5 Bilinear pairings
◮ $(\mathbb{G}_2, \times)$, a multiplicatively-written cyclic group of order $\#\mathbb{G}_2 = \#\mathbb{G}_1 = \ell$
◮ A bilinear pairing on $(\mathbb{G}_1, \mathbb{G}_2)$ is a map $\hat{e} : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ that satisfies the following conditions:
• non-degeneracy: $\hat{e}(P, P) \neq 1_{\mathbb{G}_2}$ (equivalently, $\hat{e}(P, P)$ generates $\mathbb{G}_2$)
• bilinearity: $\hat{e}(Q_1 + Q_2, R) = \hat{e}(Q_1, R) \cdot \hat{e}(Q_2, R)$ and $\hat{e}(Q, R_1 + R_2) = \hat{e}(Q, R_1) \cdot \hat{e}(Q, R_2)$
• computability: $\hat{e}$ can be efficiently computed
◮ Immediate property: for any two integers $k_1$ and $k_2$, $\hat{e}(k_1 Q, k_2 R) = \hat{e}(Q, R)^{k_1 k_2}$
Jean-Luc Beuchat – Hardware Operators for Pairing-Based Cryptography – Part I: Because size matters 5 / 38
6 Pairings in cryptography
◮ At first, used to attack supersingular elliptic curves
• Menezes-Okamoto-Vanstone and Frey-Rück attacks, 1993 and 1994
• the map $kP \mapsto \hat{e}(kP, P) = \hat{e}(P, P)^k$ transfers the DLP in $\mathbb{G}_1 = \langle P \rangle$ to the DLP in $\mathbb{G}_2$
• for cryptographic applications, we will also require the DLP in $\mathbb{G}_2$ to be hard
◮ One-round three-party key agreement (Joux, 2000)
◮ Identity-based encryption
• Boneh-Franklin, 2001
• Sakai-Kasahara, 2001
◮ Short digital signatures
• Boneh-Lynn-Shacham, 2001
• Zhang-Safavi-Naini-Susilo, 2004
◮ ...
7 Short signature (Boneh, Lynn & Shacham, 2001)
[Figure: Alice holds the private key $a$ and registers the public key $aP$ with the PKI; Bob retrieves $aP$ and $P$ from the PKI]
◮ Alice hashes the message to a digest $D \in \mathbb{G}_1$ and signs it: signature $aD$
◮ Bob recomputes $D$ from the message and accepts the signature if $\hat{e}(D, aP) = \hat{e}(aD, P)$
◮ The check holds by bilinearity: $\hat{e}(D, aP) = \hat{e}(D, P)^a = \hat{e}(aD, P)$
8 Outline of the talk
◮ Pairing-based cryptography
◮ Pairings over elliptic curves
◮ Finite-field arithmetic
◮ Implementation results
◮ Concluding thoughts
9 Pairings over elliptic curves
◮ We first define
• $\mathbb{F}_q$, a finite field, with $q = 2^m$, $3^m$ or $p$
• $E$, an elliptic curve defined over $\mathbb{F}_q$
• $\ell$, a large prime factor of $\#E(\mathbb{F}_q)$
◮ $\mathbb{G}_1 = E(\mathbb{F}_q)[\ell]$, the $\mathbb{F}_q$-rational $\ell$-torsion of $E$: $\mathbb{G}_1 = \{ P \in E(\mathbb{F}_q) \mid \ell P = \mathcal{O} \}$
◮ $\mathbb{G}_2 = \mu_\ell$, the group of $\ell$-th roots of unity in $\mathbb{F}_{q^k}^{\times}$: $\mathbb{G}_2 = \{ U \in \mathbb{F}_{q^k}^{\times} \mid U^\ell = 1 \}$
◮ $k$ is the embedding degree, the smallest integer such that $\mu_\ell \subseteq \mathbb{F}_{q^k}^{\times}$
• usually large for ordinary elliptic curves
• bounded in the case of supersingular elliptic curves (4 in characteristic 2; 6 in characteristic 3; and 2 in characteristic > 3)
10 The Tate pairing
[Figure: two points $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ of $E$ are mapped to $\hat{e}(P, Q) \in \mu_\ell$]
$\hat{e} : E(\mathbb{F}_q)[\ell] \times E(\mathbb{F}_q)[\ell] \to \mu_\ell \subseteq \mathbb{F}_{q^k}^{\times}$, $(P, Q) \mapsto \hat{e}(P, Q)$
◮ Computation via Miller's iterative algorithm:
• $m/2$ iterations over $\mathbb{F}_{2^m}$ and $\mathbb{F}_{3^m}$ ($\eta_T$ pairing)
• $\log_2 p$ iterations over $\mathbb{F}_p$
11 Security considerations
[Figure: from $aP$, a discrete logarithm in $\mathbb{G}_1$ recovers $a$; alternatively, pairing $aP$ with $P$ gives $\hat{e}(aP, P) = \hat{e}(P, P)^a$, and a discrete logarithm in $\mathbb{G}_2$ recovers $a$]
◮ Discrete logarithm problem should be hard in $\mathbb{G}_1$
◮ Discrete logarithm problem should be hard in $\mathbb{G}_2$
12 Security considerations
$\hat{e} : E(\mathbb{F}_q)[\ell] \times E(\mathbb{F}_q)[\ell] \to \mu_\ell \subseteq \mathbb{F}_{q^k}^{\times}$
◮ Discrete logarithm in $\mathbb{G}_1 = E(\mathbb{F}_q)[\ell]$ (Pollard's $\rho$): $\sqrt{\ell} \approx \sqrt{q} = \exp\left(\tfrac{1}{2} \cdot \ln q\right)$
◮ Discrete logarithm in $\mathbb{G}_2 = \mu_\ell \subseteq \mathbb{F}_{q^k}^{\times}$ (FFS or NFS): $\exp\left(c \cdot (\ln q^k)^{1/3} \cdot (\ln \ln q^k)^{2/3}\right)$
◮ The discrete logarithm problem is usually easier in $\mathbb{G}_2$ than in $\mathbb{G}_1$: the index-calculus attacks on $\mathbb{F}_{q^k}^{\times}$ are subexponential in the field size, whereas Pollard's $\rho$ is exponential in $\log \ell$
• current security: $\sim 2^{80}$, equivalent to 80-bit symmetric encryption or RSA-1024
• recommended security: $\sim 2^{128}$ (AES-128, RSA-3072)
13 Security considerations
$\hat{e} : E(\mathbb{F}_q)[\ell] \times E(\mathbb{F}_q)[\ell] \to \mu_\ell \subseteq \mathbb{F}_{q^k}^{\times}$
◮ For the supersingular curves considered here, the embedding degree $k$ depends on the characteristic of the base field $\mathbb{F}_q$, and the field sizes required for a given security level follow from it:
  Base field ($\mathbb{F}_q$)          $\mathbb{F}_{2^m}$   $\mathbb{F}_{3^m}$   $\mathbb{F}_p$
  Embedding degree ($k$)               4                    6                    2
  Lower security ($\sim 2^{64}$)       $m = 239$            $m = 97$             $|p| \approx 256$ bits
  Medium security ($\sim 2^{80}$)      $m = 373$            $m = 163$            $|p| \approx 512$ bits
  Higher security ($\sim 2^{128}$)     $m = 1103$           $m = 503$            $|p| \approx 1536$ bits
◮ $\mathbb{F}_{2^m}$: simpler finite field arithmetic
◮ $\mathbb{F}_{3^m}$: smaller field extension
◮ $\mathbb{F}_p$: prohibitive field sizes
14 Computation of the Tate pairing
$\hat{e} : E(\mathbb{F}_{p^m})[\ell] \times E(\mathbb{F}_{p^m})[\ell] \to \mu_\ell \subseteq \mathbb{F}_{p^{km}}^{\times}$
◮ Arithmetic over $\mathbb{F}_{p^m}$:
• polynomial basis: $\mathbb{F}_{p^m} \cong \mathbb{F}_p[x] / (f(x))$
• $f(x)$, degree-$m$ polynomial irreducible over $\mathbb{F}_p$
◮ Arithmetic over $\mathbb{F}_{p^{km}}^{\times}$:
• tower-field representation
• only arithmetic over the underlying field $\mathbb{F}_{p^m}$
◮ Operations over $\mathbb{F}_{p^m}$ (number of operations for one pairing computation, with $m = 313$ and $m = 127$ as worked examples):
                      Characteristic 2                                Characteristic 3
  Base field          $\mathbb{F}_{2^m}$              $\mathbb{F}_{2^{313}}$   $\mathbb{F}_{3^m}$               $\mathbb{F}_{3^{127}}$
  $+/-$               $27 \lfloor m/2 \rfloor + 75$   4287                     $119 \lfloor m/4 \rfloor + 260$  3949
  $\times$            $7 \lfloor m/2 \rfloor + 29$    1121                     $25 \lfloor m/4 \rfloor + 93$    868
  $a^p$               $6m + 9$                        1887                     $17 \lfloor m/2 \rfloor + 8$     1079
  $a^{-1}$            1                               1                        1                                1
◮ Software not well suited to small characteristic: need for hardware acceleration
15 Outline of the talk
◮ Pairing-based cryptography
◮ Pairings over elliptic curves
◮ Finite-field arithmetic (only in characteristic 3)
◮ Implementation results
◮ Concluding thoughts
16 Arithmetic over $\mathbb{F}_{3^m}$
◮ $f \in \mathbb{F}_3[x]$: degree-$m$ irreducible polynomial over $\mathbb{F}_3$, $f = x^m + f_{m-1} x^{m-1} + \cdots + f_1 x + f_0$
◮ $\mathbb{F}_{3^m} \cong \mathbb{F}_3[x] / (f)$
◮ $a \in \mathbb{F}_{3^m}$: $a = a_{m-1} x^{m-1} + \cdots + a_1 x + a_0$
◮ Each element of $\mathbb{F}_3$ stored using two bits
17 Addition over $\mathbb{F}_{3^m}$
◮ $r = a + b = (a_{m-1} + b_{m-1}) x^{m-1} + \cdots + (a_1 + b_1) x + (a_0 + b_0)$
• coefficient-wise additions over $\mathbb{F}_3$: $r_i = (a_i + b_i) \bmod 3$
• addition over $\mathbb{F}_3$: small look-up tables
    +  | 0  1  2
    ---+---------
    0  | 0  1  2
    1  | 1  2  0
    2  | 2  0  1
18 Addition, subtraction and accumulation over $\mathbb{F}_{3^m}$
[Figure: operand registers $R_0$ and $R_1$ loaded with $a$ and $b$, a sign-selection ($+/-$) stage on each operand, the $\mathbb{F}_{3^m}$ adder, and the result register $r$ fed back to the adder input (or 0); control signals $c_0$ to $c_5$ implement load, add/sub, accumulate and enable]
• sign selection: multiplication by 1 or 2, since $-a \equiv 2a \pmod 3$
• feedback loop for accumulation
19 Multiplication over $\mathbb{F}_{3^m}$
◮ Parallel-serial multiplication
• multiplicand loaded in a parallel register
• multiplier loaded in a shift register
◮ Most significant coefficients first (Horner scheme)
◮ $D$ coefficients processed at each clock cycle: $\lceil m/D \rceil$ cycles per multiplication
20 Multiplication over $\mathbb{F}_{3^m}$
◮ Example for $D = 3$ (3 coefficients per iteration), the multiplier $b = b_{m-1} x^{m-1} + \cdots + b_1 x + b_0$ being consumed from its most significant coefficients:
• first iteration: $r \leftarrow (b_{m-1} \cdot a \cdot x^2) \bmod f + (b_{m-2} \cdot a \cdot x) \bmod f + b_{m-3} \cdot a$ (partial sum)
• second iteration: $r \leftarrow (r \cdot x^3) \bmod f + (b_{m-4} \cdot a \cdot x^2) \bmod f + (b_{m-5} \cdot a \cdot x) \bmod f + b_{m-6} \cdot a$ (partial sum)
• and so on, three coefficients of $b$ per iteration, until $b_0$ has been processed
21 Multiplication over $\mathbb{F}_{3^m}$
◮ Computing the partial products $b_j \cdot a$:
• coefficient-wise multiplication over $\mathbb{F}_3$: $(b_j \cdot a_i) \bmod 3$
• multiplications over $\mathbb{F}_3$: small look-up tables
◮ Multiplication by $x^j$: simple shift (only wires)
◮ Modulo $f$ reduction:
• $f = x^m + f_{m-1} x^{m-1} + \cdots + f_1 x + f_0$ gives $x^m \equiv (-f_{m-1}) x^{m-1} + \cdots + (-f_1) x + (-f_0) \pmod f$
• highest degree of polynomial to reduce: $m + D - 1$
• if $f$ is carefully selected (e.g. a trinomial or pentanomial), only a few multiplications and additions over $\mathbb{F}_3$
• example for $m = 97$: $f = x^{97} + x^{12} + 2$
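The $\mathbb{F}_{3^m}$ addition and sign selection of slides 17 and 18 and the $D$-coefficient-per-cycle Horner multiplier with modulo-$f$ reduction of slides 19 to 21, as an added, runnable Python example that is not part of the original slides. It represents an element as a list of $m$ coefficients in $\{0, 1, 2\}$ (not the two-bit hardware encoding), uses the slides' reduction polynomial $f = x^{97} + x^{12} + 2$, and cross-checks the digit-serial multiplier against a schoolbook product; the function names, the list representation and the random-input check are this example's own choices, and irreducibility of $f$ is taken from the slides rather than verified.

```python
"""Polynomial-basis arithmetic over F_{3^m} with the D-coefficient-per-cycle
(parallel-serial, most-significant-coefficient-first) multiplier of the slides.

An element is a list of m coefficients in {0, 1, 2}; index i holds the
coefficient of x^i.  The reduction polynomial f is a list of m + 1 coefficients.
Names and the list representation are this example's own choices.
"""
from math import ceil
import random

# Addition and multiplication over F_3 as small look-up tables, as on the slides.
F3_ADD = [[(i + j) % 3 for j in range(3)] for i in range(3)]
F3_MUL = [[(i * j) % 3 for j in range(3)] for i in range(3)]


def make_modulus(m, lower_terms):
    """f = x^m + sum(c * x^d for d, c in lower_terms.items()), as a coefficient list."""
    f = [0] * (m + 1)
    f[m] = 1
    for degree, coeff in lower_terms.items():
        f[degree] = coeff % 3
    return f


def monomial(m, degree, coeff=1):
    """The element coeff * x^degree of F_{3^m}."""
    a = [0] * m
    a[degree] = coeff % 3
    return a


def f3m_add(a, b):
    """Coefficient-wise addition: r_i = (a_i + b_i) mod 3."""
    return [F3_ADD[x][y] for x, y in zip(a, b)]


def f3m_neg(a):
    """Sign selection: -a == 2a (mod 3), so negation is a multiplication by 2."""
    return [F3_MUL[2][x] for x in a]


def f3m_sub(a, b):
    return f3m_add(a, f3m_neg(b))


def reduce_mod_f(poly, f):
    """Reduce a polynomial of any degree modulo f.

    Uses x^m == -(f_{m-1} x^{m-1} + ... + f_1 x + f_0) (mod f): each coefficient of
    degree >= m, taken from the top down, is folded onto the m lower positions.  With
    a sparse f (the trinomial below) that is only a few F_3 operations per folded term.
    """
    m = len(f) - 1
    p = list(poly) + [0] * max(0, m - len(poly))
    for degree in range(len(p) - 1, m - 1, -1):
        c = p[degree]
        if c == 0:
            continue
        p[degree] = 0
        for i in range(m):
            if f[i]:
                # x^degree = x^(degree - m) * x^m, and x^m contributes -f_i * x^i
                term = F3_MUL[c][F3_MUL[2][f[i]]]
                p[degree - m + i] = F3_ADD[p[degree - m + i]][term]
    return p[:m]


def f3m_mul_schoolbook(a, b, f):
    """Reference multiplier: full polynomial product, then a single reduction."""
    m = len(f) - 1
    prod = [0] * (2 * m - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                prod[i + j] = F3_ADD[prod[i + j]][F3_MUL[ai][bj]]
    return reduce_mod_f(prod, f)


def f3m_mul_digit_serial(a, b, f, D):
    """Horner-scheme multiplier consuming D coefficients of the multiplier b per cycle.

    Each cycle computes r <- (r * x^D + sum_{j<D} b_{tD+j} * a * x^j) mod f for the
    digit t, most significant digit first; the polynomial handed to the reduction
    has degree at most m + D - 1.  Returns (product, cycles) with cycles == ceil(m/D).
    """
    m = len(f) - 1
    cycles = ceil(m / D)
    b_padded = list(b) + [0] * (cycles * D - m)  # leading zeros complete the top digit
    r = [0] * m
    for t in range(cycles - 1, -1, -1):
        shifted = [0] * D + r                    # r * x^D: a shift, only wires in hardware
        for j in range(D):
            bj = b_padded[t * D + j]
            if bj:                               # partial product b_j * a, shifted by x^j
                for i, ai in enumerate(a):
                    shifted[i + j] = F3_ADD[shifted[i + j]][F3_MUL[bj][ai]]
        r = reduce_mod_f(shifted, f)
    return r, cycles


def multipliers_agree(m=97, lower_terms=None, digits=(1, 3, 4), trials=5, seed=1):
    """Cross-check the digit-serial multiplier against the schoolbook one on random inputs."""
    f = make_modulus(m, lower_terms if lower_terms is not None else {12: 1, 0: 2})
    rng = random.Random(seed)
    for D in digits:
        for _ in range(trials):
            a = [rng.randrange(3) for _ in range(m)]
            b = [rng.randrange(3) for _ in range(m)]
            r, cycles = f3m_mul_digit_serial(a, b, f, D)
            if r != f3m_mul_schoolbook(a, b, f) or cycles != ceil(m / D):
                return False
    return True


if __name__ == "__main__":
    f = make_modulus(97, {12: 1, 0: 2})              # the slides' f = x^97 + x^12 + 2
    r, cycles = f3m_mul_digit_serial(monomial(97, 1), monomial(97, 96), f, 3)
    print(cycles, {i: c for i, c in enumerate(r) if c})  # 33 cycles; x^97 = 2x^12 + 1
    print(multipliers_agree())
```

The product $x \cdot x^{96} = x^{97}$ is a convenient hand check of the reduction: with $f = x^{97} + x^{12} + 2$ the rule $x^{97} \equiv -x^{12} - 2 = 2x^{12} + 1$ is applied exactly once, and because $f$ has only two lower terms each folded coefficient costs one $\mathbb{F}_3$ multiplication and one $\mathbb{F}_3$ addition per term, which is why a trinomial keeps the reduction circuit small. The cycle count returned by f3m_mul_digit_serial is the $\lceil m/D \rceil$ of slide 19 (33 for $m = 97$, $D = 3$), and the reduction in every cycle sees a polynomial of degree at most $m + D - 1$, as slide 21 states.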