Results 1 - 7 of 7
Faster and Timing-Attack Resistant AES-GCM. IACR Cryptology ePrint Archive, Report 2009/129, 2009
Cited by 19 (3 self)
Abstract. We present a bitsliced implementation of AES encryption in counter mode for 64-bit Intel processors. Running at 7.81 cycles/byte on a Core 2, it is up to 25% faster than previous implementations, while simultaneously offering protection against timing attacks. In particular, it is the only cache-timing-attack resistant implementation offering competitive speeds for stream as well as for packet encryption: for 576-byte packets, we improve performance over previous bitsliced implementations by more than a factor of 2. We also report more than 30% improved speeds for lookup-table based Galois/Counter mode authentication, achieving 11.51 cycles/byte for authenticated encryption. Furthermore, we present the first constant-time implementation of AES-GCM that has a reasonable speed of 22.19 cycles/byte, thus offering a full suite of timing-analysis resistant software for authenticated encryption.
Keywords: AES, Galois/Counter mode, cache-timing attacks, fast implementations
Batch binary Edwards. In Crypto 2009, volume 5677 of LNCS, 2009
Cited by 17 (7 self)
Abstract. This paper sets new software speed records for high-security Diffie-Hellman computations, specifically 251-bit elliptic-curve variable-base-point scalar multiplication. In one second of computation on a $200 Core 2 Quad Q6600 CPU, this paper's software performs 30000 251-bit scalar multiplications on the binary Edwards curve $d(x + x^2 + y + y^2) = (x + x^2)(y + y^2)$ over the field $\mathbb{F}_2[t]/(t^{251} + t^7 + t^4 + t^2 + 1)$ where $d = t^{57} + t^{54} + t^{44} + 1$. The paper's field-arithmetic techniques can be applied in much more generality but have a particularly efficient interaction with the completeness of addition formulas for binary Edwards curves.
Keywords: Scalar multiplication, Diffie-Hellman, batch throughput, vectorization, Karatsuba, Toom, elliptic curves, binary Edwards curves, differential addition, complete addition formulas
High-speed high-security signatures
Cited by 10 (4 self)
Abstract. This paper shows that a $390 mass-market quad-core 2.4GHz Intel Westmere (Xeon E5620) CPU can create 109000 signatures per second and verify 71000 signatures per second on an elliptic curve at a $2^{128}$ security level. Public keys are 32 bytes, and signatures are 64 bytes. These performance figures include strong defenses against software side-channel attacks: there is no data flow from secret keys to array indices, and there is no data flow from secret keys to branch conditions.
NEON crypto
Cited by 10 (4 self)
Abstract. NEON is a vector instruction set included in a large fraction of new ARM-based tablets and smartphones. This paper shows that NEON supports high-security cryptography at surprisingly high speeds; normally data arrives at lower speeds, giving the CPU time to handle tasks other than cryptography. In particular, this paper explains how to use a single 800MHz Cortex-A8 core to compute the existing NaCl suite of high-security cryptographic primitives at the following speeds: 5.60 cycles per byte (1.14 Gbps) to encrypt using a shared secret key, 2.30 cycles per byte (2.78 Gbps) to authenticate using a shared secret key, 527102 cycles (1517/second) to compute a shared secret key for a new public key, 650102 cycles (1230/second) to verify a signature, and 368212 cycles (2172/second) to sign a message. These speeds make no use of secret branches and no use of secret memory addresses.
McBits: fast constant-time code-based cryptography
Cited by 1 (0 self)
Abstract. This paper presents extremely fast algorithms for code-based public-key cryptography, including full protection against timing attacks. For example, at a $2^{128}$ security level, this paper achieves a reciprocal decryption throughput of just 60493 cycles (plus cipher cost etc.) on a single Ivy Bridge core. These algorithms rely on an additive FFT for fast root computation, a transposed additive FFT for fast syndrome computation, and a sorting network to avoid cache-timing attacks.
Extending the Salsa20 nonce
Abstract. This paper introduces the XSalsa20 stream cipher. XSalsa20 is based upon the Salsa20 stream cipher but has a much longer nonce: 192 bits instead of 64 bits. XSalsa20 has exactly the same streaming speed as Salsa20, and its extra nonce-setup cost is slightly smaller than the cost of generating one block of Salsa20 output. This paper proves that XSalsa20 is secure if Salsa20 is secure: any successful fast attack on XSalsa20 can be converted into a successful fast attack on Salsa20.