Results 1-10 of 63
Curve25519: new Diffie-Hellman speed records
In Public Key Cryptography (PKC), Springer-Verlag LNCS 3958, 2006
Cited by 113 (25 self)
Abstract. This paper explains the design and implementation of a high-security elliptic-curve-Diffie-Hellman function achieving record-setting speeds: e.g., 832457 Pentium III cycles (with several side benefits: free key compression, free key validation, and state-of-the-art timing-attack protection), more than twice as fast as other authors’ results at the same conjectured security level (with or without the side benefits).

Fault attacks on RSA with CRT: Concrete Results and Practical Countermeasures
2002
Cited by 49 (2 self)
This article describes concrete results and practically approved countermeasures concerning differential fault attacks on RSA using the CRT. It especially investigates smartcards with a RSA coprocessor where any hardware countermeasure to defeat such fault attacks have been switched off. This scenario has been chosen in order to completely analyze the resulting effects and errors occurring inside the hardware. Using the results of this kind of physical stress attack enables the development of completely reliable software countermeasures. Although

Elliptic Curve Cryptosystems in the Presence of Permanent and Transient Faults
Designs, Codes and Cryptography, 2003
Cited by 41 (3 self)
Elliptic curve cryptosystems in the presence of faults were studied by Biehl, Meyer and Müller (2000). The first fault model they consider requires that the input point P in the computation of dP is chosen by the adversary. Their second and third fault models only require the knowledge of P. But these two latter models are less `practical' in the sense that they assume that only a few bits of error are inserted (typically exactly one bit is supposed to be disturbed) either into P just prior to the point multiplication or during the course of the computation in a chosen location. This paper

Sign Change Fault Attacks on Elliptic Curve Cryptosystems
Fault Diagnosis and Tolerance in Cryptography 2006 (FDTC ’06), volume 4236 of Lecture Notes in Computer Science, 2004
Cited by 27 (0 self)
We present a new type of fault attacks on elliptic curve scalar multiplications: Sign Change Attacks. These attacks exploit different number representations as they are often employed in modern cryptographic applications. Previously, fault attacks on elliptic curves aimed to force a device to output points which are on a cryptographically weak curve. Such attacks can easily be defended against. Our attack produces points which do not leave the curve and are not easily detected. The paper also presents a revised scalar multiplication algorithm that provably protects against Sign Change Attacks.

Elligator: Elliptic-curve points indistinguishable from uniform random strings
Cited by 16 (1 self)
Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship-circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deep-packet inspection. Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits. This paper introduces high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings.

Fault based cryptanalysis of the Advanced Encryption Standard
www.iacr.org/eprint/2002/075.pdf
Cited by 12 (1 self)
Abstract. In this paper we describe several fault attacks on the Advanced Encryption Standard (AES). First, using optical/eddy current fault induction attacks as recently publicly presented by Skorobogatov, Anderson and Quisquater, Samyde [SA,QS], we present an implementation independent fault attack on AES. This attack is able to determine the complete 128-bit secret key of a sealed tamper-proof smartcard by generating 128 faulty cipher texts. Second, we present several implementation-dependent fault attacks on AES. These attacks rely on the observation that due to the AES’s known timing analysis vulnerability (as pointed out by Koeune and Quisquater [KQ]), any implementation of the AES must ensure a data independent timing behavior for the so called AES’s xtime operation. We present fault attacks on AES based on various timing analysis resistant implementations of the xtime-operation. Our strongest attack in this direction uses a very liberal fault model and requires only 256 faulty encryptions to determine a 128-bit key.

An Overview of the XTR Public Key System
In Public-Key Cryptography and Computational Number Theory, Verlages Walter de Gruyter, 2000
Cited by 11 (1 self)
XTR is a new method to represent elements of a subgroup of a multiplicative group of a finite field. Application of XTR in cryptographic protocols leads to substantial savings both in communication and computational overhead without compromising security. This paper describes and explains the techniques and properties that are relevant for the XTR cryptosystem and its implementation. It is based on the material from [10,?,?,?].

State-of-the-art of secure ECC implementations: a survey on known side-channel attacks and countermeasures
2010
Cited by 11 (3 self)
Implementations of cryptographic primitives are vulnerable to physical attacks. While the adversary only needs to succeed in one out of many attack methods, the designers have to consider all the known attacks, whenever applicable to their system, simultaneously. Thus, keeping an organized, complete and up-to-date table of physical attacks and countermeasures is of paramount importance to system designers. This paper summarizes known physical attacks and countermeasures on Elliptic Curve Cryptosystems. Instead of repeating the details of different attacks, we focus on a systematic way of organizing and understanding known attacks and countermeasures. Three principles of selecting countermeasures to thwart multiple attacks are given. This paper can be used as a road map for countermeasure selection in a first design iteration.

Techniques of Side Channel Cryptanalysis
University of Waterloo, 2001
Cited by 11 (0 self)
I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public. The traditional model of cryptography examines the security of cryptographic primitives as mathematical functions. This approach does not account for the physical side effects of using these primitives in the real world. A more realistic model employs the concept of a side channel. A side channel is a source of information that is inherent to a physical implementation of a primitive. Research done in the last half of the 1990s has shown that the information transmitted by side channels, such as execution time, computational faults and power consumption, can be detrimental to the security of ciphers like DES and RSA. This thesis surveys the techniques of side channel cryptanalysis presented in [30], [10], and [31] and shows how side channel information can be used to break implementations of DES and RSA. Some specific techniques covered include the timing attack, differential fault analysis, simple power analysis and differential power analysis. Possible defenses against each of these side channel attacks are also discussed.

Fast irreducibility and subgroup membership testing in XTR
Proceedings of the 2001 Public Key Cryptography Conference, LNCS 1992, 1992
Cited by 11 (5 self)
We describe a new general method to perform part of the setup stage of the XTR system introduced at Crypto 2000, namely finding the trace of a generator of the XTR group. Our method is substantially faster than the general method presented at Asiacrypt 2000. As a side result, we obtain an efficient method to test subgroup membership when using XTR.