ecc optimization on sandy bridge
play

ECC optimization on Sandy Bridge The cost of cofactor h = 1 Daan - PowerPoint PPT Presentation

Oct 29, 2023 •182 likes •1.07k views

ECC optimization on Sandy Bridge The cost of cofactor h = 1 Daan Sprenkels hello@dsprenkels.com Radboud University Nijmegen 1 April 2019 Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 1 / 30 Outline Introduction

  1. ECC optimization on Sandy Bridge The cost of cofactor h = 1 Daan Sprenkels hello@dsprenkels.com Radboud University Nijmegen 1 April 2019 Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 1 / 30

  2. Outline Introduction Preliminaries Cofactor security ECC implementation Results Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 2 / 30

  3. Outline Introduction Preliminaries Cofactor security ECC implementation Results Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 2 / 30

  4. Elliptic curves E : y 2 = x 3 + ax + b Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 3 / 30

  5. Elliptic curves E : y 2 = x 3 + ax + b 4 2 0 y − 2 − 4 − 4 − 2 0 2 4 x Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 3 / 30

  6. Elliptic curves: addition E : y 2 = x 3 + ax + b 4 − R Q 2 P 0 y − 2 R − 4 − 4 − 2 0 2 4 x Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 3 / 30

  7. Elliptic curves: doubling E : y 2 = x 3 + ax + b 4 − R P 2 0 y − 2 R − 4 − 4 − 2 0 2 4 x Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 3 / 30

  8. Elliptic curves ◮ Coordinates include the point at infinity O ◮ Define P + O = P Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 4 / 30

  9. Elliptic curves ◮ Coordinates include the point at infinity O ◮ Define P + O = P ◮ Curve equation: E : y 2 = x 3 + ax + b Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 4 / 30

  10. Elliptic curves ◮ Coordinates include the point at infinity O ◮ Define P + O = P ◮ Curve equation: E : y 2 = x 3 + ax + b ◮ Coordinates are defined over a field F q ◮ I.e. integers modulo q Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 4 / 30

  11. Elliptic curves: actually E : y 2 = x 3 − 3 x + 1 defined over F 11 5 4 3 2 1 0 y − 1 − 2 − 3 − 4 − 5 0 1 2 3 4 5 6 7 8 9 10 11 x Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 5 / 30

  12. Elliptic curves: actual addition E : y 2 = x 3 − 3 x + 1 defined over F 11 5 R 4 3 Q 2 1 0 y − 1 P − 2 − 3 − 4 − R − 5 0 1 2 3 4 5 6 7 8 9 10 11 x Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 5 / 30

  13. Group arithmetic ◮ We can do arithmetic with these rules! :) ◮ Addition: P + Q ◮ Subtraction: P − Q ◮ Neutral element: O , i.e. “zero” Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 6 / 30

  14. Group arithmetic ◮ We can do arithmetic with these rules! :) ◮ Addition: P + Q ◮ Subtraction: P − Q ◮ Neutral element: O , i.e. “zero” ◮ Scalar multiplication: [ k ] P = P + P + ... + P � �� � k times Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 6 / 30

  15. Group arithmetic ◮ We can do arithmetic with these rules! :) ◮ Addition: P + Q ◮ Subtraction: P − Q ◮ Neutral element: O , i.e. “zero” ◮ Scalar multiplication: [ k ] P = P + P + ... + P � �� � k times ◮ Discrete log problem: given P , Q where [ k ] P = Q , hard to find k Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 6 / 30

  16. Elliptic curves are cyclic ◮ Points form a cycle: O + P + P + P + P → ... + P + P − − → P − − → [2] P − − → [3] P − − − − → [ n − 1] P − − → O Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 7 / 30

  17. Elliptic curves are cyclic ◮ Points form a cycle: O + P + P + P + P → ... + P + P − − → P − − → [2] P − − → [3] P − − − − → [ n − 1] P − − → O � �� � n steps ◮ The order n should contain a large prime factor ◮ Only one cycle if n is prime Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 7 / 30

  18. Cofactors ◮ If n is not a prime Then n = h · ℓ ◮ I.e. small loops are possible: + T 4 + T 4 + T 4 + T 4 E.g. if 4 | n , then there is a point T 4 : O − − → T 4 − − → [2] T 4 − − → [3] T 4 − − → O � �� � only 4 steps! Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 8 / 30

  19. Cofactors ◮ If n is not a prime Then n = h · ℓ ◮ I.e. small loops are possible: + T 4 + T 4 + T 4 + T 4 E.g. if 4 | n , then there is a point T 4 : O − − → T 4 − − → [2] T 4 − − → [3] T 4 − − → O � �� � only 4 steps! ◮ h is called the cofactor Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 8 / 30

  20. Cofactors ◮ If n is not a prime Then n = h · ℓ ◮ I.e. small loops are possible: + T 4 + T 4 + T 4 + T 4 E.g. if 4 | n , then there is a point T 4 : O − − → T 4 − − → [2] T 4 − − → [3] T 4 − − → O � �� � only 4 steps! ◮ h is called the cofactor ◮ This property is often harmless Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 8 / 30

  21. Cofactors ◮ If n is not a prime Then n = h · ℓ ◮ I.e. small loops are possible: + T 4 + T 4 + T 4 + T 4 E.g. if 4 | n , then there is a point T 4 : O − − → T 4 − − → [2] T 4 − − → [3] T 4 − − → O � �� � only 4 steps! ◮ h is called the cofactor ◮ This property is often harmless ◮ I.e. sometimes it’s the opposite of harmless Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 8 / 30

  22. A brief history... ◮ 1999: elliptic curves popularized Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  23. A brief history... ◮ 1999: elliptic curves popularized ◮ 2006: Curve25519 published by Bernstein ◮ “Safe” for implementors Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  24. A brief history... ◮ 1999: elliptic curves popularized ◮ 2006: Curve25519 published by Bernstein ◮ “Safe” for implementors ◮ Super fast Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  25. A brief history... ◮ 1999: elliptic curves popularized ◮ 2006: Curve25519 published by Bernstein ◮ “Safe” for implementors ◮ Super fast ◮ Has cofactor h = 8 Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  26. A brief history... ◮ 1999: elliptic curves popularized ◮ 2006: Curve25519 published by Bernstein ◮ “Safe” for implementors ◮ Super fast ◮ Has cofactor h = 8 ◮ 2014: Monero cryptocurrency ◮ Uses Curve25519 Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  27. A brief history... ◮ 1999: elliptic curves popularized ◮ 2006: Curve25519 published by Bernstein ◮ “Safe” for implementors ◮ Super fast ◮ Has cofactor h = 8 ◮ 2014: Monero cryptocurrency ◮ Uses Curve25519 ◮ 2017: vulnerability in Monero found ◮ Allowed anyone to create coins out of thin air Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 9 / 30

  28. The Monero vulnerability ◮ Transaction involves a ring signature Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 10 / 30

  29. The Monero vulnerability ◮ Transaction involves a ring signature ◮ Double-spending is prevented by a key image I Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 10 / 30

  30. The Monero vulnerability ◮ Transaction involves a ring signature ◮ Double-spending is prevented by a key image I ◮ I binds the transaction to signer’s public key P Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 10 / 30

  31. The Monero vulnerability ◮ Transaction involves a ring signature ◮ Double-spending is prevented by a key image I ◮ I binds the transaction to signer’s public key P ◮ Binding is in zero-knowledge Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 10 / 30

  32. The Monero vulnerability ◮ Transaction involves a ring signature ◮ Double-spending is prevented by a key image I ◮ I binds the transaction to signer’s public key P ◮ Binding is in zero-knowledge ◮ Key image I should be unique Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 10 / 30

  33. Monero transactions ◮ Have generators G 1 , G 2 ; private key x ; public key P ; key image I . ◮ sign x ( m ) ◮ Sign m with private key x ◮ Choose commitment u ∈ R h Z ℓ ◮ Compute a 2 = [ u ] G 2 ; c = H ( m , a 1 , a 2 ); r = u + cx ◮ Output signature s = ( a 1 , a 2 , r ) Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 11 / 30

  34. Monero transactions ◮ Have generators G 1 , G 2 ; private key x ; public key P ; key image I . ◮ sign x ( m ) ◮ Sign m with private key x ◮ Choose commitment u ∈ R h Z ℓ ◮ Compute a 2 = [ u ] G 2 ; c = H ( m , a 1 , a 2 ); r = u + cx ◮ Output signature s = ( a 1 , a 2 , r ) ◮ verify P , I ( m , s ) ? ◮ [ r ] G 1 = a 1 + [ c ] P ? ◮ [ r ] G 2 = a 2 + [ c ] I ◮ I unique? Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 11 / 30

  35. Attacking Monero signatures ◮ Challenge. Find some signature+keypair a 2 , c , r , and I , s.t. [ r ] G 2 = a 2 + [ c ] I = a 2 + [ c ] I ′ , where I � = I ′ . Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 12 / 30

  36. Attacking Monero signatures ◮ Challenge. Find some signature+keypair a 2 , c , r , and I , s.t. [ r ] G 2 = a 2 + [ c ] I = a 2 + [ c ] I ′ , where I � = I ′ . ◮ Solution. Choose I ′ = I + T α , where α | c and [ α ] T α = O . Daan Sprenkels ECC optimization on Sandy Bridge 1 April 2019 12 / 30

Recommend

MagentoPerformance and Optimization ChrisWells CEO - Nexcess The Ambassador Bridge USA/Canada

MagentoPerformance and Optimization ChrisWells CEO - Nexcess The Ambassador Bridge USA/Canada

Laying the Foundation for MagentoPerformance and Optimization ChrisWells CEO - Nexcess The Ambassador Bridge USA/Canada The Ambassador Bridge USA/Canada Todays Topics A note on permissions Common pitfalls L AMP L AMP L AMP

553 views • 37 slides
Creating Safer Schools & Communities WHO is Sandy Hook Promise Sandy Hook Promise (SHP) is a

Creating Safer Schools & Communities WHO is Sandy Hook Promise Sandy Hook Promise (SHP) is a

Creating Safer Schools & Communities WHO is Sandy Hook Promise Sandy Hook Promise (SHP) is a nonprofit Timothy Makris Executive Director organization led by several family members who lost loved ones at the Sandy Hook Elementary

340 views • 22 slides
Port of New York and New Jersey Post Sandy Approach to Resiliency AAPA - Energy &

Port of New York and New Jersey Post Sandy Approach to Resiliency AAPA - Energy &

Port of New York and New Jersey Post Sandy Approach to Resiliency AAPA - Energy & Environment Seminar September 12, 2018 Our Port Facilities Sandy Re-Cap Sandy Sandy - Storm Surge Map Map Source: WNYC -

399 views • 28 slides
5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with

5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with

5 th Street SE Bridge Overview Bridge is functionally obsolete New bridge funded with federal money Layout was approved 2017 MnDOT hosted several visual quality workshops where community members were able to select bridge

530 views • 13 slides
Sandy Skoglund By: Emma, Allie, Tibayan ART120 Photorealism Bio - Sandy Skoglund was born in

Sandy Skoglund By: Emma, Allie, Tibayan ART120 Photorealism Bio - Sandy Skoglund was born in

Sandy Skoglund By: Emma, Allie, Tibayan ART120 Photorealism Bio - Sandy Skoglund was born in 1946 in Quincy, MA. - She went to Smith College for her BFA and eventually got a MFA from the University of Iowa. - She became a Professor at the

402 views • 18 slides
Sandy Landsberg Sandy.Landsberg@science.doe.gov Presented to IFIP Working Conference on

Sandy Landsberg Sandy.Landsberg@science.doe.gov Presented to IFIP Working Conference on

DOE Office of Science Advanced Scientific Computing Research Applied Mathematics Program Sandy Landsberg Sandy.Landsberg@science.doe.gov Presented to IFIP Working Conference on Uncertainty Quantification in Scientific Computing August 1, 2011

726 views • 21 slides
Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit

Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit

Bridge How Bridge Can Benefit Your School and Your Students Benefits of Playing Bridge Benefit to Administrators Improvement in Standardized Test Scores Promote STEM Education Goals Students Learn Cooperation and Communication

531 views • 14 slides
Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation

Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation

Bridge Rehabilitation/Replacement Needs Redbud Trail Bridge Barton Springs Road Bridge Presentation to Mobility Committee April 2015 PWD Bridge Program City of Austin has 447 rated bridges. Goal is to maintain all bridges in

623 views • 22 slides
SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed

SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed

SR 73 Loudon County Bridge SR73 Bridge History Several alternates were studied q TVA expressed a desire not to replace or widen the existng q bridge on the dam the bridge hampers access requires stopping and controlling trafc maintenance

966 views • 10 slides
Making New York City Hurricane Sandy Proof Presented by Michael Grant, Tony Mizutani, Daniel

Making New York City Hurricane Sandy Proof Presented by Michael Grant, Tony Mizutani, Daniel

Making New York City Hurricane Sandy Proof Presented by Michael Grant, Tony Mizutani, Daniel Smith, David Mashkevich, and Emily Nemecek History of Hurricanes Saffir-Simpson Scale Tracking Hurricane Sandy Hurricane Sandy Damages 7.5

323 views • 20 slides
Sandy Valley Local Schools Two Options for Sandy Valleys Reset/Restart Plan u Option 1: u

Sandy Valley Local Schools Two Options for Sandy Valleys Reset/Restart Plan u Option 1: u

Sandy Valley Local Schools Two Options for Sandy Valleys Reset/Restart Plan u Option 1: u Option 2: ALL IN ONLINE LEARNING Students at Students have Sandy Valley access to All Day, Everyday curriculum online ALL IN PLAN: All Students,

95 views • 8 slides
Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning

Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning

Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning Department , Toronto Public Library Kristian Roberts, Partner, Nordicity Jan 31, 2020 What is Bridge? The Bridge Technology Services Assessment Toolkit

285 views • 28 slides
Intel Core i7 Memory Hierarchy Amanda Adkins, Brett Ammeson, James Anouna, Tony Garside, Lukas

Intel Core i7 Memory Hierarchy Amanda Adkins, Brett Ammeson, James Anouna, Tony Garside, Lukas

Intel Core i7 Memory Hierarchy Amanda Adkins, Brett Ammeson, James Anouna, Tony Garside, Lukas Hunker, Sam Mailand Intel i7 Timeline 2011 2013 2015 Nehalem Ivy Bridge Broadwell Sandy Haswell Skylake Bridge 2008 2012

420 views • 40 slides
Indi diana na Bridge L Load R Rating Jeremy Hunter INDOT Bridge Design Manager Indiana

Indi diana na Bridge L Load R Rating Jeremy Hunter INDOT Bridge Design Manager Indiana

Indi diana na Bridge L Load R Rating Jeremy Hunter INDOT Bridge Design Manager Indiana Bridge Load Rating Requirements AASHTO Manual For Bridge Evaluation 2 nd Edition Defines requirements for: Bridge Records Bridge Management

360 views • 9 slides
Hurricane Sandy Alex Amparo Deputy Assistant Administrator Recovery Directorate 1

Hurricane Sandy Alex Amparo Deputy Assistant Administrator Recovery Directorate 1

Hurricane Sandy Alex Amparo Deputy Assistant Administrator Recovery Directorate 1 Presenters Name June 17, 2003 Hurricane Sandy At a Glance 2 nd largest Atlantic storm on record Impacted the most densely populated area of

359 views • 15 slides
Sandy Burke BSN RN CWCN Deb Perry MS RN Olmsted Medical Center Rochester, MN Deb Perry MS,

Sandy Burke BSN RN CWCN Deb Perry MS RN Olmsted Medical Center Rochester, MN Deb Perry MS,

Sandy Burke BSN RN CWCN Deb Perry MS RN Olmsted Medical Center Rochester, MN Deb Perry MS, RN Sandy Burke BSN, RN, CWCN Sandy has loved and participated in wound care for 20 years Deb has a passion for wound care starting with her 26

905 views • 68 slides
Delaware Section Bridge Construction Presentations: Rapid Bridge Replacement by Dr. Christopher

Delaware Section Bridge Construction Presentations: Rapid Bridge Replacement by Dr. Christopher

Delaware Section Bridge Construction Presentations: Rapid Bridge Replacement by Dr. Christopher Meehan & DelDOT Accelerated Bridge Construction (ABC) Techniques by Jason Hastings Wednesday March 21, 2018 Co-sponsored by ASME, ASCE,

567 views • 4 slides
Unlicensed Rooming House Presentation 28 June, 2016 Introduction Action Sandy Hills

Unlicensed Rooming House Presentation 28 June, 2016 Introduction Action Sandy Hills

Bob Forbes Vice President Unlicensed Rooming House Presentation 28 June, 2016 Introduction Action Sandy Hills Mission is to promote and preserve Sandy Hill as a: Diverse, heritage community Vibrant neighbourhood which

510 views • 34 slides
BRIDGE CENTRALITY: IDENTIFYING BRIDGE SYMPTOMS IN PSYCHOPATHOLOGY NETWORKS Payton Jones Harvard

BRIDGE CENTRALITY: IDENTIFYING BRIDGE SYMPTOMS IN PSYCHOPATHOLOGY NETWORKS Payton Jones Harvard

BRIDGE CENTRALITY: IDENTIFYING BRIDGE SYMPTOMS IN PSYCHOPATHOLOGY NETWORKS Payton Jones Harvard University Masters Thesis Presentation Mental Disorder Comorbidity 1 6 3 4 7 8 2 9 5 10 Depression Social Anxiety Bridge Nodes 1

849 views • 31 slides
key bridge Taipei, November 15, 2011 1 key bridge Challenge and Needs How to enable a

key bridge Taipei, November 15, 2011 1 key bridge Challenge and Needs How to enable a

Data Model In Support of White Space Database Access Protocols draft-caulfield-paws-protocol-for-tvws-01 key bridge Taipei, November 15, 2011 1 key bridge Challenge and Needs How to enable a standardized, lightweight and Rules-compliant

344 views • 9 slides
Overview of Aerodynamics Study Simon Amor Head of Planning and Development A14 Orwell Bridge

Overview of Aerodynamics Study Simon Amor Head of Planning and Development A14 Orwell Bridge

A14 Orwell Bridge Overview of Aerodynamics Study Simon Amor Head of Planning and Development A14 Orwell Bridge Orwell Bridge Construction of the bridge started in October 1979 and was completed in December 1982. The bridge opened to

926 views • 22 slides
CRP 693 W Cashmere Bridge Replacement Project 1 2 Existing Condition of West Cashmere Bridge

CRP 693 W Cashmere Bridge Replacement Project 1 2 Existing Condition of West Cashmere Bridge

CRP 693 W Cashmere Bridge Replacement Project 1 2 Existing Condition of West Cashmere Bridge Multi-Design Bridge with Warren Truss Main Spans Total Length 503 feet Posted for No Trucks 3 Existing Condition Needed Repairs

437 views • 14 slides
Science and Technology in Disasters Opportunities Revealed by Sandy CCICADA/DIMACS Workshop

Science and Technology in Disasters Opportunities Revealed by Sandy CCICADA/DIMACS Workshop

Department of Homeland Security Science & Technology Science and Technology in Disasters Opportunities Revealed by Sandy CCICADA/DIMACS Workshop on S&T Innovations in Hurricane Sandy Research Dr. Mitchell Erickson Interagency Office

397 views • 21 slides
Regional Measure 3 Stakeholder Kickoff Meeting: S.F.-Oakland Bay Bridge Corridor Steve Heminger

Regional Measure 3 Stakeholder Kickoff Meeting: S.F.-Oakland Bay Bridge Corridor Steve Heminger

Regional Measure 3 Stakeholder Kickoff Meeting: S.F.-Oakland Bay Bridge Corridor Steve Heminger Executive Director February 13, 2017 BATAs Seven-Bridge System Carquinez Bridge Opened 1927, 1958 and 2003 Antioch Bridge Benicia-Martinez

438 views • 16 slides

More recommend