Diversity and Transparency for ECC
Jean-Pierre Flori, Jérôme Plût, Jean-René Reinhard, and Martin Ekerå
ANSSI and NCSA/SW
June 11, 2015
J.-P. Flori (ANSSI) Diversity and Transparency for ECC June 11, 2015 1 / 32
I – Standardization
Standardization: Need for standardization?
In general, the group of rational points of an elliptic curve behaves as a “generic group”: the DLOG problem has exponential complexity, provided:
- The curve cardinality includes a large prime factor q. Solution: use curves with (almost) prime cardinality.
- The DLOG problem cannot be transferred into weaker groups. Solution: avoid weak curves.
Applying these solutions is computationally expensive: curves cannot be generated on demand.
Standardization: Standardized curves
Year   Curves      Sizes
2000   NIST        192, 224, 256, 384, 521
2005   Brainpool   160, 192, 224, 256, 320, 384, 512
2010   OSCCA       256
2011   ANSSI       256
Plus a few academic propositions (Curve25519/41417, NUMS, Ed448-Goldilocks, ...).
Standardization: Need for a second round?
The first curves were standardized around the year 2000, when:
- it was possible to find curves with prime cardinality (SEA algorithm);
- weak classes of curves were identified.
We think that these curves are still secure...
...but new concerns have emerged since then:
- what about the generation process? (is there some hidden secret vulnerability?)
- what about side-channel attacks?
- what about scientific progress in related domains (e.g. DLOG in finite fields)?
It is a good time to standardize new curves.
II – Security
Security: Five classes of criteria
1. The DLOG problem should be hard.
2. Implementations should be safe (e.g. resist side-channel attacks).
3. The curve should exhibit no particularities.
4. Implementations can be optimized.
5. (The curve exhibits interesting properties.)
Tradeoffs: Some conditions are incompatible: this is a good reason to standardize different (families of) curves.
Base field: We only deal with prime base fields, as we think that extension fields introduce more vulnerabilities without valuable properties.
Security: DLOG problem difficulty
Large prime subgroup: attacks with complexity O(√q) exist, where q is the largest prime factor of N. It is mandatory that:
- q ≈ N (P ≈ 1/log p, costly). At best q = N (no complete addition law!).
Weak curves: for some curves the DLOG problem can be transferred into a weaker finite field. It is mandatory that:
- ∆ ≠ 0 (P ≈ 1, free);
- N ≠ p (P ≈ 1, free);
- the embedding degree must be large (P ≈ 1, costly).
Security: Safe implementation
Even though the DLOG problem is hard on the curve, implementations might leak information.
Example: scalar multiplication using the naive “double-and-add” algorithm.
[Figure: operation trace D A D D D A D A for the scalar bits 1 0 0 1 1]
Security: Safe implementation – Classical countermeasures
Against simple attacks: avoid branching depending on secret elements.
- “double-and-add” always;
- Montgomery ladder.
Against differential attacks: avoid using secret elements repeatedly.
- secret masking;
- curve masking;
- point masking.
This is not enough: information can still leak!
Security: Safe implementation – Further countermeasures
Masking inefficiency: avoid base fields with special prime cardinality (no fast reduction!).
Exceptional cases: use a curve with a complete addition law (no prime cardinality!).
Special points: ensure no points with a zero coordinate exist (no complete addition law!).
Security: Safe implementation – Misbehavior resistance
Subgroup attacks: ensure no small subgroups exist (P = 1 if N is prime, no complete addition law!).
Twist attacks: use a twist with prime cardinality (P ≈ 1/log p, does not leverage all checks!).
Security: Genericity – Resist attacks to come?
What if we don’t know all classes of weak curves? Avoid producing too “special” curves!
Verify properties satisfied with P ≈ 1 in the sense of the DLOG problem difficulty. In particular, some numbers attached to the curve should be “large enough”.
The curve should look generic.
Security: Genericity – Numbers attached to a curve
Discriminant of the endomorphism ring: in general, the discriminant satisfies |D_E| ≈ p; therefore, |D_E| ≥ √p with P ≈ 1 − O(1/√p) (no pairings, no fast endomorphism!).
Class number friability: in general, the class number h_E has at least a prime divisor ≥ (log p)^O(1).
Embedding degree: the embedding degree is ≥ p^(1/4) with P ≥ 1 − 1/√p (no pairings!).
Security: Genericity – Numbers attached to a curve (II)
Twist cardinality: in general, the twist cardinality N₁ has at least a prime divisor ≥ (log p)^O(1).
DLOG in the base field: the base field cardinality p should be pseudo-random (no fast reduction!). p − 1 has a prime divisor ≥ (log p)² with P ≥ 1 − 1/√p.
Security: Genericity – Summary (• = criterion satisfied)
Standardized curves (NIST, Brainpool, ANSSI, OSCCA):
  N prime:       • • • •
  p ordinary:    • • •
  Complete law:
  Twist secure:
  Generic:       • • •
Academic curves (NUMS, Curve25519/41417, Ed448-Goldilocks):
  N prime:
  p ordinary:
  Complete law:  • • •
  Twist secure:  • • •
  Generic:
Security: Optimized implementation
- Curves with N < p points (half of them).
- Fast computation of square roots (p ≡ 3 (mod 4)).
- Fast modular reduction (special primes, inefficient masking!).
- Small coefficients for the curve equation (no genericity!).
- Specific system of coordinates (some entail no prime cardinality!).
Security: Diversity – Different criteria for different uses
The aforementioned criteria are conflicting. In particular, tradeoffs are to be made between genericity and speed...
...but also between optimization and side-channel security.
Only the first class of criteria is mandatory to ensure the DLOG problem difficulty. The other classes of criteria mostly affect speed and ease of implementation.
Use (and standardize) different (families of) curves!
Security: Diversity – Real zoo
[Figure: plots over the reals of a Weierstrass curve and an Edwards curve]
Security: Diversity – Real zoo (II)
[Figure: plots over the reals of a Jacobi curve and a Hessian curve]
Security: Diversity – Finite field zoo
[Figure: point plots of curves over a finite field, panels titled “Frog” and “Cockroach”]
Security: Diversity – Finite field zoo (II)
[Figure: point plots of curves over a finite field, panels titled “Walrus” and “Bunny”]
III – Transparency
Transparency: Certificates for elliptic curves – Architecture
Provide curves fulfilling a selection of criteria...
...together with a certificate for faster verification of:
- the number of points,
- the discriminant and class number properties,
- the embedding degree.
A deterministic algorithm to sample curves...
...and producing a certificate:
- Completely reproducible generation process.
- Either pseudo-random (for genericity) or by enumeration of increasing values (for efficiency).
- Certify every step, including rejected curves.
Transparency: Certificates for elliptic curves – Cardinality of curves
Prime order. Certificate: (G, q, Π) where G ≠ 0 is such that q·G = 0 with q ≥ p − 2√p + 1, and Π is a primality proof for q. Size and verification in O(log² p), generally only generated once.
Composite order. Certificate: (P, n, c), where P ≠ 0 is such that n·P = 0 with n < 2(√p − 1)², and c is a composition witness for n. Size in O(log p), generation and verification in O(log² p).
More efficient verification using early-abort SEA information about small torsion points.
Transparency: Generation process – Example
Sampling function from the seed s:
- p = smallest prime ≥ s;
- g = smallest generator of F_p^×;
- equations of the form y² = x³ − 3x + b, with b = g, g², ...
Conditions:
- N and N₁ prime;
- ∆ ≠ 0; N, N₁ ≠ p, p + 1;
- embedding degrees of E and E₁ at least p^(1/4);
- class number ≥ p^(1/4).
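The DLOG conditions from the “DLOG problem difficulty” slide and the sampling function above, run at toy scale as an added example (not the authors' generator): p is tiny so N is counted by brute force instead of SEA, the class-number condition is skipped, and the seed value is an arbitrary constructed input.

```python
# Added example, not the authors' code: toy-scale run of the slide's sampling function.
# Assumptions: brute-force point counting instead of SEA; class-number check omitted.

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def smallest_generator(p):
    """Smallest g generating F_p^x: g^((p-1)/q) != 1 for every prime q dividing p-1."""
    factors = [q for q in range(2, p) if (p - 1) % q == 0 and is_prime(q)]
    g = 2
    while any(pow(g, (p - 1) // q, p) == 1 for q in factors):
        g += 1
    return g

def count_points(p, a, b):
    """#E(F_p) for y^2 = x^3 + a*x + b: Euler's criterion per x, plus the point at infinity."""
    n = 1
    for x in range(p):
        v = (x * x * x + a * x + b) % p
        n += 1 if v == 0 else 2 * (pow(v, (p - 1) // 2, p) == 1)
    return n

def embedding_degree(p, n):
    """Smallest k with p^k = 1 (mod n), n prime and n != p: the F_{p^k} a pairing would land in."""
    k, acc = 1, p % n
    while acc != 1:
        k, acc = k + 1, (acc * p) % n
    return k

def sample_curve(seed):
    """First b = g, g^2, ... whose curve y^2 = x^3 - 3x + b passes the slide's checks."""
    p = seed
    while not is_prime(p):           # p = smallest prime >= seed
        p += 1
    g, bound = smallest_generator(p), p ** 0.25   # embedding degrees must be >= p^(1/4)
    b = g
    for _ in range(p - 1):           # b runs over all of F_p^x in generator order
        N = count_points(p, -3, b)
        N1 = 2 * p + 2 - N           # cardinality of the quadratic twist
        if ((b * b - 4) % p and      # Delta = -16*27*(b^2 - 4) != 0
                is_prime(N) and is_prime(N1) and
                N not in (p, p + 1) and N1 not in (p, p + 1) and
                embedding_degree(p, N) >= bound and embedding_degree(p, N1) >= bound):
            return p, b, N, N1
        b = b * g % p
    return None                      # no curve in this field passed every check
```

`sample_curve(1000)` starts from p = 1009; every rejected b on the way is exactly the kind of step the slide says a certificate should record.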