Results 1 to 10 of 14
Selecting Elliptic Curves for Cryptography: An Efficiency and Security Analysis
Abstract

Cited by 9 (2 self)
Abstract. We select a set of elliptic curves for cryptography and analyze our selection from a performance and security perspective. This analysis complements recent curve proposals that suggest (twisted) Edwards curves by also considering the Weierstrass model. Working with both Montgomery-friendly and pseudo-Mersenne primes allows us to consider more possibilities, which improves the overall efficiency of base field arithmetic. Our Weierstrass curves are backwards compatible with current implementations of prime-order NIST curves, while providing improved efficiency and stronger security properties. We choose algorithms and explicit formulas to demonstrate that our curves support constant-time, exception-free scalar multiplications, thereby offering high practical security in cryptographic applications. Our implementation shows that variable-base scalar multiplication on the new Weierstrass curves at the 128-bit security level is about 1.4 times faster than the recent implementation record on the corresponding NIST curve. For practitioners who are willing to use a different curve model and sacrifice a few bits of security, we present a collection of twisted Edwards curves with particularly efficient arithmetic that are up to 1.43, 1.26 and 1.24 times faster than the new Weierstrass curves at the 128-, 192- and 256-bit security levels, respectively. Finally, we discuss how these curves behave in a real-world protocol by considering different scalar multiplication scenarios in the transport layer security (TLS) protocol.
Faster Compact Diffie-Hellman: Endomorphisms on the x-line
Abstract

Cited by 8 (2 self)
Abstract. We describe an implementation of fast elliptic curve scalar multiplication, optimized for Diffie–Hellman Key Exchange at the 128-bit security level. The algorithms are compact (using only x-coordinates), run in constant time with uniform execution patterns, and do not distinguish between the curve and its quadratic twist; they thus have a built-in measure of side-channel resistance. The core of our construction is a suite of two-dimensional differential addition chains driven by efficient endomorphism decompositions, built on curves selected from a family of Q-curve reductions over F_{p^2} with p = 2^127 − 1. We include state-of-the-art experimental results for twist-secure, constant-time, x-coordinate-only scalar multiplication.
A Formal Treatment of Backdoored Pseudorandom Generators
Abstract

Cited by 6 (0 self)
We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited form and not in the context of subverting cryptographic protocols. The latter has become increasingly important due to revelations about NIST's backdoored Dual EC PRG and new results about its practical exploitability using a trapdoor. We show that backdoored PRGs are equivalent to public-key encryption schemes with pseudorandom ciphertexts. We use this equivalence to build backdoored PRGs that avoid a well-known drawback of the Dual EC PRG, namely biases in outputs that an attacker can exploit without the trapdoor. Our results also yield a number of new constructions and an explanatory framework for why there are no reported observations in the wild of backdoored PRGs using only symmetric primitives. We also investigate folklore suggestions for countermeasures to backdoored PRGs, which we call immunizers. We show that simply hashing PRG outputs is not an effective immunizer against an attacker that knows the hash function in use. Salting the hash, however, does yield a secure immunizer, a fact we prove using a surprisingly subtle proof in the random oracle model. We also give a proof in the standard model under the assumption that the hash function is a universal computational extractor (a recent notion introduced by Bellare, Tung, and Keelveedhi).
Elligator Squared: Uniform Points on Elliptic Curves of Prime Order as Uniform Random Strings
Abstract

Cited by 4 (0 self)
Abstract. When represented as a bit string in a standard way, even using point compression, an elliptic curve point is easily distinguished from a random bit string. This property potentially allows an adversary to tell apart network traffic that makes use of elliptic curve cryptography from random traffic, and then intercept, block or otherwise tamper with such traffic. Recently, Bernstein, Hamburg, Krasnova and Lange proposed a partial solution to this problem in the form of Elligator: an algorithm for representing around half of the points on a large class of elliptic curves as close to uniform random strings. Their proposal has the advantage of being very efficient, but suffers from several limitations:
– Since only a subset of all elliptic curve points can be encoded as a string, their approach only applies to cryptographic protocols transmitting points that are re-randomizable in some sense.
– Supported curves all have non-trivial 2-torsion, so that Elligator cannot be used with prime-order curves, ruling out standard ECC parameters and many other cryptographically interesting curves such as BN curves.
– For indistinguishability to hold, transmitted points have to be uniform in the whole set of representable points; in particular, they cannot be taken from a prime-order subgroup, which, in conjunction
TapDance: End-to-Middle Anticensorship without Flow Blocking
Abstract

Cited by 3 (1 self)
In response to increasingly sophisticated state-sponsored Internet censorship, recent work has proposed a new approach to censorship resistance: end-to-middle proxying. This concept, developed in systems such as Telex, Decoy Routing, and Cirripede, moves anticensorship technology into the core of the network, at large ISPs outside the censoring country. In this paper, we focus on two technical obstacles to the deployment of certain end-to-middle schemes: the need to selectively block flows and the need to observe both directions of a connection. We propose a new construction, TapDance, that removes these requirements. TapDance employs a novel TCP-level technique that allows the anticensorship station at an ISP to function as a passive network tap, without an inline blocking component. We also apply a novel steganographic encoding to embed control messages in TLS ciphertext, allowing us to operate on HTTPS connections even under asymmetric routing. We implement and evaluate a TapDance prototype that demonstrates how the system could function with minimal impact on an ISP's network operations.
Forward-Secure Distributed Encryption
Abstract
Abstract. Distributed encryption is a cryptographic primitive that implements revocable privacy. The primitive allows a recipient of a message to decrypt it only if enough senders encrypted that same message. We present a new distributed encryption scheme that is simpler than the previous solution by Hoepman and Galindo—in particular it does not rely on pairings—and that satisfies stronger security requirements. Moreover, we show how to achieve key evolution, which is necessary to ensure scalability in many practical applications, and prove that the resulting scheme is forward secure. Finally, we present a provably secure batched distributed encryption scheme that is much more efficient for small plaintext domains, but that requires more storage.
CONIKS: Bringing Key Transparency to End Users
Abstract
We present CONIKS, an end-user key verification service capable of integration in end-to-end encrypted communication systems. CONIKS builds on transparency log proposals for web server certificates but solves several new challenges specific to key verification for end users. CONIKS obviates the need for global third-party monitors and enables users to efficiently monitor their own key bindings for consistency, downloading less than 20 kB per day to do so even for a provider with billions of users. CONIKS users and providers can collectively audit providers for non-equivocation, and this requires downloading a constant 2.5 kB per provider per day. Additionally, CONIKS preserves the level of privacy offered by today's major communication services, hiding the list of usernames present and even allowing providers to conceal the total number of users in the system.
CONIKS: Bringing Key Transparency to End Users (24th USENIX Security Symposium, USENIX Association)
Same Value Analysis on Edwards Curves (2015)
Abstract
Recently, several research groups in cryptography have presented new elliptic curve models based on Edwards curves. These new curves were selected for their good performance and security perspectives. Cryptosystems based on elliptic curves in embedded devices can be vulnerable to Side-Channel Attacks (SCA), such as Simple Power Analysis (SPA) or Differential Power Analysis (DPA). In this paper, we analyze the existence of special points whose use in SCA is known as Same Value Analysis (SVA), for Edwards curves. These special points show up as internal collisions under power analysis. Our results indicate that no Edwards curve is safe from such attacks.
Faster ECC over F_{2^521 − 1}
Abstract
Abstract. In this paper we present a new multiplication algorithm for residues modulo the Mersenne prime 2^521 − 1. Using this approach, on an Intel Haswell Core i7-4770, constant-time variable-base scalar multiplication on NIST's (and SECG's) curve P-521 requires 989,000 cycles, while on the recently proposed Edwards curve E-521 it requires just 779,000 cycles. As a comparison, on the same architecture OpenSSL's ECDH speed test for curve P-521 requires 1,319,000 cycles. Furthermore, our code was written entirely in C with no non-compiler optimisations and so is robust across different platforms. The basic observation behind these speedups is that the form of the modulus allows one to multiply residues with as few word-by-word multiplications as is needed for squaring, while incurring very little overhead from extra additions, in contrast to the usual Karatsuba methods.