
Curve25519, Curve41417, E-521. Slide presentation by D. J. Bernstein.



Curve25519, Curve41417, E-521

D. J. Bernstein, University of Illinois at Chicago & Technische Universiteit Eindhoven

Curve25519 mod $p = 2^{255} - 19$: $y^2 = x^3 + 486662x^2 + x$. Equivalent to Edwards curve $x^2 + y^2 = 1 + (1 - 1/121666)\,x^2y^2$.

Curve41417 mod $2^{414} - 17$: $x^2 + y^2 = 1 + 3617\,x^2y^2$.

E-521 mod $2^{521} - 1$: $x^2 + y^2 = 1 - 376014\,x^2y^2$.

The big picture: Minimize tensions between speed, simplicity, security.

Curve25519

Introduced in ECC 2005 talk and PKC 2006 paper “New Diffie–Hellman speed records.”

Main features listed in paper: “extremely high speed”; “no time variability”; 32-byte secret keys; 32-byte public keys; “free key validation”; “short code”.

Tension: a neutral example

How will implementors compute $a/b \bmod p$? Many books recommend Euclid. Passes interoperability tests. But variable time, presumably a security problem.

Defense 1: Encourage implementors to use $a b^{p-2}$. Simpler than Euclid, fast enough. But maybe implementor finds it simplest to use a Euclid library, and wants the Euclid speed.

Defense 2: Encourage implementors to use tools to verify constant-time behavior. e.g. 2010 Langley “ctgrind”; 2013 Almeida–Barbosa–Pinto–Vieira.

Defense 3: Encourage implementors to use fractions (e.g., “projective coordinates”). Then Euclid speedup is negligible.

Defense 4: Choose curves that naturally avoid all divisions.
