sizes of 128, 192, and 256 bits respectively. Our proposal has several advantages to other schemes: because of the large blocks, the problem of the "matching ciphertext attacks" ..."
Abstract

Cited by 23 (0 self)
 Add to MetaCart
We propose a new block cipher, DEAL, based on the DES (DEA). DEAL has a block size of 128 bits and allows for three key sizes of 128, 192, and 256 bits respectively. Our proposal has several advantages to other schemes: because of the large blocks, the problem of the "matching ciphertext attacks" is made small, and the encryption rate is similar to that of tripleDES. We conjecture that the most realistic (or the least unrealistic) attack on all versions of DEAL is an exhaustive search for the keys. We have suggested ANSI to include DEAL in the ANSI standard X9.52. We also suggest DEAL as a candidate for the NIST AES standard. 1 Introduction The DES (or DEA) [14] is a 64bit block cipher taking a 64bit key, of which 56 bits are effective. It is an iterated 16round cipher, where the ciphertext is processed by applying a round function iteratively to the plaintext. The DES has a socalled Feistel structure: in each round one half of the ciphertext is fed through a nonlinear f...