Results 1-10 of 74
Faster addition and doubling on elliptic curves
In Asiacrypt 2007 [10, 2007
Cited by 56 (10 self)
Abstract. Edwards recently introduced a new normal form for elliptic curves. Every elliptic curve over a nonbinary field is birationally equivalent to a curve in Edwards form over an extension of the field, and in many cases over the original field. This paper presents fast explicit formulas (and register allocations) for group operations on an Edwards curve. The algorithm for doubling uses only 3M + 4S, i.e., 3 field multiplications and 4 field squarings. If curve parameters are chosen to be small then the algorithm for mixed addition uses only 9M + 1S and the algorithm for nonmixed addition uses only 10M + 1S. Arbitrary Edwards curves can be handled at the cost of just one extra multiplication by a curve parameter. For comparison, the fastest algorithms known for the popular “a4 = −3 Jacobian” form use 3M + 5S for doubling; use 7M + 4S for mixed addition; use 11M + 5S for nonmixed addition; and use 10M + 4S for nonmixed addition when one input has been added before. The explicit formulas for nonmixed addition on an Edwards curve can be used for doublings at no extra cost, simplifying protection against side-channel attacks. Even better, many elliptic curves (approximately 1/4 of all isomorphism classes of elliptic curves over a nonbinary finite field) are birationally equivalent — over the original field — to Edwards curves where this addition algorithm works for all pairs of curve points, including inverses, the neutral element, etc. This paper contains an extensive comparison of different forms of elliptic curves and different coordinate systems for the basic group operations (doubling, mixed addition, nonmixed addition, and unified addition) as well as higher-level operations such as multi-scalar multiplication.
Twisted Edwards Curves
Cited by 37 (4 self)
Abstract. This paper introduces “twisted Edwards curves,” a generalization of the recently introduced Edwards curves; shows that twisted Edwards curves include more curves over finite fields, and in particular every elliptic curve in Montgomery form; shows how to cover even more curves via isogenies; presents fast explicit formulas for twisted Edwards curves in projective and inverted coordinates; and shows that twisted Edwards curves save time for many curves that were already expressible as Edwards curves.
Privacy-friendly aggregation for the smart-grid. Privacy Enhancing Technologies
, 2011
Cited by 21 (4 self)
Abstract. The widespread deployment of smart meters for electricity, gas and water consumption to modernise the electricity systems has been associated with privacy concerns. In this paper, we present protocols that can be used to privately compute aggregate meter measurements, allowing for fraud and leakage detection as well as further statistical processing of meter measurements, without revealing any additional information about the individual meter readings. 1 Introduction. Smart-grid deployments are actively promoted by many governments, including the United States as well as the European Union. Yet, current smart metering technologies rely on centralizing personal consumption information, leading to privacy concerns. We address the problem of securely aggregating meter readings
Toward Acceleration of RSA Using 3D Graphics Hardware
Cited by 21 (0 self)
Abstract. Demand in the consumer market for graphics hardware that accelerates rendering of 3D images has resulted in commodity devices capable of astonishing levels of performance. These results were achieved by specifically tailoring the hardware for the target domain. As graphics accelerators become increasingly programmable however, this performance has made them an attractive target for other domains. Specifically, they have motivated the transformation of costly algorithms from a general purpose computational model into a form that executes on said graphics hardware. We investigate the implementation and performance of modular exponentiation using a graphics accelerator, with the view of using it to execute operations required in the RSA public key cryptosystem.
Cirripede: circumvention infrastructure using router redirection with plausible deniability
in Proceedings of CCS
, 2011
Cited by 20 (6 self)
Many users face surveillance of their Internet communications and a significant fraction suffer from outright blocking of certain destinations. Anonymous communication systems allow users to conceal the destinations they communicate with, but do not hide the fact that the users are using them. The mere use of such systems may invite suspicion, or access to them may be blocked. We therefore propose Cirripede, a system that can be used for unobservable communication with Internet destinations. Cirripede is designed to be deployed by ISPs; it intercepts connections from clients to innocent-looking destinations and redirects them to the true destination requested by the client. The communication is encoded in a way that is indistinguishable from normal communications to anyone without the master secret key, while public-key cryptography is used to eliminate the need for any secret information that must be shared with Cirripede users. Cirripede is designed to work scalably with routers that handle large volumes of traffic while imposing minimal overhead on ISPs and not disrupting existing traffic. This allows Cirripede proxies to be strategically deployed at central locations, making access to Cirripede very difficult to block. We built a proof-of-concept implementation of Cirripede and performed a testbed evaluation of its performance properties.
Telex: Anticensorship in the Network Infrastructure
Cited by 20 (4 self)
In this paper, we present Telex, a new approach to resisting state-level Internet censorship. Rather than attempting to win the cat-and-mouse game of finding open proxies, we leverage censors’ unwillingness to completely block day-to-day Internet access. In effect, Telex converts innocuous, unblocked websites into proxies, without their explicit collaboration. We envision that friendly ISPs would deploy Telex stations on paths between censors’ networks and popular, uncensored Internet destinations. Telex stations would monitor seemingly innocuous flows for a special “tag” and transparently divert them to a forbidden website or service instead. We propose a new cryptographic scheme based on elliptic curves for tagging TLS handshakes such that the tag is visible to a Telex station but not to a censor. In addition, we use our tagging scheme to build a protocol that allows clients to connect to Telex stations while resisting both passive and active attacks. We also present a proof-of-concept implementation that demonstrates the feasibility of our system.
Batch binary Edwards
In Crypto 2009, volume 5677 of LNCS
, 2009
Cited by 19 (8 self)
Abstract. This paper sets new software speed records for high-security Diffie-Hellman computations, specifically 251-bit elliptic-curve variable-base-point scalar multiplication. In one second of computation on a $200 Core 2 Quad Q6600 CPU, this paper’s software performs 30000 251-bit scalar multiplications on the binary Edwards curve d(x + x^2 + y + y^2) = (x + x^2)(y + y^2) over the field F_2[t]/(t^251 + t^7 + t^4 + t^2 + 1) where d = t^57 + t^54 + t^44 + 1. The paper’s field-arithmetic techniques can be applied in much more generality but have a particularly efficient interaction with the completeness of addition formulas for binary Edwards curves. Keywords. Scalar multiplication, Diffie–Hellman, batch throughput, vectorization, Karatsuba, Toom, elliptic curves, binary Edwards curves, differential addition, complete addition formulas
High-speed high-security signatures
Cited by 14 (4 self)
Abstract. This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.
Four-dimensional Gallant-Lambert-Vanstone scalar multiplication
, 2001
Cited by 12 (3 self)
The GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) computes any multiple kP of a point P of prime order n lying on an elliptic curve with a low-degree endomorphism Φ (called GLV curve) over F_p as kP = k1P + k2Φ(P), with max{k1, k2} ≤ C1 n for some explicit constant C1 > 0. Recently, Galbraith, Lin and Scott (EUROCRYPT 2009) extended this method to all curves over F_{p^2} which are twists of curves defined over F_p. We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over F_{p^2}, a four-dimensional decomposition together with fast endomorphisms Φ, Ψ over F_{p^2} acting on the group generated by a point P of prime order n, resulting in a proven decomposition for any scalar k ∈ [1, n] given by kP = k1P + k2Φ(P) + k3Ψ(P) + k4ΨΦ(P), with max(ki) < C2 n i