Results 1–10 of 31
ECM on Graphics Cards
Cited by 13 (4 self)
Abstract. This paper reports record-setting performance for the elliptic-curve method of integer factorization: for example, 604.99 curves/second for ECM stage 1 with B1 = 8192 for 280-bit integers on a single PC. The state-of-the-art GMP-ECM software handles 171.42 curves/second for ECM stage 1 with B1 = 8192 for 280-bit integers using all four cores of a 2.4GHz Core 2 Quad Q6600. The extra speed takes advantage of extra hardware, specifically two NVIDIA GTX 280 graphics cards, using a new ECM implementation introduced in this paper. Our implementation uses Edwards curves, relies on new parallel addition formulas, and is carefully tuned for the highly parallel GPU architecture. On a single GTX 280 the implementation performs 22.66 million modular multiplications per second for a general 280-bit modulus. GMP-ECM, using all four cores of a Q6600, performs 17.91 million multiplications per second. This paper also reports speeds on other graphics processors: for example,
High-speed high-security signatures
Cited by 10 (4 self)
Abstract. This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a 2^128 security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.
Four dimensional Gallant-Lambert-Vanstone scalar multiplication. Journal of Cryptology pp. 1–36 (2013)
Cited by 9 (2 self)
Abstract. The GLV method of Gallant, Lambert and Vanstone (CRYPTO 2001) computes any multiple kP of a point P of prime order n lying on an elliptic curve with a low-degree endomorphism Φ (called GLV curve) over F_p as kP = k1P + k2Φ(P), with max{|k1|, |k2|} ≤ C1 √n for some explicit constant C1 > 0. Recently, Galbraith, Lin and Scott (EUROCRYPT 2009) extended this method to all curves over F_{p^2} which are twists of curves defined over F_p. We show in this work how to merge the two approaches in order to get, for twists of any GLV curve over F_{p^2}, a four-dimensional decomposition together with fast endomorphisms Φ, Ψ over F_{p^2} acting on the group generated by a point P of prime order n, resulting in a proven decomposition for any scalar k ∈ [1, n] given by kP = k1P + k2Φ(P) + k3Ψ(P) + k4ΨΦ(P), with max_i(|k_i|) < C2 n^{1/4}
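The two-dimensional GLV decomposition kP = k1P + k2Φ(P) described in the abstract above, carried through in code. This is an added example written for this listing, not code from the paper or its authors. It assumes the classic j-invariant-0 curve y² = x³ + b over F_p with p ≡ 1 (mod 3), whose endomorphism Φ(x, y) = (βx, y) (β a cube root of unity in F_p) acts on a prime-order subgroup as multiplication by a root λ of λ² + λ + 1 ≡ 0 (mod n). The prime p and coefficient b are searched for at runtime at toy size (about 10 bits), and every name below is the example's own. The short lattice basis is obtained by Lagrange–Gauss reduction rather than the extended-Euclid procedure of the CRYPTO 2001 paper; Babai rounding against that basis gives k1, k2 with max(|k1|, |k2|) ≤ √(2n), i.e. the C1 √n bound the abstract states.

```python
"""GLV decomposition k*P = k1*P + k2*Phi(P) on a toy curve y^2 = x^3 + b over F_p.
Added example for this listing, not code from the paper: p, b, beta and lambda are
found at runtime at toy size, and every name below is the example's own."""
from math import isqrt

def is_prime(m):
    return m > 1 and all(m % q for q in range(2, isqrt(m) + 1))

class Curve:
    """y^2 = x^3 + b over F_p, affine coordinates, None is the point at infinity."""
    def __init__(self, p, b):
        self.p, self.b = p, b

    def add(self, P, Q):
        p = self.p
        if P is None or Q is None:
            return Q if P is None else P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                                        # P + (-P)
        s = (3 * x1 * x1 * pow(2 * y1, -1, p) if x1 == x2      # tangent or chord slope
             else (y2 - y1) * pow(x2 - x1, -1, p)) % p
        x3 = (s * s - x1 - x2) % p
        return (x3, (s * (x1 - x3) - y1) % p)

    def mul(self, k, P):
        """Plain double-and-add; a negative k negates P first."""
        if k < 0:
            k, P = -k, (P[0], -P[1] % self.p)
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P, k = self.add(P, P), k >> 1
        return R

    def order(self):
        """Brute-force point count via the Euler criterion (fine at toy size)."""
        n = 1                                                  # the point at infinity
        for x in range(self.p):
            r = (x ** 3 + self.b) % self.p
            n += 1 if r == 0 else 2 * (pow(r, (self.p - 1) // 2, self.p) == 1)
        return n

def find_curve(p_start=1000):
    """First p = 1 (mod 3) and small b whose group order n is prime, n not in {3, p}."""
    p = p_start
    while True:
        p += 1
        if is_prime(p) and p % 3 == 1:
            for b in range(1, 40):
                E = Curve(p, b)
                n = E.order()
                if is_prime(n) and n not in (3, p):
                    return E, n

def cube_root_of_unity(p):
    for g in range(2, p):
        if (beta := pow(g, (p - 1) // 3, p)) != 1:
            return beta

def eigenvalue(E, P, phi_P, n):
    """Root lambda of x^2 + x + 1 (mod n) with [lambda]P == Phi(P)."""
    for lam in range(2, n):
        if (lam * lam + lam + 1) % n == 0 and E.mul(lam, P) == phi_P:
            return lam
    raise ValueError("Phi does not act as a scalar on <P>")

def rnd(num, den): return (2 * num + den) // (2 * den)         # nearest integer, den > 0
def dot(u, v): return u[0] * v[0] + u[1] * v[1]

def reduced_basis(n, lam):
    """Lagrange-Gauss reduction of L = {(a, b): a + b*lam = 0 mod n}, det = n."""
    v1, v2 = (n, 0), (-lam, 1)
    while True:
        if dot(v1, v1) > dot(v2, v2):
            v1, v2 = v2, v1
        m = rnd(dot(v1, v2), dot(v1, v1))
        if m == 0:
            return v1, v2                  # |v1| <= |v2| <= sqrt(2n) for this lattice
        v2 = (v2[0] - m * v1[0], v2[1] - m * v1[1])

def decompose(k, n, lam):
    """Babai rounding of (k, 0) against the reduced basis: k = k1 + k2*lam (mod n)."""
    (a1, b1), (a2, b2) = reduced_basis(n, lam)
    det = a1 * b2 - a2 * b1                # +-n
    if det < 0:
        det, a2, b2 = -det, -a2, -b2
    c1, c2 = rnd(k * b2, det), rnd(-k * b1, det)
    return k - c1 * a1 - c2 * a2, -c1 * b1 - c2 * b2

def glv_mul(E, P, phi_P, k, n, lam):
    k1, k2 = decompose(k, n, lam)
    return E.add(E.mul(k1, P), E.mul(k2, phi_P))

E, N = find_curve()
P = next((x, y) for x in range(E.p) for y in range(E.p) if (y * y - x ** 3 - E.b) % E.p == 0)
BETA = cube_root_of_unity(E.p)
PHI_P = (BETA * P[0] % E.p, P[1])      # Phi(P); every point has order N because N is prime
LAM = eigenvalue(E, P, PHI_P, N)

def check(k):
    """k1 + k2*lambda = k (mod N), both about sqrt(N) in size, and the point matches."""
    k1, k2 = decompose(k, N, LAM)
    short = max(abs(k1), abs(k2)) < 2 * isqrt(N) + 2         # the C1*sqrt(n) bound, loosely
    return (k1 + k2 * LAM - k) % N == 0 and short and glv_mul(E, P, PHI_P, k, N, LAM) == E.mul(k, P)
```

Running `check(k)` for every k in [1, N) returns True: the two half-size scalars recombine to the full multiple, which is the whole point of GLV, since the two short scalar multiplications can then be merged into one Straus–Shamir double-scalar loop of half the length. The four-dimensional variant of the paper replaces the 2 × 2 lattice with a 4 × 4 one and a second endomorphism Ψ; the rounding step is the same.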
Huff’s Model for Elliptic Curves
Cited by 6 (2 self)
Abstract. This paper revisits a model for elliptic curves over Q introduced by Huff in 1948 to study a Diophantine problem. Huff's model readily extends over fields of odd characteristic. Every elliptic curve over such a field and containing a copy of Z/4Z × Z/2Z is birationally equivalent to a Huff curve over the original field. This paper extends and generalizes Huff's model. It presents fast explicit formulæ for point addition and doubling on Huff curves. It also addresses the problem of the efficient evaluation of pairings over Huff curves. Remarkably, the so-obtained formulæ feature some useful properties, including completeness and independence of the curve parameters.
Families of fast elliptic curves from Q-curves
Cited by 5 (2 self)
Abstract. We construct new families of elliptic curves over F_{p^2} with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant–Lambert–Vanstone (GLV) and Galbraith–Lin–Scott (GLS) endomorphisms. Our construction is based on reducing Q-curves—curves over quadratic number fields without complex multiplication, but with isogenies to their Galois conjugates—modulo inert primes. As a first application of the general theory we construct, for every p > 3, two one-parameter families of elliptic curves over F_{p^2} equipped with endomorphisms that are faster than doubling. Like GLS (which appears as a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when p is fixed. Unlike GLS, we also offer the possibility of constructing twist-secure curves. Among our examples are prime-order curves equipped with fast endomorphisms, with almost-prime-order twists, over F_{p^2} for p = 2^127 − 1 and p = 2^255 − 19.
A Hardware Analysis of Twisted Edwards Curves for an Elliptic Curve Cryptosystem
Cited by 2 (1 self)
Abstract. This paper presents implementation results of a reconfigurable elliptic curve processor defined over prime fields GF(p). We use this processor to compare a new algorithm for point addition and point doubling operations on the twisted Edwards curves, against a current standard algorithm in use, namely the Double-and-Add. Secure power analysis versions of both algorithms are also examined and compared. The algorithms are implemented on an FPGA, and the speed, area and power performance of each are then evaluated for various modes of circuit operation using parallel processing. To the authors' knowledge, this work introduces the first documented FPGA implementation for computations on twisted Edwards curves over fields GF(p).
Efficient and secure algorithms for GLV-based scalar multiplication and their implementation on GLV-GLS curves. Cryptology ePrint Archive, Report 2013/158, 2013
Cited by 2 (0 self)
Abstract. We propose efficient algorithms and formulas that improve the performance of side-channel protected elliptic curve computations, with special focus on scalar multiplication exploiting the Gallant-Lambert-Vanstone (CRYPTO 2001) and Galbraith-Lin-Scott (EUROCRYPT 2009) methods. Firstly, by adapting Feng et al.'s recoding to the GLV setting, we derive new regular algorithms for variable-base scalar multiplication that offer protection against simple side-channel and timing attacks. Secondly, we propose an efficient algorithm for fixed-base scalar multiplication that is also protected against side-channel attacks by combining Feng et al.'s recoding with Lim-Lee's comb method. Thirdly, we propose an efficient technique that interleaves ARM-based and NEON-based multiprecision operations over an extension field, as typically found on GLS curves and pairing computations, to improve performance on modern ARM processors. Finally, we showcase the efficiency of the proposed techniques by implementing a state-of-the-art GLV-GLS curve in twisted Edwards form defined over F_{p^2}, which supports a four-dimensional decomposition of the scalar and is fully protected against timing attacks. Analysis and performance results are reported for modern x64 and ARM processors. For instance, using a precomputed table of only 512 bytes, we compute a variable-base scalar multiplication in 92,000 and 244,000 cycles on an Intel Ivy Bridge and an ARM Cortex-A15 processor (respectively); using an offline precomputed
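Two properties recur across these abstracts: completeness of the addition law (the Huff and Edwards entries above: one formula handles doubling, P + (−P) and the neutral element, so there is no exceptional-case branch for an attacker to trigger), and scalar multiplication whose control flow does not depend on the secret (the signature entry's "no data flow from secret keys to branch conditions", and the regular algorithms of the abstract directly above). The following added example, written for this listing and not taken from any of the papers, puts the two together on a toy twisted Edwards curve x² + y² = 1 + d·x²y² over F_1019 with d = −1 (assumed parameters; −1 is a non-square because p ≡ 3 mod 4, which is exactly the completeness condition "a square, d non-square"). It runs a Montgomery-ladder schedule with one complete addition and one doubling per bit, selecting operands with an arithmetic mask instead of an `if`, and checks the result against an ordinary double-and-add that branches on every key bit. Python integers are not constant-time, so what the example demonstrates is the structure (fixed operation count, no secret-dependent branch, no special cases); a real implementation does the same in C or assembly over fixed-width limbs.

```python
"""Complete twisted Edwards addition and a branch-free scalar-multiplication ladder.
Added example on a toy curve with assumed parameters; not code from any paper above."""
P_MOD = 1019                 # assumed toy prime, p = 3 (mod 4) so that -1 is a non-square
A, D = 1, P_MOD - 1          # a*x^2 + y^2 = 1 + d*x^2*y^2 with a square, d non-square
NEUTRAL = (0, 1)
BITS = 16                    # fixed ladder length: every scalar below 2**16 costs the same

def legendre(v):
    """1 if v is a non-zero square mod p, p-1 if a non-square, 0 if v = 0."""
    return pow(v % P_MOD, (P_MOD - 1) // 2, P_MOD)

def is_complete():
    """Bernstein-Lange completeness condition: a square, d non-square."""
    return legendre(A) == 1 and legendre(D) == P_MOD - 1

def inv(v):
    return pow(v, -1, P_MOD)

def ed_add(P, Q):
    """The single addition law; valid for P == Q, Q == -P and NEUTRAL alike."""
    (x1, y1), (x2, y2) = P, Q
    t = D * x1 * x2 * y1 * y2 % P_MOD                  # never +-1 on a complete curve
    x3 = (x1 * y2 + y1 * x2) * inv((1 + t) % P_MOD) % P_MOD
    y3 = (y1 * y2 - A * x1 * x2) * inv((1 - t) % P_MOD) % P_MOD
    return (x3, y3)

def ed_neg(P):
    return (-P[0] % P_MOD, P[1])

def on_curve(P):
    x, y = P
    return (A * x * x + y * y - 1 - D * x * x * y * y) % P_MOD == 0

def all_points():
    """Every affine point; y = r^((p+1)/4) is a square root because p = 3 (mod 4)."""
    pts = []
    for x in range(P_MOD):
        r = (1 - A * x * x) * inv((1 - D * x * x) % P_MOD) % P_MOD  # d*x^2 = 1 impossible
        if r == 0:
            pts.append((x, 0))
        elif legendre(r) == 1:
            y = pow(r, (P_MOD + 1) // 4, P_MOD)
            pts += [(x, y), (x, P_MOD - y)]
    return pts

def denominators_never_vanish(limit=300):
    """Confirm d*x1*x2*y1*y2 != +-1 over all pairs from a sample of points."""
    pts = all_points()[:limit]
    return all((D * p[0] * q[0] * p[1] * q[1]) % P_MOD not in (1, P_MOD - 1)
               for p in pts for q in pts)

def cswap(swap, P, Q):
    """Swap P and Q when swap == 1, using a mask rather than a branch on swap."""
    mask = -swap                                        # 0 or all-ones (two's complement)
    tx = mask & (P[0] ^ Q[0])
    ty = mask & (P[1] ^ Q[1])
    return (P[0] ^ tx, P[1] ^ ty), (Q[0] ^ tx, Q[1] ^ ty)

def ladder_mul(k, P):
    """Montgomery ladder: per bit one add, one double, two cswaps; invariant R1 = R0 + P."""
    assert 0 <= k < 1 << BITS
    R0, R1 = NEUTRAL, P
    for i in reversed(range(BITS)):
        bit = (k >> i) & 1
        R0, R1 = cswap(bit, R0, R1)
        R1 = ed_add(R0, R1)
        R0 = ed_add(R0, R0)                             # same formula doubles, even for NEUTRAL
        R0, R1 = cswap(bit, R0, R1)
    return R0

def naive_mul(k, P):
    """Reference double-and-add: correct, but branches on every key bit."""
    R = NEUTRAL
    while k:
        if k & 1:
            R = ed_add(R, P)
        P, k = ed_add(P, P), k >> 1
    return R

if __name__ == "__main__":
    G = all_points()[10]
    print(is_complete(), denominators_never_vanish(), ed_add(G, ed_neg(G)) == NEUTRAL,
          all(ladder_mul(k, G) == naive_mul(k, G) for k in (0, 1, 2, 3, 97, 1000, 65535)))
```

Note what `ed_add` does not contain: no test for P == Q, no test for the neutral element, no early return. On a Weierstrass curve in affine coordinates each of those is a separate branch, and feeding a ladder or a signature verifier a point that hits one of them is a classic way to leak or to crash; here the only way to reach a zero denominator is to violate the "d non-square" condition, which `is_complete` checks once at setup.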
On isogeny classes of Edwards curves over finite fields, 2011
Cited by 2 (0 self)
We count the number of isogeny classes of Edwards curves over finite fields, answering a question recently posed by Rezaeian and Shparlinski. We also show that each isogeny class contains a complete Edwards curve, and that an Edwards curve is isogenous to an original Edwards curve over F_q if and only if its group order is divisible by 8 if q ≡ −1 (mod 4), and 16 if q ≡ 1 (mod 4). Furthermore, we give formulae for the proportion of d ∈ F_q \ {0, 1} for which the Edwards curve E_d is complete or original, relative to the total number of d in each isogeny class.
Twisted Edwards-Form Elliptic Curve Cryptography for 8-bit AVR-based Sensor Nodes
Cited by 1 (0 self)
Wireless Sensor Networks (WSNs) pose a number of unique security challenges that demand innovation in several areas including the design of cryptographic primitives and protocols. Despite recent progress, the efficient implementation of Elliptic Curve Cryptography (ECC) for WSNs is still a very active research topic and techniques to further reduce the time and energy cost of ECC are eagerly sought. This paper presents an optimized ECC implementation that we developed from scratch to comply with the severe resource constraints of 8-bit sensor nodes such as the MICAz and IRIS motes. Our ECC software uses Optimal Prime Fields (OPFs) as underlying algebraic structure and supports two different families of elliptic curves, namely Weierstraß-form and twisted Edwards-form curves. Due to the combination of efficient field arithmetic and fast group operations, we achieve an execution time of 5.9 · 10^6 clock cycles for a full 160-bit scalar multiplication on an 8-bit ATmega128 microcontroller, which is 2.78 times faster than the widely-used TinyECC library. Our implementation also shows that the energy cost of ephemeral ECDH key exchange between two MICAz (or IRIS) motes amounts to only 38.7 mJ per mote (including radio communication). A mote with a standard AA battery pack could theoretically perform up to 174,278 ECDH key exchanges before running out of energy.
SNARKs for C: Verifying program executions succinctly and in zero knowledge. In Proceedings of CRYPTO 2013, LNCS
Cited by 1 (1 self)
An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationally-bounded prover. Such a system is non-interactive and publicly-verifiable if, after a trusted party publishes a proving key and a verification key, anyone can use the proving key to generate non-interactive proofs for adaptively-chosen NP statements, and proofs can be verified by anyone by using the verification key. We present an implementation of a publicly-verifiable non-interactive argument system for NP. The system, moreover, is a zero-knowledge proof-of-knowledge. It directly proves correct executions of programs on TinyRAM, a random-access machine tailored for efficient verification of nondeterministic computations. Given a program P and time bound T, the system allows for proving correct execution of P, on any input x, for up to T steps, after a one-time setup requiring Õ(|P| · T) cryptographic operations. An honest prover requires Õ(|P| · T) cryptographic operations to generate such a proof, while proof verification can be performed with only O(|x|) cryptographic operations. This system can be used to prove the correct execution of C programs, using our TinyRAM port of the GCC compiler. This yields a zero-knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) for