curve25519 curve41417 e 521 curve25519 d j bernstein
play

Curve25519, Curve41417, E-521 Curve25519 D. J. Bernstein - PowerPoint PPT Presentation

Dec 30, 2023 •554 likes •1.24k views

1 2 Curve25519, Curve41417, E-521 Curve25519 D. J. Bernstein Introduced in ECC 2005 talk University of Illinois at Chicago & and PKC 2006 paper New Technische Universiteit Eindhoven DiffieHellman speed records. Main features

  1. 1 2 Curve25519, Curve41417, E-521 Curve25519 D. J. Bernstein Introduced in ECC 2005 talk University of Illinois at Chicago & and PKC 2006 paper “New Technische Universiteit Eindhoven Diffie–Hellman speed records.” Main features listed in paper: Curve25519 mod ♣ = 2 255 � 19: “extremely high speed”; ② 2 = ① 3 + 486662 ① 2 + ① . “no time variability”; 32-byte secret keys; Equivalent to Edwards curve 32-byte public keys; ① 2 + ② 2 = 1 + (1 � 1 ❂ 121666) ① 2 ② 2 . “free key validation”; Curve41417 mod 2 414 � 17: “short code”. ① 2 + ② 2 = 1 + 3617 ① 2 ② 2 . The big picture: E-521 mod 2 521 � 1: Minimize tensions between ① 2 + ② 2 = 1 � 376014 ① 2 ② 2 . speed, simplicity, security.

  2. 1 2 Curve25519, Curve41417, E-521 Curve25519 Tension: Bernstein Introduced in ECC 2005 talk How will University of Illinois at Chicago & and PKC 2006 paper “New compute ❛❂❜ ♣ echnische Universiteit Eindhoven Diffie–Hellman speed records.” Many bo Main features listed in paper: Passes interop Curve25519 mod ♣ = 2 255 � 19: “extremely high speed”; But variable ① 3 + 486662 ① 2 + ① . ② “no time variability”; presumably 32-byte secret keys; Equivalent to Edwards curve 32-byte public keys; ② 2 = 1 + (1 � 1 ❂ 121666) ① 2 ② 2 . ① “free key validation”; Curve41417 mod 2 414 � 17: “short code”. ② 2 = 1 + 3617 ① 2 ② 2 . ① The big picture: mod 2 521 � 1: Minimize tensions between ② 2 = 1 � 376014 ① 2 ② 2 . ① speed, simplicity, security.

  3. 1 2 Curve41417, E-521 Curve25519 Tension: a neutral Introduced in ECC 2005 talk How will implemento Illinois at Chicago & and PKC 2006 paper “New compute ❛❂❜ mod ♣ Universiteit Eindhoven Diffie–Hellman speed records.” Many books recommend Main features listed in paper: Passes interoperabilit ♣ = 2 255 � 19: “extremely high speed”; But variable time 486662 ① 2 + ① . ② ① “no time variability”; presumably a securit 32-byte secret keys; Edwards curve 32-byte public keys; (1 � 1 ❂ 121666) ① 2 ② 2 . ① ② “free key validation”; 2 414 � 17: “short code”. 3617 ① 2 ② 2 . ① ② The big picture: � 1: Minimize tensions between � 376014 ① 2 ② 2 . ① ② speed, simplicity, security.

  4. 1 2 E-521 Curve25519 Tension: a neutral example Introduced in ECC 2005 talk How will implementors Chicago & and PKC 2006 paper “New compute ❛❂❜ mod ♣ ? Eindhoven Diffie–Hellman speed records.” Many books recommend Euclid. Main features listed in paper: Passes interoperability tests. ♣ � 19: “extremely high speed”; But variable time , ② ① ① ① “no time variability”; presumably a security problem. 32-byte secret keys; curve 32-byte public keys; � ❂ 121666) ① 2 ② 2 . ① ② “free key validation”; � 17: “short code”. ① ② ① ② The big picture: � Minimize tensions between ① ② ① ② . � speed, simplicity, security.

  5. 2 3 Curve25519 Tension: a neutral example Introduced in ECC 2005 talk How will implementors and PKC 2006 paper “New compute ❛❂❜ mod ♣ ? Diffie–Hellman speed records.” Many books recommend Euclid. Main features listed in paper: Passes interoperability tests. “extremely high speed”; But variable time , “no time variability”; presumably a security problem. 32-byte secret keys; 32-byte public keys; “free key validation”; “short code”. The big picture: Minimize tensions between speed, simplicity, security.

  6. 2 3 Curve25519 Tension: a neutral example Introduced in ECC 2005 talk How will implementors and PKC 2006 paper “New compute ❛❂❜ mod ♣ ? Diffie–Hellman speed records.” Many books recommend Euclid. Main features listed in paper: Passes interoperability tests. “extremely high speed”; But variable time , “no time variability”; presumably a security problem. 32-byte secret keys; Defense 1: Encourage 32-byte public keys; implementors to use ❛❜ ♣ � 2 . “free key validation”; Simpler than Euclid, fast enough. “short code”. The big picture: Minimize tensions between speed, simplicity, security.

  7. 2 3 Curve25519 Tension: a neutral example Introduced in ECC 2005 talk How will implementors and PKC 2006 paper “New compute ❛❂❜ mod ♣ ? Diffie–Hellman speed records.” Many books recommend Euclid. Main features listed in paper: Passes interoperability tests. “extremely high speed”; But variable time , “no time variability”; presumably a security problem. 32-byte secret keys; Defense 1: Encourage 32-byte public keys; implementors to use ❛❜ ♣ � 2 . “free key validation”; Simpler than Euclid, fast enough. “short code”. But maybe implementor finds it The big picture: simplest to use a Euclid library, Minimize tensions between and wants the Euclid speed. speed, simplicity, security.

  8. 2 3 Curve25519 Tension: a neutral example Defense implemento duced in ECC 2005 talk How will implementors verify constant-time PKC 2006 paper “New compute ❛❂❜ mod ♣ ? e.g. 2010 Diffie–Hellman speed records.” Many books recommend Euclid. Almeida–Ba features listed in paper: Passes interoperability tests. “extremely high speed”; But variable time , time variability”; presumably a security problem. yte secret keys; Defense 1: Encourage yte public keys; implementors to use ❛❜ ♣ � 2 . ey validation”; Simpler than Euclid, fast enough. code”. But maybe implementor finds it big picture: simplest to use a Euclid library, Minimize tensions between and wants the Euclid speed. eed, simplicity, security.

  9. 2 3 Tension: a neutral example Defense 2: Encourage implementors to use ECC 2005 talk How will implementors verify constant-time paper “New compute ❛❂❜ mod ♣ ? e.g. 2010 Langley speed records.” Many books recommend Euclid. Almeida–Barbosa–Pinto–Vieira. listed in paper: Passes interoperability tests. speed”; But variable time , riability”; presumably a security problem. eys; Defense 1: Encourage eys; implementors to use ❛❜ ♣ � 2 . validation”; Simpler than Euclid, fast enough. But maybe implementor finds it simplest to use a Euclid library, tensions between and wants the Euclid speed. simplicity, security.

  10. 2 3 Tension: a neutral example Defense 2: Encourage implementors to use tools to talk How will implementors verify constant-time behavio “New compute ❛❂❜ mod ♣ ? e.g. 2010 Langley “ctgrind”; rds.” Many books recommend Euclid. Almeida–Barbosa–Pinto–Vieira. er: Passes interoperability tests. But variable time , presumably a security problem. Defense 1: Encourage implementors to use ❛❜ ♣ � 2 . Simpler than Euclid, fast enough. But maybe implementor finds it simplest to use a Euclid library, een and wants the Euclid speed. security.

  11. 3 4 Tension: a neutral example Defense 2: Encourage implementors to use tools to How will implementors verify constant-time behavior. compute ❛❂❜ mod ♣ ? e.g. 2010 Langley “ctgrind”; 2013 Many books recommend Euclid. Almeida–Barbosa–Pinto–Vieira. Passes interoperability tests. But variable time , presumably a security problem. Defense 1: Encourage implementors to use ❛❜ ♣ � 2 . Simpler than Euclid, fast enough. But maybe implementor finds it simplest to use a Euclid library, and wants the Euclid speed.

  12. 3 4 Tension: a neutral example Defense 2: Encourage implementors to use tools to How will implementors verify constant-time behavior. compute ❛❂❜ mod ♣ ? e.g. 2010 Langley “ctgrind”; 2013 Many books recommend Euclid. Almeida–Barbosa–Pinto–Vieira. Passes interoperability tests. Defense 3: Encourage But variable time , implementors to use fractions presumably a security problem. (e.g., “projective coordinates”). Defense 1: Encourage Then Euclid speedup is negligible. implementors to use ❛❜ ♣ � 2 . Simpler than Euclid, fast enough. But maybe implementor finds it simplest to use a Euclid library, and wants the Euclid speed.

  13. 3 4 Tension: a neutral example Defense 2: Encourage implementors to use tools to How will implementors verify constant-time behavior. compute ❛❂❜ mod ♣ ? e.g. 2010 Langley “ctgrind”; 2013 Many books recommend Euclid. Almeida–Barbosa–Pinto–Vieira. Passes interoperability tests. Defense 3: Encourage But variable time , implementors to use fractions presumably a security problem. (e.g., “projective coordinates”). Defense 1: Encourage Then Euclid speedup is negligible. implementors to use ❛❜ ♣ � 2 . Defense 4: Choose curves that Simpler than Euclid, fast enough. naturally avoid all divisions. But maybe implementor finds it simplest to use a Euclid library, and wants the Euclid speed.

Recommend

The first 10 years of Curve25519 Abstract: This paper explains the design and implementation

The first 10 years of Curve25519 Abstract: This paper explains the design and implementation

1 2 The first 10 years of Curve25519 Abstract: This paper explains the design and implementation Daniel J. Bernstein of a high-security elliptic-curve- University of Illinois at Chicago & Diffie-Hellman function Technische

2.07k views • 192 slides
The first 10 years of Curve25519 Daniel J. Bernstein University of Illinois at Chicago &

The first 10 years of Curve25519 Daniel J. Bernstein University of Illinois at Chicago &

1 The first 10 years of Curve25519 Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven 2005.05.19: Seminar talk; design+software close to done. 2005.09.15: Software online. 2005.09.20: Invited talk

869 views • 73 slides
Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D. J. Bernstein Real-world cost measures: Pentium cycles, Athlon cycles, Thanks to: etc. for generating keys, signing, University of Illinois at

541 views • 35 slides
Curve25519: Proving datatypes with a rooster Beno t Viguier MSc ( x y. x@y.nl ) benoit

Curve25519: Proving datatypes with a rooster Beno t Viguier MSc ( x y. x@y.nl ) benoit

Curve25519: Proving datatypes with a rooster Beno t Viguier MSc ( x y. x@y.nl ) benoit viguier https://www.viguier.nl DS Lunch talk 9th December 2016 Institute for Computing and Information Sciences Digital Security Radboud

761 views • 29 slides
Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011

Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011

1 2 Modern ECC signatures Many papers have explored Curve25519/Ed25519 speed. 2011 BernsteinDuifLange SchwabeYang: e.g. 2015 Chou software: Ed25519 signature scheme = on Intel Sandy Bridge (2011), EdDSA using conservative

2.15k views • 125 slides
Verification of TweetNaCls Curve25519 Peter Schwabe, Beno t Viguier , Timmy Weerwag, Freek

Verification of TweetNaCls Curve25519 Peter Schwabe, Beno t Viguier , Timmy Weerwag, Freek

Verification of TweetNaCls Curve25519 Peter Schwabe, Beno t Viguier , Timmy Weerwag, Freek Wiedijk Journ ee GT M ethodes Formelles pour la S ecurit e March 18 th , 2019 Institute for Computing and Information Sciences

621 views • 47 slides
Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha ..

Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha ..

Roger Dingledine March 2013 update 1 2 3 4 5 6 7 8 9 10 Tor 0.2.4.7-alpha .. 0.2.4.9-alpha New stronger/faster ECC-based link encryption New stronger/faster ECC-based circuit handshake (ntor, curve25519) Support for exiting

237 views • 23 slides
Fast, Safe, Pure-Rust Elliptic Curve Cryptography Isis Lovecruft / Henry de Valence RustConf 2017

Fast, Safe, Pure-Rust Elliptic Curve Cryptography Isis Lovecruft / Henry de Valence RustConf 2017

Fast, Safe, Pure-Rust Elliptic Curve Cryptography Isis Lovecruft / Henry de Valence RustConf 2017 Overview What is curve25519-dalek ? Implementing low-level arithmetic in Rust Rust features we love, and features we want to improve Implementing

806 views • 28 slides
Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein,

Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein,

1 Algorithms for multiquadratic number fields D. J. Bernstein Jens Bauch, Daniel J. Bernstein, Henry de Valence, Tanja Lange, Christine van Vredendaal. Short generators without quantum computers: the case of multiquadratics. Eurocrypt

1.13k views • 97 slides
Why Fuzzy Interpretation of . . . Bernstein Polynomials Fuzzy Interpretation . . . How Can We .

Why Fuzzy Interpretation of . . . Bernstein Polynomials Fuzzy Interpretation . . . How Can We .

Functional . . . Need for Polynomial . . . How to Represent . . . Bernstein . . . Why Fuzzy Interpretation of . . . Bernstein Polynomials Fuzzy Interpretation . . . How Can We . . . Are Better: Fuzzy Analysis (cont-d) Why Bernstein . . .

420 views • 18 slides
The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many

The libpqcrypto software library for post-quantum cryptography Daniel J. Bernstein and many contributors libpqcrypto.org Daniel J. Bernstein Context libpqcrypto.org Daniel J. Bernstein Redesigning crypto for security New requirements for

541 views • 51 slides
Jeffrey Bernstein Jeffrey Bernstein Kathy Guilbert Kathy Guilbert CTE schools have changed

Jeffrey Bernstein Jeffrey Bernstein Kathy Guilbert Kathy Guilbert CTE schools have changed

Jeffrey Bernstein Jeffrey Bernstein Kathy Guilbert Kathy Guilbert CTE schools have changed with the times. CTE schools are academically strenuous CTE schools emphasize college CTE schools are for all students Dispelling Myths

532 views • 26 slides
Jonathan and Erik Bernstein Bernstein Crisis Management, Inc Crisis Management Best Practices

Jonathan and Erik Bernstein Bernstein Crisis Management, Inc Crisis Management Best Practices

BEST PRACTICES IN CRISIS MANAGEMENT Jonathan and Erik Bernstein Bernstein Crisis Management, Inc Crisis Management Best Practices Crisis Prevention Organizations must plan for crises or they are, de facto, planning to have a crisis.

417 views • 18 slides
Un solveur de syst` emes non lin eaires bas e sur le polytope de Bernstein Christoph F

Un solveur de syst` emes non lin eaires bas e sur le polytope de Bernstein Christoph F

Nonlinear Systems Solver based on a Bernstein Polytope Chr. F unfzig Un solveur de syst` emes non lin eaires bas e sur le polytope de Bernstein Christoph F unfzig Dominique Michelucci Sebti Foufou LE2I, Universit e de

514 views • 38 slides
Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists

Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists

Announcement of the CAESAR finalists Daniel J. Bernstein Announcement of the CAESAR finalists Daniel J. Bernstein CAESAR timeline planned in 2012 2013.01: Announce tentative schedule. 2014.01: Deadline for first-round submissions.

527 views • 10 slides
Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische

Crypto horror stories Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Crypto horror stories Daniel J. Bernstein Horror story 1 RC4 Crypto horror stories Daniel J. Bernstein RC4 stream cipher:

799 views • 61 slides
Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and

Binary Edwards Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 12.08.2008 joint work with Reza Rezaeian Farashahi, Eindhoven D. J. Bernstein

428 views • 27 slides
OptOssol Presentation Case Review Robert Floros DPM FACFAS With contributions by David Bernstein

OptOssol Presentation Case Review Robert Floros DPM FACFAS With contributions by David Bernstein

OptOssol Presentation Case Review Robert Floros DPM FACFAS With contributions by David Bernstein DPM FACFAS and Philip Bernstein DPM FACFAS OptOssol Compression Device Ease of Use Inserts under power with a wire driver Floating Head

409 views • 12 slides
Entropy-based Concept Shift Detection Peter Vorburger, Abraham Bernstein University of Zurich

Entropy-based Concept Shift Detection Peter Vorburger, Abraham Bernstein University of Zurich

Entropy-based Concept Shift Detection Peter Vorburger, Abraham Bernstein University of Zurich Department of Informatics Binzm uhlestrasse 14, 8050 Zurich, Switzerland { vorburger, bernstein } @ifi.unizh.ch Abstract per is a real-world

176 views • 6 slides
Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
The Bernstein problem for equations of minimal surface type Connor Mooney UC Irvine October 20,

The Bernstein problem for equations of minimal surface type Connor Mooney UC Irvine October 20,

The Bernstein problem for equations of minimal surface type Connor Mooney UC Irvine October 20, 2020 Connor Mooney (UC Irvine) Bernstein problem October 20, 2020 1 / 22 Partly joint work with Y. Yang Connor Mooney (UC Irvine) Bernstein

344 views • 22 slides
Thomas Jefferson and Apple versus the FBI Daniel J. Bernstein University of Illinois at Chicago

Thomas Jefferson and Apple versus the FBI Daniel J. Bernstein University of Illinois at Chicago

Thomas Jefferson and Apple versus the FBI Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Thomas Jefferson and Apple versus the FBI Daniel J. Bernstein 1919 The Womens Christian Temperance Union

552 views • 29 slides
Randomness Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit

Randomness Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit

Randomness Daniel J. Bernstein University of Illinois at Chicago Technische Universiteit Eindhoven Tanja Lange Technische Universiteit Eindhoven Preliminary analysis of some submissions to snakeoil.cr.yp.to Daniel J. Bernstein University

363 views • 32 slides
Sharp Bernstein and Hoeffding type inequalities for regenerative Markov chains Gabriela Cio

Sharp Bernstein and Hoeffding type inequalities for regenerative Markov chains Gabriela Cio

Introduction Maximal inequalities under uniform entropy Bernstein type maximal inequality for Harris recurrent Markov chains Sharp Bernstein and Hoeffding type inequalities for regenerative Markov chains Gabriela Cio lek LTCI, T el

432 views • 24 slides

More recommend